Friday, June 19, 2009

Enterprise Risk Conference - campIT

The conference included presentations and panel discussions, as well as topics volunteered by the audience: a framework for a repeatable risk assessment, how to involve the business and gain executive-level understanding, endpoint security for wireless, budget cuts (how to distribute the load and a governance model for best practices), collaboration on security risks, and data ownership or classification.


Some key takeaways included:
  • The malware and threat landscape has seen exponential growth, particularly over the last couple of years; risk grows proportionally with it, requiring more resources and time/effort just to combat it reactively
  • Five steps to managing IT risk are: risk awareness, business impact quantification, solution design, IT and business alignment, and then building and managing the solution
  • The basis for information security is policy documentation and implementation that leverage the organization’s culture, identify stakeholders, leverage regulatory and compliance standards, and partner with internal and external auditors
  • Metrics that matter rest on an automated, repeatable and reproducible metric together with owner identification. With that, smarter decisions can be made, regulatory readiness can be conveyed, the effectiveness of risk management can be measured, and deviations and weaknesses become visible. The consensus was that free tools (as a starting point), such as Splunk, can be your jumping-off point
  • Cloud computing does have advantages for certain situations, such as an anti-virus solution that leverages the general community's identification of and response to security vulnerabilities; but a SIM/SIEM solution would not be preferred, since you’ll be pushing very large (log) data into the cloud; and cost reduction may not always be the case when factoring in the security controls and the visibility into your information and/or traffic
  • Security gaps made known to auditors can advance any agenda; and partnership with the business, and the financial departments in particular, will propel the risk management framework and practice [getting them to really understand risk in dollars and productivity means funding]
You’ve just been enlightened...at least to a small degree, so future posts will consist of a deeper dive on some of these key topics. But contemplate this security analogy [as mentioned in the presentation]: how good would your security be if a member did not adhere to policies?

I caught on to an analogy that would be perfect for a security awareness article. A group of individuals are on a boat, and one person decides to drill a hole under his own seat...thereby allowing water to start seeping into the boat. While this individual may be working within his own confines, the end result is clear: the boat sinks with everyone on board. Of course, the real world is just that simple (to recognize, or for that matter to identify/remediate), right? So awareness, business integration and appropriate sponsorship are the important trifecta of any successful security practice and implementation (as in the well-known people, process, and technology).

To conclude, the vendors/sponsors provided trinkets as usual, and there was noteworthy conversation with colleagues who run in the same circles (yet in varying sectors). But I must note one item that I found to be contradictory to my own experiences (at least in today's environment). That is the BITS shared assessment movement and its current industry acceptance. While the overall premise is sound, I would disagree that an organization having completed the exercise could merely present the relevant sections in response to an external audit and have that suffice. Has the industry really accepted a single version of a questionnaire? What about customized business and technical parameters and controls that need to be asked/answered? While I would assert that providing a SAS 70 Type II saves you some effort in having to answer all components, I doubt the industry as a whole is ready for a single, all-encompassing questionnaire. I can't wait for that time (but how would risk assessors make that extra cash?).
