Convergence Iissm 2008 Ab 121108
Uploaded by arindam-bose
Transcript of Convergence Iissm 2008 Ab 121108
Security Convergence
November 12 2008 IISSM 2008 Goa India
Physical, Human? and Information
What do we need to secure?
Tangible wealth - Assets
Intangible wealth - Information, Human Resources
Where?
Physical space - Premises
Cyber space - IT resources
Thoughts in the mind?
Why does it need to be secured?
Threat vs risk
Consequences of loss
Level of protection
Is there a need for Convergence?
Agenda
Traditional Security Divisions
What is convergence
Benefits and Challenges
Findings of Surveys
Evolution of Integrated Enterprise Risk Management
Standards and Best Practices
Traditional Security Concerns
Physical Security
Personnel Security
Communication Security
Major Threats
Sabotage
Subversion
Espionage
Terrorist attack
Mob violence
Pilferage
Sabotage Precautions
Access Control
Check fire-fighting aids
Bomb and fire mock drills
Decoy drills
Patrolling of Premises
Sensitization
Subversion Precautions
Vetting
Re-verification
Sensitization
Watch on potential targets
Sudden wealth
Espionage Precautions
Vetting
Communication Security
Watch potential targets
Liaison with Intelligence agencies
Sensitization
Terrorist Attack
Sneak entry
Suicide attack
Missile attack
Sabotage
Cyber terrorism
Mob Violence
Security protection scheme
Police to secure area
Restrict entry
Strict access control
Placate agitators
Activate leaders to mediate
Pilferage
Access control
Checking
Accounting
Patrolling
Random checks
Consumption pattern
Theft of wealth for benefit
Tangible - assets
Intangible - information: to help steal assets, to help compete against
Destroy without material gain
Terrorism: both tangible and intangible wealth
Threat Categories
System failures
Negligence
Carelessness and complacency
Accidents
Natural hazards
Interrelated Security Functions (diagram): Intelligence & Advance Warning; Threats Analysis & Security System Analysis; Physical Security; Communication, Information & IT Security; Personnel & HRD Security; Guards; Investigation; Fire & Disaster Protection; Fail Safe / Fail Soft & Event Logging
Traditional Approaches
Insulated departments - silos
Unnecessary need-to-know policy
Need to know or 'better not know'
Inadequate sharing of information
Specialisation
Convergence
Convergence of historically disparate security functions
Convergence is endorsed by the three leading international organizations for security professionals --
Convergence
Integration enables an organization to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralized means of setting access privileges for both physical and logical resources.
Convergence
This identity-based convergence makes it possible for organizations to have:
One identity-based system for managing all physical and logical access;
A unified network policy for both network and remote access that leverages card status and location information from physical access systems;
Exchange of events and alarms from the physical access system to the logical access system;
Convergence
An identity-based reporting system for use in forensic investigations; and
A streamlined workflow for creating, deleting and modifying user identities from both systems simultaneously.
Balanced and Mandatory Information Exchange
Enabler for Convergence
Open Security Exchange ... not-for-profit association
Defines convergence as the migration of physical and IT security towards common objectives, processes and architectures.
Enables vendor-neutral interoperability among diverse security components to support overall enterprise risk management needs.
Benefits of Convergence
Stronger, more integrated security
Greater overall control
Affordable dual-factor authentication
Coordinated responses to problems or emergency situations
Regulatory compliance (US?)
A solution to tailgating
A deterrent to 'we were never told'
All of these benefits, plus the better protection, cost savings, risk reduction, and increased compliance associated with them, make converged physical and logical security a worthwhile goal.
November 12 2008 IISSM 2008 Goa India
Requirements of Convergence
Approach security from a holistic view;
Offer fine-grained, zone-based logical access coupled to a user's badge status and location;
Leverage existing security investments;
Enforce both physical and logical security policies;
Requirements of Convergence
Have monitoring and reporting capabilities in order to demonstrate compliance with applicable acts;
Be cost-effective for companies of all types and sizes;
Be easy to deploy; and
Deliver a measurable return on investment.
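The identity-based convergence described on the Convergence slides above (one credential repository, a network policy that uses card status and location, alarms exchanged between the physical and logical systems, an identity-based forensic timeline, and one workflow that creates or revokes an identity in both systems at once) and the "zone-based logical access coupled to a user's badge status" requirement can be sketched as a small policy engine. The Python below is an added example written for this page; it is not code from the presentation, from AESRM or from any vendor product. The ConvergedDirectory class, its method names, the zone model (one zone per badge, no nested zones, integer timestamps), the 'lan:<zone>' / 'vpn' source convention and the event sequence in run_scenario are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    """One person owning both a badge (physical) and a network account (logical)."""
    user: str
    badge_active: bool = True
    account_active: bool = True
    zone: Optional[str] = None  # zone the badge last entered; None means off-site


@dataclass
class ConvergedDirectory:
    """Hypothetical single credential store shared by the physical and logical access systems."""
    identities: Dict[str, Identity] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    timeline: List[Tuple[int, str, str]] = field(default_factory=list)  # (ts, user, event)

    def _log(self, ts: int, user: str, event: str) -> None:
        self.timeline.append((ts, user, event))

    def provision(self, user: str, ts: int) -> None:
        """Joiner workflow: badge and account are created together."""
        self.identities[user] = Identity(user)
        self._log(ts, user, "provisioned badge and account")

    def deprovision(self, user: str, ts: int) -> None:
        """Leaver workflow: both credentials are revoked in one step, so neither lingers."""
        ident = self.identities[user]
        ident.badge_active = False
        ident.account_active = False
        ident.zone = None
        self._log(ts, user, "deprovisioned badge and account")

    def badge_event(self, user: str, zone: str, direction: str, ts: int) -> bool:
        """Called by the physical access system. Returns True if the door may open."""
        ident = self.identities.get(user)
        if ident is None or not ident.badge_active:
            self._log(ts, user, f"badge {direction} {zone} denied: unknown or revoked badge")
            return False
        if direction == "in":
            if ident.zone == zone:
                # Second entry without an exit: the anti-passback signature of tailgating.
                self.alerts.append(f"{ts} {user}: anti-passback violation at {zone}")
                self._log(ts, user, f"badge in {zone} denied: already inside")
                return False
            ident.zone = zone
        else:
            if ident.zone != zone:
                self.alerts.append(f"{ts} {user}: exit from {zone} without matching entry")
            ident.zone = None
        self._log(ts, user, f"badge {direction} {zone}")
        return True

    def logical_access(self, user: str, source: str, ts: int) -> bool:
        """Called by the logical access system. source is 'lan:<zone>' or 'vpn'."""
        ident = self.identities.get(user)
        if ident is None or not ident.account_active:
            self._log(ts, user, f"logon from {source} denied: unknown or revoked account")
            return False
        if source.startswith("lan:"):
            zone = source.split(":", 1)[1]
            if ident.zone != zone:
                # Workstation in a zone the badge never entered: tailgating or stolen password.
                self.alerts.append(f"{ts} {user}: logon in {zone} while badge in {ident.zone}")
                self._log(ts, user, f"logon from {source} denied: badge not in zone")
                return False
        elif source == "vpn" and ident.zone is not None:
            # Remote logon while the badge says on-site: the same identity in two places.
            self.alerts.append(f"{ts} {user}: VPN logon while badged into {ident.zone}")
            self._log(ts, user, "logon from vpn denied: badge on-site")
            return False
        self._log(ts, user, f"logon from {source} allowed")
        return True

    def forensic_report(self, user: str) -> List[str]:
        """Identity-based timeline merging physical and logical events for investigators."""
        return [f"{ts} {ev}" for ts, u, ev in sorted(self.timeline) if u == user]


def run_scenario() -> ConvergedDirectory:
    """Constructed event sequence (sample data, not a real log)."""
    d = ConvergedDirectory()
    d.provision("alice", 100)
    d.provision("bob", 101)
    d.badge_event("alice", "server-room", "in", 200)   # door opens
    d.logical_access("alice", "lan:server-room", 201)  # allowed: badge and logon agree
    d.logical_access("alice", "vpn", 202)              # denied + alert: she is on-site
    d.logical_access("bob", "lan:server-room", 203)    # denied + alert: bob never badged in
    d.badge_event("bob", "lobby", "in", 204)           # door opens
    d.badge_event("bob", "lobby", "in", 205)           # denied + alert: anti-passback
    d.deprovision("alice", 300)
    d.badge_event("alice", "server-room", "in", 301)   # denied: badge revoked
    d.logical_access("alice", "lan:server-room", 302)  # denied: account revoked
    return d
```

Calling run_scenario() and printing directory.alerts and directory.forensic_report("alice") shows the three alarms the scenario raises and one merged timeline for alice across both systems. In a real deployment the door controller and the network access control or VPN concentrator would each query the shared store before deciding; the point of the example is that neither side can make the "is this person where their badge says they are" decision on its own.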
Challenges
Conventional attitudes
Need for knowledge beyond the traditional security domain
Non-security benefits of security systems: resource questions
Diverse usage patterns: realistic estimation
Judicious balance of high technology and the rest
Inadequate common recording standards
Findings of Surveys on Convergence
Annual Global Information Security Survey 2007
“We have realized that the focus and drivers of information security may change over the years, but the need to protect information assets remains virtually important to businesses globally. Organizations are beginning to recognize that information security can deliver more than just protection for information.”
Findings of Surveys on Convergence
Though converged security is emerging, there is a greater need for interaction between IT and general management.
Thus alignment of IT and business objectives needs greater attention.
Thus IT governance principles on the lines of COBIT and ITIL need to be established.
Evolution of Integrated Enterprise Risk Management
The Alliance for Enterprise Security Risk Management (AESRM) - Convergent Security Risks in Physical Security Systems and IT Infrastructures
Created in late 2004/early 2005
Partners:
- ASIS International
- Information Systems Security Association (ISSA)
- ISACA
Combined worldwide membership in excess of 90,000
Findings of Surveys on Convergence
Standards and Best Practices
BS 25999-1:2006: Business Continuity Management Code of Practice (management system for disaster recovery and business continuity)
BS 7799-3:2006: Guidelines for Information Security Risk Management (management system approach for the assessment and treatment of risk)
ISO/PAS 28000: Specification for Security Management Systems for the Supply Chain (management system specification for physical security)
Standards and Best Practices
ISO 22000: Food Safety Management Systems - Requirements for Any Organization in the Food Chain (management system for preventing the introduction of food safety hazards)
OHSAS 18001: Occupational Health and Safety Management (specification for health and safety management systems)
Standards and Best Practices
Three specific practices and standards that are becoming widely adopted around the world:
• ITIL V3: published by the UK government to provide a best-practice framework for IT service management
• CobiT 4.1: published by ITGI and positioned as a high-level governance and control framework
• ISO/IEC 27002:2005: published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), derived from the UK government's BS 7799 (adopted as ISO/IEC 17799:2005 and renumbered ISO/IEC 27002 in 2007), to provide a framework of a standard for information security management
Thank You
Questions and discussions