Tom McCann - Sopra


Transcript of Tom McCann - Sopra

Page 1: Tom McCann - Sopra

SOCITM Conference Oct 2009 1

TOGETHER TALENTED

Navigating a safe course to better information assurance

Enabling Your Business

Page 2: Tom McCann - Sopra


Agenda

1. Introduction
2. Context
3. Government perspective
4. Assistance available
5. Point of view

Page 3: Tom McCann - Sopra


Wrecks – A brief history of non-protection

Government, healthcare and education sectors accounted for 60% of data breaches and 60% of identities exposed*

*Symantec ISTR vol. XIII, Apr 2008

Page 4: Tom McCann - Sopra


Data Protection

Reported DPA breaches: 578 since Nov 07

Private sector 172
NHS 162
Local Government 69
Central Government 56

"No organisation handling information can guarantee it will never experience losses. But people have a right to expect that their public services achieve and maintain high standards in this important area. Those involved in delivering those public services must work harder and be more effective to meet and exceed those expectations."

(Sir Gus O'Donnell)

Page 5: Tom McCann - Sopra


So what?

Page 6: Tom McCann - Sopra


Personal data is now pervasive

Diagram layers (left to right): Network, End Point, Application, DB/FS, Storage

Components shown: Internet, WAN, Other sites & Partners, Portals, Web Servers, Core App, Custom App, Enterprise App, Exchange Server, Database, Replicated Database, File Server, Disk Storage, Backup Disk, Backup Tape

Page 7: Tom McCann - Sopra


Major threat areas

Diagram layers (left to right): Network, End Point, Application, DB/FS, Storage, with the same components as the previous diagram (Internet, WAN, Other sites & Partners, Internal Portals, Web Servers, Enterprise App, Core App, Custom App, Exchange Server, Database, Replicated Database, File Server, Disk Storage, Backup Disk, Backup Tape)

Numbered threats on the diagram:

1 Media lost or stolen
2 Disks stolen or discarded media exploited
3 Packets sniffed in transit (marked at several points on the diagram)
4 Privileged User Breach (DBA/FSA)
5 Database/File Server Hack
6 (Semi) Trusted User Misuse
7 Unintentional Distribution
8 Privileged User Breach
9 Application Hack
10 (Semi) Trusted User Misuse
11 Unintentional Distribution
12 Physical theft of media or lost media exploited
13 Trojans / Key Loggers
14 Unintentional Distribution
15 Public Infrastructure Access Hack

Risk legend: High Risk / Medium Risk / Low Risk (the per-threat ratings are not recoverable from the transcript)

Page 8: Tom McCann - Sopra


World Economic Forum 2009

Page 9: Tom McCann - Sopra


PCI DSS

Requirements for Compliance:

Access Control & Management
Encryption
Key Management
File Integrity Monitoring
Logging
Log Review
Information Security Policies
Network Security
Vulnerability Management

PCI Remediation Strategy

Key Focus Areas for PCI Compliance:

Build & Maintain a Secure Network
Maintain a Vulnerability Management Program
Protect Cardholder Data
Implement Strong Access Control Measures
Regularly Monitor & Test Networks
Maintain an Information Security Policy

Page 10: Tom McCann - Sopra


Real risk of compliance fatigue

Stakeholders shown: ICO, Finance, Legal, Risk, Internal Audit, External Audit, Corporate Services, Policy, Privacy, BCP, InfoSec, Op' Risk, ICT, Citizens, Council, Central Gov't, LGA

Increasing stakeholder demands
+ Expanding risk & control oversight functions
+ Changing law, policy & directives
= Business fatigue, lack of co-ordination, duplicate effort, risks falling between the cracks, competition for attention

Page 11: Tom McCann - Sopra


IA challenges facing Public Sector

Government agenda: shared services vs privacy vs efficiency; citizen centric – more online services

Global development

Citizen expectations

Growing threats to UK Plc

Expanding compliance requirements

New CIA – Convenience / Interoperability / Affordability

Page 12: Tom McCann - Sopra


Reviews Conducted

HMRC – Poynter Review (Kieran Poynter, PwC) June 2008

MOD – Burton Review (Sir Edmund Burton) June 2008

Data Handling Review (Sir Gus O’Donnell) June 2008

Data Sharing Review (Richard Thomas & Dr Mark Walport) July 2008

Data Handling Report | Security Policy F/Work | Government Reviews | New Guidance | IA Maturity Model | Looking Forward

Page 13: Tom McCann - Sopra


Reefs and rocks – where things go wrong

Cost reduction pressures

Competing business priorities: now vs secure

Failing to effectively risk manage 3rd parties: outsourcing … development … hosting … testing

New initiatives: cloud computing … offshore …

Mobility: remote working … mobile computing (32GB of data on a mobile phone..)

Compliance fatigue

Page 14: Tom McCann - Sopra


Data Handling Report

Key DHR Recommendations

Core measures to protect personal data and other information across Government;

A culture that properly values, protects and uses information;

Stronger accountability mechanisms; and

Stronger scrutiny of performance.


Page 15: Tom McCann - Sopra


Charts to help you


Replaced Manual of Protective Security (MPS)

Collective responsibility to protect assets
Must be able to share information
Must have confidence in people
Business resilience

Mandated Protective Security Policy
For HMG Departments and their Agencies
Includes IA Policy
70 Mandatory requirements

4 Tiers
Tiers 1-3 Not Protectively Marked: available to public & WIAC via CSIA
Tier 4 Restricted: available through accredited route

New ICO Powers
Monetary Penalties
Assessment Notices (without permission)
New EU e-privacy legislation will drive 'Breach Notification' requirement (2-3 years)

Page 16: Tom McCann - Sopra


The High Level View

National Information Assurance Strategy (NIAS)

Security Policy Framework (SPF): 70 Minimum Mandatory Measures

Information Assurance Maturity Model (IAMM)

HMG IA Standard No. 6

Data Handling Review Guidelines

Cyber Security Strategy of the UK

Data Protection Act

Freedom of Information Act

Accreditation

CoCo's

Other Legal / Compliance Requirements (PCI, RIPA, etc)

Page 17: Tom McCann - Sopra


Some new lighthouses

Local Authority Data Handling Guidelines

Data Handling (NHS)

Enhanced Governance
Govt level – IADG / IAOB
Locally – SIRO / Data ownership
Improved professionalism - IISP

IA Good Practice Guides (currently 15)
Outsourcing
Data Aggregation
Laptops
Remote working
Secure bulk data transfers

IA Standards
Existing standards reviewed
New risk assessment methodology
New Standards (IAS 6)


Page 18: Tom McCann - Sopra


Protecting personal data

HMG IA Standard No.6 - Protecting Personal Data and Managing Information Risk

Outlines the minimum measures that MUST be implemented by Departments & Agencies bound by the SPF.

Key Principles
Departments and delivery partners must protect personal data
Sensitive personal information must be handled in accordance with specific measures
Those with access to sensitive personal data must have appropriate training.

Page 19: Tom McCann - Sopra


Government model for IA

INTRINSIC: Design in IA

EXTRINSIC: Evaluate Solutions; Determine Residual Risk

IMPLEMENTATION: Build in IA

OPERATIONAL: Ongoing IA Management

"The pressure is to deliver quicker, but the advantage will be on those who can build in assurance" (Sir E. Burton)

Page 20: Tom McCann - Sopra


IA Maturity Model (IAMM)


The IAMM and IA Assessment Framework were published in Sept 2008 to help Senior Information Risk Owners (SIROs) develop IA maturity within their Departments

Will assist boards to report improvements in their IA and IRM in their annual reports to Cabinet Office.

Incorporates SPF and DHR requirements and is aligned to ISO 27001.

Departments will need to provide evidence of IA maturity in their Agencies, NDPBs and delivery partners

5 levels – Initial (1) to Optimised (5)

Self-assessment and supported self-assessment

Page 21: Tom McCann - Sopra


On the horizon

NIAS Delivery

Continued focus on DH (greater ICO powers)

Increased focus on: Training, Audit, Benchmarking

WIAC adoption: DH guidelines, SPF, Governance measures

Delivery Partner scrutiny

Partner with Industry Initiative (PWI)

Government Cyber security strategy

PCI incorporated into policy


Page 22: Tom McCann - Sopra


Safety equipment

Education, education, education!

Through-life assurance approach: build security in & prove it

Risk management advice: CESG CLAS scheme

Ensure 3rd parties know what they need to do & do it! Flow down any CoCo requirements

Technology solutions: encryption, DLP, etc

Proven ability to react in the event of an incident: forensics readiness

Ongoing technical assurance: CESG CHECK scheme
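As an added example, not from the presentation, here is the kind of content check a DLP tool or an outbound-mail filter runs to catch the two identifiers this deck's DPA and PCI DSS slides are concerned with: UK National Insurance numbers and payment card PANs. The NI prefix rules and the Luhn check digit are the published formats; the sample text and the function names are constructed for this example.

```python
"""Added example: a minimal DLP-style scan for UK National Insurance numbers
and payment card PANs. Written for this page; not part of the presentation."""
import re

# NI number: two letters, six digits, suffix A-D; spaces between groups optional.
NINO_RE = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b")
# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Published NI number prefix rules: first letter is never D, F, I, Q, U or V;
# second letter is never D, F, I, O, Q, U or V; these prefixes are never issued.
_BAD_FIRST = set("DFIQUV")
_BAD_SECOND = set("DFIOQUV")
_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def nino_prefix_ok(prefix: str) -> bool:
    """True if the two-letter prefix could belong to an issued NI number."""
    return (prefix[0] not in _BAD_FIRST
            and prefix[1] not in _BAD_SECOND
            and prefix not in _BAD_PREFIX)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; rejects most random digit runs that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_personal_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) for each validated hit, in document order.

    Only masked values are returned, so the finding itself is not a second
    copy of the data it reports.
    """
    hits = []
    for m in NINO_RE.finditer(text):
        prefix, suffix = m.group(1), m.group(5)
        if nino_prefix_ok(prefix):
            hits.append((m.start(), "NINO", f"{prefix}******{suffix}"))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), "PAN", "*" * (len(digits) - 4) + digits[-4:]))
    hits.sort()
    return [(kind, masked) for _, kind, masked in hits]


# Constructed sample: one valid NINO, one with a prefix that is never issued (Q),
# one Luhn-valid test PAN, one PAN with a bad check digit, and a phone number
# that is too short to be a PAN.
SAMPLE = ("Claimant AB 12 34 56 C paid with 4111 1111 1111 1111. "
          "Ignore QQ 12 34 56 C, 4111 1111 1111 1112 and tel 0207 123 4567.")

if __name__ == "__main__":
    for kind, masked in scan_for_personal_data(SAMPLE):
        print(kind, masked)
```

The format validation is what keeps a scan like this usable: a bare digit-run regex flags phone numbers, invoice numbers and reference codes, and the resulting noise is how "Unintentional Distribution" alerts end up ignored. The same two checks apply equally to data at rest on the file servers and backup media in the threat diagram, where the question is whether the data should be there at all.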

Page 23: Tom McCann - Sopra


Prove that your security is effective

Penetration test(s) (annual / bi-annual / quarterly), including CHECK

External Network Mapping

Vulnerability Scanning Service of external network

Monthly reports

Workshops with Security Consultants

Page 24: Tom McCann - Sopra


Point of view

The recent global events around data loss have been cause for significant reflection as to the effectiveness of information risk management & compliance globally – expect more ‘regulation’

The pace of change in UK Government in particular has been unprecedented – the assurance elements have yet to mature

The quality and clarity of the guidance available in the UK are unlike those of any other country globally

It is possible to implement an information centric security assurance strategy which reduces compliance cost and minimises duplication of effort

Effective information assurance supported by sound governance is key to not repeating the mistakes of the past

Page 25: Tom McCann - Sopra


A final word from the Information Commissioner

… The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness. I have made it clear publicly on several occasions over the past year that organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. … Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence. …

Richard Thomas

April 2008

Page 26: Tom McCann - Sopra


Questions …?