Wednesday, August 18, 2010

Incident Response Requirement of Massachusetts's Data Protection Law

Summarizing points from the presentation of John Moynihan on the Massachusetts law, focusing on incident response:
The Massachusetts law, 201 CMR 17, has been effective since March 1, 2010. It applies to any entity that collects "personal information" (PI) of Massachusetts residents. To comply with it, every entity processing Massachusetts residents' personal information must have preventive measures in place. The law imposes severe penalties for violations. It requires an incident response plan, applies to the handling of employee and customer records, and calls for guarding against internal threats to employee or vendor data.

There are administrative, technical and physical requirements for compliance with the law.
To meet the administrative requirements, organizations should assess internal and external risk, have a written information security program, and develop policies to protect PI. This is accomplished through ongoing employee training, an incident response plan, formal disciplinary standards, and third-party controls.

Meeting the technical requirements means that PI must be encrypted, virus protection and firewalls must be kept up to date, and there must be controls for password protection and measures to disable accounts after failed logon attempts. This is accomplished with monitoring to detect unauthorized access, patch management, and access controls.

Meeting the physical requirements means restricting physical access to PI and monitoring the areas housing PI; this applies to both electronic and paper records.

It is evident from these requirements that having an incident response plan is essential. The response must be organized in a timely and efficient manner, with engagement from independent participants. Organizations should adapt to change and evolve toward a proactive approach to data protection.

Saturday, July 31, 2010

DSCI Best Practices Meet

From the DSCI (Data Security Council of India) Best Practices Meet I attended this week (28th July 2010), here are some quick notes I would like to share.
DSCI has come up with 2 frameworks:
- DSCI Security Framework (DSF)
- DSCI Privacy Framework (DPF)
Both DSF and DPF contain best practices to be followed to achieve data protection. DSF focuses on security related to applications, infrastructure, business continuity etc., and DPF is based on global privacy best practices and frameworks.
Implementing DSF would help companies achieve compliance with ease. I am sure that if all of the relevant best practices in each of the 9 disciplines of DSF are implemented in organizations, the compliance objective would be met without question. The benefits of implementing the DSCI framework were also presented in a session, and it was interesting to learn how it helped increase business profits. My quick notes end here; I would request you to visit http://www.dsci.in for more details.

Wednesday, June 30, 2010

Complex Event Processing

Complex Event Processing (CEP) provides a means to gain actionable information from events coming from disparate systems in real time or near real time. The increase in the number of attacks has increased the need for real-time processing of events, and hence the need for a CEP system or product. Experience in detecting attacks and vulnerabilities has shown that, beyond the individual events coming out of various systems, additional details are required to aggregate, correlate and analyze. Most event-processing products on the market support a query language that allows pattern matching, joining events on arbitrary criteria, and creating time-based windows. As with other security deployments, I see that deploying it in enterprises is a challenge: handling many events from multiple streams of data and monitoring queried events to detect abnormalities in real time. It would also need someone who is expert and focused to make use of the information derived from CEP systems.
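As an added illustration, not code from the original post, of the windowed pattern matching and cross-stream join that a CEP query expresses: a small Python engine joins a constructed firewall stream and a constructed authentication stream on source IP inside a sliding time window. The event fields, the 60-second window and the three-failure threshold are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed sample values)
    stream: str    # "fw" (firewall) or "auth" (authentication server)
    src: str       # source IP: the key both streams are joined on
    kind: str      # "deny", "fail" or "success"

class WindowedJoin:
    """Pattern over a sliding window, as a CEP query would express it: for one src,
    >= threshold auth failures and >= 1 firewall deny, then an auth success, within `window` s."""

    def __init__(self, window=60, threshold=3):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # src -> events, time ordered

    def push(self, ev):
        """Feed one event (in time order); return an alert dict or None."""
        q = self.history[ev.src]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:   # expire events older than the window
            q.popleft()
        if ev.stream != "auth" or ev.kind != "success":
            return None
        fails = sum(e.stream == "auth" and e.kind == "fail" for e in q)
        denies = sum(e.stream == "fw" and e.kind == "deny" for e in q)
        if fails >= self.threshold and denies >= 1:
            q.clear()   # emit once per matched pattern instance
            return {"src": ev.src, "ts": ev.ts, "fails": fails, "denies": denies}
        return None

def run(events, window=60, threshold=3):
    """Replay a batch through the engine and return the alerts raised."""
    engine = WindowedJoin(window, threshold)
    return [a for ev in sorted(events, key=lambda e: e.ts) if (a := engine.push(ev))]

# Constructed sample: 10.0.0.5 matches; 10.0.0.9's first failure expires out of
# the window before its success; 10.0.0.7 has a deny but no failures.
SAMPLE = [
    Event(1000, "fw", "10.0.0.5", "deny"), Event(1005, "auth", "10.0.0.5", "fail"),
    Event(1010, "auth", "10.0.0.5", "fail"), Event(1015, "auth", "10.0.0.5", "fail"),
    Event(1020, "auth", "10.0.0.5", "success"),
    Event(1000, "auth", "10.0.0.9", "fail"), Event(1100, "auth", "10.0.0.9", "fail"),
    Event(1101, "auth", "10.0.0.9", "fail"), Event(1102, "auth", "10.0.0.9", "success"),
    Event(1200, "fw", "10.0.0.7", "deny"), Event(1300, "auth", "10.0.0.7", "success"),
]
```

Running `run(SAMPLE)` yields a single alert for 10.0.0.5; widening the window or raising the threshold changes which patterns match, which is the tuning work the post refers to.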

Sunday, May 30, 2010

SIEM for Compliance and Risk management

Security Information and Event Management (SIEM) technology is driven by compliance and security needs in the enterprise. Another driver is monitoring activity from different applications, devices and technology software for internal and external threat and fraud detection. The output from these technologies can be used to automate IT processes that meet compliance and risk management needs.

Compliance management can be achieved from the log management capability of SIEM technology, known as Security Information Management (SIM). This involves collecting logs from various devices and applications in the enterprise to a central location, analyzing the log data, and providing the capability to generate useful reports that meet compliance requirements. The generated reports can be mapped to the organization's IT procedures as a first step in achieving IT automation. As SIM is compliance oriented, it is also a means to store and archive logs for later investigations and for data retention requirements.

Risk management can be achieved from the real-time monitoring and incident management capability of SIEM technology, known as Security Event Management (SEM). This involves collecting events from various devices and applications at short, scheduled intervals, correlating related events, applying filters if required, and generating alerts that can be monitored for analysis and addressed within a short time.

Exploiting the capabilities of data mining and analytics to meet SIEM requirements is now the vision of some of the leading SIEM technology vendors. It is evident that SIEM technology which can scale, collect data from all applications, meet regulatory compliance reporting requirements, and improve threat management and incident response capabilities is an essential factor for automating compliance and risk management in enterprises now and in the future.
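An added example, not from the original post, of the SIM side described above: lines from two invented log formats are normalized into one schema, held in a central time-ordered store, and turned into a compliance-style report. All log lines, formats, host names and field names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines from two invented formats, a syslog-style sshd and a CSV-style
# web application, as (source, raw line). ISO-8601 UTC timestamps are kept as strings:
# in this fixed-width format they sort correctly as text.
RAW_LOGS = [
    ("sshd", "2010-05-30T10:01:05Z host1 sshd: Failed password for alice from 10.1.1.4"),
    ("sshd", "2010-05-30T10:01:09Z host1 sshd: Accepted password for alice from 10.1.1.4"),
    ("sshd", "2010-05-30T10:02:00Z host2 sshd: Failed password for root from 10.1.1.9"),
    ("webapp", "2010-05-30T10:03:30Z,app1,bob,LOGIN_FAIL,10.1.1.7"),
    ("webapp", "2010-05-30T10:04:00Z,app1,bob,LOGIN_OK,10.1.1.7"),
    ("webapp", "2010-05-30T10:05:00Z,app1,carol,ADMIN_ACTION,10.1.1.8"),
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")
# Web application event codes mapped onto the common (action, outcome) pair.
WEBAPP_ACTIONS = {"LOGIN_FAIL": ("login", "failure"), "LOGIN_OK": ("login", "success"),
                  "ADMIN_ACTION": ("admin", "success")}

def normalize(source, line):
    """Map one raw line onto the common schema; None if it does not parse."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        outcome = "success" if m["result"] == "Accepted" else "failure"
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"],
                "action": "login", "outcome": outcome, "source": source}
    if source == "webapp":
        fields = line.split(",")
        if len(fields) != 5 or fields[3] not in WEBAPP_ACTIONS:
            return None
        ts, host, user, code, src = fields
        action, outcome = WEBAPP_ACTIONS[code]
        return {"ts": ts, "host": host, "user": user, "src": src,
                "action": action, "outcome": outcome, "source": source}
    return None   # unknown source type: dropped from the store

def collect(raw):
    """The central store: every parseable line, normalized and time ordered."""
    events = [e for source, line in raw if (e := normalize(source, line)) is not None]
    return sorted(events, key=lambda e: e["ts"])

def compliance_report(events):
    """Counts an auditor typically asks for, derived from the normalized store."""
    return {
        "failed_logins": dict(Counter(e["user"] for e in events if e["outcome"] == "failure")),
        "admin_actions": dict(Counter(e["user"] for e in events if e["action"] == "admin")),
        "events_per_source": dict(Counter(e["source"] for e in events)),
    }
```

Because every report is computed from the same normalized schema, adding a third log source only requires a new parser branch, not new report logic; the unparsed lines that `normalize` rejects are worth counting separately, since a silent parse failure is a gap in the evidence.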

Friday, April 30, 2010

Fundamentals of Risk Management

Here are some details I got to hear at a session on Leveraging Technology for Risk Management. The talk was part of the NASSCOM tech series, and Mr. Vijay from KPMG was an excellent speaker on risk management.

As in one of his slides, the fundamentals of risk management are to:
- Know your risks
- Know your obligations
- Know your systems
- Tie them together and leverage technology for risk management.

He also talked about use cases in risk management and how it was overboard. One quote I recollect is: 'What's the point in risk management if the result of the analysis is not used!'
He emphasized how risk management can really help an organization mitigate risk. Steps to initiate risk management would be to start small, merge physical and system access identities, collect incidents and gradually respond to them globally, and monitor security on a global basis.

To conclude with my understanding: many organizations now realize the need for risk management. To what extent technology can be leveraged in meeting risk management objectives would depend on the strategic plan and the steps taken in this direction.

Tuesday, March 30, 2010

IT GRC and Risk Management

For GRC to succeed in any enterprise, it should be a process driven by management, i.e., a top-down approach. GRC enables enterprises to have consistent, consolidated data which in turn can serve audit, risk management, control and compliance purposes. Good governance needs risk management.

Assessing risk in IT is at the heart of enterprise GRC, and it can be performed with a qualitative or a quantitative approach. Data collection for arriving at risk can use many means, such as offline interviews, web questionnaires, email, mobile or any other devices, but automation can only be achieved from technology resources. Risk calculation is an interesting part of risk management. Some of the input factors required for arriving at risk are policy adherence, established controls for meeting compliance, handling of incidents and events, and mitigating risk with remediation on time. NIST SP 800-30 and ISO Guide 73 provide enough guidance on how risk assessment should be performed. There are a few products on the market which can automate data collection as evidence from technology sources and provide risk analysis reports. Risk is closely related to the business and specific to each organization. How much automation is really possible in risk management, and whether it will be really useful for enterprises, are open questions I am trying to find answers to now.

Thursday, February 18, 2010

Attacks with Virtualization

Virtualization makes the provisioning and movement of virtual machines faster in enterprises today. But companies should make sure that they have implemented proper security controls for virtual machines (VMs) and adhere to the company's compliance requirements and policies. Advances in virtualization technology have also led to new methods to attack and penetrate company networks. A simple pictorial representation of the different layers in a virtual environment and some of the attacks in those layers is given below.


The most common type of attack on virtual environments is hyperjacking. In this type of attack, the hypervisor itself is attacked and used by the attacker for harmful purposes.
The next type of attack is VM escape, which can pose a serious threat to VM security. Here the attacker's code breaks out of the VM's OS and interacts directly with the hypervisor. With this type of attack they can discover other VMs and eventually take over the entire virtual environment.
VM poaching is similar to a denial-of-service attack. The attacker's aim is to overload the hypervisor, drain all its resources and eventually make it non-functional.

To gain maximum benefit from virtual environments, they should be monitored and managed well. Keeping the virtual machine software patched, installing only the resource-sharing features that are really needed, and keeping software installations to a minimum are some of the steps VM administrators can follow to keep the environment safe from attacks.
