Implementing Enterprise IT Security - PowerPoint PPT Presentation

1
Implementing Enterprise IT Security
  • John O'Driscoll
  • Senior Executive, Information & IT Security
  • Commonwealth Bank
  • Lunchtime Technical Session
  • Wednesday, 12 November, 2003

2
Overview
  • Where does IT security risk fit within an
    organisation's risk management framework?
  • Is there a link between physical and IT security?
  • What are the components of an IT security
    management framework?
  • How does this help manage risk?

3
Risk Management Framework
(Diagram: the organisation's risk management framework, showing Credit Risk, Operational Risk and Market Risk)

4
Physical & IT Security
(Diagram: Physical Security and IT Security)

5
IT Security Management Framework
(Diagram: the framework and its components, grouped as the diagram lays them out)
  • Governance: Strategic Direction, Organisation, Approach, Communications
  • Incident Response: Detection, Response, Correction
  • Operations Management: Physical, IT Service Delivery, IT Service Support
  • Threat & Vulnerability Management: Prevention, Assessment, Monitoring & Compliance
  • Identity & Access Management: Registration, Authentication, Authorisation
  • Resource Management: Identification, Classification, Protection

6
IT&T Security Capabilities Identified and Prioritised
(Diagram: Group Priority Matrix, marked "Sample Only". Capabilities are plotted by Impact (strategic, financial, reputational), from Lower to Higher, against the Gap between the current and desired capabilities, from Lower through Intermediate to Higher; the quadrants are labelled Lower Priority, Medium Priority, High Priority and Highest Priority.)
IT&T Security Capabilities Required (numbering does not represent priority):
  • GOVERNANCE
  • 1. Strategic Direction
  • 2. Organisation
  • 3. Approach
  • 4. Communications
  • OPERATIONS MANAGEMENT
  • 5. Physical
  • 6. IT Service Delivery
  • 7. IT Service Support
  • IDENTITY & ACCESS MANAGEMENT
  • 8. Registration
  • 9. Authentication
  • 10. Authorisation
  • RESOURCE MANAGEMENT
  • 11. Identification
  • 12. Classification
  • 13. Protection
  • THREAT & VULNERABILITY MANAGEMENT
  • 14. Monitoring & Compliance

7
Risk Management
(Diagram: Identify Risks, Minimise Risk, Identify Threats, Identify Vulnerabilities)
  • Risk: exposure to loss or damage
  • Threat: activity that represents possible danger
    to Confidentiality, Integrity, Availability (CIA)
  • Vulnerability: weakness that could be exploited
    by a threat

8
Threats & Vulnerabilities
  • Past
  • Present
  • Future

9
Past
  • External: hold-ups, theft (assets, IP)
  • Internal: theft, fraud, succession

10
Present
  • External: more, faster, higher value
  • Internal: smarter, more access to information,
    motive
  • Electronic transactions exceed branch-initiated
    transactions
  • 3m NetBank customers (50% increase on previous
    12 months); 40m transactions (60% increase on
    previous 12 months)
  • Fraud hotspots
    • Customer PC: keyboard logger and malicious code
    • Identity theft
    • Ghosted website
  • Worm/virus
    • Slammer (8 mins)
    • Blaster (18 hours)
    • Infection vectors: home users, hibernating
      laptops, direct rogue connections (WiFi, dialup)

11
Future
  • Fraudster profile
  • Terrorists
  • Regulators
  • Vulnerability management (network perimeter, AV,
    patching)
  • Customer pilfering
  • Brand

12
Management Reporting: Service Providers
  • Security Management Reports
  • Incident Reports
  • Compliance Statements
  • Independent Reviews

13
Executive Management Reporting
  • Detailed Status Reports
  • Summary Reporting
  • Security Policy Exemptions
  • Security Incidents
  • Security Compliance

14
Executive Management Reporting
(Image of a sample executive report, marked "Sample Only")

15
Questions