AEBIT Committee Working Breakfast IT for CEOs:Best Practice Update on Information Security - PowerPoint PPT Presentation



1
AEB-IT Committee Working Breakfast: IT for CEOs
Best Practice Update on Information Security
  • Zachary Haberer
  • Chief Information Officer
  • Ernst & Young Russia/CIS
  • Thursday, 22 February 2007

2
Information Security: Process Definition
  • Objective: To protect the interests of those
    relying on information, and the systems and
    communications that deliver the information, from
    harm resulting from failures of availability,
    confidentiality and integrity.
  • Availability: there when you need it; resistant
    to attacks and failures
  • Confidentiality: limited to those who need it
  • Integrity: protected against unauthorized
    modification
  • Information Security Governance: Guidance for
    Boards of Directors and Executive Management, IT
    Governance Institute, www.itgi.org

3
Information Security: What it is / isn't
  • Not a product
  • Not just an IT problem
  • Not a one-time effort
  • Part of overall risk management
  • Passwords, firewalls, anti-virus software,
    security cable locks are all important, but most
    of all, information security is about behavior

4
Risk and potential consequences
5
Risk management
  • To manage risks, organizations must first
    identify the risk, assess value and plan
    accordingly
  • Define limits and tolerances
  • Communicate regularly, at multiple levels
  • Hold regular discussions with IT/IS function
  • Incorporate into policies for all employees
  • Assess compliance as part of annual reviews
  • Security is everybody's problem

6
The Classic Example: Stolen Notebook
  • Was the theft based on value of computer or value
    of data?
  • Risks
      • Sensitive data is lost
      • Sensitive data may be used against you
      • Reputation damage if publicized
      • Possible legal consequences
  • Mitigation strategies
      • Hard disk password protection
          • not enough by itself
      • Hard disk encryption
          • better!
      • Policies against keeping sensitive data on
        notebooks
          • Hard to enforce, open to doubt
      • Secure, automatic backup of all notebook hard
        drives

7
Some questions for business leaders
  • Would people recognize a security incident when
    they saw one?
  • Does anyone know how many computers the company
    owns? Would management know if some went missing?
  • What is the procedure when a computer is
    lost/stolen?
  • Has management identified all information that
    would cause embarrassment or competitive
    disadvantage if leaked?
  • Did the company suffer from the latest virus
    attack?
  • What safeguards have been established over
    physical security of computer assets?

8
Some more questions
  • Does anyone know how many people are using the
    organization's systems, and what for?
  • How secure is the information you provide to
    business partners, vendors and other third-party
    organizations?
  • What are the top 3 critical information assets of
    your organization?
  • Do you provide employees with USB flash memory
    devices? Do you provide them with any guidance on
    how to use them?
  • Do your employees follow good security practices?
    Are you leading by example?

9
Some performance measures
  • No incidents causing public embarrassment
    (success via non-occurrence)
  • Number of critical infrastructure components with
    automatic availability monitoring
  • Number of critical business processes dependent
    on IT that have adequate continuity plans
  • Measured improvement in employee security
    awareness
  • Number of automated systems controls (password
    requirements, forced password changes, automatic
    screen saver locks, PC data encryption)

10
Risks: software patching
  • Software is never finished
  • In 2006 Microsoft released approximately 70
    software patches
  • Challenge to find stability
  • Not just Microsoft (all software is at risk)
  • Security is an iterative process

11
Risks: emerging technologies
  • mobile computing
      • smart phones, PDAs, shared applications over the
        Internet
  • removable media
      • flash memory (now up to 4 GB)
  • wireless networks

12
Risks: Regulatory compliance
  • Sarbanes-Oxley
  • European 8th Directive
  • Basel-II
  • Personal data protection

13
Internet Resources
  • IT Governance Institute, www.itgi.org
      • Document containing questions for management:
        http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=24384
  • CERT (Computer Emergency Response Team),
    www.cert.org
      • general non-profit resource for security-related
        materials
  • SANS Internet Storm Center, isc.sans.org
      • Link to a world map showing Internet virus
        activity
  • Ernst & Young 2006 Global Information Security
    Survey
      • http://www.ey.com/global/content.nsf/International/Assurance__Advisory_-_Technology_and_Security_Risk_-_Global_Information_Security_Survey_2006

14
Ernst & Young contact information
  • For questions regarding this presentation, the
    AEB-IT Committee, or Ernst & Young in general:
      • Zachary Haberer
      • Chief Information Officer
      • zachary.haberer_at_ru.ey.com
      • Tel. +7 495 755 9700
  • For questions regarding IT security audits and
    related services:
      • Alexei Shindin
      • Ernst & Young, Technology and Security Risk
        Services (TSRS)
      • Alexei.Shindin_at_ru.ey.com
      • Tel. +7 495 755 9700