
Page 1

ENTERPRISE SECURITY

ALIGNING SECURITY WITH BUSINESS RISK

FRANK PLATT, CISSP, INFOSEC ALLIANCE

(or, do I spend the same amount protecting my toothbrush as I do protecting my Rolex)

Presenter Notes:
What is risk? Threats to the organization: fire, weather, people, etc. All organizations deal with risk; that is what insurance is for.
What can be done with risk? Ignore it; assign (share) it; mitigate it to reduce it; assume it.
What are today's cyber risks (Travelers 2017)?
• Human error: lost and stolen notebooks and smartphones
• Hackers: stolen PII, EPHI, PCI
• Email compromise: tricking employees into doing something, e.g. a wire transfer
• Extortion: ransomware, rogue / disgruntled employee
• Hacktivism: social and political "hacktivists"
Page 2

Business Leaders Want to Know

What are my cyber risks?

• Can someone hold our data for ransom?

• Can, or is, someone stealing our data?

• Is someone using our network to conduct illegal activities?

• Are we vulnerable to litigation if we are not following best practice to reduce risk?

• Are we in compliance?

Source: National Association of Corporate Directors (NACD)

Presenter Notes:
According to NACD, investors, the board, the CEO and leadership want to know the answers to these questions.
Page 3

Aligning Goals

Is our data identified and classified?

Is our non-public, sensitive information protected?

Are we able to detect a breach and loss of data?

Are we prepared to respond to an event and recover from an incident?

Are we spending appropriately on security priorities?

How does the organization's security posture compare to that of its peers?

Source: Gartner

Presenter Notes:
Data classification levels: Public; Non-public; Non-public and sensitive.
Page 4

ALIGNING RISK: ENTERPRISE SECURITY ARCHITECTURE

Presenter Notes:
What does ESA do for the organization? It provides structure.
Page 5

Risk of an Unstructured Security Program

Presenter Notes:
The traffic in New Delhi and Bangalore could be considered "without architecture". Now look at NYC. Which city implemented an architecture? Which traffic pattern would you prefer to be in?
Page 6

Benefits of a Structured Program

Page 7

Security Architecture

Develop Framework and Key Risk Indicators

Presenter Notes:
Remember these FOUR things:
1. Cybersecurity can no longer be managed in a reactive, patchwork or silo manner. When you consider the risks associated with data or network breaches (in dollars, regulatory penalties and tarnished reputation) it is clear that cybersecurity is a strategic imperative and should be addressed at the top levels of the organization. The chief information security officer should have a seat at board meetings and a place on the agenda as a key player in the overall risk management program and long-term planning.
2. The ESA methodology is an ongoing process. Periodically revisit and update the enterprise security plan as new knowledge and tools become available. Every security incident should trigger another pass through the Readiness and Awareness steps to continually fortify the offense and defense.
3. Awareness, communication and coordination are key to a cybersecurity culture. Protecting personal and company confidential data is essential to the organization, for reasons of compliance, fiduciary responsibility and protecting trade secrets. Don't expose it to a misstep by an employee. Everybody should consider cybersecurity to be intrinsic to their job descriptions.
4. Security analytics enables data-driven decision making throughout the cycle. Advanced analytics such as behavioral analysis, predictive analytics and automated machine learning redefine the art. It won't be like having a GPS tracking collar on every python, but you will see the signs they are afoot, and you'll continually get better at spotting them.
Page 8

Key Risk Indicators (NIST)

Identify

Protect

Detect

Respond

Recover

Presenter Notes:
We know this as the NIST Cybersecurity Framework. There are two other frameworks that may apply: ISO 27001 and the SANS CIS Critical Security Controls. Personally, I prefer NIST for US companies only doing business in the US; ISO is for internationally based companies doing business on a global basis. I've found that calling the categories "Key Risk and Key Performance Indicators" brings more meaning to the C-suite and board.
Page 9

Security Architecture

Develop Framework and Key Risk Indicators

Determine Risk Profile Based on KPIs – Current State Assessment

Page 10

Key Performance Indicators (NIST)

KRI (function) and KPIs (categories):

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

Detect: Anomalies and Events; Security Continuous Monitoring; Detection Process

Respond: Response Planning; Communications; Analysis; Mitigation; Improvements

Recover: Recovery Planning; Improvements; Communications

Page 11

NIST Scoring Scale & Rating Definitions

Rating 4 – Adaptive / Institutionalized
Process/Policy: Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on systems and networks.
Technology: Comprehensive solutions, full functionality

Rating 3 – Repeatable / Functional
Process/Policy: The organization's risk management practices are formally approved and expressed as policy, and cybersecurity practices are regularly updated.
Technology: Partial solutions, limited functionality

Rating 2 – Informed / Emerging
Process/Policy: There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity has not been established.
Technology: Point solutions, minimal functionality

Rating 1 – Partial / Reactive
Process/Policy: Organizational cybersecurity and risk management practices are not formalized.
Technology: No technology, or obsolete

Evaluation Methodology

• Collected factual information

• Collected leadership’s perspectives

• Compared process and technology to state-of-the-art employing NIST Critical Infrastructure Framework

• Investigated findings

• Evaluated across multiple dimensions (policy, process, technology)

• Scored by team consensus

• Reviewed by stakeholders

Example (chart): maturity scale from 1 Partial/Reactive through 2 Informed/Emerging and 3 Repeatable/Functional to 4 Adaptive/Institutionalized, with the industry range marked at 3.0.

Page 12

CURRENT STATE

October 2017 – Composite Score: 2.06

Page 13

Security Architecture

Develop Framework and Key Risk Indicators

Determine Risk Profile Based on KPIs – Current State Assessment

Determine Desired Risk Profile Based on Risk Appetite – Desired State Assessment

Page 14

DESIRED STATE

February 2018 – Composite Score: 2.92

Page 15

Desired State

Multi-Disciplinary Teams

Page 16

Security Architecture

Develop Framework and Key Risk Indicators

Determine Risk Profile Based on KPIs – Current State Assessment

Determine Desired Risk Profile Based on Risk Appetite – Desired State Assessment

Prepare Road Map for Risk Reduction – gap analysis

Page 17

RISK MATRIX – HEAT MAP

(Chart: projects plotted by Business Impact against Likelihood, each tagged with Cost and a Priority of Critical, Important or Moderate.)

Projects on the map:

• A1 – Virtual Chief Security Officer
• B1 – Asset Management
• C1 – System Tech Guidelines Configuration
• D1 – Monitoring and Logging
• Project E1 – Incident Management
• Project F1 – Access Control
• H1 – BC/DR
• Project H – Network Configuration
• B2 – Network Access Control
• B3 – Software Asset Management
• B4 – Two Factor Authentication
• C2 – Network Triage & Cleanup
• D1 – Implement SIEM
• D1 – System Logging Policy
• D3 – User Access Management
• G1 – Wireless Access Control

Page 18

GAP Analysis and Budgets

Page 19

Security Architecture

Develop Framework and Key Risk Indicators

Determine Risk Profile Based on KPIs – Current State Assessment

Determine Desired Risk Profile Based on Risk Appetite – Desired State Assessment

Prepare Road Map for Risk Reduction – gap analysis

Success factors:

• Awareness and communications are key to a cybersecurity culture

• Security analytics enables data-driven decision making
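The four ESA steps above (framework, current state, desired state, gap analysis) reduce to arithmetic on the 1–4 maturity scale. The following is an added example, not code from the presentation: it scores a constructed assessment, computes the composite and per-function scores, and ranks the gaps the way the heat map does (business impact × likelihood, each on an assumed 1–3 scale, bucketed into Critical / Important / Moderate). The category ratings, impacts and likelihoods are made-up sample data.

```python
"""Maturity scoring and gap analysis on the deck's 1-4 NIST-style scale."""

RATING_LABELS = {1: "Partial/Reactive", 2: "Informed/Emerging",
                 3: "Repeatable/Functional", 4: "Adaptive/Institutionalized"}

# Constructed sample assessment (not the deck's data):
# (function, category, current rating, desired rating, business impact, likelihood)
# impact and likelihood use an assumed 1-3 scale (low / medium / high).
ASSESSMENT = [
    ("Identify", "Asset Management",               1, 3, 3, 3),
    ("Identify", "Governance",                     2, 3, 2, 2),
    ("Protect",  "Access Control",                 2, 4, 3, 3),
    ("Protect",  "Awareness and Training",         2, 3, 2, 3),
    ("Detect",   "Security Continuous Monitoring", 1, 3, 3, 2),
    ("Respond",  "Response Planning",              2, 3, 2, 1),
    ("Recover",  "Recovery Planning",              3, 3, 3, 1),
]

def check_rating(rating):
    """Reject anything outside the 1-4 maturity scale."""
    if rating not in RATING_LABELS:
        raise ValueError(f"rating {rating!r} is outside the 1-4 maturity scale")
    return rating

def _avg(values):
    values = list(values)
    return round(sum(values) / len(values), 2)

def composite(rows, column):
    """Composite score: mean of every category rating (column 2 = current, 3 = desired)."""
    return _avg(check_rating(row[column]) for row in rows)

def function_scores(rows, column):
    """Mean rating per NIST function (Identify ... Recover)."""
    by_fn = {}
    for row in rows:
        by_fn.setdefault(row[0], []).append(check_rating(row[column]))
    return {fn: _avg(ratings) for fn, ratings in by_fn.items()}

def priority(impact, likelihood):
    """Heat-map bucket from business impact x likelihood (assumed 1-3 each)."""
    heat = impact * likelihood
    return "Critical" if heat >= 6 else "Important" if heat >= 3 else "Moderate"

def roadmap(rows):
    """Gap analysis: categories whose desired rating exceeds the current one,
    ranked by heat-map score, then by size of the gap, then by name."""
    items = []
    for fn, category, current, desired, impact, likelihood in rows:
        gap = check_rating(desired) - check_rating(current)
        if gap > 0:
            items.append({"function": fn, "category": category, "gap": gap,
                          "heat": impact * likelihood,
                          "priority": priority(impact, likelihood)})
    return sorted(items, key=lambda i: (-i["heat"], -i["gap"], i["category"]))

if __name__ == "__main__":
    print("current composite:", composite(ASSESSMENT, 2))   # 1.86
    print("desired composite:", composite(ASSESSMENT, 3))   # 3.14
    for item in roadmap(ASSESSMENT):
        print(f'{item["priority"]:9} {item["function"]:8} {item["category"]} (+{item["gap"]})')
```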

Page 20

www.infosecalliance.com

Questions

Thank you

Frank E Platt, [email protected]

References:

http://www.nist.gov/cyberframework

http://www.iso27001security.com/html/27001

https://www.sans.org/critical-security-controls/guidelines