
People, Process and Technology

Andy Papadopoulos
Fighting Fraud

- Go after the low-hanging fruit: start with the most sensitive data and the areas where it is vulnerable, then work outwards
- Leverage existing investments in Microsoft technologies
- Implement scorecards and monitoring


Today's Information Challenge

- More than 80% of an enterprise's digitized information resides on individual hard drives and in personal files, and 80% of that data is unstructured, not secured and not backed up
- Employees get 50%-75% of their relevant information directly from other people
- Individuals hold the key to the knowledge economy, and most of it is lost when they leave the enterprise

Source: Gartner Group/CIBC World Markets


Availability: maximize functionality and uptime
Integrity: ensure accuracy of data and data processing
Confidentiality: ensure privacy of user information and transmission
Trust: confidence to transact
Workplace E-mail Stats

Respondents grouped by emails received per day; cell values are percentages of respondents.

                                                   100+   ≥50   31-49   Weighted Total
Estimated percentage email increase in the
past 12 months (2002-3)                             21     18     10         16
In your opinion, is email communication at
your workplace out of control?
    No                                               0     27     58         35
    Potentially                                     14     20     17         21
    Yes                                             86     53     25         44
Should elimination of bad email habits be a
corporate responsibility?
    Yes                                             90     86     67         78
    No                                              10      6      3          9
    Don't know                                       0      7     29         13

Source: Christina Cavanagh, Professor, Richard Ivey School of Business
Keeping it Confidential

- Don't add layers; users won't use them
- Take advantage of tools already in place, with the interfaces users are already used to
- Information Rights Management

Common 'problems' with data

- Common agreed definitions (shared context) lacking
- Inconsistent definitions across applications
- Manual transformations and analysis
- Manual audit trails
- Poor data quality
- Poor connectivity from applications to resources
- One-way data traffic (errors not corrected at the source)
What does FINE mean?

"Don't worry, everything is Fine"

How do I get the validation I need?

- Make use of dashboards and scorecards
- Service level reporting
The Identity Lifecycle

New User
  - User ID creation
  - Credential issuance
  - Access rights

Account Changes
  - Promotions
  - Transfers
  - New privileges
  - Attribute changes

Retire User
  - Delete/freeze accounts
  - Delete/freeze entitlements

Password Mgmt
  - Strong passwords
  - "Lost" password
  - Password reset
Identity Business Impact

24% lower productivity
- End users spend 16 minutes a day logging in to various systems
- Provisioning new users takes 28 hours longer than business requirements

Increased IT operational costs
- Roughly 48% of help desk calls are password resets ($45-$153 each)
- User management consumes 5.25% of all IT productivity
- Most admin tasks (moves, adds, changes) take 10x longer than necessary

23% additional security risks
- Only 70% of users are deleted on departure
- New users are provisioned to 16 apps; on departure they are deleted from only 10
- A survey of over 600 organizations concluded that the average cost impact of security breaches on each organization alone is over $972K*
Source: Metagroup/PwC Survey 2002, * CSI/FBI Survey
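The "Retire User" step of the lifecycle and the departure statistics above describe the same control gap: accounts that outlive the employee. The following added example (not from the deck or its author) reconciles a constructed HR feed against constructed per-application account exports to surface orphaned accounts, rank leavers by how long their access has lingered, and compute the share of leavers that were fully deprovisioned; the data and application names are assumptions.

```python
from datetime import date

# Constructed HR feed (not real data): employee id -> (status, termination date or None)
HR_ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", date(2024, 3, 31)),
    "e102": ("terminated", date(2024, 5, 15)),
    "e103": ("active", None),
    "e104": ("terminated", date(2024, 1, 10)),  # fully deprovisioned
}

# Constructed per-application exports: app -> {employee id: account enabled?}
# Accounts that were deleted outright simply do not appear in the export.
APP_ACCOUNTS = {
    "mail":    {"e100": True, "e101": True,  "e102": False, "e103": True},
    "vpn":     {"e100": True, "e101": True,  "e102": True},
    "crm":     {"e100": True, "e101": False, "e103": True},
    "payroll": {"e101": True, "e102": True,  "e103": True},
}

def terminated_users(roster):
    return {uid for uid, (status, _) in roster.items() if status == "terminated"}

def orphaned_accounts(roster, app_accounts):
    """{app: sorted leavers whose account in that app is still enabled}."""
    gone = terminated_users(roster)
    result = {}
    for app, accounts in app_accounts.items():
        orphans = sorted(u for u, on in accounts.items() if on and u in gone)
        if orphans:
            result[app] = orphans
    return result

def leaver_report(roster, app_accounts, today):
    """(uid, days since termination, apps still enabled) per leaver, worst first."""
    remaining = {}
    for app, users in orphaned_accounts(roster, app_accounts).items():
        for u in users:
            remaining.setdefault(u, []).append(app)
    rows = [(u, (today - roster[u][1]).days, sorted(a)) for u, a in remaining.items()]
    return sorted(rows, key=lambda r: -r[1])

def deprovisioning_rate(roster, app_accounts):
    """Share of leavers with no enabled account left anywhere (the slide's 70%)."""
    gone = terminated_users(roster)
    live = {u for users in orphaned_accounts(roster, app_accounts).values() for u in users}
    return (len(gone) - len(live)) / len(gone) if gone else 1.0
```

Running the report on a schedule and feeding its output to the scorecards the deck recommends turns "only 70% deleted" from a survey figure into a number you can measure for your own environment.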


It's a Virtual World ...

The fine balance between keeping safe and allowing employees to do their jobs.

- The workforce is mobile
- Laptops are everywhere


Mobile Workforce
Why We Need Quarantine

[Diagram: a Mobile Laptop and a Home Machine reach the Internet over dialup or a cable modem/DSL, then open a VPN Connection to the Remote Access Server, which fronts the Internal Network.]
Internet and PC Usage Policy

"I didn't know I couldn't sell stuff on eBay 4 hours a day ..."

Put it in writing, keep it current, make it part of your HR process.
Microsoft Best Practice Tools

- Microsoft Baseline Security Analyzer
- Exchange Best Practice Analyzer
- SQL Best Practice Analyzer

These validate that your installation and configuration follow best practice guidelines.

Microsoft Security Assessment Tool

A free tool to drive security awareness around people, process and technology.

Download from: www.securityguidance.com
A Layered Approach to Compliance

- Engages the entire business for success
- Allows for the allocation of controls outside of IT

Layers:
- Legislation
- Policies
- Procedures
- Physical Controls
- Application Features
- Inherent System Capabilities
A Layered Approach to Security

Layer                               Controls
Data                                Access controls, data encryption
Applications                        Application hardening, antivirus
Desktop and Servers                 OS hardening, patch management, authentication
Internal Network                    Firewalls, VPN quarantine
Perimeter                           Network segments, isolation
Physical Security                   Guards, locks, tracking devices
Policies, Procedures & Awareness    Documented process and user education!
Discovery Session Offer

- 1-2 day offer from the Office Systems Team
- Makes use of scorecards and collaboration
- Shows you how you can use tools to better communicate, collaborate and share
- Shows accountability to stakeholders

andy@legendcorp.com
Summary

- Leverage investments already made in Microsoft technology
- Make use of scorecards and monitoring systems to ensure things really are FINE
