Awareness Program on Compliance in the Era of Technology - PowerPoint PPT Presentation

Awareness Program on Compliance in the Era of Technology
  • ICAI, Mumbai
  • October 19, 2008

  1. Compliance Today
  2. Business Risks
  3. Evolving Security and Compliance landscape
  4. Technology and IT value for business
  5. Incidents and Security related industry
  6. Snapshot of Global Compliance requirements over
  7. Extracting Compliance ROI
  8. Suggested Safeguards (unified framework)
  9. Common regulatory requirements (standards, etc.)
  10. The technology solution
  11. Compliance spotlight: PCI-DSS
  12. Leverage the technology solution
  13. VA/PT
  14. Continuous VA and Monitoring
  15. List of Tools
  16. Why VA/PT
  17. Web App Security, Secure Coding

Compliance Today
  • Organizations have numerous Compliance requirements which keep growing by the day / hour / minute!
    • Regulatory
    • Standards / Best Practice Frameworks
    • Industrial, Contractual, etc.

"Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules." - Securities Industry Association, 2006
  • Technology is constantly evolving, providing new tools and methods to tackle the increasing information and compliance overload.

Compliance Today
  • Compliance with Compliance requirements takes up too many resources
  • Compliance initiatives are treated as Projects (e.g. a SOX / PCI project), but they are continuous processes (so the benefits are not realized)
  • Technology solutions will leverage Compliance efforts to enable Governance and Risk Management, leading to Business gains (productivity,

Compliance must be part of your organization's DNA. Regulatory Compliance is not just a legal requirement but a critical business function.
Business Risks
What is at Risk
  • Operational risk
    • Physical damage/theft
    • Services not available
  • Market risk
    • Lost customers
    • Global partners
  • Legal risk
    • SLAs
    • Lawsuits
    • Regulatory
    • Compliance
  • Financial Risk
    • Claims and losses
    • Quantification of information assets/impact
  • Information on your network
    • Databases
    • Intellectual Property
    • Financial Information
    • Personally Identifiable Information
  • Reputation / Market Value

Technology and Information Made People Smarter
  • Google
  • Luhn's algorithm (to validate any credit card number)
  • VB-based basic key loggers
  • Web-based IP tools, DNS network tools, traceroute
  • Network tools: Nmap, Nessus, etc. All available online
  • Password cracking tools
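Luhn's algorithm, listed above, is only a mod-10 checksum, and its defensive use is the one that matters for the PCI-DSS points later in this deck (secure audit logs, monitor systems): finding card numbers (PANs) that an application has written into its logs. The following is an added example, not code from the deck or from Secure Matrix; the log lines are constructed, the card numbers are the well-known test numbers, and the function names are my own.

```python
import re
from typing import List, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: walking from the rightmost digit, double every
    second digit, subtract 9 from any doubled value above 9, and require
    the sum of all digits to be a multiple of 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# A PAN candidate: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Return every digit run in `text` that looks like a PAN and passes Luhn.
    Separators are stripped before the check; a timestamp or order id of the
    same length is rejected because it (almost always) fails the checksum."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Show at most the first six and the last four digits, the PCI-DSS
    masking rule, so the report itself does not reproduce the leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample application log (hypothetical; not from the deck).
# 4111 1111 1111 1111 and 5500 0000 0000 0004 are published test card numbers.
SAMPLE_LOG = [
    "2008-10-19 10:01:22 INFO  order=20081019000123 amount=199.00",
    "2008-10-19 10:01:23 DEBUG payment card=4111 1111 1111 1111 exp=12/10",
    "2008-10-19 10:01:24 INFO  txn_ref=1234567890123456 status=ok",
    "2008-10-19 10:02:05 WARN  retry card=5500-0000-0000-0004 attempt=2",
]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every PAN found in the log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN written to log ({masked})")
```

On the constructed log the scan reports lines 2 and 4 only: the 14-digit order number and the 16-digit transaction reference on lines 1 and 3 are the right length but fail the checksum. The same function run over real log archives is a cheap control for the "secure audit logs" item in the PCI-DSS slide; a hit means the application, not the log store, needs fixing.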

Incidents (2000-2007)
  • According to the Attrition Data Loss Archive and Database and FlowingData, the following are the 10 largest data breaches since 2000
  • Is there a trend? Yes, the numbers are growing!

Are we safe in 2008?
  • UK Government Depts. reported the loss of 29 million records in the last one year (August 2008)
  • Countrywide Financial Corp.: possibly all 2 million records were sold (August 2008)
  • If sensitive data only includes SSNs and financial account data, and not date of birth and email ids, then should we count Facebook's 80 million records as a data breach? (July 2008)
  • Bank of New York Mellon, PA: as many as 4.5 million customer records are thought to be compromised (March 2008)
  • Compass Bank: 1 million (March 2008)
  • Hannaford Bros. supermarket chain: 4.2 million (March 2008)
  • Trend: numbers are still growing!

Some Facts
  • Who is behind these breaches?
    • External sources, including past employees
    • Insiders
    • Business partners
    • Multiple parties
  • How are these breaches caused?
    • Business process errors or no policy/procedural
    • Hacking and intrusions, including malicious code
    • System/Application vulnerabilities, including those for which patches already exist
    • Physical threats
  • Mostly
    • Victims don't know that a breach has occurred or, more often, are aware of the criticality of the
    • Mostly breaches are opportunistic in nature
    • More than 90% of breaches are avoidable

Some Insights: drivers for security spend
"By 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring, and automation solutions. By 2009, compliance will grow to 14.2% of IT budget from 12% in 2006." Source: Gartner 2007
Common Regulatory Requirements / Standards / Frameworks / Guidelines
  • Sarbanes-Oxley
  • Basel II
  • SAS 70
  • Privacy Laws (e.g. PIPEDA)
  • many more...
  • Clause 49 (SEBI Guideline, Government of India)
  • CTCL
  • ISO 27001:2005
  • 133 control objectives
  • 12 requirements
  • CobiT
  • BS 25999
  • ITIL
  • Data Protection Act
  • IT Act and applicable Criminal / Civil

Extracting Compliance ROI
  • Organizations must plan beyond Compliance
  • Better Security means reduced / managed risk
  • Managed (reduced) risk means better business
  • Operational efficiencies result from compliance
  • Approach Compliance as a business process, not as a requirement / overhead
  • Use learning to shorten future compliance cycles
  • Identify opportunities to build a unified compliance ecosystem
  • Lead the organization to Industry certifications, resulting in higher brand value
  • Eliminate the risk of penalties for
  • Address multiple compliance requirements in a unified approach

Suggested Safeguards
Technology Solution
  • Systems must be developed using a risk-based approach that is aligned with Business, Regulatory and Contractual requirements
  • Leverage technology and co-ordinate Security spend with Compliance, with the overall objective of achieving Governance (automation)
  • Technology practices to enable proactive security Risk management:
    • Vulnerability Assessment / Penetration Testing
    • Web Application Security (AppSec)
    • Code Review
    • Continuous Vulnerability Management
    • Managed Security Services

Compliance Spotlight: PCI-DSS
  • Requirements 5 and 6 (Maintain a Vulnerability Management Program)
  • Stay current on versions (Anti-Virus, Patches, Systems, Configuration)
  • Monitor custom Web applications
  • SDLC (do we practice secure coding?)
  • Invest in automated tools
  • Secure Audit Logs
  • Requirements 10 and 11 (Regularly Monitor and Test Networks)
  • Monitor Systems for Intrusions and Anomalies
  • Implement Reporting and Analysis Tools
  • Centralize and Secure Data
  • ISO 27001 A.15 Compliance
  • Compliance with Legal Requirements
  • Compliance with Security Policies and standards, and technical compliance

ISO 27001 A.12.6 Technical Vulnerability Management

Leverage the Technology Solution
Vulnerability Assessment
  • Results allow the organization to compare findings against known vulnerabilities and prioritize remediation by implementing controls.
  • Provides a health report on the organization's security posture.
  • All Standards, Regulations and Frameworks recommend (or require) Network Assessments as an essential practice.
Penetration Testing
  • Helps determine whether the controls are in fact preventing the vulnerability from actually endangering the network.
  • A well-executed penetration test can identify the most critical holes in an organization's defensive net, including the holes exploited by social engineering.
  • Pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.

Leverage the Technology Solution
Continuous VA and Monitoring
  • Provides a 24 x 7 x 365 watch on network traffic and is available as a Managed Security Service.
  • Traffic is monitored and events (incidents) are correlated against an updated industry Common Vulnerabilities and Exposures (CVE) database.
  • Reports are available online to the client via a web interface, which provides information about the threat(s) and remediation plans.
VA/PT
  • Undertaken by qualified professionals
  • Methodology includes use of automated tools augmented with manual skills
  • Meet regulatory requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
  • Organizations can realize their true security level
  • Measure IT security effectiveness
  • Identify and remediate potential breach points, reducing security risk and liability
  • Benchmark / baseline security posture
  • Certifications: Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV), CEH (EC-Council), CISSP (ISC2), certifications in Forensics, Fraud (Secure Matrix)
  • Commonly used tools for VA/PT (commercial / open source): Nessus, GFI LANguard (c), Nmap, Metasploit, Canvas (c), etc.
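The "compare findings against known vulnerabilities and prioritize remediation" step above, and the continuous monitoring that correlates events against a CVE database, come down to one loop: match what the scanner saw against an advisory list, weight each match by how much the affected asset matters, and re-run after the control is applied. The following is an added example, not Secure Matrix's product or code from the deck; the advisory list and scanner findings are constructed, the CVE ids are obvious placeholders rather than real entries, and the products, versions and scores are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    """One record of a (constructed) vulnerability knowledge base."""
    cve: str        # placeholder id of the form CVE-0000-NNNN, not a real CVE
    product: str
    fixed_in: str   # first version that is no longer affected
    cvss: float     # base score, 0.0 - 10.0


@dataclass(frozen=True)
class Finding:
    """One line of scanner output: which software version runs on which host."""
    host: str
    product: str
    version: str
    criticality: int  # 1 = low value, 2 = internal, 3 = in PCI-DSS scope / crown jewel


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.2.6' -> (2, 2, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def correlate(findings: List[Finding], advisories: List[Advisory]) -> List[Tuple[Finding, Advisory]]:
    """Pair each finding with every advisory for the same product whose fix
    the installed version predates. A host already at or past `fixed_in`
    produces no pair, which is what closes the loop after remediation."""
    matches = []
    for f in findings:
        for a in advisories:
            if a.product == f.product and parse_version(f.version) < parse_version(a.fixed_in):
                matches.append((f, a))
    return matches


def prioritize(matches: List[Tuple[Finding, Advisory]]) -> List[Tuple[str, str, float]]:
    """Rank (host, cve, risk) by risk = CVSS x asset criticality, highest first.
    Weighting by the asset is what lets a medium finding on a PCI-scope host
    outrank a critical one on a kiosk."""
    ranked = [(f.host, a.cve, round(a.cvss * f.criticality, 1)) for f, a in matches]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def remediation_plan(findings: List[Finding], advisories: List[Advisory]) -> List[Tuple[str, str, float]]:
    return prioritize(correlate(findings, advisories))


# Constructed advisory list (hypothetical ids, products, versions and scores).
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssh", "5.1", 7.5),
    Advisory("CVE-0000-0002", "apache-httpd", "2.2.9", 5.0),
    Advisory("CVE-0000-0003", "apache-httpd", "2.2.6", 9.3),
]

# Constructed scanner findings for a small estate.
FINDINGS = [
    Finding("db-01", "openssh", "4.7", 3),        # database server, PCI scope
    Finding("web-01", "apache-httpd", "2.2.6", 2),
    Finding("web-01", "openssh", "5.2", 2),       # already past the fix: no match
    Finding("kiosk-07", "apache-httpd", "2.2.3", 1),
]


if __name__ == "__main__":
    for host, cve, risk in remediation_plan(FINDINGS, ADVISORIES):
        print(f"{risk:5.1f}  {host:9s} {cve}")
```

With the constructed data the plan puts db-01 first (7.5 x 3 = 22.5), then web-01's medium finding (10.0) ahead of the kiosk's 9.3-score finding, and re-running the same function after db-01 is upgraded to the fixed version drops it from the list: that re-run is the "health report" the slide describes, and scheduling it is the whole of continuous vulnerability management.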
List of Tools (indicative)
Vulnerability Assessment
  • Nessus: one of the most popular and widely used vulnerability assessment scanners, with nearly 14,000 plugins.
  • GFI LANguard: a commercial vulnerability assessment scanner with neat reporting capabilities.
  • Netcat: a network debugging and exploration tool.
  • Hping: particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities; used to map out firewall rulesets.
  • Nikto: a comprehensive web server scanner.
  • Sam Spade: Windows network query tool.
  • WebInspect: web application scanner.
  • Firewalk: an advanced traceroute tool.
Penetration Testing
  • Metasploit Framework: a framework to deploy vulnerability exploits and payloads. Secure Matrix has created a database of nearly 100 exploits in this framework.
  • Canvas: a commercial penetration testing tool.
  • Core Impact: a commercial penetration testing tool.
  • SAINT: a commercial penetration testing tool.
  • Cenzic: a commercial web application testing tool.
  • John the Ripper: powerful, flexible and fast multi-platform password hash cracker.
  • THC Hydra: a fast network authentication cracker which supports many different services.
  • Dsniff: a suite of powerful network auditing and penetration-testing tools.
  • SolarWinds: network discovery/monitoring/attack tools.
Why VA/PT
  • To catch a thief, you have to think like one.
  • You hack into your own network to do a Vulnerability Assessment (VA), identifying vulnerabilities, such as open ports, in the same way they may be visible to an intruder.
  • Following the VA is the Penetration Test, where you take advantage of the vulnerabilities by penetrating the network.
  • When you test all IP addresses that are visible to the outside world, you can get answers to sticky questions like:
    • Can an intruder hop on to the conference room network?
    • Is it possible for the intruder to connect to the database server?
    • What can you do (that which no one wants an intruder to do!)?

Presented by
Dinesh Bareja, CISA, CISM, ITIL, IPR, ERM, BS 7799 (Imp LA) - Senior Vice President
Information Security professional with more than 11 years of experience in technology in commercial, operational, functional and Project Management roles on multiple large and small projects in global and domestic markets. Experienced in establishing ISMS (Information Security Management System), planning and implementation of large-scale CobiT implementations, ISO 27001, Risk Management, BCP/DR, BIA, Asset Management, Incident Management, Governance and Compliance, among others. He is also a member of ISACA, OCEG, itSMF and co-founder of the Canadian Honeynet Project and the Open Security Alliance, among others.
Contact Information
Registered Office, Mumbai: 12 Oricon House, 14, K. Dubash Marg, Fort, Mumbai 400 001. Tel +91 22 3253 7579, Fax +91 22 2288 6152
Technology Centre, Pune: Trident Towers, 2nd Floor, Pashan Road, Bavdhan, Pune 411021
Technology Centre, Chennai: Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai 600026
Dubai: P O Box 5207, Dubai
London: 16-20 Ealing Road, Wembley, Middlesex HA0 4TL
Bahrain, Atlanta
Thank You ICAI, Mumbai