Title: 2003 ANNUAL PCIE / ECIE CONFERENCE PANEL DISCUSSION: IT SECURITY: BEST AND PROMISING PRACTICES
2003 ANNUAL PCIE / ECIE CONFERENCE PANEL DISCUSSION: IT SECURITY BEST AND PROMISING PRACTICES
- MIKE DONAHUE
- PARTNER, GLOBAL RISK MANAGEMENT SOLUTIONS
- MARCH 25, 2003
PwC
FEDERAL AUDIT PERSPECTIVE
- SOCIAL SECURITY ADMIN
- BUREAU OF ATF
- DEPT OF JUSTICE
- PBGC
- GENERAL SERVICES ADMIN
- DEPT OF LABOR
- DEPT OF DEFENSE
- DEPT OF TREASURY
- US HOUSE OF REPS
- DEPT OF AGRICULTURE
- DEPT OF VET AFFAIRS
- DEPT OF EDUCATION
- DEPT OF HHS
- DEPT OF INTERIOR
- DEPT OF STATE
- NASA
PricewaterhouseCoopers
COMMON IT SECURITY ISSUES
- GAO High Risk Area since 1997
- Poor risk management process
- Lack of strong C&A (certification and accreditation) process
- Unclear responsibility for security
- Unclear policy, standards, procedures
- Undefined security architecture
- Lack of configuration requirements
- Poor guidance/monitoring over 3rd parties
ERP EXAMPLE
- Desktop (Presentation Server)
- External Network (WWW)
- Internal Network (NT)
- Application (SAP, PeopleSoft, Oracle)
- Database (Oracle, Sybase, Informix)
- Operating System (UNIX)
WHERE ARE THE SECURITY CONTROLS?
(Diagram: PAYROLL data shown traversing each layer of the ERP stack: WWW, Desktop, NT, Oracle, UNIX)
ERP EXAMPLE
- Complicated Application Security Implementation
- New Technical Operating Environment
- De-centralized Data and Application Environment Accessed by Many Users
- Significant and Critical Information Being Transferred Across Networks
- Organization Not Established to Support Controls and Security in a Decentralized Environment
CONTROL MATRIX EXAMPLE
MULTIDIMENSIONAL ORGANIZATIONAL ENVIRONMENT
INFORMATION SECURITY FRAMEWORK
- Senior Management Commitment
- Training and Awareness Program
- Security Vision and Strategy
- Information Security Management Structure
TODAY'S CHALLENGES
- Clarifying risk
- Keeping up with vendor releases/versions
- Maintaining discipline for C&A
- Understanding product standards vs. implementation/configuration requirements
- Defining cost-effective, realistic solutions
- Understanding trusted relationships
PROCESS OF CONTINUOUS IMPROVEMENT
- Risk Assessment
- Product/Process Selection
- Features and Functions Selection
- Product/Process Implementation
- Pre/Post Implementation C&A
- Annual Management Evaluation
- Independent Assessment/Audit
FINAL THOUGHTS
- Clearly defined standards and requirements
- Risk - Based Design and Implementation
- Security Integrated Into Business Solutions
- Security Plans Documented per NIST 800-18
- Improve Procurement Process
  - Define Security Requirements
  - Measure Third Party Compliance
- Adopt Best Practices (GAO Study)
FINAL THOUGHTS
- Information security controls need to be
  - defined
  - designed
  - developed
  - tested
  - implemented
- throughout the SDLC process via a clearly defined security architecture