Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi...

© Hitachi Systems CBT S.p.A. 2015. All rights reserved.

Security Risk Management:

How to mitigate risks and protect data

Security Managed Services

Security BU Director & Sales Director North Italy

11/11/2015

Denis Cassinerio


2. Hitachi Systems CBT

4. Managed Security Services

Agenda

1

1. Hitachi Ltd. & Hitachi ITSG

3. Risk Management Scenario


1. Hitachi Ltd. & Hitachi ITSG


Power Systems 4%

Social Infrastructure & Industrial Systems

15%

Electronics Systems & Equipment

11%

Construction Machinery

7%

High Functional Materials &

Components 14%

Automotive Systems 9%

Smart Life & Ecofriendly Systems

7%

Others (Logistics & Other services)

11%

Financial Services 3%

Information & Telecommunication

Systems 19%

1. Hitachi Ltd.

(as of end of Mar. 2015)

81.60 billion


1.2 Hitachi Systems Global

Italy

20

14

- IN

DIA

Hitachi

Systems

Micro Clinic 20

13

– S

OU

TH

EA

ST

AS

IA

Hitachi

Sunway

Information

Systems

20

15

- ITA

LY

Hitachi

Systems

CBT

20

14

- C

HIN

A

Hitachi

Systems

(Guangzhou)

20

12

– N

OR

TH

AM

ER

ICA

Cumulus

Systems

20

15

- C

AN

AD

A

Above

Security

1. Establish a base of operation in Italy

2. Contribution to the social

infrastructure business of Hitachi

3. Expand into greater Europe

STRATEGY


2. Hitachi Systems CBT – Italy


2.1 Vision & Mission

“Cloud, Service,

Application &

Technology

Integrator

“Transfer the

complexity and

start focusing on

your business only

Over the last 35 years we have been supporting

medium and large enterprises, both in the

private and public sector, by implementing and

improving their infrastructure, integrating them

with services and application solutions with high

technological content.

Assist organizations in their strategic path

to Business Transformation through

outsourcing of infrastructure, services

and applications

VISION

MISSION ”

”


2.2 Business Areas

Data Center, Networking, Devices, Middleware

TECHNOLOGY

APPLICATIONS

MANAGED SERVICES

(2014: Revenues 31,1M€)

(2014: Revenues 22,3M€)

(2014: Revenues 3,7M€)

BU

SIN

ES

S A

RE

AS

Engineering Projects & Services


2.3 Highlights

All our customers

will be free to focus

on their core

business only

SOFTWARE

FACTORY

Bologna HEADQUARTER

Roma

BRANCHES

Milano

Venezia

Torino

Novara

DATA CENTERS

Roma

Milano

+300 TEAM

6 LOCATIONS

OVER

1.200 CERTIFICATIONS

OVER

100 PARTNERS

LONG EXPERIENCE

>35 YEARS

100% SECURITY & COMPLIANCE

57MIO € REVENUE +7% FY 2013

2 DATA CENTER

365 24/7 SERVICES


3. Risk Management Scenario


ATTACK SURFACE


Vulnerability & Threats


DATA BREACH SNAPSHOT

12


CLUSIT Report 2015

13


3.1 Compliance changes

14


NORMATIVE : Regolamento Europeo

15

• La Commissione europea ha proposto una riforma globale della

normativa UE sulla protezione dei dati delle persone fisiche. • Il nuovo Regolamento ha lo scopo di fissare delle regole chiare e

uniformi

sulla privacy online e offline

• Una volta approvato dal Parlamento e dal Consiglio UE, varrà per

tutti i Paesi europei.

Principali novità del Regolamento

1. Obbligo di «Data Protection Impact Analysis» in caso di trattamenti

rischiosi

2. Obbligo di «Privacy by Design and Default » nella progettazione e

nell’architettura di Infrastrutture ICT e nelle Pratiche Commerciali

3. Obbligo di «Data Breach Notification» entro 24 ore dall’evento al Garante

Privacy

4. Obbligo per le aziende con più di 250 dipendenti e per gli enti pubblici di

nominare un «Data Protection Officer »

5. Diritto all'oblio, per cui ogni interessato potrà richiedere la rimozione di

propri dati personali.


SANZIONI Previste dal NUOVO Regolamento Europeo

16


3.2 Risk Management Maturity

17


Crisis = Opportunity

18


The Opportunity : Skills Gap

19

DATA PROTECTION

DLGS. 196/2003 e s.m.i.

DLGS. 231/01 e s.m.i.

Legge 547/93 e s.m.i. ISO/IEC 27001:2013

COBIT ITIL ……

Virus Worm Trojan Payloads Man in te Middle Brute Force Authentication.. APT

SKILLS GAP

SECURITY RISK MANAGEMENT

Legal & Compliance Threats Vulnerabilities

CVE MS 2008-067 CVE 2014-62-71 ISO NIST OWASP OSST Vectors of Attack Technical Impacts Business Impacts


Information Security Risk Management Fundamentals

20

AVAILABILITY

INTEGRITY

CONFIDENTIALITY

© Hitachi Systems CBT S.p.A. 2015. All rights reserved. 21

VULNERABILITY Processes Systems Network Applications Continuous check Continuos remediation

THREATS New threats every 1.5 seconds Variants Exploit kits Botnets APT Penalties

COUNTERMEASURES

Processes Checks AV IPS FW APT WAF HIPS APP CTRL……. Consultancy

VALUATION Data Assets

ANALYSIS

Qualitative Quantitative

Information Security Risk Management Fundamentals


Situational Awareness Security

22


4. Managed Security Services

23


Security Business Unit

24


EasyShield: Vision

VISION

EasyShield

Legal & Compliance

Architectural Design

Security Engineers

Security Analysts

Integrated Services

Manage the Security IT Complexity

Managed Security Services


COMPLIANCE

TECHNOLOGY

MANAGED SERVICES

CYBERSECURITY

EasyShield: Keywords and Benefits

Keywords & Benefits

Reduction & Cost

Control

Security Posture

Improvement

Ad hoc Installation

& Configuration

Up to date

Certification


EasyShield: Security Risk Management

Identify &

Analiyze Exposures

Monitor

Results

Examine Risk

Management

Select Risk

Management Implement

Techniques

Identify assets and their value to the

organization.

Identify vulnerabilities and threats

Quantify the probability and business

impact of these potential threats.

Provide an economic balance

between the impact of the threat

and the cost of the

countermeasure”.

Shon Harris, CISSP

«Security Partner»

“ “


4. EasyShield Offering Structure


Security BU Offering

SKILLS

EXTENDED PORTFOLIO

SRM CYCLE

COST EFFECTIVE

Compliance

Professional

Services

Technology

Cyber Security

Managed Security

Services


CY

BE

R S

EC

UR

ITY

T

EC

HN

OL

OG

Y

EasyShield® represents a 360°security approach, from Compliance to Cloud

services, through the best technology solutions via Managed Services

3.4 Offering: EasyShield®

• APT Assessment

• Multi Protocol Network Detection

• Spear Phishing Mitigation

• Anti Bot Net

• Sandboxing and behavioral monitor

• Forensic Analysis

• Intrusion Detection / Prevention

• Ethical Hacking

• Penetration Test

• Web Application Protection

• Zero Day Protection

• Security & Compliance Risk

Assessment

• Risk Management, Governance &

Certification

• Business Continuity & Disaster

Recovery

• Regulatory Compliance Management

• Business Process Reengineering

• Security Awareness Training

• Security & Compliance Audit

• Content security

• Datacenter & Cloud Security

• Network Security

• Security Management

• Vulnerability Management

Compliance Management Penetration Test

Privileged Account Management

Web Application Protection

Vulnerability Assessment

Virtual Patching Patch Management

Professional Services Penetration Test

Vulnerabiility,Mobile

Web Application , Wireless

PCI DSS (/ Scan & compliance)

Managed Security Services Anti Malware policy Management

Mobile Security

Firewall Configuration and policies

IPS / IDS Management

Wireless Assessm

CO

MP

LIA

NC

E

Compliance

Cyber

Security

Managed

Services

Technology

MA

NA

GE

D S

ER

VIC

ES

Professional

Services


4.2 Global SOC


Global SOC: Security Strategy

WAF: Web Application Firewall; NGFW: Next Generation Fire Wall ; SIEM: Security Incident and Event Management

Cyber Security

(Anti-Phishing, Anti-

Malware)

Proactive Defense

with Real-time

Analytics and Global

Intelligence Service

Global SOC

Protection of Critical

Infrastructure

(Social Infrastructure)

SHIELD

SecurityOperationCenter


ABOVE SECURITY Integration

33


ARKANGEL Platform

34


Conclusion

35

It is better to look ahead and prepare than to look back and

regret. Jackie Joyner Kersee, athlete and olympic medails

Thanks!!


Security BU Offering: Main Technologies

APT IOC DETECTION IAM / PAM

CONTENT SECURITY NETWORK SECURITY SECURITY MANAGEMENT


Contacts

HEADQUARTER

ROME

Via Francesco P. Da Cherso, 30 - 00143

+39 06 519931

www.hitachi-systems-cbt.com

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

MAIN SITES

MILAN

Via Dei Gracchi, 7 – 20146

+39 02 489571

VENICE - QUARTO D’ALTINO

Via L. Mazzon, 9 – 30020

+39 0422 19702

TURIN

Via Gian Domenico Cassini, 39 - 10129

+39 011 5613567

NOVARA

Via Biandrate, 24 - 28100

+39 0321 670311

BOLOGNA - CASALECCHIO DI RENO

Via Ettore Cristoni, 84 - 40033

+39 051 8550501

TOLL FREE

800 228 228

800 899 228 (WebRainbow)

http://www.hitachi-systems-cbt.com





mailto:[email protected]


























ICT Festival 2015 - Milano

11/11/2015

Denis Cassinerio

END

Security Business Unit & Sales Director

- DirectSecurity

38

Security Risk Management: How mitigate and handle the data through the Managed Services


CYBERCRIME TRICHOTOMY

40


References: Case Studies Security

SHIELD: The Brand Name for Hitachi Systems Security Solution

HDI Assicurazioni - Log Management

Consorzio ATR – Adeguamento

Privacy

IntesaBCI – Processi di Gestione della

Sicurezza IUAV - Privacy Risk Assessement RM ASL B - AV IPS IDS

Poste Italiane – Risk Management AgID – Security Audit Telecom – Politiche di Log Retention

G.Matica – Certificazione integrata

ISO 27001 - 9001 LND – Security & Privacy Risk

Assessement

RFI – Corso Privacy

FIP – Data Loss Prevent

Realizzazione e certificazione del Sistema di

Gestione Integrato Qualità e Sicurezza delle

Informazioni aziendali,

Installazione, configurazione e gestione

sistema di tracciatura dei log di accesso degli

Amministratori di Sistema a norma privacy

Progettazione ed erogazione di due moduli

didattici sui temi della sicurezza informatica e

della protezione dei dati;. Formazione dei

formatori.

Realizzazione di una attività Assessment di

sicurezza rispetto alla normativa sulla privacy

ed ai Provvedimenti del Garante .

Disegno dei processi di Gestione della

Sicurezza ISO 27001 e valutazione degli

impatti organizzativi sulla Banca.

Assessment di Sicurezza. Elaborazione

sistema documentale privacy.Integrazione dei

contratti. Erogazione della formazione.

Installazione e configurazione di una

piattaforma di protezione degli ambienti virtuali

da violazione dei dati e interruzioni dell’attività,

Verifica dello stato di conformità del modello

organizzativo, gestionale e tecnologico

adottato dall’Ateneo rispetto alle misure di

sicurezza privacy.

Definizione del processo di Risk

Management ISO 31000 e della

metodologia di Risk Assessment secondo

ISO 27005.

Installazione e configurazione di un sistema di

protezione dei dati su PC e Mobile a sostegno

della conformità e prevenzione della perdita di

dati.

Definizione delle politiche di sicurezza per la

raccolta, la conservazione e l’utilizzo dei log a

norma ai fini del monitoraggio dell’utilizzo dei

sistemi informatici.

Audit di sicurezza ISO/IEC 27001,

Dlgs.196/2003 e Dlgs 231/2001 condotto sulla

RIPA (Rete Internazionale della Pubblica

Amministrazione).


1.3 Hitachi ITSG & HISYS Organization

Hitachi Data Systems Corporation

Hitachi Consulting Corporation

Hitachi Solutions Ltd.

“Products and System Development”

“System Solution & Services”

“Platforms (Storage Systems, Server, Platform

Software)”

Information &

Telecommunication Systems

Group (ITSG)

Research & Development Group

Healthcare Group

Power & Infrastructure Systems

Group

“IT Consulting”

Hitachi Systems Ltd.

Cumulus Systems

Hitachi Sunway Information Systems

Hitachi Systems Micro Clinic

Hitachi Systems (Guangzhou)

Hitachi Systems CBT

HITACHI Ltd.

“System Solutions and Services”

Above Security


1.2 History of Hitachi ITSG

Establishment

of Totsuka

factory （produced

telephones &

switchboards）

1937

194 9

Automated

switchboard

1959

Electric

computer

1959

Train seat

reservation

system 1965

Mainframe

1969

Online

Banking

System

198

0

Beijing

meteorological central

system for Chinese

Central

Meteorological

Agency

198 1

Digital

switch

board

198

2 Super

computer

198 5

Work Station

1993 Integrated

system

management

middleware

199 4

Outsourcing

solution

199

5

RAID

disk

Array

1997

EDI system

2003

Finger vein

authentication

system

200 4

Blade

Server

200

7

Hitachi

virtualization

technology

“Virtage”

2009

Hitachi

cloud solution／

Environment

-conscious

data center

2012

Big data related

services

2013

Smart

information

related products

and services

“intelligent

Operations”

2014

IoT (Internet of

Things),

M2M (Machine to

Machine)

TODAY 1910


Security Risk Management

45

ERRORS/ OMISSIONS

USERS NOT

AUTHORIZED

VANDALISM

TAMPERING PHYSICAL

CHANGE OR COPY OF DATA

UNAUTHORIZED

SOFTWARE

EXECUTION

NATURAL

EVENTS

INTRODUCTION OF

ILLEGAL SW

THEFTS

ORGANIZATION

ARIAL

BUSINESS -

OPERATIONS

CONTINUITY

LOGICAL ACCESS

PHYSICAL ACCESS

DISTRIBUTED

ARCHITECTURE

DATA

DOCUMENTATIONS

APPLICATIONS

SYSTEMS


Misure Minime - Misure Idonee

46

Punto di ottimo economico

Costo complessivo

Costo della sicurezza

Livello di sicurezza

Costo

Costo diEsposizione

COST

TOTAL COST

Security cost

Cost exposure

Security Level


KE

Y S

TR

EN

GT

HS

Strategic transformation of business and organizational processes with

high experience in Outsourcing and Cloud Computing

Manage the customer’s technological complexities, leaving them free to

focus exclusively on their core business

More than 1,200 hardware and software technology certifications to

design tailor-made solutions also in Private and Public Cloud

infrastructure, already available in our Data Centers CUSTOMISED SOLUTIONS

TIME AND COST SAVINGS

COMPLEXITY TRANSFER

BUSINESS TRANSFORMATION

2.4 How do we do it

Speed of delivery and “Pay-per-use” logic of EasyCloud®, EasyWare®

and WebRainbow® and EasySHIELD ® Solutions to generate economic

efficiency switching from investments to fee


PROVVEDIMENTI – 28/10/2015

49

…TUTTO CIÒ PREMESSO IL GARANTE 1) dispone la caducazione dell'autorizzazione adottata dal Garante in data 10 ottobre 2001 con deliberazione n. 36 e per l'effetto vieta, ai sensi degli artt. 154, comma 1, lett. d) e 45 del Codice, ai soggetti

esportatori di trasferire, sulla base di tale delibera e dei presupposti indicati nella medesima, i dati personali dal

territorio dello Stato verso gli Stati Uniti d'America; 2) si riserva, ai sensi dell'art. 154, comma 1, lettere da a) a d) del

Codice, di svolgere in qualsiasi momento i necessari controlli sulla liceità e correttezza del trasferimento dei dati e, comunque, su

ogni operazione di trattamento ad essi inerente, nonché di adottare, se necessario, i provvedimenti previsti dal Codice; 3) dispone la trasmissione del presente provvedimento all'Ufficio

pubblicazione leggi e decreti del Ministero della giustizia per la sua pubblicazione nella Gazzetta Ufficiale della Repubblica Italiana.

Trasferimento dati personali verso gli USA: caducazione provvedimento del Garante del 10.10.2001 di riconoscimento dell'accordo sul c.d. "Safe Harbor" - 22 ottobre 2015


Corporate Data at Risk

50

Network Credentials Intellectual Property

Calls

Privileged Communication

Employee Location

Superior service empowered by combining the strength of our people and information technology.

Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi...

Technology

Transcript of Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi...