RSA CONFERENCE 2013 report, part 5.
"Psychographics of the CISO" and "Managing Risk When Everything is Changing"
"Psychographics of the CISO" was a report summarizing the results of a survey of 192 CISOs. The top current information security challenges were: 1. Mobile Device Security, 2. Security Awareness Training, 3. User Behavior. Mobile devices have two sides to them: the BYOD (personally owned device) problem, and how to manage business use of tablets and the like (company-owned devices). Numbers 2 and 3 are challenges that go back a long way; they show that the weakest link in the security chain is still the human being. People still keep losing PCs, and one example given was a company that emails its staff every week: "Don't lose your PC" and "Put the PC in the trunk; don't walk away from the car with it sitting on the passenger seat."
Of these challenges, the individual countermeasures can be delegated to the people responsible for each area, but something like countering social engineering requires a comprehensive response, so the CISO should take the lead, the speaker said.
As for information security projects, the order was: 1. Data Leakage Prevention, 2. Identity Management, 3. Mobile Device Security. I was surprised that DLP projects are under way at as many as 23% of companies.
As for security measures already deployed: 1. Patch Management, 2. Vulnerability Scanning, 3. IDS. That much is about what you would expect. MDM already deployed at 46% of companies is more than I had imagined. The DLP adoption rate is 28%; perhaps it is right in the middle of its adoption phase now.
To the question of what the driver for information security is, the runaway answer, at 65%, was "Compliance." It made me realize once again that, whatever else people may say, almost everyone thinks of information security as something done for the sake of compliance.
A question from the floor asked whom the CISO should report to (whose subordinate the CISO should be). The candidates are the CEO, CIO, CTO and so on, but the answer was "the person who is most interested in information security." I can certainly see what they mean.
The next question was how one should deal with auditors, and the answer was "you should make friends with the auditor." This drew all sorts of opinions from the floor. Many were along the lines of "auditors don't understand IT, so they say things that are off the mark," and it became very clear that an awful lot of people are not getting along with their auditors. This point seems to be no different in Japan than in the US. If compliance is the biggest reason for implementing information security measures, then ideally the CISO could have the auditor skillfully point out the issues behind the projects the CISO wants to push, and use that as leverage to move them forward; but it seems a relationship of trust between the CISO and the auditor is rarely built.
After that, the bashing of information security department staff began. People in the information security department think they are the exception, so they break the rules and cause problems. They blame other people. It turned into a gripe session to the effect that the information security department is itself the biggest information security risk.
Next came PCI DSS. Under PCI DSS, either a WAF (Web Application Firewall) or source code analysis has become mandatory, and the talk turned to how tough that is. The presenter then mentioned that "only 10% of the WAFs deployed in the world are running in Blocking mode." In other words, companies deployed a WAF just to clear PCI DSS, but because it misbehaves they have not put it into Blocking mode, which tells you...
Finally, someone asked how to decide the right headcount for an information security team. The answer was that there are approaches such as breaking down the tasks, using a workload (man-hour) management system, or using other companies of similar size as a reference.
"Managing Risk When Everything is Changing" was a presentation on behalf of ISACA, yet for some reason the presenter, Ed Moyle, showed only a CISSP credential on the cover page. Maybe he doesn't hold a CISA. It explained how companies called "Best Performers" reduce risk while technology keeps changing rapidly: Social Media, Big data, Cloud, Smartphones and so on.
Overall, the content was typical ISACA: Best Performers perform risk assessments frequently.
The concept of "Digital Darwinism" was introduced: the digital environment keeps changing faster than companies can adapt, and companies that do not keep innovating will not survive.