Security Risk Management: how to mitigate and manage data risks through services...
© Hitachi Systems CBT S.p.A. 2015. All rights reserved.
Security Risk Management: How to mitigate risks and protect data
Security Managed Services
Denis Cassinerio, Security BU Director & Sales Director North Italy
11/11/2015
Agenda
1. Hitachi Ltd. & Hitachi ITSG
2. Hitachi Systems CBT
3. Risk Management Scenario
4. Managed Security Services
1. Hitachi Ltd. & Hitachi ITSG
1. Hitachi Ltd. (as of end of Mar. 2015): revenue 81.60 billion, by segment:
- Information & Telecommunication Systems: 19%
- Social Infrastructure & Industrial Systems: 15%
- High Functional Materials & Components: 14%
- Electronics Systems & Equipment: 11%
- Others (Logistics & Other services): 11%
- Automotive Systems: 9%
- Construction Machinery: 7%
- Smart Life & Ecofriendly Systems: 7%
- Power Systems: 4%
- Financial Services: 3%
1.2 Hitachi Systems Global
- 2012 – North America: Cumulus Systems
- 2013 – South East Asia: Hitachi Sunway Information Systems
- 2014 – India: Hitachi Systems Micro Clinic
- 2014 – China: Hitachi Systems (Guangzhou)
- 2015 – Italy: Hitachi Systems CBT
- 2015 – Canada: Above Security
STRATEGY
1. Establish a base of operation in Italy
2. Contribution to the social infrastructure business of Hitachi
3. Expand into greater Europe
2. Hitachi Systems CBT – Italy
2.1 Vision & Mission
VISION: "Cloud, Service, Application & Technology Integrator"
MISSION: "Transfer the complexity and start focusing on your business only"
Over the last 35 years we have been supporting medium and large enterprises, both in the private and public sector, by implementing and improving their infrastructure and integrating it with services and application solutions with high technological content.
Assist organizations in their strategic path to Business Transformation through outsourcing of infrastructure, services and applications.
2.2 Business Areas
- TECHNOLOGY (Data Center, Networking, Devices, Middleware): 2014 revenues 31.1M€
- APPLICATIONS: 2014 revenues 22.3M€
- MANAGED SERVICES: 2014 revenues 3.7M€
Engineering Projects & Services
2.3 Highlights
"All our customers will be free to focus on their core business only"
- HEADQUARTERS: Roma
- SOFTWARE FACTORY: Bologna
- BRANCHES: Milano, Venezia, Torino, Novara
- DATA CENTERS: Roma, Milano
- +300 team, 6 locations, 2 data centers
- Over 1,200 certifications, over 100 partners
- Long experience: >35 years
- 100% security & compliance
- 57M€ revenue (+7% FY 2013)
- 24/7, 365 days services
3. Risk Management Scenario
ATTACK SURFACE
Vulnerability & Threats
DATA BREACH SNAPSHOT
CLUSIT Report 2015
3.1 Compliance changes
REGULATION: European Regulation
• The European Commission has proposed a comprehensive reform of EU rules on the protection of personal data of natural persons.
• The new Regulation aims to set clear and uniform rules on privacy, online and offline.
• Once approved by the European Parliament and the Council, it will apply in all EU Member States.
Main novelties of the Regulation (as in the Commission proposal at the time of this talk)
1. Mandatory "Data Protection Impact Assessment" for risky processing
2. Mandatory "Privacy by Design and by Default" in the design and architecture of ICT infrastructure and in business practices
3. Mandatory "Data Breach Notification" to the Garante Privacy within 24 hours of the event
4. Obligation for companies with more than 250 employees and for public bodies to appoint a "Data Protection Officer"
5. Right to be forgotten: every data subject may request the erasure of their personal data.
Note: the Regulation as finally adopted in April 2016 (GDPR, Regulation (EU) 2016/679) sets the breach notification deadline at 72 hours from awareness and ties the DPO obligation to the nature and scale of the processing rather than to a 250-employee threshold.
SANCTIONS provided for by the NEW European Regulation
3.2 Risk Management Maturity
Crisis = Opportunity
The Opportunity: Skills Gap
SECURITY RISK MANAGEMENT sits across a SKILLS GAP between three domains:
- Legal & Compliance (data protection): D.Lgs. 196/2003 as amended; D.Lgs. 231/01 as amended; Law 547/93 as amended; ISO/IEC 27001:2013; COBIT; ITIL; ...
- Threats: virus, worm, trojan, payloads, man-in-the-middle, brute force, authentication attacks, ..., APT
- Vulnerabilities: identifiers such as MS08-067 and CVE-2014-6271; ISO, NIST, OWASP, OSST... frameworks; vectors of attack, technical impacts, business impacts
Information Security Risk Management Fundamentals
The three security objectives: CONFIDENTIALITY, INTEGRITY, AVAILABILITY
- VULNERABILITY: processes, systems, network, applications; continuous checking and continuous remediation
- THREATS: new threats every 1.5 seconds; variants, exploit kits, botnets, APT; penalties
- COUNTERMEASURES: processes, checks, AV, IPS, FW, anti-APT, WAF, HIPS, application control, ...; consultancy
- VALUATION: data, assets
- ANALYSIS: qualitative, quantitative
Situational Awareness Security
4. Managed Security Services
Security Business Unit
EasyShield: Vision
VISION: Manage the Security IT Complexity
EasyShield integrated services: Legal & Compliance, Architectural Design, Security Engineers, Security Analysts, Managed Security Services
EasyShield: Keywords and Benefits
Pillars: COMPLIANCE, TECHNOLOGY, MANAGED SERVICES, CYBERSECURITY
Benefits:
- Cost reduction & control
- Security posture improvement
- Ad hoc installation & configuration
- Up-to-date certification
EasyShield: Security Risk Management
The risk management cycle:
1. Identify & analyze exposures
2. Examine risk management techniques
3. Select risk management techniques
4. Implement the techniques
5. Monitor results
"Identify assets and their value to the organization. Identify vulnerabilities and threats. Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure."
Shon Harris, CISSP
"Security Partner"
4. EasyShield Offering Structure
Security BU Offering
SKILLS | EXTENDED PORTFOLIO | SRM CYCLE | COST EFFECTIVE
Offering lines: Compliance, Professional Services, Technology, Cyber Security, Managed Security Services
3.4 Offering: EasyShield®
EasyShield® represents a 360° security approach, from Compliance to Cloud services, through the best technology solutions via Managed Services.
CYBER SECURITY
• APT Assessment
• Multi Protocol Network Detection
• Spear Phishing Mitigation
• Anti Bot Net
• Sandboxing and behavioral monitoring
• Forensic Analysis
• Intrusion Detection / Prevention
• Ethical Hacking
• Penetration Test
• Web Application Protection
• Zero Day Protection
COMPLIANCE
• Security & Compliance Risk Assessment
• Risk Management, Governance & Certification
• Business Continuity & Disaster Recovery
• Regulatory Compliance Management
• Business Process Reengineering
• Security Awareness Training
• Security & Compliance Audit
TECHNOLOGY
• Content Security
• Datacenter & Cloud Security
• Network Security
• Security Management
• Vulnerability Management
MANAGED SECURITY SERVICES
• Compliance Management
• Privileged Account Management
• Web Application Protection
• Vulnerability Assessment
• Virtual Patching / Patch Management
• Anti-Malware policy management
• Mobile Security
• Firewall configuration and policies
• IPS / IDS management
PROFESSIONAL SERVICES
• Penetration Test: vulnerability, mobile, web application, wireless
• PCI DSS (scan & compliance)
• Wireless Assessment
4.2 Global SOC
Global SOC: Security Strategy
SHIELD Security Operation Center
- Cyber Security (Anti-Phishing, Anti-Malware)
- Proactive Defense with Real-time Analytics and Global Intelligence Service
- Protection of Critical Infrastructure (Social Infrastructure)
WAF: Web Application Firewall; NGFW: Next Generation Firewall; SIEM: Security Information and Event Management
ABOVE SECURITY Integration
ARKANGEL Platform
Conclusion
"It is better to look ahead and prepare than to look back and regret." Jackie Joyner-Kersee, athlete and Olympic medalist
Thanks!!
Security BU Offering: Main Technologies
- APT IOC Detection
- IAM / PAM
- Content Security
- Network Security
- Security Management
Contacts
HEADQUARTERS
ROME
Via Francesco P. Da Cherso, 30 - 00143
+39 06 519931
www.hitachi-systems-cbt.com
MAIN SITES
MILAN
Via Dei Gracchi, 7 – 20146
+39 02 489571
VENICE - QUARTO D’ALTINO
Via L. Mazzon, 9 – 30020
+39 0422 19702
TURIN
Via Gian Domenico Cassini, 39 - 10129
+39 011 5613567
NOVARA
Via Biandrate, 24 - 28100
+39 0321 670311
BOLOGNA - CASALECCHIO DI RENO
Via Ettore Cristoni, 84 - 40033
+39 051 8550501
TOLL FREE
800 228 228
800 899 228 (WebRainbow)
ICT Festival 2015 - Milano, 11/11/2015
Denis Cassinerio, Security Business Unit & Sales Director - DirectSecurity
Security Risk Management: How to mitigate and manage data risks through Managed Services
END
CYBERCRIME TRICHOTOMY
References: Case Studies Security
SHIELD: The Brand Name for Hitachi Systems Security Solution
- G.Matica – Integrated ISO 27001 / ISO 9001 certification: implementation and certification of the integrated Quality and Information Security Management System.
- HDI Assicurazioni – Log Management: installation, configuration and operation of a system that tracks System Administrator access logs, as required by the privacy rules.
- RFI – Privacy course: design and delivery of two training modules on information security and data protection; train-the-trainer sessions.
- LND – Security & Privacy Risk Assessment: security assessment against the privacy legislation and the Garante's provisions.
- IntesaBCI – Security management processes: design of the ISO 27001 security management processes and evaluation of their organizational impact on the bank.
- Consorzio ATR – Privacy compliance: security assessment; preparation of the privacy documentation system; integration of contracts; training delivery.
- RM ASL B – AV / IPS / IDS: installation and configuration of a platform protecting virtual environments from data breaches and business interruptions.
- IUAV – Privacy Risk Assessment: verification of the compliance of the University's organizational, management and technological model with the privacy security measures.
- Poste Italiane – Risk Management: definition of the ISO 31000 risk management process and of the ISO 27005 risk assessment methodology.
- FIP – Data Loss Prevention: installation and configuration of a data protection system for PCs and mobile devices, supporting compliance and preventing data loss.
- Telecom – Log retention policies: definition of security policies for the collection, retention and use of logs, in compliance with the rules on monitoring the use of IT systems.
- AgID – Security Audit: ISO/IEC 27001, D.Lgs. 196/2003 and D.Lgs. 231/2001 security audit carried out on the RIPA (Rete Internazionale della Pubblica Amministrazione).
1.3 Hitachi ITSG & HISYS Organization
HITACHI Ltd.
- Information & Telecommunication Systems Group (ITSG)
- Research & Development Group
- Healthcare Group
- Power & Infrastructure Systems Group
ITSG companies:
- Hitachi Data Systems Corporation: "Platforms (Storage Systems, Server, Platform Software)"
- Hitachi Consulting Corporation: "IT Consulting"
- Hitachi Solutions Ltd.: "Products and System Development"
- Hitachi Systems Ltd.: "System Solutions and Services", with Cumulus Systems, Hitachi Sunway Information Systems, Hitachi Systems Micro Clinic, Hitachi Systems (Guangzhou), Hitachi Systems CBT and Above Security
1.2 History of Hitachi ITSG
- 1910: Hitachi founded (start of the timeline)
- 1937: Establishment of Totsuka factory (produced telephones & switchboards)
- 1949: Automated switchboard
- 1959: Electric computer
- 1959: Train seat reservation system
- 1965: Mainframe
- 1969: Online banking system
- 1980: Beijing meteorological central system for the Chinese Central Meteorological Agency
- 1981: Digital switchboard
- 1982: Supercomputer
- 1985: Workstation
- 1993: Integrated system management middleware
- 1994: Outsourcing solution
- 1995: RAID disk array
- 1997: EDI system
- 2003: Finger vein authentication system
- 2004: Blade server
- 2007: Hitachi virtualization technology "Virtage"
- 2009: Hitachi cloud solution / environment-conscious data center
- 2012: Big data related services
- 2013: Smart information related products and services "intelligent Operations"
- 2014: IoT (Internet of Things), M2M (Machine to Machine)
- TODAY
Security Risk Management
(figure) Threats and events: errors / omissions; unauthorized users; vandalism; physical tampering; change or copy of data; unauthorized software execution; natural events; introduction of illegal software; theft.
Control areas: organization; business and operations continuity; logical access; physical access; distributed architecture.
Assets: data; documentation; applications; systems.
Minimum measures – Adequate measures (Misure Minime – Misure Idonee)
(figure) Cost as a function of the security level. Two curves: the cost of security, which rises with the security level, and the cost of exposure, which falls as the security level rises; their sum is the total cost. The economic optimum (punto di ottimo economico) is the security level at which the total cost is lowest: spending less leaves too much exposure, spending more costs more than the residual risk it removes.
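The steps quoted from Shon Harris on the EasyShield Security Risk Management slide (value the assets, quantify the probability and business impact of each threat, balance the impact against the cost of the countermeasure) and the cost curve above are normally worked with the standard SLE / ARO / ALE arithmetic. The Python below is an added example, not code from Hitachi Systems CBT or from the presentation; the asset value, exposure factors, incident rates, countermeasures and cost-curve points are all constructed for illustration.

```python
"""Quantitative security risk analysis (added worked example).

Carries the deck's risk-management steps through with constructed numbers:
value the asset, quantify probability and impact of a threat (SLE, ARO, ALE),
weigh each countermeasure's cost against the loss it prevents, and locate the
security level where total cost (security spend plus residual exposure) is
lowest. Every figure in this file is invented for the example.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: asset value times the fraction of it lost in one incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE: SLE times the annualized rate of occurrence (incidents per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # licences, hardware and operations per year
    residual_aro: float  # incidents per year once the control is in place
    residual_ef: float   # fraction of the asset still lost per incident


def countermeasure_value(asset_value: float, exposure_factor: float, aro: float,
                         cm: Countermeasure) -> float:
    """Net annual value of a control: ALE before - ALE after - annual cost.

    This is the 'economic balance between the impact of the threat and the
    cost of the countermeasure' from the quoted definition: a negative value
    means the control costs more per year than the loss it prevents.
    """
    before = annualized_loss_expectancy(asset_value, exposure_factor, aro)
    after = annualized_loss_expectancy(asset_value, cm.residual_ef, cm.residual_aro)
    return before - after - cm.annual_cost


def rank_countermeasures(asset_value, exposure_factor, aro, options):
    """(name, net value) pairs, best first. Negative entries are kept so the
    reader sees which controls are not worth buying for this asset."""
    scored = [(cm.name, countermeasure_value(asset_value, exposure_factor, aro, cm))
              for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def optimal_security_level(levels):
    """levels: (level, security_cost, exposure_cost) triples, one per point on
    the cost curve. Returns the level whose total cost is lowest."""
    return min(levels, key=lambda t: t[1] + t[2])[0]


# Constructed scenario (not from the presentation): a customer database
# worth 2,000,000 EUR exposed to ransomware.
ASSET_VALUE = 2_000_000.0
EXPOSURE_FACTOR = 0.4   # 40% of the asset's value lost per incident
ARO = 0.5               # one incident every two years

COUNTERMEASURES = (
    Countermeasure("Offline backups with tested restore", 40_000, 0.5, 0.05),
    Countermeasure("EDR with managed monitoring", 120_000, 0.1, 0.4),
    Countermeasure("Spare hardware fleet", 350_000, 0.5, 0.3),
)

# Constructed points on the total-cost curve: (level, security cost, exposure cost)
SECURITY_LEVELS = (
    (1, 20_000, 400_000),
    (2, 60_000, 200_000),
    (3, 120_000, 90_000),
    (4, 250_000, 50_000),
    (5, 500_000, 30_000),
)


if __name__ == "__main__":
    ale = annualized_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR, ARO)
    print(f"ALE without controls: {ale:,.0f} EUR/year")
    for name, value in rank_countermeasures(ASSET_VALUE, EXPOSURE_FACTOR, ARO, COUNTERMEASURES):
        print(f"{name:40s} net value {value:>12,.0f} EUR/year")
    print("Economic optimum at security level", optimal_security_level(SECURITY_LEVELS))
```

With these constructed numbers the uncontrolled ALE is 400,000 EUR/year; tested offline backups come out best (310,000 EUR/year net), managed EDR second (200,000), and the spare hardware fleet is rejected because it costs more than the loss it avoids. The cost-curve points place the economic optimum at level 3, where the 120,000 EUR security spend plus 90,000 EUR residual exposure is the lowest total.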
2.4 How do we do it
KEY STRENGTHS
- BUSINESS TRANSFORMATION: strategic transformation of business and organizational processes, with deep experience in outsourcing and cloud computing
- COMPLEXITY TRANSFER: we manage the customer's technological complexities, leaving them free to focus exclusively on their core business
- CUSTOMISED SOLUTIONS: more than 1,200 hardware and software technology certifications to design tailor-made solutions, also on the private and public cloud infrastructure already available in our data centers
- TIME AND COST SAVINGS: speed of delivery and the "pay-per-use" logic of the EasyCloud®, EasyWare®, WebRainbow® and EasySHIELD® solutions generate economic efficiency by switching from investments to fees
PROVISIONS – 28/10/2015
Transfer of personal data to the USA: lapse of the Garante's decision of 10.10.2001 recognising the so-called "Safe Harbor" agreement – 22 October 2015. The decision follows the CJEU judgment of 6 October 2015 in Schrems (C-362/14), which invalidated the Safe Harbor adequacy decision; "the Code" below is the Italian Personal Data Protection Code, D.Lgs. 196/2003.
"…ALL THE ABOVE BEING CONSIDERED, THE GARANTE 1) declares the lapse of the authorisation adopted by the Garante on 10 October 2001 by resolution no. 36 and, as a consequence, prohibits exporting entities, pursuant to Articles 154(1)(d) and 45 of the Code, from transferring personal data from the territory of the State to the United States of America on the basis of that resolution and of the conditions set out therein; 2) reserves the right, pursuant to Article 154(1)(a) to (d) of the Code, to carry out at any time the necessary checks on the lawfulness and fairness of the data transfers and, in any event, of every processing operation relating to them, and to adopt, where necessary, the measures provided for by the Code; 3) orders that this decision be forwarded to the Office for the publication of laws and decrees of the Ministry of Justice for publication in the Official Gazette of the Italian Republic."
Corporate Data at Risk
- Network credentials
- Intellectual property
- Calls
- Privileged communication
- Employee location
Superior service empowered by combining the strength of our people and information technology.