Amalia Barthel, Raluca Blidaru, Carlos Chalico. September 29th 2018

PM Toolbox 2.0: Managing Information Risk for Agile & DevOps

WELCOME!

Agenda

Section Presenter Time

Breakfast 8:00-8:30 am

Welcome and Introductions PMI 8:30am

Overview of Information Security Key Concepts Carlos Chalico 8:45 – 9:05

Information Security Alignment with IT Governance Carlos Chalico 9:05 – 9:35

Break 10 min

Introduction to DevOps - fit within other approaches (Waterfall and Agile Environments) Raluca Blidaru 9:45 – 10:00

DevOps and Traditional Project Management Amalia Barthel 10:00 – 10:25

Overview of Integrated Cybersecurity Risk Management Carlos Chalico 10:25 – 10:50

Break 10 min

Cybersecurity and Project Risk Management Amalia Barthel 11:00 - 11:15

Putting All Together - Security DevOps and Risk Management Raluca Blidaru 11:15 – 11:30

Break 10 min

Key Take - Aways Amalia Barthel 11:40 – 12:05

Q&A All 12:05 - 12:20

Closing PMI 12:20-12:30

Amalia Barthel

20+years

CISM

CRISC

PMP

LSigma

CIPT, CIPM

Raluca Blidaru

10+years

CISA, CRISC, CISM

GSEC

CISSP, CIPT, PMP

Carlos Chalico

20+years

CISA, CISSP, CISM

ISO27001LA

CGEIT, CRISC, PbDA

@carloschalico

OVERVIEW OF INFORMATION SECURITY KEY CONCEPTS

Data vs. Information

Layers (figure): Data, Information, Knowledge, Intelligence

Data: lowest level of abstraction from which information and then knowledge are derived

Information: sequence of symbols, data, that can be interpreted as a message

Knowledge: acquaintance with facts, truths or principles

Why?

Automated data processing is growing

Things are getting connected

Source: CISCO, 2011

What?

What to protect?

Information Governance

Nonrepudiation

Authentication

Availability

Information Security

Cybersecurity (Electronic)

Information Protection

Confidentiality

Integrity

Privacy

Security Gap

IT is important!

How?

Related Frameworks

TARA

COSO

ValIT RiskIT

NIST

ISO 38500

COBIT

INFORMATION SECURITY ALIGNMENT WITH INFORMATION GOVERNANCE

Information Governance

ISACA, where COBIT comes from

• Founded in 1969, as the EDP Auditors Association
• Evolved to the Information Systems Audit and Control Association
• More than 140,000 members in over 180 countries
• Over 200 chapters worldwide
• Toronto Chapter has over 2,800 members, largest in Canada
• Developed COBIT and Cybersecurity Nexus
• Four industry-leading certifications

COBIT History

Evolution of scope (figure):

• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4.0/4.1 (2005/7): IT Governance
• Val IT 2.0 (2008)
• Risk IT (2009)
• COBIT 5 (2012)

A business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA® All rights reserved.

COBIT 5

COBIT 5

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

What's the challenge now?

INTRODUCTION TO DEVOPS

What is DevOps?

“Devs are from Venus. Ops are from Mars” - Steve Haines

From Waterfall to Agile, to DevOps

“Growing” from Agile to DevOps

https://en.wikipedia.org/wiki/DevOps

https://bikeshsrivastava.blogspot.com/2017/01/part-43what-is-agile-methodology.html

Why DevOps?

Goals of DevOps

How does DevOps work?

DEV

OPS

(+ UX)

Where does Risk fit in DevOps?

● Security built-in
● Risk management frameworks
● Compliance audit processes

Break – 10 minutes

DEVOPS AND TRADITIONAL PROJECT MANAGEMENT

OK: WHY DevOps?

• IT Enterprises need to compete – who has time for regular development?
• Agility vs. Stability: Customers are demanding better products, more features, RIGHT NOW!!!
• Information is the new GOLD which enables products on the market
• Applications are a highway for information exchanges and business gains
• Strategic IT Leaders win but their budgets are shrinking: shared infrastructure!
• IT Leaders are pressured to better align IT with Business Goals & support revenue generation
• Information Governance: know what data you have, where, who has access to it, who needs to have access to it, how do we monetize it?

CONFIDENTIAL

Project Managers

• Manage projects which produce a product or a result IN SUPPORT of a Business objective

• Understand application development, QA, testing, release into production

• Practice Risk Management

• Motivate Teams

• Facilitate learning and exchange of information between team members

• Are great communicators

Does DevOps mean?

• No planning? ADAPTIVE LEARNING

• No change control? ADAPTIVE PLANNING

• No documentation? Code documentation requirements

• No meetings? SHORT AND FOCUSED MEETINGS

• No process? VERY WELL DEFINED PROCESS

• Bullet proof? INTEGRATE & FAIL OFTEN

• Just need to know how to code? DEVELOPER SECURITY TRAINING

• No project manager? Developers run amok???

Project Manager Strengths ….and Opportunities

• Need to create a CULTURE of DevOps (what does “culture” mean?)

• Focus on software development delivery success

• Integrate Quality into delivery

• Ability to react rapidly and adjust to a fast pace

• Understanding Regulatory requirements (for security & privacy)

• Be conversant with “Availability” as a parameter/attribute in rapid development: performance is directly linked with availability

• Management Reports …. How are the DevOps Teams prepared to support SecDevOps* (security testing tools to act as Acceptance Testing)

• Security Tools Integration

A Culture of DevOps

• Developers need to be trained on security for DevOps

• Culture of learning (kinda’ like Lessons Learned but Postmortems)

• NO SILOS : Share the learning (blameless Postmortems)

• Proactive Product Managers : look at the history, at what you know (vulnerabilities) and push training (update the training)

• Adapting to change – the 3 Part Framework (Larry Maccherone) DevSecOps Manifesto:
  » Build Security in (*by design, not afterthought)
  » Empowered Engineer Teams (*not security specialists)
  » Implement features securely (*not security features)
  » Build on a Culture of Change (*rather than Policy Enforcement)

The DevOps Continuum

Just one example……

But…..Traditional vs. Agile

Traditional Project Management:
⇥ Predictability, stability
⇥ Heavy bureaucracy, rigid procedures
⇥ Process driven
⇥ Upfront, extensive design & planning
⇥ Sequential
⇥ Hierarchical, top to bottom approach
⇥ Large teams, multi-tasking
⇥ Perfection focused
⇥ Change process to follow

Agile Project Management:
⇥ Acceptance of unpredictability, adjustment to reality
⇥ Minimal bureaucracy, follows principles
⇥ Activity driven
⇥ Design & plan as needed
⇥ Iterative and incremental
⇥ Flat, lean structure
⇥ Small, empowered teams
⇥ Just enough focused
⇥ Quick to respond to change

Agile ….. Or DevOps?

• Agile works in “sprints” which is considered 1 unit of code

• DevOps cannot assess the security of the application with 1 unit of code at the time = it works with chunks of code

• Chunks can be evaluated in production to understand if the functionality and security of code was achieved

• When Agile sprints include “shippable code” – this can be evaluated for security

• Not handy to have “shippable code” – you also need a “ready” environment to try out the code = DevOps

DevOps Roles and Responsibilities

• Project Manager or Product Manager

• Application Developers

• Risk Management (Infrastructure Security, Code/ Application security)

• Reporting?

• Budget Tracking?

• Schedule Tracking?

• Quality Tracking?

• ????? Facilitate learning and exchange of information between team members

DevOps Roles and Responsibilities

Business Objectives

Business capability

PLATFORM

Application environment

Infrastructure

Quality + Availability +Performance

Information Security/ IT Risk Management

Roles….cont’d

Waterfall vs. Agile vs. DevOps

OVERVIEW OF INTEGRATED CYBERSECURITY RISK MANAGEMENT

Why is risk management important?

Organization

Stakeholders Customers

Risk Management

$

What is risk?

“The possibility of an event occurring that will have an impact on the achievement of objectives, and it is typically measured in terms of likelihood and impact”

Risk elements (figure): Possibility, Threat, Vulnerability, Asset, Likelihood, Impact

Source: CGEIT Review Manual 2015 ISACA

What to do with a risk?

Risk

Control Ideal Scenario

Source: EY Mexico

What to do with a risk?

Risk Control

Over-Controlling

Source: EY Mexico

What to do with a risk?

Risk

Control

Residual or Remanent Risk

Mitigate / Eliminate / Transfer / Assume

Source: EY Mexico

How?

NIST Cybersecurity Framework

Source: NIST Cybersecurity Framework

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
http://www.nist.gov/itl/csd/the-stakeholders-have-spoken-nist-to-refine-cybersecurity-framework.cfm

Using COBIT 5 to implement NIST CSF

NIST Steps to use the CSF to implement a new cybersecurity program or maintain an existing one:

• Prioritize and scope

• Orient

• Create a current profile

• Conduct a risk assessment

• Create a target profile

• Determine, analyze and prioritize gaps

• Implement action plan

Using COBIT 5 to implement NIST CSF

Going beyond the CSF

• Prioritize and scope

• Orient

• Create a current profile

• Conduct a risk assessment

• Create a target profile

• Determine, analyze and prioritize gaps

• Implement action plan

Summarizing

• There are valuable frameworks to help implement an effective cybersecurity risk management program.

• There are effective frameworks to integrate the cybersecurity risk management program into a broader ERM program.

• You can decide which frameworks to use.

• The most important exercise includes:
  – Understanding risk appetite and tolerance.
  – Organization’s current and future state.
  – Gaps.
  – How to close them.

• DevOps can be part of that current or future state.

Break – 10 minutes

CYBERSECURITY RISK AND PROJECT RISK

History of Risk

According to Peter L. Bernstein, the dividing line between what we should call ancient times and modern times is mastering risk!*

• Earliest concept of managing risk arose because of gaming

• Gaming gave rise to probability theory

• First actuaries worked in England as early as the 1700s

• The modern terms for managing risk rose after World War II (Risk Management: History, Definition, and Critique by Georges Dionne)

• 1950s to the 1970s, risk discipline began to expand to alternatives

* Against the Gods: The Remarkable Story of Risk

Risks vs. Issues

Risks                    Issues
Uncertain                Certain
Futuristic               Current
May impact objectives    Has/will impact objectives
Unknown impact value     Known impact value

Organisational Risk Management

Strategic

Programmes

Projects

Operational

Long term

Medium term

Short term

Risk Management Overview

Project Risk is when an uncertain event or condition occurs that has a positive or negative effect on one or more project objectives, such as Scope, Schedule, Cost and Quality.

Objective of Risk Management is to increase the likelihood of positive events, and decrease the likelihood of negative events that will impact the project.

Projects, Programs & Portfolios in the IT Organization (COBIT 5)

Projects

Residual Risk in DevOps

Project Management Risk

• Inherent in every Project Management process & activities

• Residual risk needs to be reviewed and stays in the Risk Register

DevOps Risk Management

Empowered DevOps Teams….

• Developers will know to balance out the business risk vs. security/privacy risks → they are closer to the business

• They need to feel they are trusted – the Team knows they will do the right thing!

• Security Team needs to provide tools and knowledge resources to help the Empowered Developer Team

• Security Team is no longer the Gate Keeper but trusted Advisors

• Development team needs to trust the Security Team to provide the right tools at the right cost/effort ratio

• Security Team to guide the Development Team on preventative security practices and assist assist assist with security incidents!

DevSecOps Self Assessment

• More mature practices : green belt training, security architecture review (threat modelling?), security POC for components of the app, etc.

• DevSecOps Tools: Policies will stop the development unless scans are clean, use OWASP and set targets
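The "policies will stop the development unless scans are clean" bullet is, in practice, a gate step in the pipeline. The following is an added example, not code from the presentation: a small Python gate that reads scanner findings, compares the count of open findings per severity against agreed targets, honours documented risk exceptions only until they expire (so an accepted risk is forced back into review), and returns a non-zero exit code that blocks promotion. The JSON report shape, the severity thresholds, the OWASP Top 10 category labels on the sample findings and the exception list are all constructed for illustration; real scanners emit their own formats.

```python
"""Pipeline security gate: fail the build when open findings exceed agreed targets.

Added example, not from the presentation. The report format, severities,
policy thresholds and exception list are constructed for illustration.
"""
import json
import sys
from collections import Counter
from datetime import date

# Maximum open findings allowed per severity (constructed targets).
# A severity absent from the policy (e.g. "low") is not limited.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5}

# Constructed scanner output in a simplified JSON shape.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "high", "category": "A03:2021-Injection",
         "location": "app/orders.py:42", "title": "SQL built from request input"},
        {"id": "F-2", "severity": "medium", "category": "A05:2021-Security Misconfiguration",
         "location": "Dockerfile:3", "title": "Container runs as root"},
        {"id": "F-3", "severity": "medium", "category": "A06:2021-Vulnerable and Outdated Components",
         "location": "requirements.txt", "title": "Outdated dependency"},
        {"id": "F-4", "severity": "low", "category": "A09:2021-Security Logging and Monitoring Failures",
         "location": "app/auth.py:88", "title": "Failed logins not logged"},
    ]
})


def load_findings(report_json):
    """Parse the scanner report and normalise severities to lower case."""
    report = json.loads(report_json)
    return [{**f, "severity": str(f.get("severity", "unknown")).lower()}
            for f in report.get("findings", [])]


def evaluate(findings, policy=None, exceptions=None, today=None):
    """Compare open findings against the policy.

    `exceptions` maps finding id -> expiry date (ISO string) for risks the risk
    owner has accepted and documented. An expired exception no longer suppresses
    the finding, which forces the accepted risk back into review.
    """
    policy = DEFAULT_POLICY if policy is None else policy
    exceptions = exceptions or {}
    today = date.today() if today is None else today
    if isinstance(today, str):
        today = date.fromisoformat(today)

    open_findings, expired = [], []
    for f in findings:
        expiry = exceptions.get(f["id"])
        if expiry is None:
            open_findings.append(f)
        elif date.fromisoformat(expiry) < today:
            expired.append(f["id"])
            open_findings.append(f)
        # else: a valid, documented exception keeps the finding out of the count

    counts = Counter(f["severity"] for f in open_findings)
    violations = [{"severity": sev, "count": counts[sev], "limit": limit}
                  for sev, limit in policy.items() if counts[sev] > limit]
    return {"passed": not violations, "counts": dict(counts),
            "violations": violations, "expired_exceptions": expired}


def main(argv):
    """Gate on a report file given as argv[1], or on the embedded sample."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate(load_findings(report_json))
    for v in result["violations"]:
        print(f"GATE: {v['count']} open {v['severity']} finding(s), limit {v['limit']}")
    for fid in result["expired_exceptions"]:
        print(f"GATE: exception for {fid} has expired and needs review")
    print("GATE: PASSED" if result["passed"] else "GATE: FAILED, promotion blocked")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to gate the embedded sample (it fails on the one high finding); with a documented exception for that finding and a future expiry it passes, and with an expired exception it fails again and reports the exception for review.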

PUTTING ALL TOGETHER – SECURITY, DEVOPS AND RISK MANAGEMENT

Today’s story is ...

Let’s remember how everything started ...

• “The Problem”: Delivery time was too long.

• Testing a platform software enabling faster deployments
  – Infrastructure
  – Code

• Dev&Ops in a “platform”
  – Configuring resources in a programmatic manner
  – Pipelines for development lifecycle
  – Automated testing (security, functional)
  – Reporting bugs automatically
  – Promotion of the code to the next environment

PoC - Continuous Deployments

Champion Team:
• Project Managers
• Developers
• System Administrators
• Integrators
• 3rd party Consultants

R&D

MVP

Scope:
• Test the platform
• Develop one Minimal Viable Product
• Reengineer processes

The result: a Minimum Viable Product

What Could Have Gone Wrong?

• Security is not turned on “by default”
  – Encryption, High Availability
  – Hardening, Patching, Vulnerability Management
  – Segregation of duties
  – …

• Skills are not transferred automatically

• Architects, Developers, QA, DBAs, System Admins, …

• Project Managers, Project Coordinators, ….

• Automating the solution delivery ≠ the automation of compliance

One solution: updated Risk Management framework

What happened next?

Organizational Changes

Building the future state

Updating Risk Management methodology

• risk assessments are part of the Agile processes
• roles and responsibilities were assigned: Developers/Engineers (risk owners), Risk Officers (risk controls implementation, L1), Risk Bench Team (risk governance, L2)
• developed Security Stories
• created Risk adjusted Backlog
• documented accepted risks
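Added example, not code from the presentation: a small risk register that ties together the "What to do with a risk?" slides (risk scored as likelihood × impact, the four treatments Mitigate / Eliminate / Transfer / Assume, and the residual risk that remains) with the methodology changes on this slide (developers as risk owners, security stories, a risk-adjusted backlog, documented accepted risks). It scores each risk, derives residual risk from the chosen treatment, refuses an assumed risk that nobody has signed off, generates a security story for every undelivered mitigate/eliminate treatment, and orders the backlog by the exposure each item removes. The 1-5 scales, the "effectiveness" model for controls, the role names and the sample register and backlog are all assumptions made for the example.

```python
"""Risk register with treatments, residual risk and a risk-adjusted backlog.

Added example, not from the presentation. Scales, the control-effectiveness
model and the sample register/backlog are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"    # add a control that reduces likelihood or impact
    ELIMINATE = "eliminate"  # remove the activity or asset that carries the risk
    TRANSFER = "transfer"    # shift part of the impact to a third party (contract, insurance)
    ASSUME = "assume"        # accept the risk; must be documented and signed off


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                   # 1 (negligible) .. 5 (severe), constructed scale
    owner: str                    # developer/engineer who owns the risk
    treatment: Treatment
    effectiveness: float = 0.0    # share of inherent risk the control removes (0..1)
    implemented: bool = False     # has the treatment been delivered yet?
    accepted_by: Optional[str] = None  # who signed off an ASSUME decision

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be 1..5")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.id}: effectiveness must be 0..1")
        if self.treatment is Treatment.ASSUME and not self.accepted_by:
            raise ValueError(f"{self.id}: an assumed risk must be accepted by someone")

    def inherent(self) -> int:
        """Risk before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk that remains once the chosen treatment is in place."""
        if self.treatment is Treatment.ELIMINATE:
            return 0.0
        if self.treatment is Treatment.ASSUME:
            return float(self.inherent())
        return self.inherent() * (1.0 - self.effectiveness)  # mitigate or transfer

    def exposure(self) -> float:
        """Risk carried today: inherent until the treatment is delivered, residual after."""
        return self.residual() if self.implemented else float(self.inherent())


@dataclass
class BacklogItem:
    id: str
    title: str
    business_value: int                          # constructed 1..10 scale
    risk_ids: list = field(default_factory=list)  # register entries this item treats


def security_stories(register):
    """One backlog story for every undelivered mitigate/eliminate treatment."""
    return [f"{r.id}: {r.treatment.value} '{r.description}' (owner: {r.owner})"
            for r in register
            if r.treatment in (Treatment.MITIGATE, Treatment.ELIMINATE) and not r.implemented]


def accepted_risks(register):
    """Documented accepted risks; they stay in the register and are reviewed, not forgotten."""
    return [r.id for r in register if r.treatment is Treatment.ASSUME]


def risk_adjusted_backlog(items, register):
    """Order backlog item ids by the exposure they remove, then by business value."""
    by_id = {r.id: r for r in register}

    def key(item):
        removed = max((by_id[rid].exposure() for rid in item.risk_ids), default=0.0)
        return (-removed, -item.business_value)

    return [item.id for item in sorted(items, key=key)]


# Constructed sample register and backlog.
REGISTER = [
    Risk("R1", "Deployment secrets stored in pipeline config", 4, 5, "dev-team-a", Treatment.MITIGATE, 0.75),
    Risk("R2", "Base container image not rebuilt with patches", 3, 4, "platform", Treatment.MITIGATE, 0.5),
    Risk("R3", "Outage of third-party build service", 2, 3, "platform", Treatment.TRANSFER, 0.5, implemented=True),
    Risk("R4", "Legacy FTP endpoint still reachable", 5, 4, "ops", Treatment.ELIMINATE),
    Risk("R5", "Verbose error pages in staging", 3, 1, "dev-team-b", Treatment.ASSUME, accepted_by="risk bench team"),
]
BACKLOG = [
    BacklogItem("B1", "Customer dashboard widget", 8),
    BacklogItem("B2", "Move pipeline secrets into the vault", 3, ["R1"]),
    BacklogItem("B3", "Rebuild base image on a weekly schedule", 2, ["R2"]),
    BacklogItem("B4", "Decommission the FTP endpoint", 1, ["R4"]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.id} inherent={r.inherent():>2} residual={r.residual():>5.2f} exposure={r.exposure():>5.2f}")
    print("backlog order:", risk_adjusted_backlog(BACKLOG, REGISTER))
```

The backlog ordering uses exposure rather than residual risk on purpose: an "eliminate" decision that has not been carried out yet still leaves the organisation fully exposed, so the story that removes it ranks ahead of a feature with higher business value.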

And not only ...

• Cross functional domains training:
  – Info Risk team is trained about Agile Frameworks
  – Developers, Engineers, Architects take Security training
  – Product Managers learn about Information Risk Management

• Train the Trainer:
  – Project managers become Scrum Master Certified

Why? To go SecDevOps.

To change this…. into this:

Questions?

References

• ISACA COBIT 5 & COBIT 5 for Risk www.isaca.org

• https://medium.com/@cote/roles-and-responsibilities-for-devops-and-agile-teams-fdacbffb4cb4 Tbd

• http://www.isaca.org/Education/Conferences/Documents/COBIT/2.3.pdf

• COBIT 5 for Information Security

• Bright Talk Webcast :How to Achieve a DevSecOps Culture Using a Lean-Agile Approach (https://www.brighttalk.com/webcast/15811/330332?utm_campaign=viewing-history&utm_source=brighttalk-portal&utm_medium=web)

• https://resources.whitesourcesoftware.com/white-papers-datasheets/the-main-pillars-of-the-devops-2

Thank you!

& SPECIAL THANKS TO UNIVERSITY OF TORONTO FOR THE VENUE

Email: Contact Us, Questions about this presentation
Amalia Barthel: amsteiu@gmail.com; amalia.barthel@utoronto.ca
Raluca Blidaru: rblidaru@gmail.com
Carlos Chalico: carloschalico@aim.com; carlos.chalico@utoronto.ca

WEBSITE: http://www.soc.pmi.on.ca/

➢ PDUs: 2.0 Technical, 1.0 Leadership, 1.0 Strategic
➢ Interested in IT Risk Management & Cybersecurity?
➢ Visit School of Continuous Studies – course SCS_3373