Security - ISACA Denver Chapter

Report
Security Management and
Organizational Change
John G. O'Leary, CISSP
1
Abstract
Outsourcing, migration to the cloud, mergers, acquisitions,
divestitures, "right-sizing,” layoffs and major reorganizations are
facts of life in the second decade of the 21st century. All these
situations can create serious information protection concerns,
but security is usually considered only after financial, legal and
structural issues have been settled and the ink is already dry on
the bottom line. We’ll look at large-scale organizational change
from an IT security perspective and try to provide realistic
strategies for handling the very real and emotionally charged
issues that inevitably arise at the first discussion of moving
functions out the door or offshore or to the cloud. We’ll examine
what to do before, during and after major organizational
upheaval to insure that adequate controls are in place.
2
Speaker Biography
John G. O'Leary, CISSP, has a background that spans four decades as
an active practitioner in information systems, IT Security and
contingency planning. He has designed, implemented and managed
security and recovery for networks ranging from single site to
multinational and has trained tens of thousands of practitioners. John
conducts on-site programs at major corporations and government
facilities worldwide. He also facilitated for 10 years the meetings of
working Peer Groups, where security professionals from diverse
corporations shared ideas, concerns and techniques. John received
the 2004 COSAC award, the EuroSec 2006 Prix de Fidelite and the
2011 ISC2 Lifetime Achievement Award. He has yet to fall for a
Nigerian money scheme, but will almost always divulge a password
for chocolate.
Copyright 2012 by John G. O’Leary
3
Objective
At the conclusion of this workshop,
participants should be more able to
understand, anticipate and handle the
information security issues which appear
in the midst of mergers, acquisitions,
divestitures, outsourcing, migration to
the Cloud, “rightsizing,” major
reorganizations and other species of
large-scale organizational change.
4
Agenda
I. Merging
II. Hunkering Down
III. Outsourcing –including
Migration to the Cloud
IV. Personnel Issues
in any Reorganization
V. Potential Countermeasures
5
Merging Dissimilar Organizations
Company Differences
Intellectual
Technological
Operating Systems
Applications Software
Business structure
6
Intellectual

Views of Company Mission

Corporate Cultures

Key Management People

Management Techniques

Strategic Directions

Setting Priorities
7
Views of Company Mission


Keep the entity alive
Make money





for shareholders (including management)
for growth
to pay off debts
to acquire other companies
to fund research
8
Views of Company Mission

Serve






the public
the industry
the community
some special group
In times of special need
How security supports
the mission
9
Corporate Cultures

Stodgy, conservative

Control-oriented

No surprises

Stay the course

Minimal change

Plan to plan the plan
10
Corporate Cultures

High-flying, wild, unfettered

Exciting, flexible

Latest (if not greatest) technology

Changing directions

Constant upheaval

”Sounds good, let's do it"
11
Corporate Cultures

Dominant
profession

Attitudes toward
security
12
Key Management People

Focus on survival (or parachute)

View of security's role



during transition
in the new organization
Reaction to culture clash
13
Key Management People

"Turf" issues

Possible successors

Leadership by example

Concentrated awareness effort
14
Management Techniques

Participative vs. authoritarian

Policies:

scope

number

wording

compliance

effectiveness
15
Management Techniques

Security as part of annual review?

Punishment of offenders

Visible support for security efforts
16
Strategic Directions

Adjusting security objectives to
align with new corporate thrusts

Effectiveness of old controls in
new environment

Acceptability of proposed
security measures
17
Strategic Directions

3 to 5 year planning
horizon (??)

Migration to cloud

Targets and level of
awareness program

Security
development
projects
18
Setting Priorities

Data sharing and consolidation

Increased web connection

Confidentiality

Management "hot buttons"

New directions

Dealing with multiple audit groups
19
Company Differences
Technological

Leading edge vs. Trailing

Single vs. Multi-vendor

Centralized vs. Decentralized

Integration of data/server centers

Degree of networking

Sophistication of users

Technical prowess of staff
20
Technological Differences
Leading vs. Trailing Edge







Hardware capabilities
Software sophistication
Perception of threat
Susceptibility to outage
Effect of an outage
Vulnerability to disgruntled
employee
Attitudes
21
Technological Differences
Centralized vs. Decentralized

Flagpole vs. boondocks

Span of control

Level of involvement

Familiarity with local conditions

Level of commitment

Full-time vs. part-time

Response time for change requests
22
Technological Differences
Integration of Data/Server Centers

Standalone, separate security domains




Usually for regulatory reasons
No integration, but data storage and
vaulting for backup capabilities
Partial integration, usually by application;
communication links, local control
Full integration; full complete switchover
capability
23
Technological Differences
Sophistication of Users

Awareness of threats and vulnerabilities

Old controls in the new environment

re-justify

re-engineer

replace

eliminate
24
Technological Differences
Sophistication of Users

Acceptance of additional "burden" of
security

Speed and method of implementation for
new controls
25
Operating System

Vendors

Version currency

Future/Migration planning

Maintenance level/procedures

Decentralized operations

“Vanilla” vs. “Hooks”

Compatibility
26
Application Software

Vendors

Contracts

Duplicate systems

Choosing
survivors

Business impact
27
Application Software

Support staff skill

Change control

User sophistication

Compatibility
28
Business Structure

Industry type

Predominant
occupational culture

View of Systems (&
Security)

Asset

Overhead
29
Business Structure

"Turf" battles

Access to Top
Management

Total
expenditures

Systems

Security

Industry norms
30
Consolidation – Post-merger

Controlling Security

centralized administration

distributed administration

selecting administrators

training

audit requirements

strength of audit staff

migration plan
31
Getting it done

Form a team




members from both sides
allot limited time for
grumbling
joint responsibilities and
mixed subcommittees to
foster team spirit
small core, temporary
members as needed
32
Getting it done
 Develop



the plan
dates and
deliverables
personal
responsibility
management
approval (higher-ups
from both sides of
the merger)
33
Getting it done

Work the plan

build a history of small but real
achievements

praise cooperative groups

take the path of least resistance

be flexible, but not a pushover
34
Getting it done

Work the plan

report successes and
failures

ask for help & suggestions

don't waste time on
stonewallers; isolate them
and let peer pressure work
for you

leave slack for management
hot buttons
35
Exercise

HP or Cisco or Oracle or
Walmart or Sony or some
European firm (choose one)
just bought your company

Outline a plan for the
integration of your existing
systems
36
Hunkering Down
Divestiture
Downsizing
Hiring Freezes
Induced Retirements
Layoffs
Facility Closing
Outsourcing / Cloud
37
Divestiture: Selling off to another




Usually the least traumatic form of
corporate contraction

Long-term employees

corporate identity

refusal to accept

feeling of betrayal
Culture clash for "new” employees
No loyalty to either old or new company
Sensitive information and trade secrets
38
Divestiture

Even rumors of divestiture can cause
security problems

Searching for information

Browsing sensitive files

Collecting valuable data or programs for
personal storage and possible future use

Setting logic bombs to detonate if an
employee number vanishes from the
payroll file

...
39
Divestiture

Normally rational employees may attempt
irrational retribution against the company

IT systems are prime targets

Networking, wireless make it easy

In a partial, or staged divestiture,
“former” employees might still be
working at their old desks, using their old
ID’s on their old machines to access
sensitive data
40
Downsizing: Tightening the belt

Hiring freezes





overworked areas get no
relief from constant pressure
can lead to frustration,
anger and blaming the company
too much to do; no help in sight;
something's gotta give
cutting corners and ignoring timeconsuming security practices
temporary abeyance of separation
of duty principles
41
Induced Retirements

Generally not a problem







Might be a win-win for company and retirees
Disgruntlement - “I didn't make the cut”
Hard to motivate those who are leaving
Is it really a choice?
Extra work for those left behind
Allocation of sensitive information and
functions when senior people leave
Organizational memory
42
Layoffs

Always a shock, especially with
no “parachute”

Press coverage is unfailingly
negative

Behavior can be irrational,
unpredictable, violent

Desperation can spur the
revenge motif
43
Layoffs

Strong effect on those who
survive

Dial-up access from home

Logic bombs which go off
unless the programmer is there
to defuse them

Sensitive information for
sale to competitors or
newspapers
44
Layoffs

Security and audit must operate in
a state of heightened awareness

Violation tracking

Follow up

Accurate, timely communication
with personnel and group managers

Audit/security alliance
45
Layoffs






Timing
Advance notice for security
Revoking access to all
systems
Might want other users to
change passwords
Turn up rheostat on
logging and log review
Outprocessing procedures
46
Layoffs

Counseling, even for those who
were not let go

Outplacement services

Benefit package

Publicize penalties for
malicious access
47
Layoffs




Don't delay the process
No negative comments about those who
left
If security people are laid off, stress
professionalism
Audit everything
48
Facility Closing

U. S. law - 60-day notice for plant closing

Invitation to sabotage?

everyone in the place loses his or her job

commiseration
blame the company
"we'll show them!!”
Networks, systems and data warehouses are
obvious targets to strike back at and assuage
feelings of helplessness



49
Facility Closing

Physical sabotage of
company equipment
is not uncommon

Physical violence is a
very real threat

“What are they going
to do, take away my
job?”
50
Facility Closing

Unpredictable behavior by traumatized,
long-term employees who know:







how the organization works
what is truly important
how to hurt it the most
how to inflict that hurt most quickly
how to make recovery difficult to impossible
Each one has a network-connected
workstation on his or her desk
Most can connect in from home
51
Facility Closing

Aggregation of sensitive information
by cooperative sharing of small pieces

Local security people are among those
losing their jobs

Can you expect dedicated, thorough,
professional, ethical performance from
workers who know they will be out of a
job in a short period of time?
52
What can we do?

Close the plant now

Pay people for at least 60 days

many firms have done so

send in team to close up

data security part of team

take financial hit up front

minimize chance for sabotage
or violence
53
What can we do?

Emphasize ethics and
professionalism

Set high expectations
of behavior

Offer bonuses, payable at the
end of the project, to those who
help complete a successful
shutdown
54
What can we do?

Step up security awareness activities

Stress the existence of controls and the
probability of being caught

Advertise punishments for malicious
access

administrative

financial

criminal
55
Exercise

Management has decided to close the
manufacturing plant in Kentucky. You
are in charge of making it go
well and managing the fallout

Outline the steps and timeline in your
plan for this plant closure
56
Outsourcing
Concepts
Managed Services
Variations
Security Issues
Protective Measures
57
MALWARE
Complex Information Security Environment
INTRANET
IPSEC
PKI
Intrusion
Prevention
COMPLIANCE VIRUS
MULTI-PROTOCOL
Forensics
ISO 17799
Wireless
PRIVACY
INTRUSION DETECTION
DENIAL OF SERVICE
NAS vs
SAN
.NET
HIGH
AVAILABILITY
SSL
Identity Management
Sarb-Ox
58
IT Security: Part of a Larger Job
Internet
Electronic Messaging
Security
Application Mgmt.
Storage Area Network
Intranet/Extranet
Wireless/Mobile
Computing
Survivability/Recovery
Enterprise Solutions
International Connections
Regulatory Issues
Platform Migration
………
Help Desk
Customer Relationship Mgmt
Mobile Computing
Governance
Electronic Commerce
Data Warehousing
Collaborative Computing
Supply Chain Mgmt.
Knowledge Management
Third Party Connectivity
Staff Development
Technology Evaluation
Social Networking
………
59
Staffing Alternatives
With the growing number of items falling into
the purview of “Information Security,”
chances are very slim that your
organization will either have enough
people or that they will be knowledgeable
enough to do the job effectively.
Note: This is not a knock on your
people; there are just too
many things, too
interrelated, ….. And they
change too quickly.
60
Concepts
 Back to basics
 Focus on widget making
 Our expertise is in:







manufacturing
marketing
service
finance
?????
but not information systems
especially not IT security
61
Concepts
 Save money
 Cheaper
offshore labor
 Educated, dedicated, workers
 Language not a problem
 Communication technology
simplifies it
 Must stay competitive
 Everyone else is doing it
 May
be viewed as a matter of survival
62
Concepts
 Save money
 Fewer
weird, expensive systems or
security gurus
 Drop out of the “latest
upgrade” rat race
 Stop interdepartmental
“bleeding edge” warfare
 Dam up the constant stream of
security add-ons
63
Concepts
 Better financial planning
Multiple recent surveys have questioned
the amount saved; but outsourcing and
cloud migration still seem to provide:
 Contractually
stipulated amount
for IT or IT security budget
 Even if no appreciable savings,
predictable IT and security costs
 Fewer surprises
 Long term stability
64
Concepts
 Better service

Experts provide our IT Security services





more people
focus on the area
broader experience base
true experts who do this every day
focus on best technology
Contractual obligations
 Contractual penalties for failure to
produce

65
Managed Security Services
 Full
Outsourcing (or full Cloud
Migration)
 Included
 Separate
in facilities management
contract
 Your
people still spell out “owner”
decisions to be implemented
 Contracted
firm does all the security
functions
66
Managed Security Services
 Full
Outsourcing
 Contracted
firm does actual hands-on
administration
 You still need a knowledgeable liaison
 You still need to know enough to:
 Plan
 Analyze
 Make
security-related decisions
67
Managed Security Services
 Partial
Outsourcing
 Might
be stipulated in facilities
management contract
 Probably
separate contracts for specific
outsourced items (usually)
 Menu
of items
 Different
 Not
vendors
all eggs in one basket
 Specialty
areas - “Boutiques”
68
Case Study
Large North American Bank
 Excellent technical skills on staff
 Internal tech staff already heavily loaded
 Opinion that “builders” and “maintainers”
wouldn’t find holes in systems they built
and maintained
 Outsourced penetration testing to a known,
recommended boutique firm

69
Case Study
Technical controls (e.g., firewalls) were
excellent; penetration team couldn’t get
through
 Social engineering of executive assistant in
remote area got a server password
 Financial executive’s remote
password was “Password”
 Firm had specific stop points
 Bank used firm’s reports to close
holes

70
Managed Security Services
 Partial
Outsourcing
 Mixed
staff
 Full-time
employees
 Part-timers
 Contractors
 Different
 You
Vendors
still need to manage them
71
Variations: Cloud Migration
Software as a Service
Platform as a Service
Infrastructure as a
Service
72
Variations: IT Security Outsourcing
Consulting
Risk Assessment
Administration
Implementation
Policy Writing
Awareness
Training
73
Variations: IT Security Outsourcing
Security Architecture Design
Firewall Implementation
PKI
Physical Security
Auditing
Background Checks
Patch Management
74
Variations: IT Security Outsourcing
Product Evaluation
Monitoring
Network Management
Intrusion Detection and
Response
Penetration Testing
Forensics
75
Case Study
Insurance and Financial Services
Company
 Northeastern USA
 Built outstanding forensics capability
internally, using employees
 In court, for lawsuits or prosecutions,
use outsourced forensics capability,
not the internal recognized expert
 Credibility of witness calls for a nonemployee

76
Security Issues

Ownership of data

Access approval authority

Disclosure of sensitive information

Security controls at vendor site
77
Security Issues
 Partitioning
of customer data
by vendor
 Network
security
 Customer
policies vs. vendor
policies
 Laws
in venues where
outsourcing is performed
 India,
Philippines, China, etc.
78
Security Issues

Loss of control

Security and privacy of the
customer's customers

Staff IT & IT Sec personnel

Quality assurance

In the 21st Century, you are in the
Information business
79
Security Issues
 Non-outsourced
 Standalone
items:
PC’s
 Notebooks
 Netbooks
 Smart
phones
 Palmtops
 LAN's
 "Special" systems
 Wireless
80
Outsourcing Issues
 Vendor
 Lack
personnel
of in-house expertise
 analysis
of proposed changes
 problem
resolution
 incident
investigation
 future
plans
 Possible
union problems
81
Case Study
International Cosmetics Firm
 Good Information Security Staff

Manager & Technical staff
 Long-term employees

Outsourced management of Info Security
 Employees reported to Managed Services
firm person – Director of IT Security


Manager and most senior (and best) tech
person quit
82
Outsourcing/Cloud Issues

Level of
commitment

Audit rights and
procedures

Violation reporting
and follow-up

Security
awareness
83
Outsourcing/Cloud Issues
 Viability
of vendor

What if they merge?

What if they get bought?

What if there’s a Board of
Directors insurrection?

What do you do if they go “belly-up”?

What is your “bring it back in-house” plan
84
Outsourcing/Cloud Issues
 Viability
of Vendor – Offshore

What if the government changes and the
incoming one is hostile?

What if they go to war?

What if significant laws relating to
your business being done there change?

What if one of their citizens, in the employ of
the outsourcer you contracted with, commits a
crime against your customers?
85
Outsourcing/Cloud Issues
 Positive
 Cost
savings
 Predictable
 Focus
on core business
 Experience
 Fewer
cost
and expertise of service firms
employees (productivity)
 Insulation
from internal politics (???)
 Contractual
obligations and penalties
86
Outsourcing/Cloud Issues
 Positive
 Extend
your IT Security staff
 Stay
aware of newest
and most dangerous threats
 Keep
up with latest security technology,
techniques and products
 Might
not be inexpensive, but could be
cost-effective
87
Outsourcing/Cloud Issues

Positive

Probably a better chance of getting help
handling massive or multiple rapidly
occurring problems:

….unless they’re swamped, too
88
Security Outsourcing Issues
 Negative
 Loss
of control
 Total
cost might be higher
 Loss
of in-house expertise
 Increased
dependence on outsourcer
89
Security Outsourcing Issues
 Negative
 Customer
Service Concerns
 Language



Accents
Idioms
Dialects
 Lack



of flexibility
Strictly scripted responses
No deviations
No concessions
 Product
knowledge
90
Security Outsourcing Issues
 Negative
 Political
fallout from offshore
outsourcing
 Privacy
concerns
 Abrogation
of responsibilities (?)
 Vulnerability
to disgruntled or
dishonest vendor personnel
91
Case Study
Citibank
 Striving to save money in
a competitive environment
 Outsourced call center operations to
Mphasis BPO, a firm in India
 3 Mphasis employees took credit card #’s
and pins of 4 users they had access to and
withdrew $350,000 from accounts
 Indian police (city of Pune) very cooperative
 Indian laws strong and enforced
 14 arrests

92
Security Outsourcing Issues
 Pro
and Con
 Your
firm gets as much security as
it wants and is willing to pay for
 You
are not constantly annoying
people about security issues
 Politics
overrides cost savings
93
Case Study








State of New Jersey
Like all governments, trying to do
more with less – needed to save money
Outsourced NJ State Welfare
Department call center to a firm in India
Callers heard Indian accents,
called their local politicians … and newspapers
Political firestorm
NJ had been saving substantial dollars ($1m/mo.)
Politicians complained of “Long-term costs” to New
Jersey citizens
Now -severe limits on any State jobs being
outsourced, especially sent offshore
94
Protective Measures

Choose a reputable vendor (not
necessarily the least expensive)

Third party security reviews – not
by your primary audit firm

Stepped-up security
awareness efforts

Rigorous security testing of any
changes to the environment
95
Protective Measures

Detailed security checklist(s) for outsourcer
to fill out and your security people to
analyze prior to signing contracts

Solid legal representation in the country
where the work is being done
 Specialization
in local contract law

Input to recovery plans

Participation in recovery planning exercises
96
Protective Measures
 Contractual
commitments on:
 Troubleshooting
response
 Disaster
recovery
 Violation
follow-up
 Personnel
 Depth
change notification
and length of incident tracking
 Remedies
and penalties for noncompliance
97
Protective Measures

Transition teams

Phased implementation

Bonuses for those who stay
through specified milestones

Joint access approval authority

Inspections by customer auditors of
vendor processing site

Involving users in implementation
plans
98
Protective Measures
 Use
different vendors for different
specialties
 Problem
 It
with ‘one size fits all’
doesn’t
99
Protective Measures

Have a back-out plan in place

Make sure that all security
knowledge hasn’t migrated
out of the organization

Contract for independent
reviews of security
architecture and elements
If it’s not in the contract,
it doesn’t get done
100
Exercise

Your outsourced, offshore
application development firm
says it needs access to your
production files for volume
testing

Design a questionnaire/checklist
for them to fill out before they
get access to your environment
101
Personnel Issues
Any significant
organizational
change can
cause security
problems
102
The Unholy Triangle
Fear
Uncertainty
Doubt
103
Concern for Loss of:
Income
Status
Social group
Corporate identity
Benefits
104
Concern for Loss of:
Power
Opportunity
Time Investment
Effort
105
What Must an Organization do?





Reduce stress
Ease the trauma of job loss or status
reduction
Help people maintain positive attitudes
Discourage retribution
HOW to do these things will vary with
the situation
106
Major Reorganization

Massive turnover

Finding replacements

Screening new hires

Timing of changes

Fixing mistakes
107
Major Reorganization

Removal of old access profiles
FOR
NOW
For now = Forever
108
Countermeasures
Visible support from the top
Clear lines of authority and
responsibility
Specified ownership
of resources
Advertised punishments for violations
109
Countermeasures
Security/Audit
involvement
Site visits
Security reviews
Rigorous audits
110
Countermeasures
Centralized Quality
Assurance group
Thorough and
mandatory change
control procedures
Systems cutover
standards, procedures
and teams
111
Countermeasures
Coordinated risk analysis
Combined contingency plan
Multi-unit disaster tests
Education and Training
112
Countermeasures
Emphasis on
physical security
Visible deterrents
to malicious actions
Outplacement
counseling
113
Summary
We have covered:
I. Merging
II. Hunkering Down
III. Outsourcing
IV. Personnel Issues
in any Reorganization
V. Potential Countermeasures
114
Summary
Keys to success
In periods of large-scale organizational change,
security people must be flexible and adaptable
For better or for worse,
the old organization is gone
Focus on making the new one work
115

similar documents