Title: Implementing Enterprise IT Security
1 Implementing Enterprise IT Security
- John O'Driscoll
- Senior Executive, Information IT Security
- Commonwealth Bank
- Lunchtime Technical Session
- Wednesday, 12 November, 2003
2 Overview
- Where does IT security risk fit within an organisation's risk management framework?
- Is there a link between physical and IT security?
- What are the components of an IT security management framework?
- How does this help manage risk?
3 Risk Management Framework
- Credit Risk
- Operational Risk
- Market Risk
4 Physical and IT Security
- Physical Security
- IT Security
5 IT Security Management Framework
(framework diagram, shown here as a list of domains and their capabilities)
- Governance: Strategic Direction, Organisation, Approach, Communications
- Operations Management: Physical, IT Service Delivery, IT Service Support
- Identity and Access Management: Registration, Authentication, Authorisation
- Resource Management: Identification, Classification, Protection
- Threat and Vulnerability Management: Assessment, Monitoring and Compliance
- Incident Response: Prevention, Detection, Response, Correction
6 IT Security Capabilities Identified and Prioritised
Group Priority Matrix (sample only)
IT Security Capabilities Required (order does not represent priority):
- GOVERNANCE
- 1. Strategic Direction
- 2. Organisation
- 3. Approach
- 4. Communications
- OPERATIONS MANAGEMENT
- 5. Physical
- 6. IT Service Delivery
- 7. IT Service Support
- IDENTITY AND ACCESS MANAGEMENT
- 8. Registration
- 9. Authentication
- 10. Authorisation
- RESOURCE MANAGEMENT
- 11. Identification
- 12. Classification
- 13. Protection
- THREAT AND VULNERABILITY MANAGEMENT
- 14. Monitoring and Compliance
[Priority matrix, sample only: each capability is plotted by its number with Impact (strategic, financial, reputational), from lower to higher, on one axis and the gap between the current and desired capabilities (lower, intermediate, higher) on the other; the quadrants are labelled Lower Priority, Medium Priority, High Priority and Highest Priority.]
7 Risk Management
(cycle diagram: Identify Risks, Identify Threats, Identify Vulnerabilities, Minimise Risk)
- Risk: exposure to loss or damage
- Threat: activity that represents possible danger to Confidentiality, Integrity, Availability (CIA)
- Vulnerability: weakness that could be exploited by a threat
8 Threats and Vulnerabilities
9 Past
- External: hold-ups, theft (assets, IP)
- Internal: theft, fraud, succession
10 Present
- External: more, faster, higher value
- Internal: smarter, more access to information, motive
- Electronic transactions exceed branch-initiated transactions
- 3m NetBank customers (50% increase on the previous 12 months); 40m transactions (60% increase on the previous 12 months)
- Fraud hotspots:
  - Customer PC: keyboard logger and malicious code
  - Identity theft
  - Ghosted website
  - Worm/virus: Slammer (8 mins), Blaster (18 hours)
  - Infection vectors: home users, hibernating laptops, direct rogue connections (WiFi, dialup)
11 Future
- Fraudster profile
- Terrorists
- Regulators
- Vulnerability management (network perimeter, AV, patching)
- Customer pilfering
- Brand
12 Management Reporting: Service Providers
- Security Management Reports
- Incident Reports
- Compliance Statements
- Independent Reviews
13 Executive Management Reporting
- Detailed Status Reports
- Summary Reporting
- Security Policy Exemptions
- Security Incidents
- Security Compliance
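As an added example (not part of the presentation and not Commonwealth Bank code), the Python below consolidates the inputs named on slides 12 and 13: per-provider incident reports and compliance statements are rolled up into a detailed status (open incidents by severity, incidents past their resolution target, policy exemptions still in force versus expired) and then into the summary rating an executive report would carry. The provider names, record formats, resolution targets (SLA_DAYS) and the green/amber/red thresholds are all assumptions made for the example; the sample records are constructed.

```python
from collections import Counter
from datetime import date

TODAY = date(2003, 11, 12)  # date of the session, fixed so the example is reproducible

# Constructed sample input (assumed record formats). In practice these would be
# parsed from each service provider's incident reports and compliance statements.
INCIDENTS = [
    {"provider": "HostingCo", "id": "INC-101", "severity": "high",
     "opened": date(2003, 10, 28), "closed": None},
    {"provider": "HostingCo", "id": "INC-102", "severity": "low",
     "opened": date(2003, 11, 3), "closed": date(2003, 11, 4)},
    {"provider": "NetworkCo", "id": "INC-201", "severity": "critical",
     "opened": date(2003, 11, 10), "closed": None},
    {"provider": "NetworkCo", "id": "INC-202", "severity": "medium",
     "opened": date(2003, 9, 30), "closed": None},
]
EXEMPTIONS = [
    {"policy": "Patch within 30 days", "system": "legacy-teller-app", "expires": date(2003, 12, 31)},
    {"policy": "No dial-up modems", "system": "branch-fax-gw", "expires": date(2003, 10, 1)},
]
COMPLIANCE = [
    {"provider": "HostingCo", "control": "AV signatures current", "compliant": True},
    {"provider": "HostingCo", "control": "Critical patches applied", "compliant": False},
    {"provider": "NetworkCo", "control": "AV signatures current", "compliant": True},
    {"provider": "NetworkCo", "control": "Critical patches applied", "compliant": True},
    {"provider": "NetworkCo", "control": "Perimeter rule review", "compliant": True},
]
# Assumed resolution targets per severity, in days.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


def incident_summary(incidents, today=TODAY):
    """Detailed status: open incidents by severity and those past their target."""
    open_ = [i for i in incidents if i["closed"] is None]
    by_sev = Counter(i["severity"] for i in open_)
    overdue = [i["id"] for i in open_
               if (today - i["opened"]).days > SLA_DAYS[i["severity"]]]
    return {"open": len(open_), "by_severity": dict(by_sev), "overdue": sorted(overdue)}


def exemption_status(exemptions, today=TODAY):
    """Policy exemptions still in force versus expired ones needing renewal or remediation."""
    active = [e["system"] for e in exemptions if e["expires"] >= today]
    expired = [e["system"] for e in exemptions if e["expires"] < today]
    return {"active": active, "expired": expired}


def compliance_by_provider(statements):
    """Percentage of attested controls met, per service provider."""
    totals, met = Counter(), Counter()
    for s in statements:
        totals[s["provider"]] += 1
        met[s["provider"]] += int(s["compliant"])
    return {p: round(100.0 * met[p] / totals[p], 1) for p in totals}


def executive_summary(incidents=INCIDENTS, exemptions=EXEMPTIONS,
                      statements=COMPLIANCE, today=TODAY):
    """Summary view: one rating plus the figures behind it.
    Rating thresholds are assumptions chosen for this example."""
    inc = incident_summary(incidents, today)
    exe = exemption_status(exemptions, today)
    comp = compliance_by_provider(statements)
    rating = "green"
    if inc["overdue"] or exe["expired"]:
        rating = "amber"
    if inc["by_severity"].get("critical", 0) or min(comp.values(), default=100.0) < 80.0:
        rating = "red"
    return {"rating": rating, "incidents": inc, "exemptions": exe, "compliance": comp}


if __name__ == "__main__":
    for area, detail in executive_summary().items():
        print(f"{area}: {detail}")
```

The detailed functions are what a security manager reviews; the executive view keeps only the rating and the counts that drive it, so the same data feeds both reporting levels without being restated by hand.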
14 Executive Management Reporting (sample only)
15 Questions