Implementing Enterprise IT Security

1
Implementing Enterprise IT Security

• John ODriscoll
• Senior Executive, Information IT Security
• Commonwealth Bank
• Lunchtime Technical Session
• Wednesday, 12 November, 2003

2
Overview

• Where does IT security risk fit within an
  organisations risk management framework
• Is there a link between physical and IT security
• What are the components of an IT security
  management framework
• How does this help manage risk

3
Risk Management Framework
Credit Risk
Operational Risk
Market Risk
4
Physical IT Security
Physical Security
IT Security
5
IT Security Management Framework
Strategic Direction
Correction
Organisation
Response
Approach
Detection
Communications

Governance
Incident Response
Physical
Prevention
IT Security Management Framework
Threat Vulnerability Management
Operations Management
IT Service Delivery
Assessment
IT Service Support
Monitoring Compliance
Identity Access Management
Resource Management
Registration
Protection
Authentication
Classification
Authorisation
Identification
6
ITT Security Capabilities Identified and
Prioritised
Group Priority Matrix
ITT Security Capabilities Required) ( Does Not
Represent Priority)
High Priority
Higher
Medium Priority
Highest Priority

• GOVERNANCE
• 1. Strategic Direction
• 2. Organisation
• 3. Approach
• Communications
• OPERATIONS MANAGEMENT
• 5. Physical
• 6. IT Service Delivery
• IT Service Support
• IDENTITY ACCESS MANAGEMENT
• 8. Registration
• 9. Authentication
• 10. Authorisation
• RESOURCE MANAGEMENT
• 11. Identification
• Classification
• Protection
• THREAT VULNERABILITY MANAGEMENT
• 14. Monitoring Compliance

1
17
15
11
2
5
16
3
9
10
14
13
7
Impact (strategic, financial reputational)
Sample Only
20
Medium Priority
Lower Priority
Lower
High Priority
4
12
18
6
19
8
Lower
Intermediate
Gap between the current and desired capabilities
7
Risk Management
Identify Risks
Minimise Risk
Identify Threats
Identify Vulnerabilities

• Risk exposure to loss or damage
• Threat Activity that represents possible danger
  to Confidentiality, Integrity, Availability (CIA)
• Vulnerability weakness that could be exploited
  by a threat

8
Threats Vulnerabilities

• Past
• Present
• Future

9
Past

• External hold ups, theft (assets, IP)
• Internal theft, fraud, succession

10
Present

• External more, faster, higher value
• Internal smarter, more access to information,
  motive
• Electronic transactions exceed branch initiated
  transactions
• 3m NetBank customers (50 increase on previous
  12 months) 40m transactions (60 increase on
  pervious 12 months)
• Fraud hotspots
• Customer PC keyboard logger and malicious code
• Identity theft
• Ghosted website
• Worm/virus
• Slammer (8 mins)
• Blaster (18 hours)
• Infections vectors home users hibernating
  laptops direct rogue connections (WiFi, dialup)

11
Future

• Fraudster profile
• Terrorists
• Regulators
• Vulnerability management (network perimeter, AV,
  patching)
• Customer pilfering
• Brand

12
Management Reporting Service Providers

• Security Management Reports
• Incident Reports
• Compliance Statements
• Independent Reviews

13
Executive Management Reporting

• Detailed Status Reports
• Summary Reporting
• Security Policy Exemptions
• Security Incidents
• Security Compliance

14
Executive Management Reporting
Sample Only
15
Questions