Outline
A bit about Zurich and myself
Introduction to Zurich
Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
Approximately 58,000 employees worldwide
Insurer of the majority of Fortune's Global 100 companies
My Background
Industrial Research (6 yr)
What people might want
Consulting (5 yr)
What people say they want
In house (2 yr)
What people expect
(Security)
(Risk)
Investigations
GITR
Co-operate
Group functions
Industry Bodies & Suppliers G-IT support functions External functions
Does IT Matter?
IT doesn't matter and can't bring strategic advantage at present!
Carr, N., "IT Doesn't Matter", Harvard Business Review, Vol. 81, No. 5, May 2003; Carr, N., Does IT Matter?, 2004
There is a dependency but not a strategic relationship.
Business sees IT as something technical.
IT Department
IT Security
Confidentiality
Integrity
Availability
TECHNICAL
CONCEPTUAL ARCHITECTURAL
One person, one ID
Rapid and flexible provisioning and deprovisioning of rights
Role Based Access Control
PROCESS BUSINESS
Data Retention
Data Leakage
Data Breach
Data Privacy
Cross Border Data Flow
Security Bingo
Regulatory Frameworks over Security Frameworks (SOX over 7799)
Excel over FUD (Fear, Uncertainty and Doubt)
Reactive over Proactive
Castle
Security mechanisms are static and difficult to change.
Reliance on a few mechanisms.
Castle walls are assumed impregnable.
Once inside, security mechanisms are minimal.
A known community has unrestricted access within the security boundary.
Airport
Security mechanisms are dynamic and responsive to threats.
Uses multiple overlapping technologies for defence in depth.
Security must be maintained whilst an unknown population traverses the environment.
Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected).
Use of roles to determine security requirements.
Requires an open, co-ordinated, global approach to security.
Quarantine Network
AAA Server
VPN Concentrator
IDS Sensor
From Security ...
Perceived, Desired, Reality, The Plan
Objectives
Controls
Testing
Report
ISO 17799, ISF, Cobit, NIST, your policies and standards, etc.
... to Risk
Description
Trigger
Consequence
Probability
How often?
Severity
How bad?
Control Objective
Risk?
Risk?
Risk?
C 1
C 2
C 3
C 4
Control Assessment
IT Risk Components
IT Projects Risk
Financial & Resources
Compliance & Audit
Contract & Supplier Management
IT Architecture & Strategy
IT Project Management Risks
Facilities & Environment
IT Operations & Support
Time to Deliver
IT Security
IT Services Risk
Service Level Management
Capacity Planning
Contingency Planning
Availability Management
Cost Management
Configuration Management
Problem Management
Change Management
Help Desk
Software Control & Distribution
IT Security
The ABC (Assessment of Business Criticality) risk analysis prioritizes resources
Optimised risk analysis for projects
Optimised risk analysis for services
ABC
Above threshold
Project
Service
Below threshold
Risk register provides a single global data store for analysis and reporting
Reporting, Escalation and Action Monitoring
QRR
Dashboard
Actions monitoring
Awareness, Well Informed Decision Making, Incentives, Performance Measurement
IT Risk Reporting
opRisk Reporting
opRisk Process
IT Risk Process
Common IT Infrastructure
Joint Effort
Other Process
opRisk QRA
opRisk KRIs
Over to you