Dr. Soojung Shin, CISSP, Executive Vice President, Infosec, Korea (PowerPoint presentation transcript)
Learn more at: http://www.shinsoojung.pe.kr


Slide 1
(ISC)2 SecureAsia@Seoul Conference, 29-30 Oct 2008
Change in enterprise information security strategies for responding to emerging threats
2008.10 Dr. Soojung Shin, CISSP, Executive Vice President, Infosec, Korea
Slide 2
Contents
  1. Change in the recent threats
  2. Expanded attack
  3. Change in the environment
  4. Change in the strategies
  5. Strategies
  6. Conclusion

Slide 3
1. Change in the recent threats

Past -> Present
  • Ability show-off -> Clear monetary goal
  • Target: the cyber system -> Target: customer information
  • IT infrastructure attack -> Attack on the application and its users, social engineering
  • Attacking the target company's systems directly -> Using a roundabout path
Slide 4
2. Expanded Attack

Diagram: the attacker reaches the company's information over the internet, through its employees and partners, and through the partnership network. The numbered attack paths are:
  (1) System/application attack
  (2) Wireless attack
  (3) Attack using a trusted entity (via the partnership network)
  (4) Attack on users (employees and partners)
  (5) DDoS attack
  (6) On/off-line information leakage (documents, USB, PCs, backups)
Slide 5
3. Change in the environment

Past -> Present
  • Government: autonomously regulating environment -> strengthened government-based legal regulation
  • Customer: passive, sporadic response -> active, collective response
  • Enterprise: a particular department, the CIO's/CSO's agenda -> the whole company, the CEO's agenda
Slide 6
4. Change in the strategies

Past -> Present
  • Infrastructure-centric -> Information-centric
  • Technology-centric -> People-centric
  • Security -> Security and privacy
  • Target: the company and its people -> Target: the virtual company and its people (customers and partners included)
  • Baseline-centric -> Risk-centric
  • Ad-hoc approach -> Process and governance
  • Company's own policy -> Compliance due diligence
Slide 7
5. Strategies-(1) Information-centric

Diagram: the area of interest is no longer the network, the system and the application as such, but the information they hold. Risk is derived from three kinds of information that must be kept dynamic (up to date):
  • Threat information
  • Vulnerability information
  • Asset information
Slide 8
5. Strategies-(2) People-centric
  • Who are the core of the security risk?
  • What are their permissions?
  • How can the risk be reduced?
  • Can their number be reduced?
  • Can their permissions be limited?
  • Can training be strengthened?
  • Can technical controls be strengthened?
  • How can voluntary participation be induced?
  • How can audit and assessment be conducted?

(Same diagram as on the information-centric slide: area of interest network/system/application; risk derived from dynamic threat, vulnerability and asset information.)
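The people-centric questions above (who holds the risky permissions, can their number be reduced, can the permissions be limited, how is this audited) can be answered mechanically from an entitlement list and an audit log. The following is an added example, not code from the presentation or from Infosec; the accounts, privilege names (`db.customer.read`, `os.admin` and so on) and log entries are constructed for illustration, and the 90-day windows are assumed thresholds.

```python
"""
Added example: a people-centric entitlement review.

Input: accounts with the privileges they hold, plus an audit log of which
privileges were actually exercised and when. Output: for each account, the
high-risk privileges held, those that can be revoked because they were not
used inside the review window, and whether the account itself is dormant.
All names and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed catalogue of privileges that touch customer information or grant
# administrative control. Hypothetical names, not a real product's.
HIGH_RISK = {"db.customer.read", "db.customer.export", "os.admin", "backup.restore"}

# Date on which the review is run (constructed).
REVIEW_DATE = date(2008, 10, 30)


@dataclass(frozen=True)
class Account:
    user: str
    privileges: frozenset
    last_login: date  # proxy for whether the account is still in use


# Constructed sample accounts (employees and one partner service account).
ACCOUNTS = [
    Account("alice", frozenset({"db.customer.read", "app.ticket.write"}), date(2008, 10, 20)),
    Account("bob", frozenset({"db.customer.read", "db.customer.export", "os.admin"}), date(2008, 10, 25)),
    Account("carol", frozenset({"os.admin", "backup.restore"}), date(2008, 5, 2)),
    Account("dave", frozenset({"app.ticket.write"}), date(2008, 10, 27)),
    Account("partner-svc", frozenset({"db.customer.export"}), date(2008, 10, 28)),
]

# Constructed audit log: (user, privilege exercised, date).
AUDIT_LOG = [
    ("alice", "db.customer.read", date(2008, 10, 20)),
    ("bob", "db.customer.read", date(2008, 10, 25)),
    ("bob", "os.admin", date(2008, 3, 1)),  # last use is outside the window
    ("dave", "app.ticket.write", date(2008, 10, 27)),
    ("partner-svc", "db.customer.export", date(2008, 10, 28)),
]


def review(accounts, audit_log, today, window_days=90, dormant_days=90):
    """Answer 'what are their permissions' and 'can they be limited' per account.

    A high-risk privilege is flagged for revocation if the log shows no use of
    it within window_days; an account is dormant if it has not logged in
    within dormant_days.
    """
    cutoff = today - timedelta(days=window_days)
    dormant_cutoff = today - timedelta(days=dormant_days)

    # Most recent use of each (user, privilege) pair seen in the log.
    last_used = {}
    for user, priv, when in audit_log:
        key = (user, priv)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when

    findings = {}
    for acct in accounts:
        high = acct.privileges & HIGH_RISK
        # Never-used privileges have no log entry, so they fall before the cutoff too.
        unused = {p for p in high if last_used.get((acct.user, p), date.min) < cutoff}
        findings[acct.user] = {
            "high_risk": high,
            "revoke": unused,
            "dormant": acct.last_login < dormant_cutoff,
        }
    return findings


def reduction_plan(findings):
    """Answer 'can the number be reduced': counts before and after applying the
    findings (revoking unused high-risk privileges, disabling dormant accounts)."""
    before_users = sum(1 for f in findings.values() if f["high_risk"])
    after_users = sum(
        1 for f in findings.values() if (f["high_risk"] - f["revoke"]) and not f["dormant"]
    )
    before_grants = sum(len(f["high_risk"]) for f in findings.values())
    after_grants = sum(
        len(f["high_risk"] - f["revoke"]) for f in findings.values() if not f["dormant"]
    )
    return {
        "privileged_users_before": before_users,
        "privileged_users_after": after_users,
        "high_risk_grants_before": before_grants,
        "high_risk_grants_after": after_grants,
    }


if __name__ == "__main__":
    findings = review(ACCOUNTS, AUDIT_LOG, REVIEW_DATE)
    for user, f in findings.items():
        print(f"{user:12} high-risk={sorted(f['high_risk'])} revoke={sorted(f['revoke'])} dormant={f['dormant']}")
    print(reduction_plan(findings))
```

Run periodically, the output of `review` is the audit record the slide asks for (who had what, what was exercised, what was removed), and the same log that drives it is the evidence that the reduction was actually applied.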
Slide 9
5. Strategies-(3) Security and Privacy
  • Analysis and control of the personal-information handling process (on- and off-line)
  • Analysis and control of the people involved in that process
  • Analysis and control of the systems that manage and protect the personal information
  • Designing a personal-information protection management framework and architecture

Diagram: the personal-information lifecycle (generate/collect -> store -> use -> transfer -> destroy), supported at the system and process layers, mapped against the privacy principles: identifying purpose, collection/use limitation, data quality, openness/transparency, individual participation, notice, security, management, accountability.
Slide 10
5. Strategies-(4) Virtual Organization

Old area: the enterprise's own assets and people.
New areas:
  • Partner companies' assets and people: policy, support, audit, training and certification system for the partner companies
  • Customers: policy, support and training system for customers
Slide 11
5. Strategies-(5) Risk-Centered
  • Equip the company with a framework and methodology for managing information risks
  • Use a threat-centered risk assessment methodology
  • Assess only the company's critical assets
  • Keep it simple
  • Make it a process

Diagram: risk is assessed at each stage of the enterprise's activity: service planning, marketing, service/system development, and service/system operation.
Slide 12
5. Strategies-(6) Governance Process
Slide 13
5. Strategies-(7) Compliance Due Diligence
  • Understanding the related regulations and laws
  • Planning
  • Awareness and training
  • Storing and backing up information
  • Security monitoring
  • Forensics
  • Incident handling
  • Preparing countermeasures for lawsuits

Incident
  • Compliance check and audit
  • Certification

Slide 14
6. Conclusion
  • With 2008 as the starting point, information security has become a business issue in Korea
  • Give the highest priority to information and people in information security
  • Build processes and systems for ensuring compliance with laws and regulations, and for responding to potential lawsuits
  • Do not make the territory of information security narrow
  • Watch the changes in threats and in the environment carefully, and change strategies accordingly