1
2003 ANNUAL PCIE / ECIE CONFERENCE
PANEL DISCUSSION: IT SECURITY: BEST AND PROMISING PRACTICES
  • MIKE DONAHUE
  • PARTNER, GLOBAL RISK MANAGEMENT SOLUTIONS
  • MARCH 25, 2003

PwC
2
FEDERAL AUDIT PERSPECTIVE
  • SOCIAL SECURITY ADMIN
  • BUREAU OF ATF
  • DEPT OF JUSTICE
  • PBGC
  • GENERAL SERVICES ADMIN
  • DEPT OF LABOR
  • DEPT OF DEFENSE
  • DEPT OF TREASURY
  • US HOUSE OF REPS
  • DEPT OF AGRICULTURE
  • DEPT OF VET AFFAIRS
  • DEPT OF EDUCATION
  • DEPT OF HHS
  • DEPT OF INTERIOR
  • DEPT OF STATE
  • NASA

3
COMMON IT SECURITY ISSUES
  • GAO High Risk Area since 1997
  • Poor risk management process
  • Lack of strong C&A (certification and accreditation) process
  • Unclear responsibility for security
  • Unclear policy, standards, procedures
  • Undefined security architecture
  • Lack of configuration requirements
  • Poor guidance/monitoring over 3rd parties

4
ERP EXAMPLE
  • Desktop (Presentation Server)
  • External Network (WWW)
  • Internal Network (NT)
  • Application ( SAP, Peoplesoft, Oracle)
  • Database (Oracle, Sybase, Informix)
  • Operating System (UNIX)

5
Where Are The Security Controls?
[Figure: the PAYROLL data shown on its own, before the surrounding layers are drawn.]
6
Where Are The Security Controls?
[Figure: the PAYROLL data placed at each layer of the slide 4 stack: WWW, Desktop, NT, Oracle, UNIX.]
7
ERP EXAMPLE
  • Complicated Application Security Implementation
  • New Technical Operating Environment
  • De-centralized Data and Application Environment
    Accessed by Many Users
  • Significant and Critical Information Being
    Transferred Across Networks
  • Organization Not Structured to Support Controls
    and Security in a Decentralized Environment
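Slides 4, 6 and 7 make one technical point: PAYROLL data lives at the bottom of a stack (desktop, network, application, database, operating system), and a control that exists only in the application (SAP roles, for example) does nothing for a user who reaches the database or the UNIX filesystem directly. The following is an added example, not material from the presentation or from PwC: it models that stack as a small graph, enumerates every route from a desktop to PAYROLL, and reports the routes on which no layer enforces authorization. The topology, the control sets, and the layer names are constructed to match the slide pictures; the "before" and "after" control sets are assumptions for illustration.

```python
"""Access-path and control-matrix check for the ERP stack in slides 4 and 6.

Constructed model, not the presentation's own material: layers are nodes,
edges are the ways a user reaches the next layer, and each layer lists the
control families it actually enforces. A route to PAYROLL on which no layer
enforces authorization is a control gap, whatever the application does.
"""

# Reachability between layers (constructed, modelled on the slide 6 picture).
TOPOLOGY = {
    "Desktop": ["WWW", "NT"],
    "WWW": ["Application"],
    "NT": ["Application", "Oracle", "UNIX"],  # LAN users can reach DB and OS directly
    "Application": ["Oracle"],
    "Oracle": ["PAYROLL"],
    "UNIX": ["PAYROLL"],  # datafiles and exports live on the filesystem
    "PAYROLL": [],
}

# Control families enforced at each layer (constructed "before" picture):
# application roles do the authorization, but the database account is shared
# and the UNIX data directory is readable by every login, so only the
# application layer actually decides who may see payroll.
CONTROLS = {
    "Desktop": set(),
    "WWW": {"authentication"},
    "NT": {"authentication"},
    "Application": {"authentication", "authorization", "audit"},
    "Oracle": {"authentication"},
    "UNIX": {"authentication"},
    "PAYROLL": set(),
}

FAMILIES = ("authentication", "authorization", "audit")


def all_paths(topology, start, target):
    """Enumerate every simple path from start to target (depth-first)."""
    paths = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in topology.get(node, ()):
            if nxt not in path:  # simple paths only, no cycles
                stack.append((nxt, path + [nxt]))
    return paths


def unguarded_paths(topology, controls, start, target, required):
    """Paths along which no single layer enforces all of `required`."""
    required = set(required)
    return [
        path
        for path in all_paths(topology, start, target)
        if not any(required <= controls.get(node, set()) for node in path)
    ]


def control_matrix(controls, families=FAMILIES):
    """Rows of (layer, [enforced? per family]): a control matrix as data."""
    return [(layer, [fam in enforced for fam in families]) for layer, enforced in controls.items()]


def harden(controls, fixes):
    """Return a copy of `controls` with extra families enforced at the given layers."""
    fixed = {layer: set(fams) for layer, fams in controls.items()}
    for layer, fams in fixes.items():
        fixed.setdefault(layer, set()).update(fams)
    return fixed


# Remediation matching the slide's point: push authorization down the stack
# (per-user database accounts and roles, restrictive file permissions), so the
# application is no longer the only layer that checks who may read payroll.
HARDENED = harden(CONTROLS, {"Oracle": {"authorization", "audit"}, "UNIX": {"authorization"}})


def report(controls):
    """Print the control matrix and any bypass routes; return the gap count."""
    print(f"{'layer':<12}" + "".join(f"{fam:<16}" for fam in FAMILIES))
    for layer, flags in control_matrix(controls):
        print(f"{layer:<12}" + "".join(f"{'X' if on else '-':<16}" for on in flags))
    gaps = unguarded_paths(TOPOLOGY, controls, "Desktop", "PAYROLL", {"authorization"})
    for path in gaps:
        print("bypasses authorization: " + " -> ".join(path))
    return len(gaps)


if __name__ == "__main__":
    print("-- before --")
    report(CONTROLS)   # two routes via NT -> Oracle and NT -> UNIX skip authorization
    print("-- after --")
    report(HARDENED)   # no route to PAYROLL avoids an authorizing layer
```

The "before" run finds two routes that never cross an authorizing layer (desktop to the internal network, then straight to Oracle or to the UNIX filesystem); the "after" run, with authorization enforced at the database and operating system as well, finds none. The same matrix-and-paths check works for any stack: replace the topology and control sets with what an assessment actually finds and the gaps fall out mechanically.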

8
CONTROL MATRIX EXAMPLE
9
MULTIDIMENSIONAL ORGANIZATIONAL ENVIRONMENT
10
Information Security Framework
  • Senior Management Commitment
  • Training and Awareness Program
  • Security Vision and Strategy
  • Information Security Management Structure
11
TODAY'S CHALLENGES
  • Clarifying risk
  • Keeping up with vendor releases/versions
  • Maintaining discipline for C&A (certification and accreditation)
  • Understanding product standards vs.
    implementation/configuration requirements
  • Defining cost-effective, realistic solutions
  • Understanding trusted relationships

12
PROCESS OF CONTINUOUS IMPROVEMENT
  • Risk Assessment
  • Product/Process Selection
  • Features and Functions Selection
  • Product/Process Implementation
  • Pre- and Post-Implementation C&A (certification and accreditation)
  • Annual Management Evaluation
  • Independent Assessment/Audit

13
FINAL THOUGHTS
  • Clearly defined standards and requirements
  • Risk-Based Design and Implementation
  • Security Integrated Into Business Solutions
  • Security Plans Documented per NIST 800-18
  • Improve Procurement Process: Define Security
    Requirements
  • Measure Third Party Compliance
  • Adopt Best Practices (GAO Study)

14
FINAL THOUGHTS
  • Information security controls need to be
      • defined
      • designed
      • developed
      • tested
      • implemented
    throughout the SDLC process via a clearly defined
    security architecture
