Robert Garigue

VP and Chief Information Security Officer

Controlling Order and Disorder

The evolving role of the CISO within
the new structures of Information Systems
Page 1

Outline of our expedition

Background and Analysis

Frameworks
Business models
The nature of the threats
The strategic information security
framework
Environmental factors
Information security processes
Evolution of information security
functions
Alignment and Integration
challenges
Emerging new risks and concerns

Travels in a foreign land

Reflections on the nature and

evolving role of the Chief
Information Security Officer

Page 2

BMO Financial Group

Founded in 1817 First Canadian Bank
Highly diversified financial institution
retail banking
wealth management
investment banking
Assets of $256 billion at October 31,
2003
34,000 employees
Strong presence in US Mid-West
through Harris Bankcorp
Overseas offices around the world

Page 3

Metrics of the Digital BMO

200+ Mainframes
276+ Open System Business
Critical Applications
37 000 Desktops
2500 support servers
6000 main network devices
165 Terabytes of data
storage 50%+ a year
Several Million Transactions/sec

Page 4

Myths and Realities

For some the world is a

multidimensional place

and for other it is still flat

There are always Myths and

Realities.

Page 5

An evolving organizational context : Information Society

Some of the New Realities:

Information based productivity

Computer mediated decisions

Rise of the knowledge worker

Network centric structures and

value chains

Command and Control

hierarchies are displaced by
Cooperative, Commutative
and Coordinated organizations

a burden shared is a burden

halved .. an intellectual asset
shared is one doubled

Page 6

The Integrated Informational Value-Chain

Linked
Complementary
Interdependent

From Goods or Services

To
Goods with Services

Page 7

Information Flows : Health Care Ecosystem

Page 8

The impact will be felt in the three realms of cyberspace

Physical
Process
Content

Page 9

The Evolution of the Noosphere (Teilhard de Chardin )

Ubiquitous
Trusted
Affective
Social
Advisory
Always on
Main Frame

Organizations
(command and control)

Client Server

focus

Mobile and Peer to Peer

Individuals
(cooperation, coordination,
and communication)
Page 10

It is full of Risk: These are the shape of Things Now

Dead

Page 11

But there will always be conflict between

Open systems and Closed systems. Violent conflict

Pablo Picasso. Guernica. 1937. Oil on canvas. Museo del Prado, Madrid, Spain

Page 12

Zero-day virus
Slammer 30 minutes later

Page 13

Information Security: A new oxymoron

Security
Information

The debate

Page 14

Arguments For Getting Funding :

Levels of Maturity of the Organization
Fear, Uncertainty and Despair:
The Hackers, virus, will get us
unless..
The Heard Mentality:
The king needs Taxes
The Analytical ROI ?
Investment in Intrusion Prevention
Systems are better than
Arguments that have yet to
come:
Because we can take on more
business and manage more risks
(brakes enable cars can go faster)
Page 15

Information Security Managing Expectations

Sometimes it is just a communication issue

Page 16

Consequence A: Information Security Officer

as The Jester
Sees a lot
Can tell the king he has no
clothes
Can tell the king he really is
ugly
Does not get killed by the king
Nice to have around buthow
much security improvement
comes from this ?

Page 17

Consequence B: Information Security Officer

as Road Kill
Changes happened faster that
he was able to move
Did not read the signs
Good intentions went
unfulfilled
A brutal way to ending a
promising career
Sad to have around buthow
much security improvement
comes from this ?

Page 18

Maybe a better model for CISO: Charlemagne

King of the Franks and Holy Roman Emperor;
conqueror of the Lombards and Saxons (742-814)
- reunited much of Europe after the Dark Ages.
He set up other schools, opening them to
peasant boys as well as nobles. Charlemagne
never stopped studying. He brought an English
monk, Alcuin, and other scholars to his court encouraging the development of a standard
script.
He set up money standards to encourage
commerce, tried to build a Rhine-Danube canal,
and urged better farming methods. He especially
worked to spread education and Christianity in
every class of people.
He relied on Counts, Margraves and Missi
Domini to help him.
Margraves - Guard the frontier districts of the
empire. Margraves retained, within their own
jurisdictions, the authority of dukes in the feudal
arm of the empire.
Missi Domini - Messengers of the King.

Page 19

Knowledge of risky things is of strategic value

How to know today tomorrows

unknown ?
How to structure information
security processes in an
organization so as to identify and
address the NEXT categories of
risks ?

This is the mandate of information security.

Page 20

The Interconnected Societies: the critical Infrastructure

LAYERS

TELECOM

OPERATIONS
LAYER

Billing &
Resource
Planning

UTILITIES

FINANCIAL

GOV

Sector
Dependent
Layers

TECHNICAL
APLICATION
LAYER

CONTROL
LAYER

Common
Layers

Billing &
Resource
Planning

Load
Balancing
Reliability

Grid /
Pipeline
Monitoring &
Control

SS7

SCADA

Billing &
Payment
Internet
Banking
Stock / Financial
Exchanges
POS Terminals
ATMs

Financial
Services
Utilities

Legislation
Taxation
Law - Order

Hospitals
Labs &
Clinics
Pharmacies

Prov, and Fed

HL7

Services

(Internet, Data, Voice, Fax)

TRANSPORT SERVICES LAYER

(SONET Rings, ATM, PSTN)

FEATURE LAYER
TERRAIN LAYER

GEOGRAPHICAL MAP LAYER

Billing
Administration
Diagnostics
Electronic
Records

Secure
channels

TELECOM SERVICES LAYER

PHYSICAL BACKBONE LAYER

HEALTH
CARE

(Cables, Fiber Routes, Satellites)

(Land Use, Cities, Buildings, Towers)
(Elevation)
(Geo-political boundaries)

Page 21

Indicators and warnings

External environment : the rates of evolutions

Hackers
Script kiddies
Industrial espionage
Cyber-terrorists,
Competitors
Suppliers

16
16new
newmalware
malwareproducts
products
launched
every
day:
launched every day:
viruses,
viruses,worms,
worms,trojan
trojan
horses,
spyware
etc
horses, spyware etc
77new
newvulnerabilities
vulnerabilities
discovered
discoveredevery
everyday
day
20
20minutes
minutesguaranty
guaranty
Probes
Probesagainst
againstFinancial
Financial
Institutions
web
Institutions websites
sites
launched
every
6
launched every 6seconds
seconds
Social
Socialengineering
engineeringisison
on
the
rise:
People
are
the
the rise: People are the
weak
weaklink
link
Page 22

Indicators and warnings : Threats and targets

The McKinsey Quarterly, 2002 Number 2 Risk and resilience

Daniel F. Lohmeyer, Jim McCrory, and Sofya Pogreb

Page 23

Manufacturing exploits: The electronic Petrie Dish

Malware : spyware + trojan + spam + exploits + social
engineering

Page 24

Indicators and warnings

How money was lost Rough order of magnitude (ROM)

Source:

CFI/FBI Report 2003

530 US based corporations, government and educ. inst.
Page 25

Identity Theft in Canada

Page 26

Hacking Beliefs
Identity Theft
One of the fastest growing crimes.
Statistics Canada reports 13,359
cases, $21.5 million losses in 2003
Account takeover (credit cards, bank
accounts)
Application fraud (open new accounts
with victims ID)
Industry needs improved identity
management solutions and strong
public awareness
Phishing (using email scams to collect
confidential information)
Key issues: detection, shutting down
bogus sites, customer awareness
Banks are posting warnings on their
public sites, and updating security
page information with Q&A type of
information.
Page 27

Emergent Complexity : Spam Space as Risk

Page 28

Structuring Risks
An Organizational Risk Categorization Taxonomy

Page 29

Structuring Risks
Regulatory Environment: where are the controls ?

Personal Information Protection and Electronic

Documents Act (PIPEDA) - Canada
Gramm-Leach-Bliley Financial Services
Modernization Act (GLBA) - U.S
California Law SB1386 - California
HIPPA (Health)
Office of the Superintendent of Financial
Institutions (OSFI) Canada - Guideline B10
The Financial Services Authority (FSA)
England - OS Section 4
Federal Financial Institutions Examination
Council (FFIEC) - U. S.
Office of the Comptroller of the Currency
(OCC) - U.S. OCC 2001 - 47
The Bank Act - OSFI Canada Guidelines
B6, B7, B10
Federal Financial Institutions Examination
Council (FFIEC) - U.S. SP-5 Policy
Sarbanes- Oxley Act (SOX) - U.S.
Bill 198 - Canada
SEC Rule 17a-4
Basel II Accord
European Union Directives on Information
Security
Canadas National Security Program
Patriot Act - US

Privacy

Security
Page 30

Regulatory Penalties & Fines Grid

Name of Regulatory
Mandate

Some Potential
Penalties

Potential Fines

SOA

20 years in prison

$15 million

Basel II

Regulatory agency
penalties: vary by G-20
country

Regulatory agency
fines: vary by G-20
country

HIPAA

10 years in prison

$250,000

GLBA

10 years in prison

$1 million

Patriot Act

20 years in prison

$1 million

Dod 5015.2

Failure to qualify for

DoD contract; Contract
breach; FAR penalties

Contract penalties

California SB 1386

Unfair trade practice

law penalties: vary by
state

Private civil and class

actions; unfair trade
practice law fines: vary
by state

SEC Rule 17a-4

Suspension/expulsion

$1 million+
Page 31

Emergent Behaviors:
An Ecological View of Organizational Risk
Environment

priorities
priorities

standards
standards

projects
projects

+
+

Network
Network
Security
Security
Council
Council

laws
laws

Inet, etc
Ipt,
ARB,
ARB, etc

threats
threats

New
New
Technology
Technology

Governance
Governance
bodies
bodies
Inet,
Ipt,

+
-

compliance
compliance

resources
resources

The
The
market
market
Drivers
Drivers

practices
practices

Organizational accumulated
technical residual risk =

The
The
information
information
infrastructur
infrastructur
ee

Tech
Residual
Tech
Risks
Residual
Risks

IPC
IPC

Tech
Tech
Residual
Residual
Risks
Risks

audit
audit

Active
Active
Information
Information
Security
Security
Strategy
Strategy

+
Education
Education
awareness
awareness

Risk
Risk
mangt
mangt

RCSA
RCSA

Data
Data
Classif.
Classif.

reviews
reviews

Identity
Identity
mangt
mangt
Vulner.
Vulner.
Analysis
Analysis

Alerts
Alerts

outsourcing
outsourcing

Lob RISK
Lob RISK
officers
officers
Capital
Capital
AtRisk
AtRisk

Certificates
Certificates
Access
Access
mangt
mangt

escalations
escalations

Crypto
Crypto
policy
policy
Page 32

Information Security organization as result of the

knowledge transfer process

The Knowledge
Transfer Cycle
High

Digital Rights
Management

Security Functions

Organizational
Complexity/Capability

Role base identity

Access management
Real Time Response
Intrusion Detection
Monitoring
Vulnerability Analysis

Technical Threats

Virtual Private Networks

Firewalls
Virus Scanners

Low
Passive

Real time

Page 33

Knowledge transfer

FIRST

CBA
Vendors

BMO
IS

wireless

High

Role base identity

Access management

Organizational
Complexity/Capability

PSECP

Digital Rights
Management

Security Functions

FI CIRT
& other
Banks

Projects
Clients
and
Businesses

Telecom

CANCERT
Info/infra
structure

Utilities

Real Time Response

Intrusion Detection
Monitoring

Health

Knowledge networks

Vulnerability Analysis

The Knowledge
Transfer Cycle 2

Virtual Private Networks

Firewalls
Virus Scanners

Low
Passive

Real time

Page 34

Control Framework is a hierarchy of accountability

structures
Privacy
Content Certification

Clients/Users

Content control

Digital Signatures
Info
structure

Object Integrity
User Access

Infra
structure

Control and Authorization

Operating System Protection
Network Protection

Access
Management

Business
Applications

Operational
Support

Perimeter
Protection

Security
Page 35

Information Security Management Framework

TACTICAL

STRATEGIC

OPERATIONAL

RISK LEVEL: MEDIUM

RISK LEVEL: HIGH

RISK/COST

RISK LEVEL: LOW

Risk curves

Business
Requirements

Design

Development

Implementation

STRATEGIC

TACTICAL

OPERATONAL

Governance
and policies

Application/system
development and
deployment

Active security
posture

Policies
Standards
Procedures
Guidelines
Awareness
Research

Design reviews
IS solutions
Due care
Risk acceptance
New technology insertion

Antivirus
management
Vulnerability
assessments
Intrusion
detection
Incident
response

Operations

OPERATONAL
IS services
Access
management
Key
management
Security token
management
Other
operational
services

Page 36

Information Security Key Performance Indicators

Policy
Number of Policy Exceptions
Number of Risk Acceptances
Value of Residual Risk
Process
Number of security issues in new
projects
Number of ID accounts
(active/dead)
Number of keys / digital certificates
/ tokens
Time to respond to patches,
incidents
Losses due to security incidents
People
Number of certified personnel
Overall capital investment ratio
security to IT spend

per system
per person
per incident
Tycho Brahe (1546-1601)

Page 37

Information Security Key Performance Metrics

Risk Acceptance and ISM Exception Forms

160
140
120
100
80
60

Active ISM Exceptions (+4.2%

vs. Q2)
Active Risk Acceptance
(+4.2% vs. Q2)

40
20
0
Q3 2003

Q4 2003

Q12004

Q2 2004

Q3 2004

April Microsoft Security Patch Deployment

(Servers + Workstations = 36,000 systems reported)

100
90

70

500

60

400

50
40

300

30

200

20

100

10

0
Q3 2003

Q4 2003

Open Issues (+8.17% vs. Q2)

Open Projects (+2.57% vs.Q2)

Q1 2004

Q2 2004

Q3 2004

Closed Issues (+58.7% vs. Q2)

Number of Projects

Number of Issues

80

80

600

% Complete

700

Patch Announced
Zero days elapsed

100

Project & Issue Tracking

800

Major Areas Complete

16 days elapsed

60
Advisory upgraded
(exploit emerges)

40

Sasser wormemerges
17 days elasped

20
0
1

11

16

Days Elapsed

Page 38

Microsoft Patch Deployment

April Microsoft Security Patch Deployment

(Servers + Workstations = 36,000 systems reported)

Patch Announced
Zero days elapsed

% Complete

100

Major Areas Complete

16 days elapsed

Proposed "Accelerated"
Threshold
7 days elapsed

80
60

Advisory upgraded
(exploit emerges)

40

Sasser wormemerges
17 days elasped

20
0
1

"Accelerated" Threshold
2 days elapsed

11

Days Elapsed

16
"Normal" Threshold
2 weeks elapsed

Historical Trend Analysis

April 2004 February 2004 Nachi/ Blaster SQL Slammer
Patch/ Incident Critical (4)
Critical
(August 2003) (J anuary 2003)
Days to Patch
(90% Complete)
16
9
34
209

Emergency

Accelerated

Accelerated

Accelerated

Accelerated

Normal

Accelerated

Normal

Normal

Note:
April 2004 release required 4
separate patches

Page 39

Active security posture Vulnerability Analysis results

CWAN

Major Networks
Year/Quarter

Capital Markets

CWAN

BWAN

Nesbitt
Burns

Capital
Market
s

Harris

2001

1.84

2.91

6.04

3.35

2002 Q1

2.53

3.38

5.34

2.04

2002 Q2

2.08

2002 Q3

2.93

3.19

4.77

2002 Q4

3.01

2003 Q1

2.63

1.84
2.41

2.35
2.98

3.59

Nesbitt Burns

Page 40

Quarterly Information Security Dashboard

Information
Security Group

Security
Practices &
Technology

Information
Protection
Centre

Information
Security
Operations

Business
Analytics

Information Security
Service

Details
on
Page

Enterprise
Posture

Forecast

Last Q

IS Policy & Strategy

Standards & Architecture

Project Assessments

Training

Anti Virus

11

Vulnerability Assessment

12

Intrusion Detection

13

Response/Management

14

Key Management

15

Encryption (PKI)

16

=positive trend

Access Management

17

=negative trend

CSPIN (devices)

18

Remote Access

19

= unsatisfactory

Analytics/ reporting

20

= fully satisfactory

Education & Awareness

21

Legend
=Key Issues

=stable

Page 41

Making The Case for Security Investments

Return on Investment (ROI) has failed to

demonstrate it economically because
there are too many variables

Benefits hard to quantify: whats

the value of good health?
Statistical data unreliable and
changing fast
Cost avoidance not the same as
cost savings
The language divide: accounting
vs. security
Loss of credibility more costly than
loss of physical assets
Technology substitution is not a
guaranty of more capability

Total Security costs

?
Security Investments
Incidents Costs

Page 42

The Security Challenge: Alignment

The Digital Divide

Two solitudes, in virtual isolation

Security services
Intrusion
detection

Application
security

IT processes
Anti-Virus
Availability

Project
assessment

Application
development

Architecture
Problem management

Capacity

Patches
IT Service
continuity

Access
management

Vulnerability
Assessments

Firewall rules
Key
management

Incident
management

Incident
management

Configuration
Service level

Change
management

Page 43

Maturity Framework Levels: Stages of Evolution of a

system

Phase

0. Absence
1. Initiation

Description

Nothing present
Concrete evidence of development

Characteristics:
2. Awareness

3. Control

Resources allocated

Formalized

4. Integration

Synergy between processes

5. Optimization

Continuous self improvement &

optimization

visible results
management reports
task/authorities defined
active rather than reactive
documentation
formal planning

Page 44

Maturity Frameworks pedigree : The reference framework

It is better not to proceed at all than to proceed without method

Descartes

Page 45

Information Security Maturity model - ISO 17799

Information Technology Infrastructure Library (ITIL)
SEI CMM (Capability Maturity Model)

Page 46

A proposal for a new integrated risk framework

Organizational focus

The objective
is to lower the
overall risk
through
capability
maturity
framework
integration

Bus. Req.

Design

Development Implementation

ISO Project SEI CMM

Operations

ITIL

ISO 17799

Risk Management through Maturity Framework alignment

Page 47

Strategic Evolution of Information Security

Packet
Level
Integrity

Closed
Business
systems

Perimeter
Control

IP level
Protocol aware
Perimeter based

Closed API
Limited to # of User
Single Admin
Simple Provisioning

Node Based
Heterogeneous
Island of security
Under-maintained

Present Security Model

Application
Level
Assurances

XML Based
Application Control
Content Aware
Higher value

Integrated
Business
Systems

Accessible API
Many Users
Multiple connections
Cross organization
access

Managed
Security
Services

Integrated Network
View
Consistent Policies
Tiered
Administration
Remote monitoring
and management

Target Security Model

Page 48

The new Information Security challenge:

Managing the Roles and Content via Rights and Privileges

Business
Automation

Number of
Digital IDs

Partners
(B2B)

Company
(B2E)

Customers
(B2C)

ROLES

Mobility

p
Ap

tio
a
lic

s
nInternet

Growth of
unstructured Documents

Client Server

CONTENT
Mainframe
Page 49

Information centric organization

Content increasingly easy to collect and digitize
Has increasing importance in products and services
Is very hard to value or price
Has a decreasing half life
Has increasing risk exposure
integrity-quality
regulation privacy/SOX
Is a significant expense in all enterprises
(IT Governance Weill and Ross)

Michael C. Daconta
Page 50

Where are the risk coming from the rise of the infostructure
Where is the locus of control outside the
boundaries of the organization ?

Policy: Rules

Information Security Management has to

recognize a requirement for a content
control model that is independent from
a specific technical solution.

Tag/ CONTENT /tag

XML

Infostructure: Content
Infrastructure: Technology

To deal with the new info

in semantics management
Then the focus to content
management and issues:
Topic Maps, XML, RDF,
UDDI, XBRL,
SAML, Ontologies,
And more and more
Page 51

The Integrated Architecture : Content and Technology

Web

Application

Customized XML Docs/Info

Provisioning Engine
Content request

Application

Cell

Web Server

Request and User ID /password

Profiles
Rights and Privileges

PDA

Rules

Content response

Content Management
System
Syndication
Server

Static
Content

Style
Sheets

Application
Application

Data
Server
Page 52

The Architecture of the Infostructure

The Ontology of Information Management
Policies
Rule Mapping
From Policies to XML
Process
Architecture
SOA
Peer to Peer
Groupware

Standards
NetBiz
RosetaNet

Offerings
Resources
Transactions
References
Locations
Policy and
regulations
Directions
Contracts Finances
Markets

E-Content
Life Cycle
Management

Syntax
XML
Topic Maps
RDF
UDDI
XBRL

Outcomes
Quality
Of
Service

Risk
Assessment

Content Classification
Sensitivity

Data

Quality

Information

Life cycle

Knowledge

ROI on
Intellectual Capital

Taxonomies
Organizations
Business
Applications
Roles
Page 53

Information Management as Information Security

NEW
NEW
IMPERATIVES
IMPERATIVES
Data
Data Classification
Classification
Information
Information
stewards
stewards

Public

Examples of content

Recommended Controls ( accumulates as you go down )

News clippings

Contracts, Licensing, usage and log files for activity purpose

Market Data
Internal

Policy documents

Assets should be labeled with Classification

Routine Procedures

Log files
Broad Access Control

Passwords lists

Encryption anonymizing - pseudomizing

Content
Content lifecycle
lifecycle
management
management

Customer Names

Separation of Duties

Project documentation

Secured log files and Access Control

Customer Snapshots

Review of Sample Logs

Identity
Identity
Management
Management

Credit Card Numbers

Systems involved are assessed periodically and around

significant changes

Digital
Digital Rights
Rights
Management
Management
Services
Services

Confidential

Account Numbers

Trained and certified people involved in design and operation

Highly Sensitive

Customer public
identification associated
with account information

Review and sign off of Logs by stewards and custodians

Customer Data with SIN

Host/device monitoring for intrusion

Strategic Plans

Trained and certified information security people involved in the

th
review of operations

Systems involved are assessed periodically and around

significant changes

Page 54

The New Audit Space

Control of Content : Digital Rights Management
Reports to

HR
HRReporting
Reporting
Hierarchy
Hierarchy

Employee
Employee

Generates

Applies to

Has a

Is Granted

Application
Application
System
System

Enterprise
Enterprise
Asset
Asset
User
UserInterface
Interface
(Desktop)
(Desktop)
Identifies access
needs of role

Is part
of

Role
Role

Position
Position

Includes

Right
Right/ /
Privilege
Privilege

Has a

Actual
Actual
Target
Target

Is needed to
access

Application
Application
User
UserID
ID

Is a

Individual
Individual
Position
Position

Updates

Activity
Activity

EnID Maps to

Requires

NonNonEmployee
Employee

Individual
Individual
Occupies

Is a

Is part
of

Provision
Provision
Role
RoleGroup
Group

CPM
CPM
Role
RoleGroup
Group

Reports to
Position
Position
Hierarchy
Hierarchy

Is at a

Org
OrgUnit
Unit/ /
Location
Location

Standard
Standard
Target
Target

Targets are
based on

Page 55

The next level of challenge

Aligning the Infostructure with the Infrastructure

Organizational Complexity/Capability
Semantic Management
Content Management

Infostructure
Architecture

High

XML Firewalls
Digital Rights
Management

Security Functions
Role base identity
Access management

Daconta

Real Time Response

Intrusion Detection Monitoring
Vulnerability Analysis

Virtual Private Networks

Virus Scanners

Infrastructure
Architecture

Firewalls

Low

Real
time
Passive

Page 56

The New Security Debate Space

The B2B market forces are
enabling standards.

B2B models
Taxonomies and ontologies
XML Protocols
WS-Security standards

What protocol and standards

drive your business ?
Do you have an Information
Security Officer debating
these issues ?

Page 57

The Role of the Chief Information Security Officer

1.

Information Risk identification

2.

Information Risk formalization

3.

Development of practices and

tools

4.

Integrate root cause analysis

into governance framework

5.

Devolve processes from exception

management into operations

6.

Improve Information asset

identification and management
accountability

Page 58

The Dynamics of Systems Changes

"There is no problem so complicated that you can't find a very

simple answer to it if you look at it the right way."
-- Douglas Adams

Pink Floyd

Norbert Wiener

The key to progress is the process of feedback

in its most simple form, two-way communication.
Page 59

Social Engineering at its best

Page 60

The future of information security is bright ..

Become a CISO and survive

Page 61

Colophon

Page 62

Thank you

Page 63