2003 ANNUAL PCIE / ECIE CONFERENCE
PANEL DISCUSSION:
IT SECURITY: BEST AND PROMISING PRACTICES

MIKE DONAHUE
PARTNER, GLOBAL RISK MANAGEMENT SOLUTIONS
MARCH 25, 2003




                    PwC
FEDERAL AUDIT PERSPECTIVE

• SOCIAL SECURITY ADMIN
• BUREAU OF ATF
• DEPT OF JUSTICE
• PBGC
• GENERAL SERVICES ADMIN
• DEPT OF LABOR
• DEPT OF DEFENSE
• DEPT OF TREASURY
• US HOUSE OF REPS
• DEPT OF AGRICULTURE
• DEPT OF VET AFFAIRS
• DEPT OF EDUCATION
• DEPT OF HHS
• DEPT OF INTERIOR
• DEPT OF STATE
• NASA

                                PricewaterhouseCoopers
       COMMON IT SECURITY ISSUES

•   GAO High Risk Area since 1997
•   Poor risk management process
•   Lack of strong C&A process
•   Unclear responsibility for security
•   Unclear policy, standards, procedures
•   Undefined security architecture
•   Lack of configuration requirements
•   Poor guidance/monitoring over 3rd parties
                ERP EXAMPLE


•   Desktop (Presentation Server)
•   External Network (WWW)
•   Internal Network (NT)
•   Application ( SAP, Peoplesoft, Oracle)
•   Database (Oracle, Sybase, Informix)
•   Operating System (UNIX)


WHERE ARE THE SECURITY CONTROLS?

[Diagram: the PAYROLL application traced across the ERP layers, top to bottom: WWW, Desktop, NT, PAYROLL, Oracle, UNIX]

ERP EXAMPLE

• Complicated Application Security Implementation
• New Technical Operating Environment
• De-centralized Data and Application Environment Accessed by Many Users
• Significant and Critical Information Being Transferred Across Networks
• Organization Not Established to Support Controls and Security in a Decentralized Environment

CONTROL MATRIX EXAMPLE

CONTROL LAYER   ACCESS CONTROLS   LOGGING CONTROLS   MONITORING CONTROLS
WWW
DESKTOP
NETWORK
PAYROLL
DATABASE
OPER. SYS.

(The matrix cells are blank on the slide: each control layer is to be assessed against each control type.)

MULTIDIMENSIONAL ORGANIZATIONAL ENVIRONMENT

AREA                              OWNER   USER   HOST   MAINT.
POLICY
ACCESS
SDLC
SYS. SW. (system software)
SEG. DU. (segregation of duties)
BCP

Information Security Framework

[Diagram, top to bottom:]
Senior Management Commitment
Security Vision and Strategy
Business Initiatives & Processes / Threats
Technology Strategy & Usage / Vulnerability & Risk Assessment
Policy
Security Model
Security Architecture and Technical Standards
Administrative and End-User Guidelines and Procedures
Enforcement Processes / Monitoring Processes / Recovery Processes
Information Security Management Structure
(Training and Awareness Program shown alongside the whole stack)

TODAY’S CHALLENGES

• Clarifying risk
• Keeping up with vendor releases/versions
• Maintaining discipline for C&A
• Understanding product standards vs. implementation/configuration requirements
• Defining cost-effective, realistic solutions
• Understanding trusted relationships


PROCESS OF CONTINUOUS IMPROVEMENT

•   Risk Assessment
•   Product/Process Selection
•   Features and Functions Selection
•   Product/Process Implementation
•   Pre & Post Implementation C&A
•   Annual Management Evaluation
•   Independent Assessment/Audit


            FINAL THOUGHTS


• Clearly defined standards and requirements
• Risk-Based Design and Implementation
• Security Integrated Into Business Solutions
• Security Plans Documented per NIST 800-18
• Improve Procurement Process; Define Security Requirements
• Measure Third Party Compliance
• Adopt Best Practices (GAO Study)

FINAL THOUGHTS

• Information security controls need to be
    • defined
    • designed
    • developed
    • tested
    • implemented
  throughout the SDLC process via a clearly defined security architecture
