Saturday, October 27, 2007

Where can I get consolidated list of IT best practices for Finance industry?

Q: Where can I get a consolidated list of IT best practices for the finance industry?

A: In the US, the best path is to go with the FFIEC. The FFIEC IT Examination Handbook is the source for technology-related risk management considerations for financial institutions. You can get a lot of documentation from the following URL:
http://www.ffiec.gov/ffiecinfobase/index.html

In some countries the banking regulation and supervision agencies enforce Control Objectives for Information and related Technology (COBIT), which is developed by the IT Governance Institute (ITGI). You can find more information at the following URL:
http://www.isaca.org/cobit/

As discussed above, ISO sets the standards and best practices in information security. There are several standards. The following URL will be very helpful for understanding what is out there from ISO. It also discusses SSE-CMM and ITIL in security:
http://www.unob.cz/spi/2007/presentace/2007-May-02/01-Novak-Standards.ppt

That being said, Basel II will be a global requirement for risk management in financial services. Basel II encourages banks to identify their risks, and to develop or improve their ability to manage those risks. You should check that one.

SOX and J-SOX still apply to publicly traded companies in the US and Japan. COBIT is the framework.

PCI DSS is the framework wherever credit card data is stored, transmitted or processed.

US government entities use NIST best practices. Check the following link for references:
http://csrc.nist.gov/publications/CSD_DocsGuide.pdf

Let me know if you have any specific questions,
regards,
- yinal ozkan

Sunday, October 14, 2007

Functionality or ROI?

Q: When you look at new IT projects, what do you consider first: functionality or ROI? eWeek just published an article stating that in 2008, CIOs would be looking at functionality and strategic purpose and downplaying extensive ROI calculations. What do you as an IT professional think about that?

A: Hi ..,
I think the ROI calculations are just a part of the full governance of IT projects, and CIOs must govern the projects. I simply do not recommend going with ROI alone; the terms of return must be defined in advance. It is not feasible to compare functionality vs. ROI, since each of them may include the other. The full life-cycle of the solution should be incorporated into the CIO's evaluation. When you look at all IT projects, you may classify them into 4 main categories, or a mix of these 4:
1- Projects that increase efficiency
2- Projects that reduce cost
3- Projects that reduce risk
4- Projects that increase competitiveness

A CIO must have a grand plan with targets (tactical/strategic), and this plan must be carried out with a structured program. Any new project should be weighed against the program, where ROI is just an initial evaluation item. The programs are not static, and the governance of the program itself should be structured as well.

Let me know if you have a specific question,
regards,
- yinal

Security Consultant: How do you define your scope?

Q: Security Consultant: How do you define your scope?
As I make my foray into the security consulting world of side work, I am wondering how other security consultants out there have defined their scope as to what services they offer and where they know to draw the line and/or keep a client within the bounds of what the scope actually is. I know it has a lot to do with your areas of expertise, but what helps you (anyone who might wish to answer) make this definition?

A: Hi ....,
This is a good question. And there is no silver bullet.

I have been managing hundreds of information security SOWs (statement of work documents) every month for the last 5 years. This is a lot about security, but it is more about the delivery. Here are a few things that we learned by tough experience (in no particular order):

1- Do not make it one security consultant's job to define the scope and the deliverables of the SOW. Build a workflow with multiple checkpoints for peer review. If one consultant defines the scope, make sure that others review it. Peer review is the harshest part of every security project. I think that it is easier to criticize than to do the actual job, so you can get a good reality check prior to sharing your draft scope with the client. Engineers/consultants have a tendency to overlook their own mistakes. Shortcuts are always favored by engineers (by nature). Use different teams, e.g. security consultants define the scope, the delivery team verifies it...

2- Always share draft versions of the scope with the client. Verbally communicate the deliverables. Give the client a chance to review the draft SOW and allow changes. Use change control on the SOW documents (make sure all revisions are recorded).

3- Create an internal risk document, where you internally discuss possible risks of the project in advance. Make sure that the risks are addressed prior to final approval.

4- Keep all parties involved. Make sure that your process is transparent to all key stakeholders including project management, client, account management, finance, legal, consultants, engineering, support, vendors etc.

5- You may try using pre-defined scopes with pre-defined deliverables. Even if this is the ideal, it rarely works; every client is unique. You may do better with standard methodology documents and customized deliverables based on a top-level methodology document. I may elaborate more on the à la carte scoping with pre-built blocks for security, based on the security project type (e.g. policy/compliance consulting is different from hardware/software deployment, and deployment is different from assessments, etc.).

6- Put everything in writing. No verbal communication will help when there is a dispute. All deliverables should be clearly defined. I like the following clause from our SOWs: "The scope of this project excludes all services and related issues that are not mentioned in this SOW and any additions or changes will be done as set forth in the change control procedures contained herein. Any services not part of this SOW are considered Out of Scope and additional charges may apply"

7- Make the security consultants responsible for the delivery. They should understand what is easy and what is not in the field. They should be able to perform the actual deliverables on time, and they should be accountable when their scope does not match reality. Continuous audit of deliverables and continuous improvement are a must. Make sure that you have post mortems on failures and that all of the failures are addressed.

8- Share your internal workflow with the client; make sure that the client understands how you work. Share service descriptions, SLAs and professional service agreements in advance. Make sure that your security consultants relay this information properly. Clients will understand whatever they would like to hear, so you need to cover all bases: confidentiality, deliverables, lead times, cutover times, success criteria, privacy, change management, costs, points of contact, project management, test plans, etc. If these are not written down, the client's expectations may certainly differ from your consultants’...

Well I think we have a limit on the answers page, but let me know if you have a specific question.

regards,
- yinal ozkan

Thursday, October 11, 2007

BPO market

When I was managing a FWTK firewall in 1994, I was pretty sure that the firewall market would be larger than anything... Every office would need 1 firewall when it was connected to the Internet. And every firewall required 1 administrator…

The server installation, configuration, maintenance, administration, everything was complex with the Slackware-based firewall. It required dedicated, highly educated manpower for the management.

1 security engineer per firewall seemed pretty reasonable in 1994.

Today, when I look at the BPO industry and the projections for growth such as “McKinsey Report Predicts Robust Growth For Indian IT Services and IT Enabled Services Industry”, I have some sort of déjà vu… There is a belief that more jobs will be created linearly with the market growth, that the BPO cities will be big job markets, and that the countries with access to larger human capital will be more successful. That is a dangerous assumption. Job markets will not grow with the market, especially the low-end/low-cost BPO market. Job markets will shrink with the advancement of technology; there will be a need for fewer people, even highly trained ones.

My “1 firewall, 1 administrator” idea was not realistic, and neither are the job market projections for BPO. From 1994 to 2000, we really worked hard to centralize management, automate operation and improve efficiency with a tremendous investment in high technology services and products. The things done were unbelievable for the firewall market: all software moved to appliances, virtual inline firewalls were invented, every type of high availability solution was integrated, log management became easy with high-end event management tools, software got more stable, people needed less support, self-service systems were delivered, etc. And the result was the elimination of the workforce component. Today 1 group of firewall administrators (e.g. 2 per shift) can manage hundreds/thousands of sites. We do not need the dedicated firewall wizard per site that was expected. I expect similar results in BPO markets: the more technology becomes available, the more low-cost routine BPO jobs will be out of the picture.

The BPO industry will continue to grow regardless of the access to low-cost human capital. The need for massive numbers of workers in the industry will shrink regardless.

Creative / well educated minds will always be in demand, but that will take away the advantage of having hundreds of thousands of poorly educated engineers. I strongly support the initiatives in India and China on increasing the technical quality of the delivery and powering creativity, instead of increasing the low-cost human capital based offerings... In the meantime we may see more of Ukraine, Hungary or Egypt as competitive outsourcing centers.

Wednesday, October 10, 2007

What are your thoughts on Key Performance Indicators or Criteria for Information Security?

Q: What are your thoughts on Key Performance Indicators or Criteria for Information Security?

A: Hi ...,
I strongly believe that key performance indicators for information security have 2 major categories:

1- Risk Related
2- Business Related

There are several readers on this page who can elaborate more about the risk-related KPIs. A security KPI can indicate something relevant only if it is tied to a risk measurement framework. You can measure any metric delta in any of the systems that you can get data from (viruses blocked, attacks succeeded, malware identified, etc.), but only the metrics that create risk visibility, and naturally business impact, will help you have the right measurement. Long story short, good KPIs are the ones that show the delta in your risk status. A change in the number of spam e-mails received on a certain domain may mean nothing if it is hosted and filtered at a remote provider and the domain is not in use by your operation.

The second and important category is naturally your business. There are times when your security initiatives are driven by tactical and strategic business needs. I can list hundreds of them, but if you want to categorize, here are the main business drivers:

1- Reducing cost
2- Increasing efficiency
3- Competitive Advantage

You may try to map the 3 items into a risk framework, but I would rather not. You need to share the same goals with the business (the old "aligning IT/security with the business" problem). And if your security-related activities can create qualitative/quantitative metrics on how you reduce cost, increase efficiency and create competitive advantage, there you have the good KPIs. E.g. “We moved our e-mail cleansing to a 3rd party; now our cost is lower, we have more resources to focus on core projects, we have due diligence with e-discovery requirements, and now we have a greener data center :) here are the KPIs….”

Let me know if you have a specific question,
regards,
- yinal ozkan

Wednesday, October 3, 2007

EMC should buy Check Point - How to Secure Virtual Machines ?

Virtualization security is an interesting topic. For years many security vendors tried to focus on hardware security, assuming that the whole network world would soon be appliance-only (it is a small Cisco world after all). Now the times are changing; there is a new phenomenon on the market which pushes all software platforms onto a single virtual platform...

In the old world of 1-server-per-blade designs, many enterprise shops did the right segmentation by building multiple server farms segregated by beefy firewalls. Server-to-server communication control was always a challenge. Only a few enterprise shops were lucky enough to deploy firewall appliances and blades between servers. And even fewer could find a way to deploy a multi-gigabit IPS. Playing with switch ACLs, VLANs and inline firewalls were the instant remedies, but they didn't really answer the real security question.

Nowadays, 1-server-per-blade racks are out. It is a green world (and datacenter) where we have multiple virtual systems (VMs) on 1 box. Segmenting these servers, checking the traffic flow and detecting/blocking malicious activity between VMs is close to impossible. The nice chic ASIC appliances do not fit there. There are solutions like Bluelane, but there are problems...
- The security solution should be in the vmkernel…
- The security solution must cover CPU virtualization and memory virtualization issues.
- The security solution should not be another VM (acting like a virtual switch/router) where the server-to-server communication is filtered. Too much overhead, too many VMs.
- The security solution must be trusted, tested, approved, and must have certifications from 3rd parties.
- Existing legacy security licenses should be portable (firewall to virtual firewall, IPS to virtual IPS).
- The security solution should cover virtualized crypto devices (hardware accelerators, hardware security modules).
- The security solution should be managed by a different console and access rights system, probably from a different company, for risk management and segregation of duties purposes, etc... Basically VMware is not the right solution developer (integrating Determina VIPS was a good idea though).
- …and the list goes on.

EMC may certainly develop a new security solution for the VMware spin-off using parent company links, or acquire another security company after RSA and Network Intelligence.

But there is one other company that sticks to software-only security with a full portfolio of security products... I think it is a good match. Being an IT security professional (my main expertise is not the M&A area) and knowing Gil Shwed’s expansion plans (I do not own any stocks), the "EMC should buy Check Point" idea may not fly. But Check Point would be a good and quick response to address VMware security concerns, with lots of new expansion possibilities for both operations.

Disclaimer: Blog postings on this site are my own and don't necessarily represent my employer's positions, strategies, or opinions.