Post on 26-Dec-2015
June 13 - 15, 2010 · February 27, 2010
Enterprise Computing Community

Information Security Industry View
Linda Betz, IBM Director IT Policy and Information Security
Agenda
• Challenges in Enterprise IT Security Today
• Options to address IT security challenges
Primary Cause of data breach

Figure: primary cause of data breach (pie chart; source: Ponemon Institute, LLC; 2007 Annual Study: U.S. Cost of a Data Breach)
• Lost laptop or other device: 49%
• Third party or outsourcer: 16%
• Malicious insider: 9%
• Paper records: 9%
• Electronic backup: 7%
• Hacked systems: 5%
• Malicious code: 4%
• Undisclosed: 2%

Nearly half of the reported breaches trace to a lost or stolen device rather than to an intrusion, which is why endpoint controls such as drive passwords, screen locks and encryption carry so much weight later in this deck.

"Security is evolving from the traditional, perimeter-centric model of protecting infrastructure to a data-centric model that protects information"

"…according to Gartner, insider threats are responsible for about 70% of security breaches" (Pervasive Security in a Connected World, Wachovia, April 2007)

Gartner estimates a breach of customer information can cost a company from $50 to $1,000 per customer record, depending on the number of accounts impacted. Typical costs include:
• Brand reputation
• Lost customers
• Loss of revenue
• Audit fees
• Call center expenses
• Notification costs
Litigation and regulatory fines drive the numbers even higher.

As the risks expand and the cost of the associated losses increases, data protection is top of mind.
Challenges of Enterprise Security Today
• Global employees
– Building infrastructure that gives people access to data while controlling access to key data
– Wanting to work from anywhere, on any device
– Blurring of lines between personal and business activities
– Global resourcing
• Financial challenges and global competition
• Global business partners
– Allowing controlled access to data by third parties
• Concern about protecting client data, company intellectual property, and regulated data
• Worldwide regulations about handling data: cross-border data flow, personal information, government data
• Enabling business
• Increased sophistication of hackers
IBM's Global Operations – A Challenge to secure
Figure legend: major employee sites, customer fulfillment, manufacturing, employee service centers, IBM Research centers, IBM internal data centers
• 400,000 employees
• Approx. 200,000 contractors
• $102 B revenue in 2009
Variety of options to address security challenges
• Risk assessments
– Communication mechanism
– Prioritization
– Acceptance of residual risk
• Policies
– Centralized or decentralized
– IT, employee, third party
• Technical solutions
– Layers of defense
– Preventative (ex: DLP)
– Educational (ex: DLP)
• Compliance programs
– Self testing
– Internal audit
– External audit
– Tools to automatically test
• Security awareness and training
• Crisis management program
– Ability to move work
– Loss of customer data
– Loss of regulated data
• Penetration testing
IBM IT Security Transformations
Figure: timeline from 2000 to 2012 with scope of protection on the vertical axis. Transformations as labeled, in order: Network Security Architecture; Threat Evaluation / Incident Mgt.; Malware Mitigation; Identity Mgt & Use What We Sell; Application Vulnerability Scanning; SPI Protection.
CIO IT security directives
• Corporate Instruction: "Information Technology Security"
– Infrastructure security standards
– Employee security standards
– Third-party security and privacy standards
– Vital business process standard
– Data classification standard
Security takes a team
• Chief information security officer
• Physical security
• Chief privacy officer
• Chief risk officer
• Procurement
• Legal
• Marketing
• Human resources
• Corporate audit
• Third parties and vendors
Defense in Depth for Blended Threat mitigation
Figure: layered controls, listed here from the endpoint outward.
• Endpoint: personal firewall, HIPS, antivirus, system policy, processes and procedures
• Local network: local network connections and firewalls, campus IPS
• Servers and gateways: server antivirus, gateway antivirus
• Perimeter: WAN firewall, router ACLs, Internet gateway IPS
• Infrastructure: policy, processes, procedures
• System configuration: current, consistent, compliant
Risk Assessment Approach
Figure: risk matrix. Horizontal axis: Likelihood of Event Occurring (in next 12 months): Unlikely / Possible / Likely. Vertical axis: Impact of Event: Low / Medium / High. Lowest risk exposure at Unlikely and Low; highest risk exposure at Likely and High.

Impact of Event
• Loss of revenue
• Increased cost
• Brand reputation negative impact
• Loss of assets
• Loss of use of infrastructure

Likelihood of Event
• How likely the event is in the next 12 months.
Workstation security tool
Scans for security compliance of all Microsoft® Windows® and Linux® end user PCs:
• Hard drive password
• Screen lock
• Encrypted databases
• Anti-virus with automatic updates
• Firewall configuration
• Limit peer-to-peer file sharing
• Password rules
• Windows service pack level
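The following is an added illustration of how such a compliance scan can be structured; it is not IBM's tool and not code from this deck. It evaluates a constructed snapshot of a Linux host (the text of /etc/login.defs, the output of `iptables -S`, the screen-lock timeout, the antivirus signature date, the running process list, and the disk-encryption and drive-password state) against seven of the eight items on the slide (service pack level, being Windows-specific, is left out), and reports pass/fail per item. The thresholds (90-day password age, 8-character minimum, 15-minute lock, 7-day signature age) and the list of peer-to-peer process names are assumptions chosen for the example, not IBM policy.

```python
"""Endpoint compliance checks modeled on the workstation security tool slide.
Added example, not IBM's tool: evaluates a constructed host snapshot against
the policy items the slide lists and reports pass/fail per item."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class HostSnapshot:
    login_defs: str            # text of /etc/login.defs
    iptables_rules: str        # text of `iptables -S`
    screen_lock_secs: int      # idle seconds before lock; 0 means never
    av_sig_date: datetime      # last antivirus signature update
    processes: list            # names of running processes
    disk_encrypted: bool       # encrypted data volume active
    hdd_password_set: bool     # ATA drive password enabled in firmware


# Assumed thresholds for the example (not IBM policy).
MAX_PASS_DAYS = 90
MIN_PASS_LEN = 8
MAX_LOCK_SECS = 900
MAX_SIG_AGE = timedelta(days=7)
P2P_PROCESSES = {"transmission-daemon", "deluged", "qbittorrent", "amule"}


def _login_def(text, key):
    """Value of a login.defs directive; commented-out lines are ignored."""
    m = re.search(rf"^\s*{key}\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def check_password_rules(snap):
    max_days = _login_def(snap.login_defs, "PASS_MAX_DAYS")
    min_len = _login_def(snap.login_defs, "PASS_MIN_LEN")
    ok = (max_days is not None and min_len is not None
          and int(max_days) <= MAX_PASS_DAYS and int(min_len) >= MIN_PASS_LEN)
    return ok, f"PASS_MAX_DAYS={max_days} PASS_MIN_LEN={min_len}"


def check_firewall(snap):
    """A default-ACCEPT INPUT chain is the weak setting; require DROP."""
    m = re.search(r"^-P INPUT (\w+)", snap.iptables_rules, re.MULTILINE)
    policy = m.group(1) if m else "unknown"
    return policy == "DROP", f"INPUT policy {policy}"


def check_antivirus(snap, now):
    age = now - snap.av_sig_date
    return age <= MAX_SIG_AGE, f"signatures {age.days} days old"


def check_p2p(snap):
    found = sorted(set(snap.processes) & P2P_PROCESSES)
    return not found, ("no P2P clients running" if not found
                       else "running: " + ", ".join(found))


def check_screen_lock(snap):
    ok = 0 < snap.screen_lock_secs <= MAX_LOCK_SECS
    return ok, f"lock after {snap.screen_lock_secs}s"


def scan(snap, now):
    """Run every check; returns {item: (passed, detail)}."""
    return {
        "hard drive password": (snap.hdd_password_set,
                                "set" if snap.hdd_password_set else "not set"),
        "screen lock": check_screen_lock(snap),
        "encrypted data": (snap.disk_encrypted,
                           "encrypted" if snap.disk_encrypted else "cleartext"),
        "antivirus updates": check_antivirus(snap, now),
        "firewall configuration": check_firewall(snap),
        "peer-to-peer file sharing": check_p2p(snap),
        "password rules": check_password_rules(snap),
    }


def failed_items(results):
    return sorted(item for item, (ok, _) in results.items() if not ok)


NOW = datetime(2010, 2, 27)  # fixed clock so the example is deterministic

# Constructed snapshots for the example; not real hosts.
COMPLIANT = HostSnapshot(
    login_defs="# /etc/login.defs\nPASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 8\n",
    iptables_rules="-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"
                   "-A INPUT -m state --state ESTABLISHED -j ACCEPT\n",
    screen_lock_secs=600, av_sig_date=NOW - timedelta(days=2),
    processes=["sshd", "firefox"], disk_encrypted=True, hdd_password_set=True)

DRIFTED = HostSnapshot(
    login_defs="PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n",
    iptables_rules="-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n",
    screen_lock_secs=0, av_sig_date=NOW - timedelta(days=30),
    processes=["sshd", "transmission-daemon"], disk_encrypted=False,
    hdd_password_set=True)

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(f"== {name} ==")
        for item, (ok, detail) in scan(snap, NOW).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {item}: {detail}")
```

Each check returns both a verdict and the evidence it was based on, so a failing line can be acted on without re-running the collection step. In a real deployment the snapshot would be filled from the host (reading the files and running the commands named in the dataclass comments) rather than constructed inline, and the thresholds would come from the corporate standard rather than from constants in the script.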
Employee Education
• Security and data protection must always be top-of-mind.
• Reminders and tips shared with the entire workforce.
• Corporate-wide messaging created an umbrella for unit- and geo-specific initiatives.
Thanks!
Linda Betz
Director, IBM IT Policy and Information Security
lnbetz@us.ibm.com
Trademarks and notes
• IBM and the IBM logo are registered trademarks, and other company, product or service names may be trademarks or service marks of International Business Machines Corporation in the United States, other countries, or both.
• Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
• Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
• Other company, product or service names may be trademarks or service marks of others.
• References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.