Resiliency and the Next Generation Business ~ The ISO 27001 Way
Awareness on Security Risks and Tools to Mitigate Risks
3i Infotech’s perspective on Confronting Security Challenges
6th June 2011
2 - Confidential
…every organization is at risk

Web Threats
• Virus
• Spyware
• Phishing
• Dangerous files
• Dangerous websites
• Content scanning
• Reporting
• File sharing
• URL filtering
• Trusted domains
• Lexical / keyword analysis

Access Restrictions
• Online shopping
• Oversize downloads
• Non-business downloads
• Games
• File sharing
• Stock trading
• Inappropriate language
• Social networking
• Streaming media
• Time & MB quotas

Data Leakage
• Intellectual property
• Confidential data
• User authentication
• Web-based
• Unauthorized uploads
• Private information
• Policy breaches
• Data integrity
• Data storage & disposal

[Diagram: INTERNET ↔ YOUR ORGANIZATION, with the web incoming and web outgoing paths each marked "?"]
… and financial organizations even more so

E-Finance
• E-Finance's four primary categories:
  – Electronic Funds Transfer (EFT)
  – Electronic Benefits Transfer (EBT)
  – Electronic Data Interchange (EDI)
  – Electronic Trade Confirmations (ETC)
• E-Finance accounts for over $10 trillion a day
• The percentage of banking done online has risen from 5% to 60% in 7 years
• Proliferation of e-credit mechanisms
• Additionally, the communications channels used for E-Finance have grown:
  – Home PCs
  – E-Banking
  – Phones and PDAs

Mobility
• The number of connected countries and individuals has exploded globally
  – Internet availability in developing countries
  – 90% penetration of mobile phone markets
  – Wireless applications for daily business

• Electronic Fraud
  – Identity theft
  – Access manipulation
• Security Breaches
  – Hacking
  – Viruses and "spy-ware"
Service Organizations Are Evolving …to meet customer demands
Open computing environments increase the RISK EXPOSURE
Risk Exposure
...and business impact thereof

Data: Legal Records, R&D Information, HR Records, Customer Records, Financials
An attack here can result in:
• Loss of data integrity
• Theft of data
• Loss of privacy
• Legal liability

Infrastructure services: DNS, NT Domain, DHCP, NTP, LDAP, RADIUS, X.509 CA
An attack here can result in:
• Loss of authentication key integrity
• Loss of access to resources
• Loss of availability
• Network slowdown
• Network shutdown

Applications: Project Mgmt, Web, Sales Automation, Telephony, Exchange, SQL, ERP
An attack here can result in:
• Loss of confidentiality
• Loss of business function
• Business shutdown

Implications of loss of Availability, Integrity, Confidentiality, Privacy and Competitive information:
• Loss of competitive advantage
• Penalties
• Loss of reputation
• Loss of customer confidence

Risk Exposure = f($)
Thus, the need to build resiliency …to counter risks

Security
  How: Uncover vulnerabilities with the latest attacks and evasions
  Result: Reduce risk by ensuring the system is protected against the latest day-0 attacks and that sensitive data is secured

Performance
  How: Under high load, determine hidden stress fractures and the ability to scale
  Result: Improve performance by validating data centre design and configuration; determine performance under load under various changing conditions

Stability
  How: Simulate real-world conditions (malformed packets) to determine system-wide stability
  Result: Proactively identify areas of weakness to prevent system degradation or costly downtime

RESILIENCY spans: Network Infrastructure, Database Systems, Application Software, Information Assets, IT Resources (assurance for resilient business operations)
3i Infotech's IT Resiliency Architecture …aligned to IT Security & Continuity Standards

RESILIENCY FRAMEWORK
• Metrics and Goals
• Security Assurance
• Stability Reviews
• Best Practices
• Automation Tools
• Performance Engineering

IT Security & Continuity Standards: ISO 31000, NIST, OSSTMM, OCTAVE, COBIT, Security Baseline, OECD, COSO, ISO 27000, OWASP, RISK IT (from ITGI)
Regulatory Compliance: DSS, PII, HIPAA, SOX, Basel II, etc.
Resiliency Architecture implemented by 3i Infotech …for assurance of IT Risks & Controls

APPLICATION SECURITY ASSURANCE
• Script-based Penetration Testing
• Vulnerability Assessment
• App. Security Gap Analysis
• App. Security Functionality Testing
• App. Static Code Review & Scanning
• Security Code Review

DATABASE SECURITY ASSURANCE
• DB Architecture Review
• DB Vulnerability Assessment
• DB Penetration Testing
• User Rights Audit
• DB Audit

INFRASTRUCTURE SECURITY ASSURANCE
• Security Architecture Review
• White-Blue-Black Hat or Overt-Covert Testing
• Host Hardening Assessment & IDS Benchmarking
• Security Configuration Audit

INFORMATION PROTECTION & SECURITY ASSURANCE
• Data Protection Assessment
• Privacy Impact Assessment
• Data Security Standards Compliance Testing
• Data Privacy Audit

PERFORMANCE ENGINEERING
• Baseline Testing
• Load Testing
• Stress Testing
• Spike Testing
• Volume Testing
• Endurance / Soak Testing

STABILITY REVIEWS
• Consistency Verification Test
• Recovery/Failover Testing
• Random Destruction Testing
Resiliency Architecture – Infrastructure Security …Infrastructure resilience through logical and physical controls

[Diagram: Network & File Servers; FIREWALL / IDS/IDP / AAA – TACACS / TOOLS; LAN: Internal Services; LAN: Client #1; LAN: Client #2]

Network level
• WAN, LAN / VLANs segregating the Development and Production areas

Operating system level
• Segregation through the Active Directory system

Application level
• Unique user id and password

Physical access level
• General area: identification cards, automated access control systems
• Sensitive area / data centre: biometric access system
Resiliency Architecture – Data & Info Security
Limited data security and privacy breaches ~ 99.9%

Sensitive Information Management: DISCOVER, PROTECT, MANAGE

Lower the Cost of Compliance
→ Discover, document and assess all sensitive data locations
→ Respond quickly to new legislation (PII, FDA, SEC, Data Protection Act etc.)

Protect against Data Breaches (internal & external)
→ Secure and mask sensitive data
→ Ongoing monitoring and audit of access controls

Extend across Enterprise Applications / Databases
→ Packaged or custom applications on Oracle & SQL Server
→ Automated discovery and metadata classifications

Fast Time to Value
→ Automated discovery/scanning
→ Template-driven configuration & flexibility
→ Rapid implementation
Resiliency Architecture – Data & Info Security
An automated approach to Data Protection & Security

Sensitive Information Management™ Platform: DISCOVER, PROTECT, MANAGE
Repeatable Auditing, Masking and Monitoring

Compliance Template (PCI): Credit Card #
Compliance Template (PII): National ID #, Name, Address, Driver's License #

• MANAGE PRIVILEGED ACCESS
• MONITOR USER ACTIVITIES
• RESPONSIVE AUDIT & COMPLIANCE: reporting & documentation; alerts, breach notifications
• SECURE DATABASE ACCESS: Prod, Non-Prod, Offshore/Outsource

Users covered: Employees, Customers, Partners, Business/Information Users, IT Users, Contractors
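The template-driven discover-and-mask cycle the two slides above describe (a PCI template for card numbers, a PII template for national IDs, masked copies for non-prod and offshore use) can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not code from 3i Infotech's Sensitive Information Management platform. The table rows, column names, the NNN-NN-NNNN national ID layout and the "keep last four" mask are assumptions made for the illustration. The point it makes that the slides do not: a bare digit-run regex also flags order references and timestamps, so the PCI template needs a Luhn check before a column is classified or a value masked.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample rows standing in for a scan of one customer table.
# Column names, values and the card / ID layouts are assumptions for this example.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"cust_name": "Asha Rao",  "pan": "4111 1111 1111 1111", "nid": "123-45-6789", "memo": "VIP"},
    {"cust_name": "Ben Ortiz", "pan": "4111-1111-1111-1112", "nid": "n/a",         "memo": "ref 2011060612345"},
    {"cust_name": "Chen Li",   "pan": "n/a",                 "nid": "987-65-4321", "memo": "ok"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; without it a digit-run regex flags reference numbers too."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_keep_last4(text: str) -> str:
    """Display mask: every digit except the last four is replaced."""
    digits = re.sub(r"\D", "", text)
    return "*" * (len(digits) - 4) + digits[-4:]


class Template:
    """One compliance template: a pattern, an optional validator and a masker."""

    def __init__(self, name: str, label: str, regex: str,
                 validator: Optional[Callable[[str], bool]] = None,
                 masker: Optional[Callable[[str], str]] = None) -> None:
        self.name = name
        self.label = label
        self.pattern = re.compile(regex)
        self.validator = validator or (lambda s: True)
        self.masker = masker or (lambda s: "*" * len(s))

    def hits(self, value: str) -> List[str]:
        """Validated matches only; regex candidates that fail validation are dropped."""
        return [m.group(0) for m in self.pattern.finditer(value) if self.validator(m.group(0))]


# PCI template: 13-19 digit PAN, digits optionally separated by spaces or hyphens.
PCI_CARD = Template(
    "PCI", "CreditCardNumber", r"\b(?:\d[ -]?){12,18}\d\b",
    validator=lambda s: luhn_ok(re.sub(r"\D", "", s)),
    masker=mask_keep_last4,
)
# PII template: national ID in an assumed NNN-NN-NNNN layout (the layout is an assumption).
PII_NATIONAL_ID = Template(
    "PII", "NationalID", r"\b\d{3}-\d{2}-\d{4}\b",
    masker=lambda s: "***-**-" + s[-4:],
)
TEMPLATES = [PCI_CARD, PII_NATIONAL_ID]


def discover(rows: List[Dict[str, str]], templates: List[Template]) -> Dict[str, Dict[str, int]]:
    """DISCOVER: column-level classification, column -> {label: validated hit count}."""
    found: Dict[str, Dict[str, int]] = {}
    for row in rows:
        for col, value in row.items():
            for t in templates:
                n = len(t.hits(value))
                if n:
                    found.setdefault(col, {})
                    found[col][t.label] = found[col].get(t.label, 0) + n
    return found


def mask_rows(rows: List[Dict[str, str]], templates: List[Template]) -> List[Dict[str, str]]:
    """PROTECT: masked copy for non-prod / offshore use; the source rows stay untouched."""
    masked = []
    for row in rows:
        out = {}
        for col, value in row.items():
            for t in templates:
                value = t.pattern.sub(
                    lambda m, t=t: t.masker(m.group(0)) if t.validator(m.group(0)) else m.group(0),
                    value,
                )
            out[col] = value
        masked.append(out)
    return masked


if __name__ == "__main__":
    print("classification:", discover(SAMPLE_ROWS, TEMPLATES))
    for row in mask_rows(SAMPLE_ROWS, TEMPLATES):
        print(row)
```

On the constructed rows the "pan" column is classified as CreditCardNumber from the one Luhn-valid value, "nid" as NationalID, and "memo" is not classified at all: its 13-digit reference matches the card pattern but fails Luhn, so it is neither counted nor masked. The same classifier is what the outgoing-traffic "lexical / keyword analysis" on the earlier slide would run over web uploads.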
Resiliency Architecture – Data & Info Security
An automated approach to Data Protection & Security

Data Protection & Information Management Platform
• Sources: PROD DATABASES, NON-PROD DATABASES, APPLICATIONS
• Platform components: DEFINITIONS, METADATA, CLASSIFICATIONS, TEMPLATES, RESULTS, HISTORY / LOGS, RULES, ACCESS CONTROLS
Resiliency Architecture – Asset Management …Software Asset Management Compliance driving > 70% optimization

IT Compliance – Balancing the need
• User: best tools to improve productivity
• Publisher: abide by policies, sub-policies and upgrades
• Management: optimize licenses

Create
• Created a streamlined SAM process
• Evaluate the appropriate tools to meet collective user needs

Refine
• Capture user request / approvals
• Parameters to conduct inventory
• Up-to-date purchase records

Detect
• Evaluated and implemented an open-source auto-discovery tool
• Software usage metering
• Reconcile purchase records

Discipline
• Enforced through HR & legal policies
Resiliency Architecture – Asset Management …Software Asset Management Compliance

1. Capture the need of a user / business request.
2. Check for availability in the inventory?
   – Yes: allocate the asset to the respective business and debit the cost.
   – No: evaluate the best alternatives and raise the purchase request.
3. Once purchased and delivered, add to inventory and directly allocate to the business groups.
4. If the business says it is not required now, move the asset back to inventory for re-allocation.
Value Delivered ~ Integrated approach to IT Services
An Example of Test Automation Services delivered on a VPN

"abc" Client Org.
• Application under test and its tester
• VPN port with a static IP, behind firewall / network policies
• VPN server

"xyz" Services Org.
• VPN client, behind firewall / network policies
• RDP security login
• Tester & application testing tool (HP QTP)
• HP License Server, behind firewall / network policies

[Diagram: Tester1 traversing Level 1 to Level 4]
Thank You