A Risk Based Approach to Protecting Business Information May 2, 2006.


Page 1: A Risk Based Approach to Protecting Business Information May 2, 2006.

A Risk Based Approach to Protecting Business Information

May 2, 2006


Date 05/02/06 Classification: Public

A Risk Based Approach to Protecting Business Information


Who We Are

Debbie Cherry

Jeff Hittle

Information Security Consultants

Corporate Information Security

KeyBank N.A.

Cleveland, Ohio


Agenda

• The Regulatory Environment

• Risk of Ineffective Access Control

• Principles of Good Access Control

• Applying Access Controls to Computer Applications

• Developing a Control Culture


Regulatory Environment

Regulations
• SOX – Sarbanes-Oxley Act
• GLBA – Gramm-Leach-Bliley Act
• HIPAA – Health Insurance Portability and Accountability Act

Regulatory Agencies
• OCC – Office of the Comptroller of the Currency
• SEC – Securities & Exchange Commission
• FED – Federal Reserve Bank


5 Steps to Managing Risk

• Identify potential risks
• Analyze and prioritize risks
  • high, medium, low
• Identify avoidance strategies
• Identify mitigation options
  • identify and/or establish controls
• Identify contingency strategies
  • detective controls – early identification


Risk Management Pitfalls

• Out of sight, out of mind
• Can’t see the forest for the trees (selective bias)
• Controlling the areas you know well, but not the others (expertise bias)
• The spin doctor – it’s really not so bad (presentation bias)
• “We have always done it this way” (conservatism)
• Increased ice cream sales = increased drownings (incorrect association of cause and effect)
• The sin of omission (did I forget to mention that…)


The Risk

An individual may have too much control over a business process.

Big Picture: Risk


The Consequences

• Business information is vulnerable to
  • Employee malfeasance
  • Fraudulent transactions
  • Identity theft
  • Misstatement of financial information
  • Privacy violations and loss of personal data
• Regulatory violations
• Bad press and damage to your reputation
• Monetary damages


The Control

An effective access control process protects your business information.

Big Picture: Control


Access Control Process: What is the goal, and what makes it effective?

The goal of effective access control is to ensure the right people have access to the right things based on:

• Their job function and placement in the organization
• The principles and policies of:
  • Least privilege access (minimum access required to do the job)
  • Separation of duties (no one person controls all facets of a business transaction)
  • Assignment of roles to each business process


Access Control Process: What is the goal, and what makes it effective?

Effective access control occurs when a repeatable, sustainable, measurable process is executed by individuals who:

• Are knowledgeable and empowered
• Understand their role in the process
• Have the right information to make good decisions
• Execute process steps consistently and accurately
• Have organizational support and the ability to say “no”
• Execute reviews to validate the process


Access Control: A workflow example

1. An access request is submitted that describes what is needed in enough detail to make the request clear and unambiguous.

   “Please assign George Jetson to the Loan Origination function within the Education Resource system.”

2. The Manager approves or rejects the request based on knowledge of the requester’s role in the organization.

   “George is my employee. I acknowledge he is asking for this access, and I believe it to be appropriate for his job function.”


Access Control: A workflow example

3. Assuming Manager approval, the Access Control Specialist approves or rejects the request based on pre-defined access control criteria for the role.

   “I have considered the request based on written criteria for access to this application. Based on that criteria, this access is appropriate for George Jetson’s job function. I therefore approve the request.”

   Note: The Access Control Specialist will reject the request if it does not meet the criteria. This may be contrary to the manager’s approval, and that’s ok!

4. If approved, the Security Admins fulfill the request.

   “I am adding, removing, or changing George Jetson’s access to this technology, based on the Access Control Specialist’s decision.”


The Top 10 Things That Can Go Wrong

1. Business roles are not clearly understood or are ineffective
2. Requests may not be clear
3. Process may not be repeatable, sustainable, or measurable
4. May not be able to identify individuals with access
5. Individuals may not have been given the right access
6. People in the process may not be executing their jobs effectively
7. May not have good criteria for access decisions
8. Process may not deal effectively with errors and omissions
9. Process may not deal effectively with access changes over time
10. Organizational culture does not support the process


Access Control - Risks & Controls

Risk: 1. Business roles are not clearly understood or are ineffective

Control: Separation of duties

• Roles reflect actual job duties
• No one person has complete control over a business process
• Supports proper checks and balances in the business process
• Decision criteria enforce one role per person
• Limits the number of individuals with high risk functions
• Limits the number of individuals with administrative access
• Supports least privilege if done properly


Access Control - Risks & Controls

Risks:
2. Requests may not be clear
3. Process may not be repeatable, sustainable, or measurable

Control: Provisioning

• Standard request form that matches specific decision criteria
• Approvals at the organization and business process level
• Well defined process roles and responsibilities
• Mechanisms for processing all types of requests (e.g., adds, deletes, and changes)
• Appropriate reporting capabilities and audit trails


Access Control - Risks & Controls

Risks:
4. May not be able to identify individuals with access
5. Individuals may not have been given the right access
6. People in the process may not be executing their jobs effectively
7. May not have good criteria for access decisions

Control: Appropriate Access

• Method for enforcing business functions/roles
• Ability to deal with both people and things that need access
• Execution of decision criteria by trained individuals
• Based on an authoritative source of information


Access Control - Risks & Controls

Risks:
8. Process may not deal effectively with errors and omissions
9. Process may not deal effectively with access changes over time

Control: Periodic Review

• Examine routine processes to identify errors and omissions
• Examine access to find mistakes and identify gaps
• Examine changes to identify access discrepancies (roles, decision criteria and actual access)
• Reconciliation to the authoritative source of information


Access Control - Risks & Controls

Risk: 10. Organizational culture does not support the process

Control: Governance

• Senior Management buy-in and support
• Provide a process & control framework
• Awareness / Security orientation
• Education and Training
• An understanding of operational risks, controls, and tests
• Compliance assessments, metrics, & reporting


Applying Effective Access Control for Computer Applications

What we did at KeyBank


A Structured Framework & Consistent Approach


Step 1 of the Workflow - Organization

Establish the team responsible for access control

• Line of Business personnel
  • Access Control Specialist
  • Line of Business RISC Officer
  • Additional Subject Matter Expert(s)
• Technology personnel
  • Application Developers
  • Technology RISC Officer
  • Additional Subject Matter Expert(s)


Step 1 of the Workflow - Organization

• Line of Business Access Control Specialist - Roles & Responsibilities
  • Understands the business functions of their system and who performs those functions
  • Understands how all security components work together to control access
  • Has written procedures and decision criteria for granting access
  • Controls access to their business systems
  • Assists the Application Owner in understanding the business roles that must be controlled


Step 1 of the Workflow - Organization

• Technology Owner Roles & Responsibilities
  • Understands how security works in their system and how it relates to the business functions
  • Understands how the platform, database, & application security components work together to control access
  • Understands how interfacing systems and middleware impact/use security
  • Has written documentation that illustrates how security works within the system
  • Assists the ACS (Access Control Specialist) in understanding the security architecture and options available to control access


Step 2 of the Workflow - Anatomy of an Application


Step 2 of the Workflow - Anatomy of an Application

Why is it important for everyone in the organization to understand the anatomy of an application?

• Focus the Line of Business on owning access control
• Develop the appropriate checks and balances (Separation of Duties)
• Develop the basis for a need-to-know control structure (Least Privilege)
• Ensure the integrity and accountability of the process (It’s the right way to do business!)
• Ensure regulatory compliance


Step 3 of the Workflow - Architecture

(Architecture diagram: the layers an application’s access control spans, top to bottom: Application; Database Mgt System; Scheduling System; Middleware/Reporting; Operating System)


Step 3 of the Workflow - Architecture

• Technical Application Information
  • Identify all application and application data platforms
  • Identify and document existing platform security groupings
  • Identify all databases and other data stores
  • Identify and document all existing data store security groupings
• Document Authentication & Authorization
  • Authentication (who you are)
  • Authorization (what you can do)
  • Identify system IDs granting access at various levels of the platform or database


Step 3 of the Workflow - Architecture

• Middleware
  • Document the business functions that utilize middleware
  • Help the line of business understand middleware security concerns
• Diagrams
  • Context
  • Interface
  • Security
  • Help the line of business understand how security works for their application


Step 3 of the Workflow - Architecture

(Architecture diagram repeated from the earlier slide, shown layer by layer: Application; Database Mgt System; Scheduling System; Middleware/Reporting; Operating System)


Step 4 of the Workflow – Develop Roles

• Identify each business role
  • Business functions of the role
  • Each job is a role
  • Defined in business terms and language
• Define specific access
  • Inquiry
  • Update
  • Reporting
  • Administrative


Step 4 of the Workflow – Develop Roles

• Document how the role is set up
  • In the application
  • In the platform
  • In the database
• Examine each role for adherence to
  • Privacy
  • Separation of duties
  • Least privilege principle
  • Privileged or super user capability
  • High risk transactions (fee waiver; fee reversals; loan approval; password reset)


Step 4 of the Workflow – Develop Roles

• Who is allowed to have the role?
  • Each role needs specific decision criteria
  • Separation of duties
  • Least privilege
• Establish the Decision Criteria
  • What are the business rules?
  • How can I tell a loan originator from a credit approver?
    • Department name
    • Cost or profit center number
    • Job title
    • Location
    • Manager
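The four-step request workflow from the earlier slides, with the Access Control Specialist deciding on written decision criteria of the kind listed above (department, job title, manager) plus a separation-of-duties rule, as an added example that is not part of the presentation or KeyBank's own tooling. All user names, HR records, role criteria and the conflicting role pair are constructed for illustration.

```python
"""Added example, not from the presentation: the request workflow of slides
12-13 with the Access Control Specialist (ACS) deciding on written decision
criteria and a separation-of-duties rule, independently of the manager's
approval. HR records, criteria and role names below are constructed."""
from dataclasses import dataclass

# Authoritative source (constructed HR extract) the decision criteria are checked against.
HR = {
    "gjetson":   {"department": "Consumer Lending", "job_title": "Loan Officer",   "manager": "cspacely"},
    "jsprocket": {"department": "Credit Risk",      "job_title": "Credit Analyst", "manager": "mspacely"},
    "bjetson":   {"department": "Consumer Lending", "job_title": "Branch Manager", "manager": "cspacely"},
}

# Written decision criteria per role, expressed in business terms (constructed).
CRITERIA = {
    "LoanOriginator": {"department": {"Consumer Lending"},
                       "job_title": {"Loan Officer", "Branch Manager"}},
    "CreditApprover": {"department": {"Credit Risk", "Consumer Lending"},
                       "job_title": {"Credit Analyst", "Branch Manager"}},
}

# Role pairs no single person may hold at once (separation of duties).
SOD_CONFLICTS = {frozenset({"LoanOriginator", "CreditApprover"})}


@dataclass
class Request:
    user: str
    role: str
    system: str
    manager_approved: bool = False


def manager_review(req, approver):
    """Step 2: the manager vouches for a direct report, nothing more."""
    req.manager_approved = HR.get(req.user, {}).get("manager") == approver
    return req.manager_approved


def acs_review(req, current_roles):
    """Step 3: decide on written criteria; manager approval is necessary, not sufficient."""
    if not req.manager_approved:
        return False, "no manager approval"
    person = HR.get(req.user)
    if person is None:
        return False, "user not in authoritative source"
    criteria = CRITERIA.get(req.role)
    if criteria is None:
        return False, "no written decision criteria for role"
    for attribute, allowed in criteria.items():
        if person[attribute] not in allowed:
            return False, f"{attribute} {person[attribute]!r} does not meet criteria"
    for held in current_roles.get(req.user, set()):
        if frozenset({held, req.role}) in SOD_CONFLICTS:
            return False, f"separation of duties: already holds {held}"
    return True, "meets written criteria"


def fulfill(req, current_roles):
    """Step 4: the security admin acts only on the ACS decision."""
    current_roles.setdefault(req.user, set()).add(req.role)


def process(req, approver, current_roles):
    """Run the workflow; returns (status, reason) so every rejection is auditable."""
    if not manager_review(req, approver):
        return "rejected by manager", "approver is not the requester's manager"
    ok, reason = acs_review(req, current_roles)
    if not ok:
        return "rejected by ACS", reason
    fulfill(req, current_roles)
    return "fulfilled", reason
```

A manager approving a request that fails the written criteria, or one that would give a person both halves of a conflicting role pair, is rejected by the ACS step exactly as the note on slide 13 describes.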


Step 4 of the Workflow – Routine Processes

• Define Routine Processes to ensure proper access (right people – right information)
• Identify triggers that may indicate the business roles are changing
  • Business reorganizations
  • Application upgrades
  • New functions being automated
• Identify triggers that may indicate decision criteria need to be reviewed
  • Business reorganizations
• Spot check the provisioning process for errors
  • Access approved doesn’t match access given
  • Access granted without proper approval
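The spot check described above, plus the reconciliation to the authoritative source from the Periodic Review control, as an added example that is not part of the presentation or KeyBank's own process: it compares the access decisions on file with the access actually present on a system and flags the two error types named on the slide, along with access still held by people no longer in the authoritative source. The approval records, system access extract and employee list are constructed.

```python
"""Added example, not from the presentation: a spot check of the provisioning
process (slide 34) that compares approved access with the access actually
present on a system, and reconciles both against the authoritative source
(slide 18). All records below are constructed."""
from collections import defaultdict

# Approved decisions on file (constructed): request id, user, system, role.
APPROVALS = [
    ("req-101", "gjetson",   "EducationResource", "LoanOriginator"),
    ("req-102", "jsprocket", "EducationResource", "CreditApprover"),
    ("req-103", "afindlay",  "EducationResource", "Inquiry"),
    ("req-104", "hlee",      "EducationResource", "Reporting"),
]

# Access extracted from the system's own security tables (constructed).
ACTUAL_ACCESS = [
    ("gjetson",   "EducationResource", "LoanOriginator"),
    ("jsprocket", "EducationResource", "Administrative"),  # not what was approved
    ("rspacely",  "EducationResource", "Update"),          # no approval on file
    ("afindlay",  "EducationResource", "Inquiry"),
]                                                           # hlee never provisioned

# Authoritative source: currently active employees (constructed); rspacely has left.
ACTIVE_EMPLOYEES = {"gjetson", "jsprocket", "afindlay", "hlee"}


def spot_check(approvals, actual, active):
    """Return findings keyed by discrepancy type; an empty dict means a clean check."""
    approved = defaultdict(set)   # (user, system) -> roles the ACS approved
    for _, user, system, role in approvals:
        approved[(user, system)].add(role)
    granted = defaultdict(set)    # (user, system) -> roles actually present
    for user, system, role in actual:
        granted[(user, system)].add(role)

    findings = defaultdict(list)
    for key in sorted(set(approved) | set(granted)):
        user, system = key
        if key in approved and key in granted:
            if approved[key] != granted[key]:   # access approved doesn't match access given
                findings["mismatch"].append(
                    (user, system, sorted(approved[key]), sorted(granted[key])))
        elif key in granted:                    # access granted without proper approval
            findings["granted_without_approval"].append((user, system, sorted(granted[key])))
        else:                                   # approved but never provisioned
            findings["approved_not_granted"].append((user, system, sorted(approved[key])))
        if key in granted and user not in active:  # reconcile to the authoritative source
            findings["inactive_user_with_access"].append((user, system, sorted(granted[key])))
    return dict(findings)
```

Each finding carries the user, system and both sides of the comparison, which is the information the Access Control Specialist needs to decide whether the provisioning step or the decision record is the one in error.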


Step 4 of the Workflow – Periodic Review

• Define a Periodic Review CONTROL to ensure proper access
  • Review and validate the business roles
    • Evaluate the components of the Separation of Duties Control
  • Review and validate the decision criteria
    • Evaluate the components of the Separation of Duties Control
  • Review the process for granting all access
    • Evaluate the components of the Provisioning Control
    • Evaluate the components of the Appropriate Access Control


Step 5 of the Workflow – Clean-up and Start Over

• Defining everything is not enough
• Clean up all old access
• Establish new access for each person
• Set routine processes in motion
• Establish a periodic review schedule
• Monitor for compliance
  • Measurable
  • Sustainable
  • Repeatable


Governance - In the KeyBank Culture

• Senior management is becoming more supportive in practical ways
  • Encouraged by the external auditors & regulators
  • Encouraged by the CISO and security organization
• Access control responsibility is within the line of business – not a technology function
  • The Access Control Specialist is the gatekeeper
  • Access control is not a customer service function
  • Responsible to evaluate each request based on the decision criteria
  • Challenge all application access
  • NO rubber stamp approvals


Governance - In the KeyBank Culture

• The “Access Control Workflow Database”
  • consistent methodology to develop good access controls
  • provides a framework for audit and compliance
• Used 2005 “lessons learned” to establish a project structure that increases accountability
• Developing “continuing education” refresher courses for the ACS population
• Launching an internal website to increase awareness and compliance


Summary

• The Regulatory Environment
  • Many regulations & regulators
  • Increasing emphasis and higher expectations
• Risk of Ineffective Access Control
  • An individual may have too much control over a business process
  • Consequences can be severe
    • damage to the organization’s reputation
    • misrepresentation of financial statements
    • fines
    • loss of customer confidence


Summary

• Effective Access Control
  • Principles
    • Controlling access is a business responsibility
    • Process that provides the right people the right degree of access
    • Repeatable, sustainable and measurable process executed by knowledgeable individuals
  • 5 Main Risk Controls
    • Separation of Duties
    • Provisioning
    • Appropriate Access
    • Periodic Review
    • Governance


Summary

• Applying Access Controls to Computer Applications
  • Identify the team members (business & technology)
  • Focus the line of business on owning access control
  • Assign the business functions to roles
  • Define the criteria for granting access
  • Document the security architecture
  • Clean up the old stuff!
  • Establish Routine Controls and a Periodic Review
• Developing a Control Culture
  • Top down – management commitment
  • Bottom up – governance, frameworks, education


A Risk Based Approach to Protecting Business Information