Managing Security Through Services Process Leadership

Transcription

Managing Security Through Services Process Leadership
Mark Baniewicz, Xerox Corporation
2008 AFSMI, SSPA, TSPA

Xerox Services: The Xerox Support Organization
- The Xerox Support Organization, Xerox Services, is comprised of Technical Services, Professional Services and Managed Services.
- With over 50,000,000 touch points each year, our customers interact with Xerox and experience our capabilities in three ways:
  Online: with easy, flexible instant access
  On-Call: responsive, live call support, 24/7
  On-Site: proactive, highly trained, certified professionals
- Services Delivery: 60% on-site visit, 40% remote solution
- Services Offered: Online, On-Call, and On-Site services and solutions
- Products Supported: award-winning color and black-and-white printers, digital presses, multifunction devices, digital copiers, and various software offerings
- Xerox Services provides coverage that is second to none. We have over 14,000 highly skilled support personnel who know Xerox products and are dedicated to servicing them.
- Providing the highest levels of support for every Xerox solution – support that’s convenient, fast, responsive and reliable; dedicated to protecting our customers’ investments, maximizing their performance and giving them peace of mind – that’s the Xerox commitment.
- Services Employees: 14,214
- Support Cases Handled Annually: Online: 668,965; On-Call: 5.3 million; On-Site: 2.6 million
- Support Centers Operated: 5. Locations: Saint John, NB; Halifax, NS; Montego Bay, JA; St. Lucia; Manila, Philippines

Workshop Goals
- To build awareness that customers need a delivery strategy for security
- To build awareness that customers need a delivery process to comply with security
- To share the building blocks to delivering security: the right people, processes, and technology


Global Landscape of Enterprise Security
Security attacks are increasingly more strategic, more sophisticated, and more focused on high-value targets and information worldwide.

What is at Risk?
Regulations and standards shown on the slide: PCI, NERC, Basel II Accord, SOX, GLB, HIPAA, FISMA, SAS 70, FERPA, Patriot Act, SB 1386, FCPA.
Information: the new currency of the Internet economy.
http://www.xeroxnewways.com/

How can I help keep my customers secure?
Do I have the Technology? Do I have the People? Do I have the Process?

Challenge Question #1
To maintain network security, Acme Corporation tightly controls software on devices connecting to its network. Each vendor must pass a rigorous testing and certification process before their equipment can be connected. No changes are allowed without recertification.
Your technician Jan is covering for Dave, who is away on vacation. She is called to an Acme device to address a power supply problem. A new software release resolves this issue. Jan upgrades the device to the new software level.
Later that day, your account manager gets a call from Acme IT Security about (yet another) security violation.
How was this a security violation?

Challenge Question #2
Sales is working through the details of the managed services renewal for Acme. The final workshop with the customer is just closing out. Your products have the security features Acme is looking for, and the pricing is favorable for both parties.
Suddenly, the door opens and in walks the newly appointed Acme Security Officer. Casually, they hand you an Information Security Agreement (ISA) that they’d like you to sign. The ISA has questions about security incident response, change management, business resumption, HR policies, etc.
Internally, where do you go for answers?

Challenge Question #3
Your Call Center is now using remote management tools which allow them to manage devices in the Acme network over a secure Internet connection. This has been ideal for troubleshooting, and the number of on-site service calls has been reduced, with a positive benefit to your bottom line.
At 10:00 am Joe phones in a panic. A VP conference starts in 15 minutes. Sally is on vacation and no one knows the admin password.
What should the Call Agent do next?

How can I help keep my customers secure?
Do I have the Technology? Do I have the People? Do I have the Process?

Designed for Security
Powerful computer inside! Components of a modern multifunction device: Network Controller, Web Server, Disk Drive(s), Local Hardware Ports, Operating System(s), PDL Interpreter(s), Fax System, Local User Interface, Input Scanner.
Security features: Fax/Network Separation, Disk Image Overwrite, Network Authentication, Data Encryption, Internal Firewall, Audit Logging, Secure Print, Removable Hard Drives.
Security features are added to protect the device functions: copy, print, fax, scan.

Take-away for Services suppliers
- Select devices and software tools that have been ‘designed for security’
- Look for independent validation of security features
  – Common Criteria, international standards
  – Full system validation
- Consider all software and hardware elements, including service personnel laptops and other mobile and/or remote technology

How can I help keep my customers secure?
Do I have the Technology? Do I have the People? Do I have the Process?

The ‘Thought Leader’

Security Knowledgebase – Monitor for Security

Take-away for Services suppliers
- Establish clear leadership for security
- Build a knowledgebase specific to security
- Make security training available

How can I help keep my customers secure?
Do I have the Technology? Do I have the People? Do I have the Process?

Security Services
Create the Plan: assess and discover risk; establish governing policies; consider product and operations
Deliver the Plan: configure and monitor; incident response; patch management
Audit the Plan: controls in place; comply with regulation

Current State to Secure Future State
[Figure: a fleet diagram of the customer’s current printer, copier and fax inventory, each device labelled with its copy, print and fax volumes, beside the consolidated devices replacing them. Current state: “Complexity and Unidentified Risks”. Drivers listed: Job urgency, Simple to use, Local control, Specialty user needs, Immediate access, Culture. Through the Security Plan, the future state is “Risks identified, documented and mitigated”.]

Take-away for Services suppliers
- Create Plan
- Deliver Plan
- Audit Plan

How can I help keep my customers secure?
Do I have the Technology? Do I have the People? Do I have the Process?
Summing it up

The Secure Approach (diagram axes: People, Process, Technology, Facilities, Data)
- Build the professional team: Certified Information System Security Professional (CISSP); Certified Security; Certified Lean Six Sigma Black Belts
- Utilize best-practice methodologies: Lean Six Sigma (LSS); ISO 27001 Code of Practice for Information Security
- Deploy secure products and solutions: ISO 15408 (Common Criteria); remote management tools
- Secure Delivery: security policy and plan for customer; security training; auditing and reporting

Workshop Questions

Challenge Question #1: “The Software Upgrade”
The violation: customer policy documented in the Security Plan prohibits unapproved/uncertified software updates. The technician did not follow the upgrade process.
Discussion points: Many customers maintain consistent software across their device fleet for management and security purposes. If you upgrade one, then you need to upgrade all.
Controls to consider:
- On-going security training
- Note attached to device
- Note added to technician work ticket, paper or electronic
- Playbook for account documenting all things security
- Service closeout checklist updated for security

Challenge Question #2: “The Sales Response”
Security subject matter experts and a knowledgebase or repository for product/services security is a must-have.
Discussion points: Security is very complex and touches many business elements including HR, physical, electronic, network, and environmental.
Approaches to consider:
- Identify an internal resource to focus on security
- Gather existing security information to seed a knowledgebase
- Create security whitepapers or FAQs to address common questions
- Contract with a third-party security service
- Obtain external security certifications of products (Common Criteria) or services (ISO standards)

Challenge Question #3: “Social Engineering”
This is a process in which an attacker attempts to acquire information about your network and system by social means.
Discussion points: This attack method has over 80% effectiveness. In 2007, attacks were split 50-50 between external and internal origination.
Controls to consider:
- Identify ‘sensitive’ data in your systems (like passwords)
- Have documented processes for handling sensitive data
- Refresh and validate customer contact lists frequently
- Always identify a primary and back-up contact at the customer site
- Never provide passwords over the phone – use known email
- Authenticate service technicians with employee # and last 4 digits of SS#
- Train call center agents to avoid giving out unnecessary information
- Post reminders about security prominently in call centers
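The controls above are a policy for the call agent; the following Python is an added example (not from the deck or from Xerox) that writes the password-handling part of that policy as a decision helper an agent’s tooling could run against the Acme scenario: primary/backup contact check, contact-list freshness check, never reading a password over the phone, and the employee-number/SS#-last-4 technician check. The class names, the 90-day refresh interval, the account and technician records and the sample calls are all constructed assumptions.

```python
"""Added example: the social-engineering controls from Challenge Question 3
encoded as checks a call agent runs before acting on a request for a device
admin password.  Every record and threshold here is constructed."""
from dataclasses import dataclass, field
from datetime import date
import hmac

CONTACT_LIST_MAX_AGE_DAYS = 90   # assumed interval for re-validating a customer's contact list


@dataclass
class CustomerAccount:
    name: str
    primary_contact: str           # the two people allowed to request a credential reset
    backup_contact: str
    contact_emails: dict           # contact name -> email address on file
    contact_list_verified: str     # ISO date the contact list was last validated with the customer


@dataclass
class Decision:
    action: str
    reasons: list = field(default_factory=list)


def handle_password_request(account: CustomerAccount, caller_name: str, today: str) -> Decision:
    """Decide how the agent responds to a phone request for an admin password."""
    reasons = []
    age = (date.fromisoformat(today) - date.fromisoformat(account.contact_list_verified)).days
    if age > CONTACT_LIST_MAX_AGE_DAYS:
        # Stale contact list: the agent cannot tell who is authorised, so escalate instead of guessing.
        reasons.append(f"contact list last validated {age} days ago; re-validate with customer IT")
        return Decision("escalate_to_security_focal_point", reasons)
    if caller_name not in (account.primary_contact, account.backup_contact):
        # Unknown or unauthorised caller, however urgent: reveal nothing, record the
        # attempt, and route the request to the contact on file.
        primary_email = account.contact_emails[account.primary_contact]
        reasons.append(f"{caller_name} is not the primary or backup contact for {account.name}")
        reasons.append(f"log the attempt and notify {account.primary_contact} at {primary_email}")
        return Decision("decline_log_and_notify_primary", reasons)
    # Authorised contact, but the password is still never read out over the phone.
    reasons.append(f"send reset to known address {account.contact_emails[caller_name]}, not by phone")
    return Decision("send_to_email_on_file", reasons)


def verify_technician(directory: dict, employee_id: str, ssn_last4: str) -> bool:
    """Authenticate a calling technician by employee # and last 4 digits of SS#."""
    expected = directory.get(employee_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, ssn_last4)   # constant-time comparison


# Constructed records for the Acme scenario in the slides.
ACME = CustomerAccount(
    name="Acme",
    primary_contact="Sally",
    backup_contact="Dave",
    contact_emails={"Sally": "sally@acme.example", "Dave": "dave@acme.example"},
    contact_list_verified="2008-01-15",
)
TECH_DIRECTORY = {"E12345": "6789"}   # employee # -> last 4 of SS#, constructed

if __name__ == "__main__":
    for caller in ("Joe", "Dave"):              # Joe is the panicked caller; Dave is the backup contact
        d = handle_password_request(ACME, caller, "2008-03-01")
        print(f"{caller}: {d.action} | " + "; ".join(d.reasons))
    print("technician E12345 verified:", verify_technician(TECH_DIRECTORY, "E12345", "6789"))
```

In the slide’s scenario Joe is not on the contact list, so the helper declines and routes the request to Sally’s email on file rather than working around the absence of the admin password; the same function gives the backup contact a reset by known email, not a password by phone.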

Thank You! For more information, please visit us at www.xerox.com/security

Backup Slides

Creating the Security Management Plan
- Security Analyst as point-of-contact
- Collaborates with client IT to assess, document, plan, and create policies
- Documents risks for devices, remote management tools, on-site service processes, and data flow
- Define secure device configuration
- Build secure operational processes: install, upgrade, service, disposal, incident response
- Create training materials
- Create audit plan

Executing the Security Management Plan
- Provide end-to-end security management of the customer environment for the term of the contract
- Include full operations security services, including: setup, configuration, deployment, maintenance, patch management, change management, incident response, auditing
- Assign a Security focal point to collaborate with customer IT and security

Introduce Process Controls
Many challenges to maintaining security over time, unintentional or otherwise:
- Human error
- Malicious internal attack
- Document handling
- Malicious external attack
- Natural disaster
- Data tampering
- Employee turnover
- Theft of services
- Improperly configured devices

Control type    Example
Preventative    Access control
Detective       Audit
Deterrent       Penalties
Compensating    Firewall

Reference: The National Institute of Standards and Technology (NIST), Special Publication 800-30 Rev. A
