Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

More documents

Recommendations

Info

About About Jody Jody R. R. Westby Westby About Jody R. Westby Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business experience, Ms. Westby provides consulting and legal services to public and private sector clients in the areas of privacy, security, cybercrime, breach management, and IT governance. Her services include governance assistance to boards and senior management, security risk assessments, global compliance reviews, security investigations, and high-value data protection evaluations. Her company, Global Cyber Risk LLC, is a preferred provider of privacy and security consulting services to Reed Smith. Ms. Westby serves as Adjunct Distinguished Fellow at Carnegie Mellon CyLab. She was lead author on Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, 1 Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business experience, Ms. Westby provides consulting and legal services to public and private sector clients in the areas of privacy, security, cybercrime, breach management, and IT governance. Her services include governance assistance to boards and senior management, security risk assessments, global compliance reviews, security investigations, and high-value data protection evaluations. Her company, Global Cyber Risk LLC, is a preferred provider of privacy and security consulting services to Reed Smith. which was developed for boards and Ms. Westby serves as Adjunct Distinguished Fellow at Carnegie Mellon CyLab. She was lead author on senior management, and its 2008 and 2010 Governance of Enterprise Security Survey reports. Ms. Westby’s work Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, for Carnegie Mellon on the governance responsibilities of boards and senior executives for the security of their organizations’ systems and data has been showcased by the CISO Executive Network and Bloomberg BNA’s Privacy & Security Law Report. Prior to founding Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC) where she was responsible for information security, privacy, information sharing, and critical infrastructure protection issues across the federal government. She also was co-lead in launching their outsourcing practice. Before joining PwC, Ms. Westby founded the Work-IT Group, and specialized in serving government and private sector clients on legal and regulatory issues associated with information technology and online business. Ms. Westby has advised government officials and industry in countries around the world on the development of their legal frameworks for e-commerce and security. Previously, Ms. Westby launched In-Q-Tel, an IT solutions/venture capital company founded by the CIA, was Senior Fellow & Director of IT Studies for the Progress & Freedom Foundation, and was Director of Domestic Policy for the U.S. Chamber of Commerce. She also practiced law with the New York firms of Shearman & Sterling and Paul, Weiss, Rifkind, Wharton & Garrison. Ms. Westby is a professional blogger for Forbes on cybersecurity and privacy issues. She is chair of the American Bar Association’s (ABA) Privacy and Computer Crime Committee and was chair, co-author and editor of its International Guide to Combating Cybercrime, International Guide to Cyber Security, International Guide to Privacy, and Roadmap to an Enterprise Security Program (endorsed by the Global CSO Council). She was editor and co-author of the 2010 UN publication, The Quest for Cyber Peace and is author of two books on legal issues associated with cyber security research. She is co-chair of the World Federation of Scientists’ Permanent Monitoring Panel on Information Security and was appointed to the United Nations’ ITU High Level Experts Group on Cyber Security. She also serves on the advisory board of The Intellectual Property Counselor and Bloomberg BNA’s Privacy and Security Law Report. Ms. Westby is a member of the bars of the District of Columbia, Colorado, and Pennsylvania, and of the ABA. She received her B.A., summa cum laude, from the University of Tulsa and her J.D., magna cum laude, from Georgetown University Law Center. She is a member of the Order of the Coif, the American Bar Foundation, and the Cosmos Club. 1 Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business experience, Ms. Westby provides consulting and legal services to public and private sector clients in the areas of privacy, security, cybercrime, breach management, and IT governance. Her services include governance assistance to boards and senior management, security risk assessments, global compliance reviews, security investigations, and high-value data protection evaluations. Her company, Global Cyber Risk LLC, is a preferred provider of privacy and security consulting services to Reed Smith. Ms. Westby serves as Adjunct Distinguished Fellow at Carnegie Mellon CyLab. She was lead author on Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, which was developed for boards and senior management, and its 2008 and 2010 Governance of Enterprise Security Survey reports. Ms. Westby’s work for Carnegie Mellon on the governance responsibilities of boards and senior executives for the security of their organizations’ systems and data has been showcased by the CISO Executive Network and Bloomberg BNA’s Privacy & Security Law Report. Prior to founding Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC) where she was responsible for information security, privacy, information sharing, and critical infrastructure protection issues across the federal government. She also was co-lead in launching their outsourcing practice. Before joining PwC, Ms. Westby founded the Work-IT Group, and specialized in serving government and private sector clients on legal and regulatory issues associated with information technology and online business. Ms. Westby has advised government officials and industry in countries around the world on the development of their legal frameworks for e-commerce and security. Previously, Ms. Westby launched In-Q-Tel, an IT solutions/venture capital company founded by the CIA, was Senior Fellow & Director of IT Studies for the Progress & Freedom Foundation, and was Director of Domestic Policy for the U.S. Chamber of Commerce. She also practiced law with the New York firms of Shearman & Sterling and Paul, Weiss, Rifkind, Wharton & Garrison. Ms. Westby is a professional blogger for Forbes on cybersecurity and privacy issues. She is chair of the American Bar Association’s (ABA) Privacy and Computer Crime Committee and was chair, co-author and editor of its International Guide to Combating Cybercrime, International Guide to Cyber Security, International Guide to Privacy, and Roadmap to an Enterprise Security Program (endorsed by the Global CSO Council). She was editor and co-author of the 2010 UN publication, The Quest for Cyber Peace and is author of two books on legal issues associated with cyber security research. She is co-chair of the World Federation of Scientists’ Permanent Monitoring Panel on Information Security and was appointed to the United Nations’ ITU High Level Experts Group on Cyber Security. She also serves on the advisory board of The Intellectual Property Counselor and Bloomberg BNA’s Privacy and Security Law Report. Ms. Westby is a member of the bars of the District of Columbia, Colorado, and Pennsylvania, and of the ABA. She received her B.A., summa cum laude, from the University of Tulsa and her J.D., magna cum laude, from Georgetown University Law Center. She is a member of the Order of the Coif, the American Bar Foundation, and the Cosmos Club. 1 which was developed for boards and senior management, and its 2008 and 2010 Governance of Enterprise Security Survey reports. Ms. Westby’s work for Carnegie Mellon on the governance responsibilities of boards and senior executives for the security of their organizations’ systems and data has been showcased by the CISO Executive Network and Bloomberg BNA’s Privacy & Security Law Report. Prior to founding Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC) where she was responsible for information security, privacy, information sharing, and critical infrastructure protection issues across the federal government. She also was co-lead in launching their outsourcing practice. Before joining PwC, Ms. Westby founded the Work-IT Group, and specialized in serving government and private sector clients on legal and regulatory issues associated with information technology and online business. Ms. Westby has advised government officials and industry in countries around the world on the development of their legal frameworks for e-commerce and security. Previously, Ms. Westby launched In-Q-Tel, an IT solutions/venture capital company founded by the CIA, was Senior Fellow & Director of IT Studies for the Progress & Freedom Foundation, and was Director of Domestic Policy for the U.S. Chamber of Commerce. She also practiced law with the New York firms of Shearman & Sterling and Paul, Weiss, Rifkind, Wharton & Garrison. Ms. Westby is a professional blogger for Forbes on cybersecurity and privacy issues. She is chair of the American Bar Association’s (ABA) Privacy and Computer Crime Committee and was chair, co-author and editor of its International Guide to Combating Cybercrime, International Guide to Cyber Security, International Guide to Privacy, and Roadmap to an Enterprise Security Program (endorsed by the Global CSO Council). She was editor and co-author of the 2010 UN publication, The Quest for Cyber Peace and is author of two books on legal issues associated with cybersecurity research. She is co-chair of the World Federation of Scientists’ Permanent Monitoring Panel on Information Security and was appointed to the United Nations’ ITU High Level Experts Group on Cybersecurity. She also serves on the advisory board of The Intellectual Property Counselor and Bloomberg BNA’s Privacy and Security Law Report. Ms. Westby is a member of the bars of the District of Columbia, Colorado, and Pennsylvania, and of the ABA. She received her B.A., summa cum laude, from the University of Tulsa and her J.D., magna cum laude, from Georgetown University Law Center. She is a member of the Order of the Coif, the American Bar Foundation, and the Cosmos Club. Carnegie Carnegie Mellon Mellon CyLab CyLab Carnegie Mellon CyLab ! !
About RSA About RSA Founded in 1982, RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations Founded solve their in most 1982, complex RSA, The and Security sensitive Division security challenges. of EMC, is These the premier challenges provider include of managing security, risk organizational and compliance risk, safeguarding management mobile solutions access and for collaboration, business acceleration. proving compliance, RSA helps the and world’s securing leading virtual organizations and cloud solve environments. their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry-leading eGRC capabilities and Combining robust consulting business-critical services, controls RSA brings in identity visibility assurance, and trust encryption to millions & key of user management, identities, SIEM, the transactions Data Loss that Prevention, they perform, Continuous and the Network data that Monitoring, is generated. and Fraud Protection with industry-leading eGRC capabilities and RSA’s robust industry consulting leading-solutions services, RSA are brings designed visibility to work and together trust to to millions create a of systematic user identities, approach the transactions to managing that security, they risk perform, and compliance and the data – eliminating that is generated. the hundreds of security and compliance silos that exist in most RSA’s organizations industry today. leading-solutions Our technology are designed solutions to for work physical, together virtual to create and cloud a systematic computing approach environments to managing security, include: risk and compliance – eliminating the hundreds of security and compliance silos that exist in most organizations • Authentication today. Our – A technology wide range solutions of strong for two-factor physical, authentication virtual and cloud solutions computing to help environments organizations include: assure user identities and meet compliance requirements. • Access Authentication Control – Access A wide control range of solutions strong two-factor manage access, authentication federate identities solutions and to help enforce organizations organizational policies assure user across identities multiple and web meet resources, compliance portals requirements. and applications. • Data Access Loss Control Prevention—Identify – Access control and solutions enforce manage policies access, to prevent federate the identities loss or misuse and enforce of sensitive organizational data – policies whether across at rest multiple in a data web center, resources, in motion portals over and the applications. network, or in use on a laptop or desktop. • Data Encryption, Loss Prevention—Identify Tokenization, and Key and Management— enforce policies Secures to prevent sensitive the data loss stored or misuse in file of systems sensitive on data servers – and whether endpoints at rest and in a at data the center, point of in capture. motion over RSA the key network, management or in solutions use on a laptop simplify or the desktop. provisioning, • Encryption, distribution, Tokenization, and management and Key of Management— encryption keys. Secures sensitive data stored in file systems on servers • and Fraud endpoints Prevention—Reduces and at the point the risk of capture. of fraud and RSA identity key management theft by assuring solutions user simplify identities, the monitoring provisioning, distribution, for high-risk and activities, management and mitigating of encryption the damage keys. caused by external threats such as phishing, • pharming, Fraud Prevention—Reduces Trojans, and other the cyber risk of threats. fraud and identity theft by assuring user identities, monitoring • Enterprise for high-risk Governance, activities, Risk and and mitigating Compliance—Helps the damage to caused manage by the external lifecycle threats of corporate such as phishing, policies and objectives pharming, by Trojans, analyzing and and other responding cyber threats. to enterprise risk and demonstrating compliance with a real- • time Enterprise view Governance, into the state Risk of and compliance Compliance—Helps and risk level. to manage the lifecycle of corporate policies and • Network objectives security by analyzing monitoring—Provides and responding real-time to enterprise visibility risk into and network demonstrating traffic and compliance log event with activity a real- for a time precise view and into actionable the state of understanding compliance and of everything risk level. happening on the network. Enables • Network organizations security to monitoring—Provides identify, prioritize, and real-time remediate visibility complex into network IT risks, traffic gain efficiencies and log event in their activity incident for management a precise and process actionable and understanding improve their of overall everything operational happening effectiveness. on the network. Enables • Security organizations Information to identify, and Event prioritize, Management—Transforms and remediate complex raw log IT and risks, event gain data efficiencies into critical in their information incident management to help organizations process and simplify improve compliance, their overall identify operational and respond effectiveness. to high-risk events, and optimize IT • Security and network Information operations. and Event Management—Transforms raw log and event data into critical information For more to information, help organizations please visit simplify www.RSA.com compliance, and identify www.EMC.com. and respond to high-risk events, and optimize IT and network operations. For Carnegie more information, Mellon CyLab please visit www.RSA.com and www.EMC.com. ! Carnegie Mellon CyLab ! >! >!
Page 1 and 2: How Boards & Senior Executives Are
Page 3 and 4: Table of Contents Table of Contents
Page 5: About Carnegie Mellon CyLab About C
Page 9 and 10: Executive Executive Summary Summary
Page 11 and 12: Committee, but indicated that when
Page 13 and 14: Carnegie Mellon University’s Dean
Page 15 and 16: Enterprise governance and IT govern
Page 17 and 18: II. Findings and Conclusions II. Fi
Page 19 and 20: Industry & Region Comparison Table:
Page 21 and 22: management regarding privacy and se
Page 23 and 24: esponsible for risk 65% of the time
Page 29 and 30: Regional Regional Conclusions Carne
Page 31 and 32: Endnotes !!!!!!!!!!!!!!!!!!!!!!!!!!

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?