Post on 24-Jul-2020
CYBER RISK ASSESSMENT
CYBER SECURITY WORKSHOP
Agenda
• Protecting your company’s valuable information
• Cyber risk and corporate governance
• Cyber risk assessment methodology
• Why Coalfire
Cyber Incidents Are On the Rise
• The annual average cost per company of successful cyber attacks was:
  – $20.8 million in financial services
  – $14.5 million in technology
  – $12.7 million in communications industries
  – $8.6 million in retail
• The total number of security incidents detected in 2014 grew 48% from 2013.
• 82% of companies predicted they were either “likely” or “very likely” to be victimized in 2015.(1)
• Organizations detect 135 cybersecurity incidents each year.(2)
(1) Source: Ponemon Institute; State of Cybersecurity: Implications for 2015, ISACA and RSA Conference Study
(2) PwC, Managing Cyber Risks in an Interconnected World, Sept. 30, 2014
[Chart: Number of Cybersecurity Incidents in Millions (1), by year. 2009: 3; 2010: 9; 2011: 23; 2012: 25; 2013: 29; 2014: 43]
Protecting an Organization’s Valuable Information
• More than 80% of public company board members report that cybersecurity is discussed at most or all boardroom meetings(1)
• A surprising 66% of them are not fully confident their companies are properly secured against cyberattacks(1)
(1) Security Week: NYSE Survey Examines Cybersecurity in the Boardroom, May 28, 2015
AVERAGE COST OF REMEDIATING CYBER BREACHES IS $8.6 MILLION(1)
(1) Ponemon Institute; State of Cybersecurity: Implications for 2015, ISACA and RSA Conference Study
World’s Largest Data Breaches Since 2012
Impacts of a Cyber Event
• Lost Productivity
  – Time to identify and contain the breach
  – Business continuity management
  – System down time
• Loss of Competitive Advantage
  – Trade secrets
  – Patents
  – Customer records
  – M&A activities
• Damaged Reputation
  – Brand/PR
  – Perceived valuation
• Compliance Breaches and Fines
  – PCI DSS
  – HIPAA
  – SOX
  – Privacy Rules
Regulation & Penalties
• The FTC has won the right to take action on behalf of consumers, when a company fails to take reasonable steps to protect sensitive consumer
• The SEC has been raising its expectations for what cybersecurity details companies must disclose in public filings
• The Cybersecurity Disclosure Act has consequences for publicly traded companies
“The Cybersecurity Disclosure Act… would require companies to say whether anyone on their board has cybersecurity experience or expertise...”
“Appeals Court ruling solidifies Federal Trade Commission’s authority to take action against companies whose data breaches expose customer information.”
http://ubm.io/1KIjjC9
http://on.wsj.com/1Qqoizh
Top Board of Directors Questions
• What are the crown jewels of our company?
• How does our cybersecurity program compare to our peers?
• Are we spending the right amount of money on security?
• Could something like ______ happen to us?
• Would we be able to recover from a cyberattack?
Cyber Risk is Now a Matter of Corporate Governance
• Cyber risks present real and present dangers to business operations, profits, and for some, continued viability.
• Cyber risks are not just technology problems. They have legal, financial, operational and board governance implications.
• Corporate leaders have a fiduciary responsibility to understand and manage cyber risks.
• Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity.
What Should Company Leadership Do?
• Complete a Risk & Controls Assessment
• Develop a Plan to Get to a Target State of Cybersecurity
• Monitor Progress
  – Audits
  – Penetration Testing
  – Key Risk Indicators
Overall Methodology
Phase 1: Risk Assessment
• Information Assets
• Threats (Adversarial & Non-adversarial)
• Vulnerabilities
• Loss Exposure
Phase 2: Controls Assessment
• Frameworks & Standards
• Audits & Testing
• Maturity Ratings
• Gap Analysis
Phase 3: Remediation Plan (Risk Reduction)
• Best Practices
• Quick Wins
• Dependencies
• ROI Analysis
Phase 1: Coalfire Risk Assessment
• IDENTIFY Information Assets: Classify, Business Impact
• ANALYZE Loss Exposure: Threats, Vulnerabilities
• DEFINE Priorities: Current State, Prioritize, Target State of Risk
• DEVELOP Recommendations: Recommend Treatment, Controls & Risk Register
Risk Assessment Deliverables
[Heat map: Non-Adversary Asset Risk. Vertical axis: Likelihood (Unlikely / Somewhat Likely / Highly Likely); horizontal axis: Impact (Limited / Serious / Catastrophic). Assets plotted: Public Websites, Intellectual Properties, Global Ad Mgmt Svc, Customer Data, Product Review Data, HR, Strategic Business Plan, Financial Application. Callout on one asset: “High Impact, moderately likely occurrence”.]
Risk Analysis
Findings Register
Columns marked (Select) are entered by the assessor; columns marked (Calculation) are derived: Risk Function from the Risk Category, and Residual Risk Rating from the residual likelihood and residual impact.

| Risk ID | Risk Description | Business Impact | Risk Category (Select) | Risk Function (Calculation) | Risk Type (Select) | Inherent Likelihood (Select) | Inherent Impact (Select) | Risk Reduction Recommendation | Reduce Likelihood | Reduce Impact | Residual Likelihood (Select) | Residual Impact (Select) | Residual Risk Rating (Calculation) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Roles and responsibilities are not scoped for least privilege | Accounts are not identified by role, resulting in overly permissive privileges | Communications | Respond | Adversarial | Very High | High | Sample reduction recommendation | X | X | High | Moderate | Moderate |
| 2 | Formalized process for classifying assets and data is not adequately defined | Assets or data may be mishandled, compromised or not protected adequately | Asset Management | Identify | Non-Adversarial | Moderate | Moderate | Sample reduction recommendation | | X | Moderate | Low | Low |
Risk Assessment Deliverables
Threat table (one sample row):

| Threat Event (Select) | Threat Source (Select) | Range of Effects (Select) | Relevance (Select) | Likelihood of Event Occurring (Select) | Vulnerabilities and Predisposing Conditions (Select) | Vulnerability Severity (Select) | Likelihood Event Results in Adverse Impact (Select) | Level of Impact (Select) | Overall Likelihood (Calculation) | Level of Risk (Calculation) |
|---|---|---|---|---|---|---|---|---|---|---|
| Mishandling of critical and/or sensitive information by authorized users | IT Storage | High | Possible | Moderate | PR.AC: Procedures are not defined for the add, enable, modify, delete, or disable of information system accounts. | High | Moderate | High | Moderate | Moderate |
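Both registers above mark some columns (Select), entered by the assessor, and others (Calculation), derived from them, but the slides do not say which rating tables drive the derived cells. The Python below is an added example, not Coalfire's tooling or code from the deck. It assumes the qualitative tables of NIST SP 800-30 Rev. 1 (Table G-5 for overall likelihood, Table I-2 for level of risk) and the NIST CSF v1.1 category-to-function structure for the Risk Function column; that is an assumption, checked only against the calculated cells the slides show, all of which it reproduces. The register rows are constructed from the slides' two sample findings and one threat row, and names such as `Finding`, `threat_event_rating` and the `CSF_FUNCTION` subset are this example's own.

```python
"""Rating arithmetic behind the '(Calculation)' columns of a risk register.

Added example. Lookup tables assumed from NIST SP 800-30 Rev. 1 (Tables G-5
and I-2); the slides do not name their tables, but these reproduce every
calculated cell they show. CSF_FUNCTION is an assumed subset of CSF v1.1.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]  # ordinal scale

# Rows: likelihood the threat event occurs. Columns (LEVELS order): likelihood
# it results in adverse impact. Value: overall likelihood (Table G-5).
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Rows: (overall) likelihood. Columns: level of impact. Value: level of risk
# (Table I-2). The same table yields inherent and residual risk ratings.
LEVEL_OF_RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# CSF category -> function, for 'Risk Function (Calculation)'. Assumed subset.
CSF_FUNCTION = {
    "Asset Management": "Identify", "Risk Assessment": "Identify",
    "Access Control": "Protect", "Anomalies and Events": "Detect",
    "Communications": "Respond", "Recovery Planning": "Recover",
}


def _lookup(table, row, col):
    if row not in LEVELS or col not in LEVELS:
        raise ValueError(f"unknown rating: {row!r}, {col!r}")
    return table[row][LEVELS.index(col)]


def overall_likelihood(event_occurs, adverse_impact):
    return _lookup(OVERALL_LIKELIHOOD, event_occurs, adverse_impact)


def level_of_risk(likelihood, impact):
    return _lookup(LEVEL_OF_RISK, likelihood, impact)


def threat_event_rating(event_occurs, adverse_impact, impact):
    """The two calculated cells of the threat table: (overall likelihood, level of risk)."""
    overall = overall_likelihood(event_occurs, adverse_impact)
    return overall, level_of_risk(overall, impact)


@dataclass
class Finding:
    risk_id: int
    description: str
    category: str
    inherent_likelihood: str
    inherent_impact: str
    reduce_likelihood: bool = False            # the 'X' columns of the register
    reduce_impact: bool = False
    residual_likelihood: Optional[str] = None  # None: unchanged by the treatment
    residual_impact: Optional[str] = None

    def function(self):
        return CSF_FUNCTION[self.category]

    def inherent_risk(self):
        return level_of_risk(self.inherent_likelihood, self.inherent_impact)

    def residual_risk(self):
        """Residual rating, after checking the residual entries against the
        treatment flags: a factor may only drop if the treatment claims to reduce
        it, and a claimed reduction must actually lower it."""
        pairs = [
            ("likelihood", self.inherent_likelihood,
             self.residual_likelihood or self.inherent_likelihood, self.reduce_likelihood),
            ("impact", self.inherent_impact,
             self.residual_impact or self.inherent_impact, self.reduce_impact),
        ]
        for name, before, after, claimed in pairs:
            if LEVELS.index(after) > LEVELS.index(before):
                raise ValueError(f"risk {self.risk_id}: residual {name} exceeds inherent")
            if claimed != (after != before):
                raise ValueError(f"risk {self.risk_id}: 'reduce {name}' flag and residual {name} disagree")
        return level_of_risk(pairs[0][2], pairs[1][2])

    def reduction_steps(self):
        """How many scale steps the treatment lowers the risk rating."""
        return LEVELS.index(self.inherent_risk()) - LEVELS.index(self.residual_risk())


# Constructed from the two rows of the slides' findings register.
SAMPLE_REGISTER = [
    Finding(1, "Roles and responsibilities are not scoped for least privilege",
            "Communications", "Very High", "High",
            reduce_likelihood=True, reduce_impact=True,
            residual_likelihood="High", residual_impact="Moderate"),
    Finding(2, "Formalized process for classifying assets and data is not adequately defined",
            "Asset Management", "Moderate", "Moderate",
            reduce_impact=True, residual_impact="Low"),
]

if __name__ == "__main__":
    for f in SAMPLE_REGISTER:
        print(f.risk_id, f.function(), f.inherent_risk(), "->", f.residual_risk(),
              f"({f.reduction_steps()} step(s))")
    # The slides' threat row: occurs Moderate, adverse impact Moderate, impact High.
    print(threat_event_rating("Moderate", "Moderate", "High"))
```

Running the module prints each finding's CSF function, its inherent and residual rating and the number of scale steps the treatment buys, then the threat row's two derived cells. The consistency check in `residual_risk` is the part worth keeping in a real register: it rejects rows where the Reduce Likelihood / Reduce Impact flags and the residual ratings were edited separately and no longer agree, which is how a register quietly overstates the effect of a recommendation.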
Phase 2: Controls Assessment Methodology
• DETERMINE Scope & Approach: Scope, Framework, Approach
• TEST & EVALUATE Controls: Policy, Design, Effectiveness
• DEVELOP Gap Report: Current Maturity, Desired Maturity
Control Assessment Deliverable
• The assessment results employ a 1–5 maturity scale; 1 being the least mature (Initial or Ad-Hoc) and 5 being the most mature (Optimized)
• Each component/category within the assessment domain area was assigned a maturity rating indicated by the symbol C to represent the current state, and the symbol G to represent the short-term target (or goal) state
Maturity scale:
1 – Initial or Ad-hoc: Little or no evidence of process and achievement of purpose
2 – Repeatable / Intuitive: Processes are largely reactive, informal or inconsistent
3 – Defined: Processes are defined, documented and implemented with a capability to achieve desired outcomes
4 – Managed & Measured: Processes are implemented and operate effectively within defined limits to achieve outcomes
5 – Optimized: Processes are continuously improved to meet current and projected enterprise goals and objectives
[Rating graphic: scale 1 2 3 4 5, with markers C (current state) and G (goal state)]
Phase 3: Remediation Plan
• ANALYZE Control Recommendations: Cost, Benefit, Dependencies
• DEVELOP Schedule: Priority, Quick Wins
• ESTABLISH Governance: Oversight, Accountability
Phase 3: Remediation Plan
Quick Wins:
• Admin Access Controls
• Vulnerability Management
• Incident Response
• Security Logging
• System Hardening
• Encryption Standardization
Near Term (Year 1):
• Multi-Factor Authentication
• Role Based Access Controls
• Security Alert Monitoring
• Configuration Management
• Security Policy and Procedures
Long Term (Year 2):
• SDLC and Secure Coding
• Vendor Risk Management
• Data Loss Prevention
• Threat Intelligence
• On Going Cyber Risk Management
Why Coalfire?
[Word cloud: Methodology, Rigorous, Efficient, Trustworthy, Independent, Vendor-Neutral, Value, Experience, Team, Confidence, Exacting, Meticulous, Know-How, Maturity, Patience, Skill]
Client Experience
Cloud Service Providers, Financial Institutions, Government/Public Sector, Healthcare & Life Sciences, Higher Education, Hospitality, Retail, Payments, Restaurants, Utilities, Insurance, Private Equity
Presenters Contact Information
Greg Miller, Sr. Practice Dir., 303-548-8887, Greg.Miller@coalfire.com