Cyber Security from the Front Lines
“Finding the Risk Lens”
October 2014
Dennis Van Ham
ISACA Conference, Bermuda


© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.


Kevin Mandia, CEO of Mandiant, says “international hacking will continue to grow as countries seek any possible economic advantage.”

Retail giant testimony...

A representative from Target, which recently suffered from a data breach putting the financial and personal information of at least 70 million customers at risk, testified in front of the House Commerce subcommittee on trade in Q1.


YESTERDAY… “Target of Opportunity”

Bad “Actors”: Isolated criminals; “Script Kiddies”
Targets: Identity Theft; Self Promotion; Opportunities; Theft of Services

TODAY… “Target of Choice”

Bad “Actors”: Organized criminals; Foreign States; Hacktivists
Targets: Intellectual Property; Financial Information; Strategic Access


1. External Threats: Organized crime, nation-states, cyber espionage, hacktivism, insider threats.

2. Change in the way business is conducted: Cloud computing, big data, social media, consumerization, BYOD, mobile banking.

3. Rapid technology change: Critical national infrastructure, smart metering, internet of all things.

4. Changing market and client need: Strategic shift, situational awareness, intelligence sharing, cyber response.

5. Regulatory compliance: Data loss, privacy, records management.


Stakeholders: Board/CEO; Business Management; CIO/CISO; IT Management; Legal & Compliance; Internal Audit


Stakeholder Concerns

Board/CEO
• Establish management responsibilities; require ongoing reporting, monitoring and review of information risks and controls
• Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations

Business Management
• Ownership of overall risk management activities for business units and supporting systems
• Responsible for identifying and classifying mission-critical data
• Oversight for the identification and implementation of controls for business systems and data

CIO/CISO
• Understand system and network vulnerabilities; plan for possible “persistent” threats
• Ensure that the company has a comprehensive and customized incident response team and plan
• Appoint a cross-functional incident response team
• Anticipate common cyber attack scenarios and develop preventative and responsive measures for each


Stakeholder Concerns

IT Management
• Ownership of IT-specific risk management activities for supported systems
• Responsible for implementation and monitoring of controls for supported systems to minimize risks and ensure continuity of operation
• Continuous improvement of ability to respond to and withstand cyber security risks

Internal Audit
• Assess and review overall governance and risk management capabilities of the organization
• Perform independent assessments of process and controls in place to minimize risks to business systems
• Reporting to the Board/CEO regarding results of assessment of governance and risk management capabilities

Legal & Compliance
• Identify what existing and prospective laws apply to cyber security
• List all IP assets, trade secrets, account records, consumer data that could be subject to cyber-attack
• Establish an up-to-date cyber security risk assessment


Emerging Risks
■ Targeted Malware Attacks/Spearphishing
■ Intellectual Property Protection
■ BYOD/Consumerization
■ Foreign National Threats
■ Increased Data Leakage and Portability
■ “Zero Day” Attacks
■ Insider Threats
■ Diverse Compliance Challenges
■ Critical Infrastructure Protection
■ Integration with ERM Initiatives

Business Enablement
■ Rapidly Changing Business Needs
■ Increased Value Chain Integration
■ Globalization
■ Expanding New Revenue Streams
■ Mergers, Sourcing and Workforce Changes
■ Need for Improved Business Intelligence
■ E-Discovery and Investigations
■ Social Media Platforms

Security Management
■ Better Integration with Risk Management
■ Security Organization Model and Structure
■ Awareness and Training
■ Crisis Management
■ “Doing More with Less”
■ Vendor and 3rd Party Management
■ Asset and Configuration Management
■ Executive Reporting and Metrics
■ Managed Security Services

Technical Architecture
■ Security Analytics & Threat Intelligence
■ Public/Private “Cloud” Computing
■ Incident Response & Logging
■ GRC Solutions and Integration
■ Application and Code Review
■ Data Loss Prevention
■ IAM Governance and Process (Role Optimization, Privileged Management)
■ Increased Encryption (Data Level and Mobile)
■ Endpoint Protection & Validation


Board demonstrating due diligence, ownership, and effective management of risk

Topics
Understanding of Cyber
Board Involvement
Third-Party Supplier Relationships
Identification of Critical Data
Ownership and Governance for Data Protection
Program Management


The level and integration of a security culture that empowers and ensures the right people, skills, culture, and knowledge

Topics
Training and Awareness
Culture
Personnel Security Measures
Talent Management
Organizational Roles and Responsibilities


The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners

Topics
Risk Management Approach and Policies
Risk Tolerance Identification
Risk Assessment and Measures
Asset Management
Information Sharing
Third-Party Accreditation
Ability to Detect Attacks & Integrate Improvements


Preparations for a security event and ability to prevent or minimize the impact through successful crisis and stakeholder management

Topics
Ability to Manage Cyber Events
Financial Ramifications & Budget
Resources Required & Training
Robust Plans
Communications
Testing


The level of control measures implemented to address identified risks and minimize the impact of compromise

Topics
Threat and Vulnerability Management
Logical Security Controls
Physical Security Controls
Security Monitoring
Incident Response
Integration with IT Service Management


Regulatory and international certification standards as relevant

Topics
Inventory of compliance requirements
Compliance program components
Role of the Audit Committee
Litigation inventory
Cyber insurance
