FREE WITH YOUR COPY OF CHIEF TECHNOLOGY OFFICER FORUM

Safeguarding Enterprise Through Audits
Exploring the state of the IS audit process, the associated threat information and its relevance to the ISMS environment. PAGE 05

IN-SHORT: Infosys BPO Receives PCI DSS. PAGE 02
OPINION: Time to Adopt Grid Cyber Security Standards. PAGE 07
IN-PERSON: Moving up the Security Agenda. PAGE 04

A 9.9 Media Publication
IN-SHORT
Cyber-Ark Software Announces Alliance with Dell
Cyber-Ark Software, the leading global software provider for protecting critical applications, identities and information, today announced a global OEM alliance with Dell. Through this alliance, Cyber-Ark will bundle its Privileged Identity Management Suite with Dell’s PowerEdge R410 and R610 rack servers, offering customers a single-source appliance for managing privileged identities and passwords on a data center-ready platform. “Cyber-Ark is widely recognised as the privileged identity management market leader. This partnership gives our customers the resources they need while mitigating the risks that stem from administrative passwords and accounts,” said Ron Pugh, director OEM solutions, Dell. “This partnership should provide new market opportunities on a global basis for both Cyber-Ark and Dell.”

RBS WorldPay Hacker Gets Four Year Probation
The mastermind behind one of the biggest hacking paydays in history has been sentenced to four years’ probation and a USD 8.9 million fine, according to reports. A hacker was handed a six-year suspended sentence after he pleaded guilty to participating in a worldwide scheme to withdraw $9 million from automated teller machines. Viktor Pleshchuk, 28, received a reduced sentence, which includes four years of probation, prosecutors said. He agreed to provide information about other hackers who cracked a computer system at RBS WorldPay, the U.S. payment-processing division of Royal Bank of Scotland Group, and cloned ATM cards, said his lawyer, Yury Novolodsky. Pleshchuk was also ordered to pay more than 275 million rubles (USD 8.9 million) to WorldPay.

“This is not a regular crime but a cybercrime, and Pleshchuk didn’t really have a full understanding of the damage he was causing,” Novolodsky said in an interview. “He pleaded guilty and is fully collaborating with authorities.”

The U.S. Justice Department last year indicted Pleshchuk and seven other hackers in Russia and elsewhere in Eastern Europe, saying the group used “sophisticated hacking techniques” in November 2008 to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards, according to a statement. The cards were used to withdraw the money from 2,100 ATMs in 280 cities worldwide in less than 12 hours, in what U.S. prosecutors called “perhaps the most sophisticated and organised computer fraud attack ever conducted,” the statement said.

DATA BRIEFING
84% increase in focus on data protection
SOURCE: PRICE WATERHOUSE COOPERS (PWC)

CSO FORUM 21 SEPTEMBER 2010
IN-SHORT
Lack of Confidence in Enterprise Cyber Security
Less than 6 percent of respondents polled during a recent Deloitte webcast about cyber crime prevention were “highly confident” that private enterprises have sufficient controls in place to minimise the occurrence of cyber crime. In fact, almost 40 percent of respondents are “not confident” in the controls implemented by private enterprises. Results from the webcast showed a fairly even split among respondents on whether their organisation was likely to experience an electronic security breach in the next 12 months: 41.7 percent believed it was “likely” or “extremely likely” that an electronic security breach would occur in this time frame, while 38.4 percent indicated it was “unlikely” or “extremely unlikely.”

“Cyber crime is far more common and creates a larger threat than respondents may recognise. Based on the results of this poll, it appears that many organisations are leaving themselves vulnerable to cyber crime because there might be a false sense of security, or perhaps even complacency,” said John Kula, Director in the forensic & dispute services practice of Deloitte Financial Advisory Services LLP. “Many organisations are failing to recognise the prevalence of cyber crimes in their IT environments and consequently could be misallocating limited resources to lesser threats.”

When asked about their experience with cyber crime, the majority of participants (68.4 percent) responded that they have received phishing e-mail messages, and 12.1 percent reported that their organisations have been targeted by cyber criminals. Asked what type of information senior management in their organisations was most concerned about cyber criminals gaining access to, participants named customer personal information (38.1 percent), financial information (21.8 percent), followed by intellectual property or business plans (12.2 percent).

“Cyber crime innovation and techniques have outpaced traditional security models. That’s what makes it so important to gather intelligence data internally and externally to understand the threats, and then to act on that intelligence. If companies don’t have the tools in place to be informed and to prevent breaches, it could lead to significant risks, potentially leading to financial losses, regulatory issues, and a loss of client and public confidence,” said John Clark, Partner, Security & Privacy Services Practice, Deloitte & Touche LLP.
Infosys BPO Receives PCI Data Security Standards Certification
Infosys BPO, the business process outsourcing subsidiary of Infosys Technologies, is now certified compliant with the Payment Card Industry Data Security Standard V1.2.1 (PCI-DSS). The certification affirms Infosys BPO’s commitment to a strong data protection and information management strategy and places it among a handful of third-party service providers around the globe to have achieved this distinction. PCI-DSS is a comprehensive set of standards that requires merchants and service providers that store, process, or transmit customer payment card data to adhere to strict information security controls and processes. The certification involves verification of the implementation of a number of mandated control objectives specific to technology design, network and physical data security.

“Infosys BPO is proud to be among a handful of organisations globally that are certified under PCI-DSS, one of the most stringent security standards globally,” said Srikant Balan, Head of Risk Management at Infosys BPO. “The certification is a natural outcome of the systematic procedures we have always followed and promoted to provide high level security while ensuring compliance for all clients.”
IN-PERSON
Moving up the Security Agenda
Security has moved up the agenda in many organisations as the Web has become more dynamic in nature, explains Didier Guibal, Vice-President, Worldwide Sales, Websense. He spoke to Dominic K. Excerpts:

How has the global security market evolved in the last couple of years? How has the security market evolved in India?
For years the security industry built effective defences from security threats using technologies including firewalls, anti-virus software and intrusion prevention systems. However, the majority of security threats have now moved to the Web, blended attacks have evolved, and attackers’ techniques have become increasingly sophisticated. Today’s attacks are targeted and stealthy—aimed at stealing specific data instead of taking down a company’s infrastructure. Traditional security measures are no longer enough. Threats are blended, so attacks span Web and email and can potentially compromise data. So, as companies aim to manage these new threats, they need to rethink their legacy point security solutions that often fail to recognise these risks, much less to manage them effectively. They assume that threats only manifest themselves in a single channel: data security, web security or email security. As a result, they are unable to correlate threats across multiple applications. Blended Web and email attacks easily evade standalone anti-malware tools. URL filtering and reputation-based tools may catch yesterday’s threats, but they lack the speed and agility to identify threats associated with dynamic online content or attacks against legitimate Web pages. Point-based security solutions of all types leave gaps that attackers will target and exploit. Companies are looking at unified content security solutions that, by comparison, do a better job of managing blended Web, email, and data security risks. These solutions offer the ability to call upon a robust, far-reaching set of threat assessment and intelligence tools.

“The ultimate responsibility of data loss should lie with the board of an organisation.”

Market trends in security software are almost always complex. What have you witnessed till now and what is your view on the Indian security trends?
Web 2.0 has not only changed the threat landscape, it has altered how companies use the Internet. It’s not just social networking sites like Facebook and LinkedIn, but also more traditional sites such as national news sites, and business applications. Malware can appear on trusted sites with good reputations just as easily as on other sites. Employees are creating content and, in moments, sharing it with thousands of others. Content on these sites is dynamic, so it flies under the radar of legacy security systems. To embrace Web 2.0 at work, business needs new ways of protecting essential information. IT professionals struggle to adopt reasonable policy controls to keep their networks safe from external threats.
COVER STORY
Safeguarding Enterprise Through Audits
Every IS audit determines the severity of the enterprise’s database and network vulnerabilities, the associated threat information and its relevance to the organisation’s ISMS environment. By Dominic K

Information Security (IS) audit and compliance is common in most enterprises across verticals and sectors. In spite of this, organisations face multiple challenges and breaches, both external and internal. The need to protect information assets has become a top management priority for every organisation. The protection is necessary to keep a competitive advantage in a challenging marketplace. Beyond this, an IS audit is also about normal human emotions such as fear and nervousness. The last thing any enterprise CISO would ask for is someone from the outside world coming into their organisation and pointing out all of their flaws. If an organisation does not take structured steps to safeguard itself, the consequent losses could result in substantial damage to revenue, brand erosion and even legal culpability. Information needs to be protected across its life cycle, from unauthorised access, changes and non-availability.

Budgets are yet another important consideration when securing company resources. As the economy fluctuates over time, security officers struggle to receive their fair share of the budget. When you add in legal requirements, such as those imposed by HIPAA, GLBA and Sarbanes-Oxley, the job of securing a corporate network can be very imposing. The board of directors and senior management team clearly understand that IS auditing will help reduce risks and enhance competitive advantage by protecting their information assets and providing assurance on governance as well. Generally the audit report is presented to the audit committee of the board and compliance is taken up under the guidance of the Chief Information Security Officer (CISO). Asset owners are called for the specific issues mentioned in the report.
Evolving Paradigm Shift
There has been a dramatic shift in the IS audit approach and IS strategy across India over the past few years. Internally, enterprises hold assessments and reviews more frequently, as the security posture changes with time. There are operations security reviews as well, for project resources, people practices and background checks specifically. Statutory and compliance audits have become more stringent, with expectations on implementing industry best practices and improvements. Customers today are very keen on the risks and review them with joint action plans. While data security is being enhanced with both proactive and reactive controls, adequate levels of adherence to processes and controls are expected. “One of the best ways is to address the top-priority risks with a mitigation plan, rather than taking all. This is also because of the fact that a top-priority risk contributes more than 80 percent,” says BLV Rao, Vice President - Networks & Systems, Infotech Enterprises.

Many enterprises today have an independent IS audit cell under their inspection and audit department, headed by a senior or general manager. They periodically carry out internal audits of information assets, says Sameer J. Ratolikar, CISO, Bank of India: “We have our external auditors empanelled to assess the security posture of our critical information assets. We make sure that the observations reported out of internal and external audits are presented to the audit committee of the board and complied with in a time-bound manner.”

Future Trends
Key developments in IS audits globally:
Privacy has become a top concern and is a central part of IS audits.
Business risk and project risk are gaining importance.
Security dashboards with monitoring metrics and trend analysis.
Event correlation and log analysis.
More focus on people and practices.
Joint review with customers on action plan and progress.
Shift from data security based audits to data protection based audits.

Frequency of IS Audits
Many security officers are often seen performing double duty as network administrators and have little time to stay current on the latest operating system and application vulnerabilities. This is where external security auditing companies can provide a tremendous amount of benefit. The hard part is accepting that someone else will be examining everything that your department has built and making recommendations. Most organisations define their audits to be done quarterly by internal and external risk and compliance authorities. IS audit standards such as ISO 27001 ask for surveillance to be done once in six months, with a re-certification audit on a two-year cycle. External audits are typically once a year, while internal audits are planned bi-yearly. “Internal IS audits for critical information assets are carried out twice a year, followed by an external audit every three months for the data centre and disaster recovery centre. ISO 27001, IT Act 2008 and PCI-DSS based standard clauses are taken into account during the audit process,” says Ratolikar. A few organisations in India go by the business requirement and the magnitude of the operations covered under the audit scope, and based on those parameters the audits are performed both by internal teams and by external companies. Choosing the right IS audit partner depends on their capabilities, their ability to understand and enhance existing systems and, more importantly, on their alignment with the long-term plans of the enterprise.

Finally, Will It Stop Frauds?
No. At least not directly, unless the frauds are perpetrated within the IT audit function. Audit independence means that auditors do not form part of the routine system of controls in operational areas of an organisation. Managers and staff are responsible for designing, implementing, operating and maintaining the appropriate system of controls to prevent fraud or other control failures (e.g. accidental loss of key data, or even the keys to the fire safe). Auditors are responsible for examining and commenting on those controls, but again it is the CISO’s and senior management’s duty to respond appropriately to audit reports and recommendations.
OPINION BY DOMINIC K dominic.k@9dot9.in
THE AUTHOR IS Associate Editor, CSO Forum

High Time to Adopt Grid Cyber Security Standards
Organisations, in a quest to gather intelligence on their environment, track and store ever-increasing amounts of event logs and related data. Often, though, they find the use of that data and its value to the business elusive at best, overlooked at worst. In this respect the national electric grid plays a very critical role for any nation across the globe. The National Institute of Standards and Technology (NIST) of the United States recently issued its first guidelines for smart grid cyber security, which include high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organisations to use as they craft strategies to protect the modernising power grid from attacks, malicious code, cascading errors, and other threats. The product of two formal public reviews and the focus of numerous workshops and teleconferences over the past 17 months, the three-volume set of guidelines is intended to facilitate organisation-specific smart grid cyber security strategies focused on prevention, detection, response and recovery.

This made me ponder where we stand on modernising India’s electric infrastructure to make it smarter, more efficient and more capable. Only once India’s electric grids are modernised to international standards can we think of treating the development of common Smart Grid standards as a national priority, and these cyber security guidelines are undoubtedly an important step toward that goal. If we are truly serious about modernising our electrical grid, we must have electricity producers, distributors and consumers all speaking the same language and all working together to make our grid more secure. Cyber security is an integral part of the grid. The guidelines were produced by a 450-member working group, with participants from academia and both the public and private sectors. The new guidelines elaborate on the cyber security overview in the group’s first major output, the January 2010 NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0. They provide the technical background and details that can inform organisations’ efforts to securely implement smart grid technologies.
The report advocates a layered—or “defense in depth”—approach to security. Because cyber security threats are diverse and evolving, the report recommends implementing multiple levels of security. The guidelines identify 137 interfaces—points of data exchange or other types of interaction within or between different smart grid systems and subsystems. These are assigned to one or more of 22 categories on the basis of shared or similar functional and security characteristics. In all, the report details 189 high-level security requirements applicable either to the entire Smart Grid or to particular parts of the grid and associated interface categories.

The new report also includes:
A description of the risk assessment process used to identify the requirements;
A discussion of technical cryptographic and key management issues across the scope of Smart Grid systems and devices;
Initial recommendations for addressing privacy risks and challenges pertaining to personal residences and electric vehicles.
OPINION BY HARSH SINHA
THE AUTHOR IS Advocate & Partner, Kaden Boriss Legal LLP, Lawyers

Corporate Espionage and the IT (A) Act, 2008
‘Corporate Espionage’ refers to a practice wherein a corporate system or structure is infiltrated with the help of spies or systems so as to facilitate the leakage of information which could mar the general growth of the victim organisation. It covers illegal activities such as theft of trade secrets, business plans, customer lists etc., resulting in a breach of the organisation’s security and access to its confidential and sensitive information. Information thieves use many intrusive methods to gain such sensitive information, for instance eavesdropping by bugging offices, wiretapping, recording telephone conversations, penetrating computer networks etc. In today’s world, where it is truly the survival of the fittest, knowing one’s own competition has become very important for most organisations. As already mentioned, Corporate Espionage is the practice of gaining information regarding one’s competitors using unethical or illicit means, without the knowledge of that competitor. There is a very thin line between Corporate Espionage and Competitive Intelligence: where Competitive Intelligence is ethical and legal, Corporate Espionage is the exact opposite.
The internet has become a ‘highway of information’ when it comes to gathering and processing information and data about anything and anyone. The means of spying have also undergone substantial transformation with the advent of technology. Spies no longer need to physically break into offices or homes to acquire sensitive information. Spying involves the use of almost the same technology as Competitive Intelligence, i.e. business intelligence procedures. The basic difference is that in Corporate Espionage the internet and connections used are equipped with a more advanced ‘attacking’ mode. Cyber attacks are becoming increasingly common in both public and private sectors. Thus there is an urgent need to enact and enforce stringent laws pertaining to cyber offences. India has in place the Information Technology Act, 2000 (‘Act’), which provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. Very recently, the Information Technology (Amendment) Act, 2008 was enacted, which introduced several new provisions relating to data protection, privacy, cyber terrorism etc. This Amendment was the need of the hour, as India does not have a separate statute pertaining to data protection or cyber crimes per se.

Chapter IX of the Act contains the provisions relating to penalties, compensation and adjudication, and Section 43 covers a wide range of cyber contraventions related to unauthorised access to a computer, computer system, computer network or resources. The damages of Rs. one crore (approx. USD 200,000) prescribed under this Section before the Amendment have been deleted, and now the defaulter is liable to pay damages by way of compensation to the person so affected. A new Section 43A has been inserted to protect sensitive personal data or information possessed, dealt with or handled by a body corporate in a computer resource which such body owns, controls or operates. If such a body corporate is negligent in implementing reasonable security practices and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected. It must be noted here that the phrase ‘sensitive personal data or information’ has not been defined by the Act.

All organisations need to re-assess their security policies and take appropriate steps in order to protect themselves from becoming a victim of Corporate Espionage.