Risk Mitigation and Security

Security incidents, the average size of their financial impact, and the cost of security spending as a percentage of the overall information technology budget continue to rise at a healthy pace. Cyber security forecasts of future vulnerabilities and threat scenarios offer little reassurance that the inherent complexities of this phenomenon will diminish in the foreseeable future. Traditional targeted messaging threats are expected to increase in sophistication in the form of spam disguised as authentic business traffic and malware concealed within IM (Instant Messaging), while botnets exploit DNS in open recursive servers and leverage the distributed nature of peer-to-peer networks to expand their disruptive presence.

As mobile convergence availability and adoption increase, its peripheral devices will be vulnerable to voice spam, vishing, smishing and DoS (Denial of Service) attacks. The client-side code-intensive nature of Ajax and mashup technologies significantly increases the opportunity for malcode distribution via social networking, and dynamic web exploits (aka polymorphic exploits) may limit the effectiveness of signature-based protection mechanisms, expanding the probability of data theft and privacy invasion. Emerging web-based technologies like Microsoft WPF and Adobe Air may also introduce vulnerabilities given their OS-intensive dependencies.

These onerous yet predictable trends serve to reinforce our view that organizations must synthesize risk management, governance and compliance to establish proactive compliance-centric philosophies. The technology aspect of the familiar information risk management ‘pillars’ (people, process, technology) persists as the most unpredictable variable to manage, and strategies driven by an overemphasis on it generally realize limited success.

The financial sector’s experience mirrors these perspectives. Financial services companies are attacked with greater frequency than other verticals. Yet, over the years, respondents from this sector have reported these security incidents unaccompanied by statistics revealing an appreciable increase in losses or downtime. If these organizations can implement best practices without having significantly larger security budgets than other companies, it means that you can do likewise.

How We Help

  • Select security-centric frameworks (ISO 17799 /27001), classifications and controls, and map applicable domains to the governance framework in use
  • Baseline security environments to assess gap, patch and vulnerability deficiencies
  • Evaluate undeployed / underutilized security solutions and conduct third party supplier application control audits
  • Create and deliver employee security awareness programs
  • Recommend pragmatic security metrics and thresholds programs with realistic milestone and goal strategies that can be transformed into a relevant impact to the core business
  • Complete PCI DSS internal assessments and preparation of self assessments for Level 1 vendors -- guaranteed compliance recognition with external QSAs / ASVs

Security Awareness

Reducing fraud, minimizing identity theft and protecting confidential information can be critical to the success and longevity of your company, but are employees aware of the processes in place to satisfy these objectives?

This brief explains what is required to establish the security-centric enterprise.


Copyright © 2007 - 2008 Avacuna LLC. All rights reserved.