1. a step by step approach
METRICS, RISK MANAGEMENT & DLP
Rob Kloots Vice-President ISSA-BE ; Webmaster ISSA-BE
Owner CSF b.v. - GRC Consulting
Rob.Kloots@csf.nl
2. DISCUSSION ITEMS
Professionalise, Organise
Compliance Security Framework
Objectives
Metrics
Measures
Achieveable Markerpoints
Risk Management
Data Loss Prevention System
External Standards
Action list
Controls
Conferencias ISSA de Seguridad 2010 15-04-2010 3
3. DATA LOSS PREVENTION
Data Loss Prevention (DLP) is a computer security term
referring to systems that identify, monitor, and protect data in use
(e.g., endpoint actions), data in motion (e.g., network actions),
and data at rest (e.g., data storage) through deep content
inspection, contextual security analysis of transaction (attributes
of originator, data object, medium, timing, recipient/destination,
etc.), and with a centralized management framework. The
systems are designed to detect and prevent the unauthorized use
and transmission of confidential information.
It is also referred to by various vendors as Data Leak
Prevention, Information Leak Detection and Prevention
(ILDP), Information Leak Prevention (ILP), Content
Monitoring and Filtering (CMF) or Extrusion Prevention
System by analogy to Intrusion-prevention system.
4
Conferencias ISSA de Seguridad 2010 15-04-2010
4. FIREFIGHTING DLP INCIDENTS
Data breach causes
According to a Verizon 2009 report
• 74% from external sources
• 20% by insiders
• 32% implicated business partners
• 39% involved multiple parties
What damage can be done?
• Loss of trust
• Reputation damage
• Loss of clients Conferencias ISSA de Seguridad 2010 15-04-2010
• Repair costs
5
5. FIREFIGHTING DLP INCIDENTS
DLP more then a Gartner-hype
DLP
DLP key to GRC
European Commission
enforces DLP in the 2008
Telecom Directive
DLP incidents are a given
fact of operations
If or When?
6
6. ADAPT, ADOPT, IMPROVE
Firefighting
Maturity level
Adopt
What steps?
Learning Management System
Metrics,
Measures, and Improve Adapt
Markerpoints.
7
Conferencias ISSA de Seguridad 2010 15-04-2010
7. MATURITYLEVELS
o Predefined business process
o Clear goals/performance req’s
o Quantitative/qualitative measures
Quantitatively
Managed
Managed
Defined
Repeatable
Incomplete
8
Conferencias ISSA de Seguridad 2010 15-04-2010
8. Conferencias ISSA de Seguridad 2010 15-04-2010
COMPLIANCE SECURITY FRAMEWORK
A Compliance Security Framework should
allow for team-effort for both
Mgt (2) and operators(3) to enter into a
learning system
with respect to Compliance & Risk based
1
security measures (1).
CS
F
2 3
9 9
Conferencias ISSA de Seguridad 2010 15-04-2010
9. COMPLIANCE DEFINED
Compliance is either a state of being in
accordance with established standards,
specifications or legislation or the process of
becoming so.
10
Conferencias ISSA de Seguridad 2010 15-04-2010
10. COMPLIANCE CAN PROVIDE OPPORTUNITIES
Compliance within Organisation can provide a
positive Roi.
Investment
Compliance Management, based on an efficient
control set (e.g. ISO27001/9001/20000) and audit
methodology.
Return; by being compliant, Org.:
has a strong quality statement for existing
customers and prospects;
mitigates risks;
improves quality of service delivery processes.
11
Conferencias ISSA de Seguridad 2010 15-04-2010
11. COMPLIANCE; AGAINST WHAT?
Company internal
policies &
standards
External rules and
regulations
Industry standards
Customer (security)
requirements
…
12
Conferencias ISSA de Seguridad 2010 15-04-2010
12. WELL-CONTROLLED ORGANIZATIONS
Key attributes of a well-controlled
organization include :
# 1. Leadership of Board
# 2. Translation of strategic vision to day-to-day management
# 3. Communication of objectives & values to all levels
# 4. Individual accountability
# 5. Risk management system
# 6. Human resources reinforcement
# 7. Independent, objective and competent oversight
13
Conferencias ISSA de Seguridad 2010 15-04-2010
13. 14
pwc
RISK & CONTROL : SYMBIOTIC SYSTEMS
• Define strategic risk
• Articulate risk philosophy
Objective • Define values and behavioral expectations
• Assess risk
Risk • Manage risk
• Assess existing controls
Control • Select control model
• Continuous communication
• Continuous program for ORC
Alignment
• Develop a control improvement plan
… Operations are dynamic and evolving...
Conferencias ISSA de Seguridad 2010 15-04-2010 14
14. METRICS - 1
Metrics are simply a standard or system of
measurement
Metric - A quantitative measure of the
degree to which a system, component, or
process possesses a given attribute [2]. A
calculated or composite indicator based upon
two or more measures. A quantified measure
of the degree to which a system, component,
or process possesses a given attribute [3].
15
Conferencias ISSA de Seguridad 2010 15-04-2010
15. METRICS - 2
Characteristics & Classification
Process metrics
CSFs, KGIs and KPIs
Asset related vulnerability metrics
What value has Data, when static, dynamic, owned,
stored, lost
Monetary value of Reputation
? Market Capitalisation
! Value of assets in Euro
! Total asset value at Risk
16
Conferencias ISSA de Seguridad 2010 15-04-2010
16. MEASURES
Measure - To ascertain or appraise by
comparing to a standard [1]. A standard or unit
of measurement; the extent, dimensions,
capacity, etc., of anything, especially as
determined by a standard; an act or process of
measuring; a result of measurement [3]. A
related term is Measurement - The act or
process of measuring. A figure, extent, or
amount obtained by measuring [1]. The act or
process of measuring something. Also a result,
such as a figure expressing the extent or value
that is obtained by measuring [3].
17
Conferencias ISSA de Seguridad 2010 15-04-2010
21. DATA LOSS PREVENTION SYSTEM
1. Introduction to the DLPS 10%
2. Creating the Asset Inventory 8%
3. Establishing Information Risk Management process 8%
4. Establish a Continual Improvement process 10%
5. Developing Documentation 5%
6. Establishing a Legal Registry process 8%
7. Establishing a Compliance Management process 5%
8. Establishing an Audit process 10%
9. Establishing a Governance process 10%
10. Establishing Security & Privacy testing process 8%
11. Establishing the Incident Response process 8%
12. Establishing Training & Awareness process 10%
Conferencias ISSA de Seguridad 2010 15-04-2010 22
22. DATA LOSS PREVENTION
SANS Critical Security Controls
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops,
WorkstationsCritical, and Servers
Control 15 Metric
4: Secure Configurations for Network Devices such as Firewalls, Routers,
and Switches
The5: Boundary Defense capable of identifying unauthorized data
system must be
leaving the organization'sand Analysis whether via network file
6: Maintenance, Monitoring, systems of Audit Logs
7: Application Software Security
transfers or removable media. Privileges
8: Controlled Use of Administrative
9: Controlled Access Based on Need to Know
Control 15Test
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
Associated NIST SP 800-53 Rev 3 Priority 1
14: Wireless Device Control
15: Data Loss Prevention
Controls:
AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1),
SI-4 (4, 11), PM-7
Conferencias ISSA de Seguridad 2010 15-04-2010 23
