User Security and Governance Models. A review and primer presented for. ISACA - Phoenix

Transcription

1 User Security and Governance Models A review and primer presented for ISACA - Phoenix By Patrick Bass

2

3 Security Acts & Models Many different models exist. Why? Provide frameworks for effective cybersecurity and data privacy. Examples of federal models we will cover: GLBA, FISMA

4 What happens when GLBA and FISMA are federal laws enacted to protect information systems, data, and privacy. They have narrow scopes defined by public law However, some organizations use these models as the basis for information security management programs Is this good or bad?

5 Let s take a clsoer look: GLBA Gramm-Leach-Bliley Act November, 1999 Repealed the Glass-Steagall Act Thus, commercial and investment banks are no longer subject to separation requirements Strengthens privacy protection for banking consumers Increases competition among banks: HOW?

6 GLBA, continued Banks have great access to information about their depositors GLBA limits how banks use and share their client s financial information Thus, GLBA increases competition by limiting moral hazards of unfettered access Another effect: increases banking conglomerations rather than limits them. GLBA may hurt smaller banks.

7 GLBA Privacy Provisions Protects nonpublic personal information from unauthorized use Name, address, income, SSN, etc. Scope is financial activity, an ever-expanding list of activities defined by the Federal Reserve Requires privacy notices and a taxonomy of information collected and disclosed, types of affiliated and non-affiliated third parties who share information, and FCRA disclosures

8 GLBA Security Requirements Document security controls in writing Must ensure the security and confidentiality of non-public information Protect against common threats Formal security program, risk assessment, threat identification, and a review of policy and procedures

9 FISMA Federal Information Security Management Act 2002 Requires federal agencies to develop, document, and implement information security programs The scope for FISMA includes federal information systems including those provided or managed by another agency, contractor, or other source Approaches IS from a risk-based, cost-effective methodology

10 FISMA Security Requirements NIST security controls About 249 individual controls 18 different domains Includes all aspects of IS Access control Education Change management Authentication Etc

11 FISMA, continued FISMA, along with FIPS and NIST, comprise well-documented information security standards that are applicable to all federal computing systems. Systems outside of FISMA s scope may not benefit from the act s exhaustive requirements. FISMA compliance may be cost prohibitive and in some cases impossible to achieve for smaller organizations

12 Security Models Ye olde standby ISO/IEC series ISO the main specification for ISMS ISO the IS code of practice Compliance with international standards is especially useful for multi-national corporations

13 More Security Models PCI DSS Payment Card Industry Data Security Standard Applicable to organizations that store, process, or transmit credit card data HIPAA/HITECH Applicable to electronic healthcare information

14 Discussion - Issues Prescriptive acts and models Relate to the imposition and enforcement of a particular rule or method What does true data security require? The freedom to make decisions that are economically optimal

15 Are we more secure? There is no empirical evidence that proves organizations are more or less secure in a post-(insert your act or model here) world. Some insecure behaviors have stopped However, prescriptive solutions do not take into account every conceivable security threat (this is why PCI DSS is getting larger and more difficult to comply with)

16 The IF Game IF these acts and models are sufficient, THEN, absent of human error, there would be no new security breaches Prescriptive acts and models must always expand (approaching infinity) until the megastandard considers all known, unknown, and emerging issues.

17 Acts and Models - Pros Create a consistent approach for information security

18 Acts and Models - Conclusions The effectiveness of any security frameworks is measured not only by the completeness of the framework s authors, but by the implementation skill of the practitioner. Thus, security must never be about compliance, but rather, data security itself.

19 Conclusion, continued When data security is achieved, compliance is easily validated. In the absence of data security, compliance is difficult or impossible. Finally, security acts and models provide a potential overview for consideration as the beginning, not the end of a protection scheme

20 About Terra Verde Services Terra Verde Services is a value-provider of professional security services and solutions with experienced professionals to help you navigate the risky waters of modern business. Established in 2008 Offices in Scottsdale Only Payment Card Industry Qualified Security Assessor (PCI QSA) headquartered in Arizona Pragmatic experience to solve problems Key differentiators Objective and un-biased Experienced, dedicated personnel Service professionals have minimum 10 years IT experience with an average of 15 years

21 TruSOC Managed security services provider Discovery Monitoring Response Metrics An experienced, Arizona based staff, monitoring your IT investment 24x7

22 Some of our partners

23 A sample of (cool) recent projects Security incident response for a major Scottsdale-based firm External logical pen test for a well-known Midwest financial organization Infiltrated a large hospitality company s reservation system and stole credit card numbers Broke into a technology firm by posing as electricians and infiltrated the clean room stealing next-gen patent filing applications, business plans and product design Security assistance to a leading research university

24 Patrick W. Bass Director, Security Solutions Scottsdale, Arizona