
Does IT Security Matter?

Dr. Luke O'Connor


Group IT Risk Zurich Financial Services, Switzerland

Faculty of Information Technology, QUT


November 27th, 2007

Outline
A bit about Zurich and myself

Nicholas Carr and knowing your neighbours


Security Tectonics

The Explanation is Mightier than the Action


Risk and the New Math

Final Grains of Wisdom


2

Introduction to Zurich

Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets

Servicing capabilities to manage programs with risk exposure in more than 170 countries

Approximately 58,000 employees worldwide

Insurer of the majority of Fortune's Global 100 companies

Net income attributable to shareholders of USD 4.5 billion in 2006

Business operating profit of USD 5.9 billion in 2006

3

My Background
Industrial Research (6 yr)
What people might want

Consulting (5 yr)
What people say they want

In house (2 yr)
What people expect

(Security)

(Risk)

G-IT Risk stakeholders

[Diagram: GITR (Group IT Risk) at the centre, with the following groups around it]

Service Providers: G-ISP, Supplier A, Supplier B, Supplier x (service risk management)

Zurich Business: Business A, Business B, Business C, Business x

GSM: Account Exec A, Account Exec B, Account Exec C, Account Exec x (project risk management)

Investigations

Capabilities: Finance, GITAG, Process/QM, Sourcing (G-IT support functions; co-operate with GITR)

Group functions: Audit, Compliance, Legal, Risk (GITR partner focus; GITR is the primary interface for G-IT; they consume information and services)

External functions: Industry Bodies & Suppliers

5

Does IT Matter?

IT doesn't matter and can't bring strategic advantage at present!

Spend less

Follow, don't lead

Focus on vulnerabilities, not on opportunities

IT management should become boring

Manage risks and costs

Carr, N., "IT Doesn't Matter", Harvard Business Review, Vol. 81, No. 5, May 2003
Carr, N., Does IT Matter?, 2004

6

Good Neighbours, but Good Friends?

[Diagram: Business, IT Department and IT Security as three neighbouring blocks]

Business sees IT as something technical: there is a dependency, but not a strategic relationship.

IT Departments see IT Security as something technical: again a dependency, but not a strategic relationship.

The Continental Drift of C, I, A

CIA, better known to business as "Call in Accenture"

[Table: security layers (rows) against Confidentiality, Integrity and Availability (columns)]

TECHNICAL
  Confidentiality: SSL VPN, Database Encryption, Hard Disk Encryption
  Integrity: Hashing & Checksums, Digital Signatures, Authentication, Access Control, Logging
  Availability: Anti-Virus, Firewalls, Anti-Spyware, DOS

CONCEPTUAL / ARCHITECTURAL
  Confidentiality: Data in Flight, Data at Rest
  Integrity: One person, one ID; Rapid and flexible provisioning and deprovisioning of rights; Role Based Access Control
  Availability: Backup & Restore, RAID, Clustering, Hot Swapping, Incident Response

PROCESS / BUSINESS
  Confidentiality: Data Retention, Data Leakage, Data Breach, Data Privacy, Cross Border Data Flow
  Integrity: ID Management, Financial Process Integrity
  Availability: Business Continuity, Disaster Recovery

8

The Explanation is Mightier Than the Action

Security Bingo

10

Notable Security Setbacks

Regulatory Frameworks over Security Frameworks (SOX over 7799)

Excel over FUD (Fear, Uncertainty and Doubt)

Reactive over Proactive

SLAs over Security Program

Commercial over Military

11

The New-ish Security Model

From Castle to Airport

Castle
Security mechanisms are static and difficult to change. Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal. Known community have unrestricted access within the security boundary. Silo mentality in the organisation.

Airport
Security mechanisms are dynamic and responsive to threats. Uses multiple overlapping technologies for defence in depth. Security must be maintained whilst an unknown population traverses. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements. Requires an open, co-ordinated, global approach to security.

12

The next Big Thing: Network Access Control (NAC)

How do you sell this to your IT Department or Business?

[Diagram: NAC architecture with three zones, Remote Access, DMZ and Trusted Network]

Remote Access: VPN Concentrator, Firewall Cluster
DMZ: DMZ Network, Network Access Control Server, AAA Server, IDS Sensor; access to a restricted set of web applications based on user role
Quarantine Network: Quarantine Server, Platform Configuration Server
Trusted Network: Firewall Cluster, Trusted VLANs, IDS Sensor; access to a restricted VLAN based on user role

13
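The admission logic that the NAC diagram implies (authenticate against the AAA server, check endpoint posture, then place the endpoint in the Quarantine Network, on role-restricted web applications, or on a role-restricted VLAN) can be shown as a small policy engine. This is an added example, not code from the talk or from Zurich; the role-to-VLAN mapping, web application names, quarantine host names, posture thresholds and sample endpoints are all constructed for illustration.

```python
"""Toy NAC admission engine (constructed example; not Zurich's design).

An endpoint arriving via Remote Access (VPN Concentrator) or the Trusted
Network is authenticated by the AAA server, its posture is checked, and it
is placed in the Quarantine Network (remediation only), on a restricted set
of web applications, or on a restricted VLAN, according to the user's role.
"""
from dataclasses import dataclass

# Constructed sample policy: which VLAN and which web applications each role may reach.
ROLE_VLANS = {"finance": "vlan-finance", "engineering": "vlan-eng", "contractor": "vlan-guest"}
ROLE_WEB_APPS = {
    "finance": ["expenses", "ledger"],
    "engineering": ["wiki", "tickets"],
    "contractor": ["timesheets"],
}
# Hosts reachable from the Quarantine Network (names assumed for illustration).
QUARANTINE_HOSTS = ["quarantine-server", "platform-config-server"]
MAX_AV_SIGNATURE_AGE_DAYS = 7  # assumed posture threshold


@dataclass
class Endpoint:
    user: str
    role: str                    # asserted by the AAA server after authentication
    entry_point: str             # "remote" (via VPN concentrator) or "trusted" (on-site)
    av_signature_age_days: int   # posture attribute reported by the endpoint agent
    patches_current: bool        # posture attribute reported by the endpoint agent
    authenticated: bool          # result of the AAA exchange


@dataclass
class Decision:
    placement: str   # "denied", "quarantine", "restricted_web" or "restricted_vlan"
    resources: list  # what the endpoint may reach after placement
    reason: str


def posture_failures(ep):
    """Return the posture checks the endpoint failed (empty list means healthy)."""
    failures = []
    if ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(f"anti-virus signatures {ep.av_signature_age_days} days old")
    if not ep.patches_current:
        failures.append("platform patches not current")
    return failures


def admit(ep):
    """Decide where the NAC server places the endpoint."""
    if not ep.authenticated:
        return Decision("denied", [], "AAA authentication failed")
    if ep.role not in ROLE_VLANS:
        return Decision("denied", [], f"no access policy for role {ep.role!r}")
    failures = posture_failures(ep)
    if failures:
        # Unhealthy endpoints see only the remediation hosts until they pass posture.
        return Decision("quarantine", QUARANTINE_HOSTS, "; ".join(failures))
    if ep.entry_point == "remote":
        # Remote users get a restricted set of web applications based on role.
        return Decision("restricted_web", ROLE_WEB_APPS[ep.role], "remote access, healthy endpoint")
    # On-site users get a restricted VLAN based on role.
    return Decision("restricted_vlan", [ROLE_VLANS[ep.role]], "trusted network, healthy endpoint")


def audit_line(ep, decision):
    """One log line per admission decision, so placements can be reviewed centrally."""
    return (f"user={ep.user} role={ep.role} entry={ep.entry_point} "
            f"placement={decision.placement} reason=\"{decision.reason}\"")


# Constructed sample endpoints.
SAMPLE_ENDPOINTS = [
    Endpoint("alice", "finance", "trusted", 1, True, True),
    Endpoint("bob", "engineering", "remote", 2, True, True),
    Endpoint("carol", "contractor", "remote", 30, False, True),
    Endpoint("dave", "finance", "trusted", 0, True, False),
]


def run_samples():
    """Admit every sample endpoint and return the decisions keyed by user."""
    return {ep.user: admit(ep) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(audit_line(ep, admit(ep)))
```

The order of the checks is the point worth selling to the IT department: authentication and role come first, posture second, and only a healthy endpoint is ever placed on production resources, with the placement logged every time.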

From Security ...

[Diagram: four stages, labelled Perceived, Desired, Reality and The Plan]

Objectives: ISO 17799, ISF, Cobit, NIST, your policies and standards, etc.

Controls: ISO 17799, ISF, Cobit, NIST, your service catalogue, etc.

Testing: Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis

Report: Control Effectiveness, Compliance, Risk Mitigation, Priorities

14

... to Risk

Description: What could happen?

Trigger: How could it happen?

Consequence: What is the impact?

Probability: How often?

Severity: How bad?

15

Controls as Risk (as is)

[Diagram: a Control Objective (e.g. CoBIT) decomposed into Controls C1, C2, C3, C4; each control is rated by the Control Assessment as Effective, Needs Improvement or Not Effective; a "Risk?" label hangs off each rating]

Risk scenarios are reformulations of control deficiencies (gaps)? NO!

Control gaps are potential triggers of risk.

16
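The two slides above (a risk scenario answers "what could happen, how, what is the impact, how often, how bad", and a control gap is a trigger of a scenario rather than a risk in itself) can be made concrete as a small risk register builder. This is an added example, not the talk's or Zurich's risk tool; the five-point scales, the control assessment, the scenarios and the scoring rule (probability times severity) are constructed for illustration.

```python
"""Risk register built from a control assessment (constructed example; not Zurich's tool).

A scenario must state a consequence, or it is just a control gap restated and
is rejected. Control gaps appear in the register only as open triggers of a
scenario, and the register is ranked by probability times severity.
"""
import csv
import io
from dataclasses import dataclass

# Constructed five-point scales for Probability (how often?) and Severity (how bad?).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CONTROL_STATUSES = {"Effective", "Needs Improvement", "Not Effective"}
FIELDS = ["description", "consequence", "probability", "severity", "score", "open_triggers"]


@dataclass
class RiskScenario:
    description: str   # what could happen?
    triggers: list     # how could it happen? IDs of controls whose failure would trigger it
    consequence: str   # what is the impact?
    probability: str   # how often? key of PROBABILITY
    severity: str      # how bad? key of SEVERITY


def validate(scenario):
    """Return the reasons a scenario is not acceptable as a register entry (empty list = OK)."""
    problems = []
    if not scenario.consequence.strip():
        problems.append("no consequence stated: this is a control gap restated, not a risk")
    if not scenario.triggers:
        problems.append("no trigger given")
    if scenario.probability not in PROBABILITY:
        problems.append(f"unknown probability {scenario.probability!r}")
    if scenario.severity not in SEVERITY:
        problems.append(f"unknown severity {scenario.severity!r}")
    return problems


def score(scenario):
    """Constructed scoring rule: probability rank times severity rank."""
    return PROBABILITY[scenario.probability] * SEVERITY[scenario.severity]


def open_triggers(scenario, assessment):
    """Triggers whose control was assessed as anything other than Effective.

    A control that was never assessed is treated as Not Effective, so a missing
    assessment cannot silently make a scenario look covered.
    """
    for control, status in assessment.items():
        if status not in CONTROL_STATUSES:
            raise ValueError(f"control {control}: unknown status {status!r}")
    return [c for c in scenario.triggers if assessment.get(c, "Not Effective") != "Effective"]


def build_register(scenarios, assessment):
    """Validate every scenario and return register rows, highest score first."""
    rows = []
    for s in scenarios:
        problems = validate(s)
        if problems:
            raise ValueError(f"{s.description}: " + "; ".join(problems))
        rows.append({
            "description": s.description,
            "consequence": s.consequence,
            "probability": s.probability,
            "severity": s.severity,
            "score": score(s),
            "open_triggers": open_triggers(s, assessment),
        })
    # Highest score first; ties broken by number of open triggers, then by name.
    return sorted(rows, key=lambda r: (-r["score"], -len(r["open_triggers"]), r["description"]))


def to_csv(rows):
    """Render the register as CSV so it can be opened next to the business's spreadsheets."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "open_triggers": " ".join(r["open_triggers"])})
    return buf.getvalue()


# Constructed sample data: a control assessment and three scenarios.
CONTROL_ASSESSMENT = {"C1": "Effective", "C2": "Needs Improvement", "C3": "Not Effective", "C4": "Effective"}
SCENARIOS = [
    RiskScenario("Customer policy data disclosed to an unauthorised party", ["C2", "C3"],
                 "regulatory fine and customer notification", "possible", "major"),
    RiskScenario("Claims processing unavailable for more than one business day", ["C4"],
                 "claims backlog and service-level penalties", "unlikely", "severe"),
    RiskScenario("Supplier change deployed without approval", ["C1", "C3"],
                 "incorrect premium calculations", "likely", "minor"),
]

if __name__ == "__main__":
    print(to_csv(build_register(SCENARIOS, CONTROL_ASSESSMENT)))
```

With the constructed data the disclosure scenario ranks first (possible, major) with C2 and C3 as open triggers, the outage scenario second with no open triggers (C4 is effective), and the unapproved-change scenario last. A scenario written as "Control C3 is not effective" with no consequence fails validation, which is the slide's "NO!" expressed as a check.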

IT Risk Components

IT Projects Risk: Financial & Resources; Compliance & Audit; Contract & Supplier Management; IT Architecture & Strategy; IT Project Management Risks; Facilities & Environment; IT Operations & Support; Time to Deliver; IT Security

IT Services Risk: Service Level Management; Capacity Planning; Contingency Planning; Availability Management; Cost Management; Configuration Management; Problem Management; Change Management; Help Desk; Software Control & Distribution; IT Security

17

Zurich's IT Risk Management Framework

[Diagram: numbered flow from the object to be assessed to Group IT risk reporting]

1. Object to be assessed: Project or Service. The ABC (Assessment of Business Criticality) risk analysis prioritizes resources: optimised risk analysis for projects, optimised risk analysis for services.

2. Above threshold, Project: Project Risk Tool, risk assessment within the PMO process; Project Risk Consulting.

3. Above threshold, Service: Service Risk Tool, facilitated assessments and self-assessments; Services Risk Consulting. IT Security Risk Assessments apply to both.

   Below threshold: no further analysis; apply policies and standards.

4. Group IT Risk Register (central): the risk register provides a single global data store for analysis and reporting.

5. Reporting, Escalation and Action Monitoring: QRR, Dashboard, Actions monitoring, Group IT Risk Reporting.

18

Relation to Operational Risk

[Diagram: IT Risk Process and opRisk Process side by side, sharing a Common Risk Repository and Common IT Infrastructure]

Goals: Awareness, Well Informed Decision Making, Incentives, Performance Measurement

Outputs: IT Risk Reporting; opRisk Reporting; Capital Allocation

IT Risk Process data flow input: IT Project Risk Assessments; IT Service Risk Assessments; IT Risk Incident Management; other sources (ICF, TRP, ...)

opRisk Process: opRisk Modeling and Quantification; opRisk QRA; opRisk KRIs; opRisk LED Collection; other processes

Joint effort: Common Risk Repository; Common IT Infrastructure

19

Conclusion: Does IT Security Matter?

IT Security in general is not an end in itself

IT Security is one area competing for attention and funding, amongst many

If you don't make IT security matter, it won't

Keeping business secure is the main end

Focus on securing business processes, not the process of securing

Excel is your new best friend

Make your spreadsheets work with their spreadsheets

A risk-based approach is the opportunity to speak business language

Don't replace FUD with GIGO (garbage in, garbage out)

20

Over to you

21
