1. Navigating a safe course to better information assurance
Enabling Your Business
TALENTED TOGETHER
SOCITM Conference Oct 2009
2. Agenda
1 Introduction
2 Context
3 Government perspective
4 Assistance available
5 Point of view
3. Wrecks – A brief history of non-protection
Government, healthcare and education sectors accounted for 60% of data breaches and 60% of identities exposed*
*Symantec ISTR vol. XIII, Apr 2008
4. Data Protection
Reported DPA breaches: 578 since Nov 07
  Private sector 172
  NHS 162
  Local Government 69
  Central Government 56
“No organisation handling information can guarantee it will never experience losses. But people have a right to expect that their public services achieve and maintain high standards in this important area. Those involved in delivering those public services must work harder and be more effective to meet and exceed those expectations.”
(Sir Gus O’Donnell)
6. Personal data is now pervasive
[Figure: where personal data sits, mapped across the layers Network, End Point, Application, DB/FS and Storage. Network: WAN, Web Servers, Internet, Portals, Other sites & Partners. End Point / Application: Enterprise App, Core App, Custom App, Exchange Server, File Server. DB/FS: Database, Replicated Database, Backup. Storage: Disk Storage, Backup Tape, Backup Disk.]
7. Major threat areas
[Figure: threats overlaid on the Network / End Point / Application / DB/FS / Storage layers of the previous slide, with a High Risk / Medium Risk / Low Risk legend. Threats labelled in the figure:
1 Database/File Server Hack
2 Disks stolen or discarded media exploited
3 Packets sniffed in transit
4 Privileged User Breach (DBA/FSA)
5 Media lost or stolen
6 (Semi) Trusted User Misuse
7 Unintentional Distribution
8 Privileged User Breach
9 Application Hack
10 (Semi) Trusted User Misuse
11 Unintentional Distribution
12 Physical theft of media or lost media exploited
13 Trojans / Key Loggers
14 Unintentional Distribution
15 Public Infrastructure Access Hack]
9. PCI DSS
Requirements for Compliance
  Build & Maintain a Secure Network
  Protect Cardholder Data
  Maintain a Vulnerability Management Program
  Implement Strong Access Control Measures
  Regularly Monitor & Test Networks
  Maintain an Information Security Policy
Key Focus Areas for PCI Compliance
  Information Security Policies
  Network Security
  Encryption
  Key Management
  Logging
  Log Review
  Access Control & Management
  File Integrity Monitoring
  Vulnerability Management
  PCI Remediation Strategy
10. Real risk of compliance fatigue
Increasing stakeholder demands (Citizens, Council, Central Gov’t, LGA)
+ Expanding risk & control oversight functions (Internal Audit, External Audit, Corporate Services, Finance, Legal, Risk, ICO)
+ Changing law, policy & directives (Policy, Privacy, BCP, InfoSec, Op’ Risk)
= Business fatigue
  Lack of co-ordination
  Duplicate effort
  Risks falling between the cracks
  Competition for ICT attention
11. IA challenges facing Public Sector
Government Agenda
Shared services vs privacy vs efficiency
Citizen centric – more online services
Global development
Citizen expectations
Growing threats to UK Plc
Expanding compliance requirements
New CIA – Convenience / Interoperability / Affordability
12. Reviews Conducted
(Section navigation: Government Reviews | Data Handling Report | Security Policy F/Work | New Guidance | IA Maturity Model | Looking Forward)
HMRC – Poynter Review (Kieran Poynter, PWC), June 2008
MOD – Burton Review (Sir Edmund Burton), June 2008
Data Handling Review (Sir Gus O’Donnell), June 2008
Data Sharing Review (Richard Thomas & Dr Mark Walport), July 2008
13. Reefs and rocks – where things go wrong
Cost reduction pressures
Competing business priorities
  now vs secure
Failing to effectively risk manage 3rd parties
  outsourcing … development … hosting … testing
New initiatives
  cloud computing … offshore …
Mobility
  remote working … mobile computing (32GB of data on a mobile phone)
Compliance fatigue
14. Data Handling Report
Key DHR Recommendations
  Core measures to protect personal data and other information across Government;
  A culture that properly values, protects and uses information;
  Stronger accountability mechanisms; and
  Stronger scrutiny of performance.
15. Charts to help you
Replaced Manual of Protective Security (MPS)
Collective responsibility to protect assets
Must be able to share information
Must have confidence in people
Business resilience
Mandated Protective Security Policy
  For HMG Departments and their Agencies
  Includes IA Policy
  70 Mandatory requirements
4 Tiers
  Tiers 1-3 Not Protectively Marked – available to public & WIAC via CSIA
  Tier 4 Restricted – available through accredited route
New ICO Powers
  Monetary Penalties
  Assessment Notices (without permission)
New EU e-privacy legislation will drive ‘Breach Notification’ requirement (2-3 years)
16. The High Level View
[Figure: layered view of the UK policy and compliance landscape]
Cyber Security Strategy of the UK
National Information Assurance Strategy (NIAS)
Security Policy Framework (SPF) – 70 Minimum Mandatory Measures
Data Protection Act
Freedom of Information Act
Information Assurance Maturity Model (IAMM)
HMG IA Standard No. 6
Accreditation
Data Handling Review Guidelines
CoCo’s
Other Legal / Compliance Requirements (PCI, RIPA, etc)
17. Some new lighthouses
Local Authority Data Handling Guidelines
Data Handling (NHS)
Enhanced Governance
  Govt level – IADG / IAOB
  Locally – SIRO / Data ownership
Improved professionalism – IISP
IA Good Practice Guides
  Currently 15
  Outsourcing
  Data Aggregation
  Laptops
  Remote working
  Secure bulk data transfers
IA Standards
  Existing standards reviewed
  New risk assessment methodology
  New Standards (IAS 6)
18. Protecting personal data
HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk
Outlines minimum measures that MUST be implemented by Departments & Agencies bound by the SPF.
Key Principles
  Departments and delivery partners must protect personal data
  Sensitive personal information must be handled in accordance with specific measures
  Those with access to sensitive personal data must have appropriate training.
19. Government model for IA
“The pressure is to deliver quicker, but the advantage will be on those who can build in assurance”
(Sir E. Burton)
[Figure: IA lifecycle model with EXTRINSIC and INTRINSIC tracks and an OPERATIONAL IMPLEMENTATION phase. Stages shown: Design in IA, Build in IA, Evaluate Solutions, Determine Residual Risk, Ongoing IA Management.]
20. IA Maturity Model (IAMM)
IAMM and IA Assessment Framework published in Sept 2008 to assist Senior Information Risk Owners (SIROs) develop IA maturity within their Departments.
Will assist boards to report improvements in their IA and IRM in their annual reports to Cabinet Office.
Incorporates SPF and DHR requirements and is aligned to ISO 27001.
Departments will need to provide evidence of IA maturity in their Agencies, NDPBs and delivery partners.
5 levels – Initial (1) to Optimised (5)
Self-assessment and supported self-assessment
21. On the horizon
NIAS Delivery
Continued focus on DH (>ICO powers)
Increased focus on
  Training
  Audit
  Benchmarking
  WIAC adoption
  DH guidelines
  SPF
  Governance measures
  Delivery Partner scrutiny
Partner with Industry Initiative (PWI)
Government Cyber security strategy
PCI incorporated into policy
22. Safety equipment
Education, education, education!
Through-life assurance approach
  build security in & prove it
Risk management advice
  CESG CLAS scheme
Ensure 3rd parties know what they need to do & do it!
  flowdown of any CoCo requirements
Technology solutions
  encryption, DLP, etc
Proven ability to react in the event of an incident
  forensics readiness
Ongoing technical assurance
  CESG CHECK scheme
23. Prove that your security is effective
Penetration tests (annual / bi-annual / quarterly), including CHECK
External Network Mapping
Vulnerability Scanning Service of external network
Monthly reports
Workshops with Security Consultants
24. Point of view
The recent global events around data loss have been cause for significant reflection as to the effectiveness of information risk management & compliance globally – expect more ‘regulation’
The pace of change in UK Government in particular has been unprecedented – the assurance elements have yet to mature
Quality and clarity of guidance available in the UK is unlike any other country globally
It is possible to implement an information centric security assurance strategy which reduces compliance cost and minimises duplication of effort
Effective information assurance supported by sound governance is key to not repeating the mistakes of the past
25. A final word from the Information Commissioner
“… The blunt truth is that all organisations need to take the protection of customer data with the utmost seriousness. I have made it clear publicly on several occasions over the past year that organisations holding individuals’ data must in particular take steps to ensure that it is adequately protected from loss or theft. … Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence. …”
Richard Thomas, April 2008