A Risk Based Approach to Protecting Business Information May 2, 2006.
Transcript of A Risk Based Approach to Protecting Business Information May 2, 2006.
Page 1
A Risk Based Approach to Protecting Business Information
May 2, 2006
Page 2
Date 05/02/06 Classification: Public
A Risk Based Approach to Protecting Business Information
Who We Are
Debbie Cherry
Jeff Hittle
Information Security Consultants
Corporate Information Security
KeyBank N.A.
Cleveland, Ohio
Page 3
Agenda
• The Regulatory Environment
• Risk of Ineffective Access Control
• Principles of Good Access Control
• Applying Access Controls to Computer Applications
• Developing a Control Culture
Page 4
Regulatory Environment
Regulations
• SOX - Sarbanes-Oxley Act
• GLBA - Gramm-Leach-Bliley Act
• HIPAA - Health Insurance Portability and Accountability Act
Regulatory Agencies
• OCC - Office of the Comptroller of the Currency
• SEC - Securities & Exchange Commission
• FED - Federal Reserve Bank
Page 5
5 Steps to Managing Risk
• Identify potential risks
• Analyze and prioritize risks
• high, medium, low
• Identify avoidance strategies
• Identify mitigation options
• identify and/or establish controls
• Identify contingency strategies
• detective controls – early identification
Page 6
Risk Management Pitfalls
• Out of sight, out of mind
• Can’t see the forest for the trees (Selective bias)
• Controlling the areas you know well, but not the others (Expertise bias)
• The Spin Doctor – it’s really not so bad (Presentation Bias)
• “We have always Done it This way” (Conservatism)
• Increased ice cream sales = increased drownings (Incorrect Association of cause and effect)
• The Sin of Omission (Did I forget to mention that…)
Page 7
The Risk
An individual may have too much control over a business process
BIG PICTURE RISK
Page 8
The Consequences
• Business Information is vulnerable to
  • Employee malfeasance
  • Fraudulent transactions
  • Identity theft
  • Misstatement of financial information
  • Privacy violations and loss of personal data
• Regulatory Violations
• Bad Press and Damage to your Reputation
• Monetary Damages
Page 9
The Control
An effective access control process protects your business information
BIG PICTURE CONTROL
Page 10
Access Control Process - What is the goal, and what makes it effective?
The goal of effective access control is to ensure the right people have access to the right things based on:
• Their job function and placement in the organization
• The principles and policies of:
  • Least privilege access (minimum access required to do the job)
  • Separation of duties (no one person controls all facets of a business transaction)
  • Assignment of roles to each business process
Page 11
Access Control Process - What is the goal, and what makes it effective?
Effective access control occurs when a repeatable, sustainable, measurable process is executed by individuals who:
• Are knowledgeable and empowered
• Understand their role in the process
• Have the right information to make good decisions
• Execute process steps consistently and accurately
• Have organizational support and the ability to say “no”
• Execute reviews to validate the process
Page 12
Access Control - A workflow example
1. An access request is submitted that describes what is needed in enough detail to make the request clear and unambiguous
“Please assign George Jetson to the Loan Origination function within the Education Resource system.”
2. The Manager approves or rejects the request based on knowledge of the requester’s role in the organization
“George is my employee. I acknowledge he is asking for this access, and I believe it to be appropriate for his job function.”
Page 13
Access Control - A workflow example
3. Assuming Manager approval, the Access Control Specialist approves/rejects the request based on pre-defined access control criteria for the role
“I have considered the request based on written criteria for access to this application. Based on that criteria, this access is appropriate for George Jetson’s job function. I therefore approve the request.”
Note: The Access Control Specialist will reject the request if it does not meet the criteria. This may be contrary to the manager’s approval, and that’s ok!
4. If approved, the Security Admins fulfill the request
“I am adding, removing, or changing George Jetson’s access to this technology, based on the Access Control Specialist’s decision.”
Page 14
The Top 10 Things That Can Go Wrong
1. Business roles are not clearly understood or ineffective
2. Requests may not be clear
3. Process may not be repeatable, sustainable, or measurable
4. May not be able to identify individuals with access
5. Individuals may not have been given the right access
6. People in the process may not be executing their jobs effectively
7. May not have good criteria for access decisions
8. Process may not deal effectively with errors and omissions
9. Process may not deal effectively with access changes over time
10. Organizational culture does not support the process
Page 15
Access Control - Risks & Controls
Risk: 1. Business roles are not clearly understood or ineffective
Control: Separation of duties
• Roles reflect actual job duties
• No one person has complete control over a business process
• Supports proper checks and balances in the business process
• Decision criteria enforce one role per person
• Limited individuals with high risk functions
• Limited individuals with administrative access
• Supports least privilege if done properly
Page 16
Access Control - Risks & Controls
Risks: 2. Requests may not be clear
3. Process may not be repeatable, sustainable, or measurable
Control: Provisioning
• Standard request form that matches specific decision criteria
• Approvals at the organization and business process level
• Well defined process roles and responsibilities
• Mechanisms for processing all types of requests (e.g., adds, deletes, and changes)
• Appropriate reporting capabilities and audit trails
Page 17
Access Control - Risks & Controls
Risks: 4. May not be able to identify individuals with access
5. Individuals may not have been given the right access
6. People in the process may not be executing their jobs effectively
7. May not have good criteria for access decisions
Control: Appropriate Access
• Method for enforcing business functions/roles
• Ability to deal with both people and things that need access
• Execution of decision criteria by trained individuals
• Based on an authoritative source of information
Page 18
Access Control - Risks & Controls
Risks: 8. Process may not deal effectively with errors and omissions
9. Process may not deal effectively with access changes over time
Control: Periodic Review
• Examine routine processes to identify errors and omissions
• Examine access to find mistakes and identify gaps
• Examine changes to identify access discrepancies (roles, decision criteria and actual access)
• Reconciliation to the authoritative source of information
Page 19
Access Control - Risks & Controls
Risk: 10. Organizational culture does not support the process
Control: Governance
• Senior Management buy-in and support
• Provide a process & control framework
• Awareness / Security orientation
• Education and Training
• An understanding of operational risks, controls, and tests
• Compliance assessments, metrics, & reporting
Page 20
Applying Effective Access Control for Computer Applications
What we did at KeyBank
Page 21
A Structured Framework & Consistent Approach
Page 22
Step 1 of the Workflow - Organization
Establish the Team responsible for access control
• Line of Business personnel
  • Access Control Specialist
  • Line of Business RISC Officer
  • Additional Subject Matter Expert(s)
• Technology personnel
  • Application Developers
  • Technology RISC Officer
  • Additional Subject Matter Expert(s)
Page 23
Step 1 of the Workflow - Organization
• Line of Business Access Control Specialist - Roles & Responsibilities
  • Understands the business functions of their system and who performs those functions
  • Understands how all security components work together to control access
  • Has written procedures and decision criteria for granting access
  • Controls access to their business systems
  • Assists the Application Owner in understanding the business roles that must be controlled
Page 24
Step 1 of the Workflow - Organization
• Technology Owner - Roles & Responsibilities
  • Understands how security works in their system and how it relates to the business functions
  • Understands how the platform, database, & application security components work together to control access
  • Understands how interfacing systems and middleware impact/use security
  • Has written documentation that illustrates how security works within the system
  • Assists the ACS (Access Control Specialist) in understanding the security architecture and options available to control access
Page 25
Step 2 of the Workflow - Anatomy of an Application
Page 26
Step 2 of the Workflow - Anatomy of an Application
• Why is it important for everyone in the organization to understand the anatomy of an application?
  • Focus the Line of Business on owning access control
  • Develop the appropriate checks and balances (Separation of Duties)
  • Develop the basis for a need to know control structure (Least Privilege)
  • Ensure the integrity and accountability of the process (It’s the right way to do business!)
  • Ensure regulatory compliance
Page 27
Step 3 of the Workflow - Architecture
Application
Database Mgt System
Scheduling System
Middleware/Reporting
Operating System
Page 28
Step 3 of the Workflow - Architecture
• Technical Application Information
  • Identify all application and application data platforms
  • Identify and document existing platform security groupings
  • Identify all databases and other data stores
  • Identify and document all existing data store security groupings
• Document Authentication & Authorization
  • Authentication (Who you are)
  • Authorization (What you can do)
  • Identify system IDs granting access at various levels of the platform or database
Page 29
Step 3 of the Workflow - Architecture
• Middleware
  • Document the business functions that utilize middleware
  • Help the line of business understand middleware security concerns
• Diagrams
  • Context
  • Interface
  • Security
  • Help the line of business understand how security works for their application
Page 30
Step 3 of the Workflow - Architecture
Application
Database Mgt System
Scheduling System
Middleware/Reporting
Operating System
Page 31
Step 4 of the Workflow – Develop Roles
• Identify each business Role
  • Business functions of the role
  • Each job is a role
  • Defined in business terms and language
• Define Specific Access
  • Inquiry
  • Update
  • Reporting
  • Administrative
Page 32
Step 4 of the Workflow – Develop Roles
• Document how the role is set up
  • In the application
  • In the platform
  • In the database
• Examine each role for adherence to
  • Privacy
  • Separation of duties
  • Least privilege principle
  • Privileged or super user capability
  • High risk transactions (fee waiver; fee reversals; loan approval; password reset)
Page 33
Step 4 of the Workflow – Develop Roles
• Who is allowed to have the role?
  • Each role needs specific decision criteria
  • Separation of duties
  • Least privilege
• Establish the Decision Criteria
  • What are the business rules?
  • How can I tell a loan originator from a credit approver?
    • Department name
    • Cost or profit center number
    • Job title
    • Location
    • Manager
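The four-step workflow from the earlier slides (request, manager approval, Access Control Specialist decision against written criteria, Security Admin fulfillment) and the decision criteria on this slide, worked through as an added example; this is illustrative code written for this page, not KeyBank's Access Control Workflow Database. Role names, the employee record for George Jetson, and the criteria values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Written decision criteria per role (constructed values): an employee qualifies
# only if their record from the authoritative HR source matches every attribute.
ROLE_CRITERIA = {
    "loan_originator": {"department": "Education Lending", "job_title": "Loan Officer"},
    "credit_approver": {"department": "Education Lending", "job_title": "Credit Analyst"},
    "loan_inquiry": {"department": "Education Lending"},
}
# Roles no single person may hold together (separation of duties).
SOD_CONFLICTS = {frozenset({"loan_originator", "credit_approver"})}

@dataclass
class Employee:
    user_id: str
    department: str
    cost_center: str
    job_title: str
    location: str
    manager: str                       # manager of record from the HR source
    roles: set = field(default_factory=set)

@dataclass
class AccessRequest:
    employee: Employee
    role: str
    approved_by: Optional[str]         # user_id of the approving manager, or None

def manager_decision(req: AccessRequest):
    """Step 2: approval must come from the employee's own manager of record."""
    if req.approved_by is None:
        return False, "no manager approval"
    if req.approved_by != req.employee.manager:
        return False, f"approver {req.approved_by} is not the manager of record"
    return True, "manager approved"

def acs_decision(req: AccessRequest):
    """Step 3: the Access Control Specialist applies the written criteria.
    Independent of the manager: a manager-approved request can still fail here."""
    for held in req.employee.roles:
        if frozenset({held, req.role}) in SOD_CONFLICTS:
            return False, f"separation of duties: {req.role} conflicts with {held}"
    criteria = ROLE_CRITERIA.get(req.role)
    if criteria is None:
        return False, f"no decision criteria defined for role {req.role}"
    for attr, expected in criteria.items():
        actual = getattr(req.employee, attr)
        if actual != expected:
            return False, f"{attr} is {actual!r}; criteria require {expected!r}"
    return True, "meets written criteria"

def process_request(req: AccessRequest):
    """Run the workflow end to end; returns (fulfilled, audit_trail)."""
    trail = []
    ok, why = manager_decision(req)
    trail.append(("manager", ok, why))
    if ok:
        ok, why = acs_decision(req)
        trail.append(("access_control_specialist", ok, why))
    if ok:
        req.employee.roles.add(req.role)          # Step 4: Security Admin fulfils
        trail.append(("security_admin", True, f"granted {req.role}"))
    return ok, trail

def demo():
    """Constructed scenario: George Jetson, a Loan Officer reporting to cspacely."""
    george = Employee("gjetson", "Education Lending", "CC-4410", "Loan Officer",
                      "Cleveland", "cspacely")
    results = []
    for role, approver in [("loan_originator", "cspacely"),   # granted
                           ("credit_approver", "cspacely"),   # manager ok, ACS rejects
                           ("loan_inquiry", "mcogswell")]:    # not his manager
        ok, trail = process_request(AccessRequest(george, role, approver))
        results.append((role, ok, trail[-1][0]))
    return results
```

The audit trail records who decided what at each step, which is the reporting capability the Provisioning control calls for.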
Page 34
Step 4 of the Workflow – Routine Processes
• Define Routine Processes to ensure proper access (Right people – Right information)
  • Identify triggers that may indicate the business roles are changing
    • Business reorganizations
    • Application upgrades
    • New functions being automated
  • Identify triggers that may indicate decision criteria needs to be reviewed
    • Business reorganizations
  • Spot check the provisioning process for errors
    • Access approved doesn’t match access given
    • Access granted without proper approval
Page 35
Step 4 of the Workflow – Periodic Review
• Define a Periodic Review CONTROL to ensure proper access
  • Review and validate the business roles
    • Evaluate the components of the Separation of Duties Control
  • Review and validate the decision criteria
    • Evaluate the components of the Separation of Duties Control
  • Review the process for granting all access
    • Evaluate the components of the Provisioning Control
    • Evaluate the components of the Appropriate Access Control
Page 36
Step 5 of the Workflow – Clean-up and Start Over
• Defining everything is not enough
  • Clean-up all old access
  • Establish new access for each person
  • Set routine processes in motion
  • Establish a periodic review schedule
  • Monitor for compliance
    • Measurable
    • Sustainable
    • Repeatable
Page 37
Governance - In the KeyBank Culture
• Senior management is becoming more supportive in practical ways
  • Encouraged by the external auditors & regulators
  • Encouraged by the CISO and security organization
• Access control responsibility is within the line of business – not a technology function
  • The Access Control Specialist is the gatekeeper
  • Access control is not a customer service function
  • Responsible to evaluate each request based on the decision criteria
  • Challenge all application access
  • NO rubber stamp approvals
Page 38
Governance - In the KeyBank Culture
• The “Access Control Workflow Database”
  • consistent methodology to develop good access controls
  • provides a framework for audit and compliance
• Used 2005 “lessons learned” to establish a project structure that increases accountability
• Developing “continuing education” refresher courses for the ACS population
• Launching an internal website to increase awareness and compliance
Page 39
Summary
• The Regulatory Environment
  • Many regulations & regulators
  • Increasing emphasis and higher expectations
• Risk of Ineffective Access Control
  • An individual may have too much control over a business process
  • Consequences can be severe
    • damage to the organization’s reputation
    • misrepresentation of financial statements
    • Fines
    • Loss of customer confidence
Page 40
Summary
• Effective Access Control
  • Principles
    • Controlling access is a business responsibility
    • Process that provides the right people the right degree of access
    • Repeatable, sustainable and measurable process executed by knowledgeable individuals
  • 5 Main Risk Controls
    • Separation of Duties
    • Provisioning
    • Appropriate Access
    • Periodic Review
    • Governance
Page 41
Summary
• Applying Access Controls to Computer Applications
  • Identify the team members (business & technology)
  • Focus the line of business on owning access control
  • Assign the business functions to roles
  • Define the criteria for granting access
  • Document the security architecture
  • Clean-up the old stuff!
  • Establish Routine Controls and a Periodic Review
• Developing a Control Culture
  • Top down – management commitment
  • Bottom up – governance, frameworks, education
Page 42
A Risk Based Approach to Protecting Business Information