Transcript of 2009 11 16 Larry Clinton Financial Risk Management Enterprise Education Presentation
-
7/31/2019 2009 11 16 Larry Clinton Financial Risk Management Enterprise Education Presentation
1/29
The Economy is reliant
on the Internet
The state of Internet security is eroding quickly. Trust
in online transactions is evaporating, and it will
require strong security leadership for that trust to be
restored. For the Internet to remain the juggernaut of commerce and productivity it has become, it will
require more, not less, input from security.
PWC Global Cyber Security Survey 2008
-
Digital Immigrants need
education more than Digital natives
Demographers refer to the current K-12 cohort as the digital natives
The US workplace is mostly populated by digital immigrants
The current private sector is the most vulnerable to national security
We will have the current workforce of digital immigrants there for decades
-
President Obama's Report on
Cyber Security (May 30, 2009)
The United States faces the dual challenge of maintaining an
environment that promotes efficiency,
innovation, economic prosperity, and free trade while also promoting safety,
security, civil liberties, and privacy
rights.
President's Cyber Space Policy Review, May 30, 2009, page iii
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
-
CURRENT ECONOMIC INCENTIVES
FAVOR ATTACKERS
Attacks are cheap and easy
Vulnerabilities are almost infinite
Profits from attacks are enormous ($1 TRILLION in '08)
Defense is costly (usually no ROI)
Defense is often futile
Costs of attacks are distributed
-
Financial Management of
Cyber Risk
It is not enough for the information
technology workforce to understand the
importance of cybersecurity; leaders at all
levels of government and industry need to be able to make business and investment
decisions based on knowledge of risks and
potential impacts.
President's Cyber Space Policy Review, May 30, 2009, page 15
-
Senior Executives ARE NOT analyzing Cyber Risk adequately
There is still a gap between IT and enterprise
risk management. Survey results confirm the
belief among IT security professionals that
Boards and senior executives are not adequately involved in key areas related to
the governance of enterprise security.
2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey
-
Cyber RISK is not being
Appreciated
75% of US corporations do NOT have a Chief Risk Officer
5% of US corporations report to the CFO on security risks
65% of US corporations either do not have a documented process to assess cyber risk, or do not have a person in charge of the
process --- meaning they have no process
Deloitte Enterprise Risk, 2007
-
Communication Across Corporate
Structures is Inadequate
Intra-company communication on privacy and security risks was lacking. Only 17% of
respondents indicated they had a cross-organizational privacy/security team.
Less than half had a formal enterprise risk management plan. (47%)
1/3 of those with a plan did not include IT-related risks in the plan.
2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey
-
Problem is more than just
awareness
42% of survey respondents acknowledge that threats to information security are increasing
52% acknowledge that cost reductions to info security initiatives will make adequate security more difficult
PricewaterhouseCoopers Global Information Security Survey 2009
-
Financial Impact of Cyber Risk, October 2008
-
Design of ISA/ANSI Program
Open to all (Gov as well as industry), No Charge to Participate
Cross sectors and departments
7 full-day working sessions over 2 years
Phase I (Questions) complete Nov 08
Phase II (Responses) complete Dec 09
Red Teams review findings
-
ISA/ANSI Fund Financial Risk
Management Program
42 Private Sector Organizations, volunteer plus
U.S. Department of Commerce
U.S. Securities and Exchange Commission
Department of Justice
Department of Transportation
National Credit Union Administration
U.S. Cyber Consequences Unit
U.S. Department of Homeland Security
U.S. DHS Science & Technology (S&T) Directorate
U.S. DHS National Cyber Security Division (NCSD)
U.S. DHS Office of Infrastructure Protection
U.S. DHS Policy Directorate
California Office of Homeland Security
Peace Corps
-
The need to understand business
economics to address cyber issues
If the risks and consequences can be assigned
monetary value, organizations will have greater
ability and incentive to address cybersecurity. In
particular, the private sector often seeks a business case to justify the resource expenditures needed for
integrating information and communications system
security into corporate risk management and for
engaging partnerships to mitigate collective risk.
President's Cyber Space Policy Review, May 30, 2009, page 18
-
The Economic Assessment of
Cyber Security: 50 Questions for CFOs
Business Operations
General Counsel
Compliance Officer
Media (Investors and PR)
Human Resources
Risk Manager/Insurance
-
Calculate Net Financial Risk
Threat (frequency of risk event / probability: number of events per year)
X Consequence (severity of risk event / possible loss from event)
X Vulnerability (likelihood or % of damages given mitigation actions)
MINUS Risk Transferred (e.g. insurance)
= NET FINANCIAL RISK
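As an added worked example (not part of the presentation or the ISA/ANSI program), the Python below applies the slide's Net Financial Risk formula to a constructed breach scenario and then compares two treatment options, a control that lowers vulnerability and an insurance policy that transfers part of the loss, by net risk reduction minus annual cost. It assumes Vulnerability is a 0..1 fraction of the loss and Risk Transferred is an expected annual amount; every dollar figure is invented.

```python
# Added example: the slide's formula Threat x Consequence x Vulnerability
# MINUS Risk Transferred = NET FINANCIAL RISK, applied to constructed data.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat: float         # expected number of risk events per year
    consequence: float    # possible loss per event, in dollars
    vulnerability: float  # assumed: share of that loss expected given current mitigation (0..1)
    transferred: float    # assumed: expected annual loss transferred elsewhere (e.g. insurance)

    def gross_risk(self) -> float:
        """Threat x Consequence x Vulnerability, i.e. expected annual loss before transfer."""
        return self.threat * self.consequence * self.vulnerability

    def net_risk(self) -> float:
        """... MINUS Risk Transferred = NET FINANCIAL RISK (floored at zero)."""
        return max(self.gross_risk() - self.transferred, 0.0)


def option_value(base: RiskScenario, annual_cost: float, **changes) -> float:
    """Business case for one treatment option: reduction in net financial risk
    minus the option's annual cost. Positive means the spend pays for itself."""
    treated = replace(base, **changes)  # same scenario with the changed parameters
    return base.net_risk() - treated.net_risk() - annual_cost


def best_option(base: RiskScenario, options: dict) -> str:
    """Return the option name with the highest net benefit; options map name -> (cost, changes)."""
    return max(options, key=lambda n: option_value(base, options[n][0], **options[n][1]))


# Constructed scenario: one expected breach every two years, $4M loss if it
# happens, 60% of that loss expected under current controls, nothing insured.
BREACH = RiskScenario("customer data breach", threat=0.5,
                      consequence=4_000_000, vulnerability=0.6, transferred=0.0)

# Constructed treatment options: (annual cost, parameters the option changes).
OPTIONS = {
    "control halves vulnerability": (300_000, {"vulnerability": 0.3}),
    "insurance transfers $500k/yr": (150_000, {"transferred": 500_000}),
}

if __name__ == "__main__":
    print(f"net financial risk: ${BREACH.net_risk():,.0f}")
    for name, (cost, changes) in OPTIONS.items():
        print(f"{name}: net benefit ${option_value(BREACH, cost, **changes):,.0f}")
    print("best option:", best_option(BREACH, OPTIONS))
```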
-
Sample Questions: Legal
Analyzed liabilities?
What legal rules apply to us or 3rd parties?
Vulnerable to class action/shareholder suits?
Legal exposure to Gov investigations?
Do our contracts protect us enough?
Multi-state laws apply?
Exposed to trade secret theft?
-
Sample Questions: Compliance
Inventory of applicable regulations?
Where is our regulated data?
Valid reasons for holding all our data?
Policies & procedures documented?
Can we opt out of reg requirements?
Are we tracking compliance?
Are we reviewing and updating privacy compliance?
-
Sample Questions:
Risk Manager/Insurance
Are we insured for this? (probably no)
What can we get insurance for?
What is the D&O exposure?
Where can we find cyber insurance and what does it cover (& what doesn't it cover)?
What's the cost benefit to insurance?
How do we evaluate policies?
-
Sample Questions:
Business Operations
What's our single biggest vulnerability?
How long are we down? Want to be up?
Are we complying w/ SoA standards?
Are we properly staffed?
Have we assessed physical security?
Incident response/continuity plans?
Risk exposure from vendors?
How often do we re-evaluate risks?
-
Sample Questions:
Media/Crisis Management Team
Do we have segmented responses for all stakeholders?
Documented crisis communication plan?
Identified and trained all who need to be?
Have the external contacts we need?
Have we run a mock trial?
Are we budgeted for a crisis?
-
Sample Questions:
Human Resources
Does everyone understand our $ risk?
Attract/retain the right personnel?
Do we provide training to mitigate risk?
Is the org structured for teamwork?
Audit network access (esp. at termination)?
Address social networking & pub sites?
HR assessment include cyber security?
Discipline policy adequate for monitoring?
-
PROPOSAL
Build a grounded Enterprise Education program consistent with Cyber Space Policy Review
Based on 2-year open forum of industry and government
Initial 2-year program completed and funded by ISA and ANSI
DoC fund final development and testing
-
Three Phase Program
Phase I: take 50 Questions and 60 Responses documents and reformulate into enterprise training program
Phase II: Beta test Enterprise Education Program w/ multiple methods and evaluate
Phase III: Final National Roll Out using most cost-effective model
-
Deliverables
Quarterly Status Updates
Final Business Plan & launch Phase II 12 months from approval
Pilot strategy report 10 days after beginning of Phase II
Metrics on overall effectiveness 12 months following Phase II beginning
Modified Program based on Phase II 12 months from beginning Phase II
-
Phase III National Roll Out
Dependent on Phase II results & metrics
Final Business Plan and Implementation 10 days after contract signing Phase III
Quarterly Reports
Final Summary and Evaluation 36 months following beginning of National Roll Out
-
Budget
Phase I - Design and development of a comprehensive business plan
Integrates 2008 and 2009 ISA/ANSI Financial Risk Management Reports (50 Questions for corporate CFOs and Responses) into technical course development
Includes various management and direct costs
Projected cost - $300,000
-
Budget
Phase II - Testing/Evaluation/Reformatting
Multi-tier pilot program: utilizing combination of instructor-led onsite training and web-based instruction
Offering focused single-enterprise course offerings and/or multi-enterprise training sessions
Develop and implement metrics to test cost effectiveness
Develop and implement metrics to test and evaluate overall cost effectiveness
Projected cost - $400,000-$700,000* (conditional upon option I, II, or III elements)
-
Budget
Phase III - Implementation of final business plan for cyber training and education program
Implement metrics to test and evaluate for continual program improvement
Includes various management and direct costs
Projected cost TBD / conditional upon Phase II