NORTHCROSS GROUP
Designing & Implementing Enterprise Security Programs
MBA Bank Expo 2012
April 11, 2012
Session Purpose
• Premise:
– Security is institutionalized, but the enterprise is evolving.
– Threats are more diversified.
– Lines are more blurred.
– The rate of change is increasing.
• Enterprise Security Programs:
– Need structure and a defined scope reflective of today's factors.
– Need to plan on change.
– Agility and scalability over rigidity.
Scope & Topics
• Enterprise Security Programs:
– A current working definition of the enterprise
– The evolving cyber landscape
– Building and/or integrating programs
• Banking Operational Backdrop:
– Project Management Life Cycles (PMLC)
– System Development Life Cycles (SDLC)
– Change Management Processes
– Internal Audit
– Operational Risk Management
– New hire processes
– Training & Performance Objectives
– Third party interface management
• Steps to build (or enhance) Security Programs:
– Program hierarchies
– Integration with other processes
Evolving Enterprise
• People, networks, and systems
• Third party interfaces:
– Outsourced functions
– Direct connecting or interfacing systems
• Customers:
– Evolving devices
– Connectivity expectations
– System to system data exchanges
• Contractors and Vendors:
– Personal and vendor equipment
– Network-detecting smart phones, tablets, laptops
The Changing Landscape
• Cyber Infrastructure: the devices and networks used to create, read, update, and delete data.
• The scope of cyber infrastructure continues to expand, with different systems and devices interacting like never before.
• Security needs to account for the people that use the cyber infrastructure, the business processes followed, physical security, as well as the overall security culture in the organization.
Tradition of Security
• Strong tradition of security in banking.
• Increased focus on networks and access controls.
• Information security is standard practice.
Still applicable; but things are more inter-connected than ever and threats are coming from new quarters:
• Cyber Terrorism
• Social/Political Activists
• Industrial Espionage
Building on that Tradition
• Changing workforce, business model evolution, and increasingly inter-connected technology all require the right level of visibility and control.
• Governance and oversight need to account for more sophisticated threats from internal and external sources.
• Security should not be a project afterthought, with a patchwork of unrelated products and uncoordinated practices.
• Lack of coordination between people, processes and technology is an exploitable vulnerability.
Threat Profile
• The motivation and capabilities of internal and external threats have evolved and will continue to evolve.
• Focus on locking the door or securing transport has been a cornerstone.
• Broader focus:
– Terrorism
– Distributed criminal activity
– Media focused attacks
– Reputational impact
Programs for the New Enterprise
• Focus on existing processes that operate your environment or change it:
– Project Management Life Cycle (PMLC)
– System Development Life Cycles (SDLC)
– Change Management
– Business Process Management (BPM)
– Vendor Management Offices
– Human Resources
– Internal Audits
Connecting Operations & Solutions
Program Hierarchy
Figure: Cyber Security Program, Supporting Plans, Policies & Procedures, Actions; program domain: Interfaces, Awareness, Culture, Knowledge.
• Programs describe the management, oversight aspects, and scope.
• Plans support the program by detailing how the objectives are to be met.
• Policies and procedures provide details of how to implement the tasks identified in the plans.
• Dealing with a broad spectrum of vulnerabilities:
– Traditional information technology security realm
– Physical security
– Existing or lacking policies and procedures
– Corporate culture
Integration Mechanics
• Craft a program that integrates with the organization's existing structure.
• Tailor support to provide as much direct support or consultative services as needed.
• Create practical and actionable roadmaps that can be measured and tracked.
• Programmatic governance and oversight from start to finish.
Figure: Enterprise Security Program touch points: Policies & Procedures, PMLC & SDLC, New Solutions Delivery, Audits & Assessments, Job Aids & Training.
Health Check
• Step back and take a quick look.
• Use an independent group or external party.
• Conduct a capabilities assessment:
– Strengths, to build on them.
– Weaknesses, to remediate them.
– Gaps, to address them.
– Opportunities, to leverage them.
• Specifically look at the Enterprise Security Confluence:
– Physical
– Cyber
– Security Culture
– Banking Processes
Enterprise Security Checklist
Program and oversight elements:
• Secure automation to support oversight & governance
• Security policies and procedures
• Security program development and operations support
• Risk Assessments
• Security Planning
• Security Design & Implementation
• Security Awareness Program
• Security Management
• Compliance Audits
• Vulnerability & Penetration assessments
• Compliance risk assessments and audits
• Application security
Technical control layers:
• Perimeter Layered Security
– Firewalls
– Intrusion Detection and Prevention (IDS/IPS)
– Encrypted VPNs
– Virus protection
– Data in transit encryption
• Internal Layered Security
– System / device hardening
– Database security and hardening
– Data at rest encryption
– Security Information and Event Management (SIEM)
– Desktop security
– Incident response
Roadmaps
• Roadmaps should account for the realities of timelines and resource availability.
• Prioritization, accountability, and defined responsibility are essential.
• Roadmap efforts need to be tracked and revisited to adjust as necessary.
Must Have Items: high risk and/or strong opportunity items to be accomplished in the very near term.
Will Have Items: items that will be scheduled as part of other future efforts or future projects.
Might Have Items: items that will be accomplished if other efforts or opportunities come to fruition.
Getting Started
Scope Refinement & Baseline Risk Assessment
• Model the operating environment, noting interdependencies and management relationships.
• Cyber security controls, functions, and interfaces are captured.
• Consideration of management, communications, technology, training, and environment will be applied.
• Areas of immediate attention or concern are noted to prioritize effort.
• Use multiple methodologies:
– Scans: server, network, workstation, routing/switching
– Pen-tests
– Policy & procedures / program reviews
– On-site interviews
– Architecture review
– Hardening process review
– Lifecycle process review
• Prioritized list of findings and recommendations.
• Update of assessment information to memorialize effort.
Building a Roadmap
• Use assessment prioritization.
• Specific steps to address important cyber security elements.
• Provide immediate value and provide the foundation for subsequent efforts.
• Address key vulnerabilities and identify focus areas.
• Manage efforts to mitigate or eliminate risk in coordination with management direction.
• Immediate returns on investment, and supports scalability into the future.
Program Management
• Evaluate the design and performance.
• Provide implementation support.
• Provide dashboard tracking.
Program Implementation
• Account for and assess in-flight projects and initiatives for an early warning of potential issues or risks.
• Initiating steps that implement processes and a framework to drive the Security Program:
– Successfully execute the program to protect cyber assets (external & internal).
– Establish oversight and governance of the program and its effects.
– Operationally achievable and repeatable methodology.
• Data and information management:
– Access controls to information
– Identify patterns
– Trend analysis
– Data from running the program and addressing cyber security needs
– Data from how the program runs, to address deficiencies and identify improvements
• Training and communication channels
• Closed feedback loop to support continuous improvements.
Typical Implementation Steps
1. Outline purpose, objectives, milestones and resource requirements for the program.
2. Identify a core cyber security steering group comprised of representatives from all stakeholder groups.
3. Organize and train the steering group:
a) Review overall approach and program components
b) Establish expectations and responsibilities
c) Define engagement model for tasks
d) Review tools and analysis techniques
e) Approach for supporting plant operational needs
4. Refine program purpose, objectives, milestones, and resource requirements.
5. Create enterprise/organizational models to organize data, define ownership, and identify relationships.
Themes for these steps: lay out program supporting plans; engage the right resources; reassess and validate; capture the organization (roles & responsibilities).
Steps continued…
6. Review and prioritize focus areas for cyber security efforts.
7. Define audits/assessments to look at the design and performance of cyber security controls.
8. Establish an Emergency Response Team and develop the security incident response plan, its implementation, and a process to maintain and update it.
9. Prepare action plans and supporting data and access requirements.
10. Establish a comprehensive cyber security training program and information resources.
11. Establish risk assessment work plan.
12. Establish risk management work plan to implement the risk management process flow:
a) Implement automated data collection and reporting
b) Data extraction for data analysis
13. Establish regular security reviews.
14. Establish incident and change analysis and review process.
Themes for these steps: prioritize effort; action plan & supporting tasks; sustainable processes; closing the loop (data and validation processes).
Program Governance
• Security plans (across physical, cyber, etc.) are often started from decentralized efforts, but need to be controlled and guided.
• Establish a standing presence:
– Standing Integrated Program Office
– Complementary program responsibility
– Outsourced support
• Articulate expectations:
– Target objectives
– Methods to achieve objectives
– Measures to recognize success
Key Steps
• Chartering a steering group to oversee efforts
• Crafting parameters for roles and responsibilities
• Setting standards
• Establishing common measures
• Developing supporting policy
• Demonstrating executive buy-in
• Defined accountability and