OS will be talking about Data Security identified as business objective

Agenda

• Business Strategy alignment with Business Process -
• Information /Data Security identified as business objective -
• Building processes integrated with Security aspects -
• Software development,Banking ,Service industries etc. -
• Case studies -
• Key Metrics -
• Advantages of building security framework as part of the Business process

Register now for this great online workshop with one of the top experts in the field.

Most companies have good perimeter security – i.e. a firewall and an IDS or IPS. While many security people often view an IPS as the next generation of IDS; it’s important to understand the different roles of detection and prevention. Detection helps you understand what kind of attacks are being mounted (or potentially COULD be mounted on the network, and prevention (an IPS) is part of your access control  systems – a way of keeping the bad guys off your network.

However, in our experience the same companies with well-managed perimeter security do not know what’s happening inside their network.

Do you know what is happening inside your network?

Read the full article here  network surveillance.

No question is more important for mounting  effective security countermeasures. The management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and cost of potential attacks on their organization.

We all depend on transaction processing systems in order to run the business and make decisions, no matter how many employees we have. Whether you have a small business making wedding cakes or a global enterprise with 14,000 employees in 40 locations, you use information systems daily to buy, sell, pay and collect from customers.

The prevailing security model predicates defense in depth of transaction systems. The most common strategies are to mitigate risk with network and application security products that are reactive countermeasures; blocking network ports and services, detecting known application exploits, or by blocking entry of malicious code to the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.

A reactive network defense tool such as a firewall cannot protect exploitation of software defects and an application firewall is no replacement for in-depth understanding of company-specific source code or system configuration vulnerabilities.

Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.

Business Threat Modeling is based on four basic tenets:

1. Risk analysis for production software

2. Quantitative evaluation and financial justification

3. Explicit communications between developers and security

4. Sustain continuous risk reduction

You can download the Business Threat Modeling methodology for free here

]]> http://www.controlpolicy.com/2008/11/what-hackers-really-want/feed/ 0 http://www.controlpolicy.com/2008/08/using-iso-27001-for-cost-effective-risk-mitigation/ http://www.controlpolicy.com/2008/08/using-iso-27001-for-cost-effective-risk-mitigation/#comments Fri, 29 Aug 2008 13:08:32 +0000 admin http://www.controlpolicy.com/?p=20 Many small to medium-sized enterprises (SME) have  risk and privacy compliance issues similar to big companies without the big budgets.

Control Policy Group’s  free risk and compliance automation tool provides an SME with an extremely cost-effective way of collecting data, analyzing risk, meeting compliance requirements and providing effective internal security to the business.

The Control Policy risk and compliance automation tool provides 4 key benefits for an SME (besides being free…):

1. It’s quantitative: enables business decision makers to define the dollar value of assets, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
2. It’s Robust: preserve the integrity of data you collect during the risk assessment; Excel is the wrong tool for maintaining large, complex, multi-dimensional data models such as we use during a risk assessment.
3. It’s Versatile: enable a business to reuse existing knowledge in new business situations and perform what-if analysis on control scenarios without jeopardizing the integrity of the data.
4. It’s Effective: recommends the right security controls and the most effective order of implementation – saving you money.

The risk and compliance automation tool is implemented as a  plugin  ISO27001 library for PTA Professional. This PTA ISO 27001 library is a full implementation of the ISO 27001 standard and is provided free of charge to any ISO consultant or business wishing to certify to the standard. The user-friendly PTA Professional application  for Windows is available as a free download at the PTA Technologies web site. The Control Policy Risk and Compliance Automation tool is provided free of charge to end users and security and compliance  consultants and is licensed under the Creative Commons Attribution License by the Control Policy Group.

Compliance is a minimum but not sufficient requirement for risk management.

What security controls should a firm implement after a risk assessment? All, none, some?

We all know that a business can be compliant with a standard such as PCI DSS 1.1 and still suffer from a data security breach.

There are always many more available security products and services controls than threats. Many businesses find themselves coping with a long and confusing shopping list of controls specified by  standards like PCI DSS and ISO27001. You can implement all the controls in the standard (if you have deep pockets), you can do nothing (ignore the risk assessment) or you can try and get the biggest bang for your dollar by implementing the right security controls and the lowest cost.

It is well known that implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

Using the risk and compliance automation tool to get  the right security at the right price

By using the ISO27001 framework with PTA,  the business terms can construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can implement security controls consistent with its budget instead of an expensive all-or-nothing checklist of controls.

ISO27001 specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The  ISO27001 automation tool provides a systematic, and quantitative approach to risk assessment and adds value with an optimized risk mitigation program. Doing a risk audit process is faster, easier, more robust and lot more fun than with an Excel spreadsheet.

An ISO 27001 risk assessment with Control Policy involves a two-stage process:

• Stage 1 is a “first cut” review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This is done by cycling through the threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.
• Stage 2 is a detailed, in-depth audit that tests existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as “Already Implemented” in PTA Professional Edition countermeasures detail screen. Controls needing work would be tagged with an action-required status (see the tagging option of the PTA tool).

Step by Step with the ISO27001 automation tool

First download and install  the PTA Professional Edition free risk assessment software on a Windows XP PC. Then download the PTA ISO27001 library.

• Step 0 – Fire up the program
• Step 1 – Load the ISO27001.2.thl library into your own threat model or just open the ISO27001.2.thm data model in its entirety
• Step 2 – Create assets with valuations
• Step 3 – Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is agnostic; we understand that each organization has their own estimates of how much a control policy should cost.
• Step 4 – Run the Optimized Countermeasures report. You have just built a cost-justified plan of controls compliant with ISO 27001.
• Step 5 – Refine the model. Don’t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a structured methodology of continuous security assessment see the excellent article on the Software Associates Web site titled “Practical software security assessment”

The power of the PTA ISO27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes – available online Download now

If you’re an IT executive you are probably familiar with this predicament:

• You need to provide your CEO with financial justifications in Euro – not high or low risk.
• You need security controls that don’t disrupt the business.

We recommend employing a 7 step  process with the Practical Threat Analysis (PTA) free risk Assessment software that will help you generate financial justification in dollar/Euro terms before the evaluation and implementation

• Step 1 – Assess your assets and valuate them
• Step 2 – Assess and mitigate  threats:
  • Data leakage
  • Data abuse by trusted insiders
  • Network abuse by trusted insiders
• Step 3 – Assess your vulnerabilities
• Step 4 – Identify cost-effective security controls
• Step 5 – Build the financial justification for the CEO. The output of our practical threat analysis process is a financial justification for an effective risk mitigation plan. The plan includes the most cost-effective countermeasures that reduce the risk level to a minimum at a given capital and variable cost.
• Step 6 – Approve implementation plan
• Step 7 – Implement the countermeasures