Cyber Security from the Front Lines
“Finding the Risk Lens”
October 2014
Dennis Van Ham
ISACA Conference, Bermuda
© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
Kevin Mandia, CEO of Mandiant, says “international hacking will continue to grow as countries seek any possible economic advantage.”

Retail giant testimony...
A representative from Target, which recently suffered from a data breach putting the financial and personal information of at least 70 million customers at risk, testified in front of the House Commerce subcommittee on trade in Q1.
YESTERDAY…
Bad “Actors”: Isolated criminals; “Script Kiddies”
Targets: Identity Theft; Self Promotion; Opportunities; Theft of Services
“Target of Opportunity”

TODAY…
Bad “Actors”: Organized criminals; Foreign States; Hacktivists
Targets: Intellectual Property; Financial Information; Strategic Access
“Target of Choice”
1. External Threats: organized crime, nation-states, cyber espionage, hacktivism, insider threats.
2. Change in the way business is conducted: cloud computing, big data, social media, consumerization, BYOD, mobile banking.
3. Rapid technology change: critical national infrastructure, smart metering, internet of all things.
4. Changing market and client need: strategic shift, situational awareness, intelligence sharing, cyber response.
5. Regulatory compliance: data loss, privacy, records management.
Stakeholders: Board/CEO; CIO/CISO; Business Management; IT Management; Legal & Compliance; Internal Audit
Stakeholder Concerns

Board/CEO
• Establish management responsibilities; require ongoing reporting, monitoring and review of information risks and controls
• Monitor legislative, policy, industry, contractual, litigation, marketplace, consumer and employee developments and expectations

Business Management
• Ownership of overall risk management activities for business units and supporting systems
• Responsible for identifying and classifying mission critical data
• Oversight for the identification and implementation of controls for business systems and data

CIO/CISO
• Understand system and network vulnerabilities; plan for possible “persistent” threats
• Ensure that the company has a comprehensive and customized incident response team and plan
• Appoint a cross-functional incident response team
• Anticipate common cyber attack scenarios and develop preventative and responsive measures for each
Stakeholder Concerns (continued)

IT Management
• Ownership of IT specific risk management activities for supported systems
• Responsible for implementation and monitoring of controls for supported systems to minimize risks and ensure continuity of operation
• Continuous improvement of ability to respond to and withstand cyber security risks

Internal Audit
• Assess and review overall governance and risk management capabilities of the organization
• Perform independent assessments of process and controls in place to minimize risks to business systems
• Reporting to the Board/CEO regarding results of assessment of governance and risk management capabilities

Legal & Compliance
• Identify what existing and prospective laws apply to cyber security
• List all IP assets, trade secrets, account records, consumer data that could be subject to cyber-attack
• Establish an up-to-date cyber security risk assessment
Emerging Risks
■ Targeted Malware Attacks/Spearphishing
■ Intellectual Property Protection
■ BYOD/Consumerization
■ Foreign National Threats
■ Increased Data Leakage and Portability
■ “Zero Day” Attacks
■ Insider Threats
■ Diverse Compliance Challenges
■ Critical Infrastructure Protection
■ Integration with ERM Initiatives
Business Enablement
■ Rapidly Changing Business Needs
■ Increased Value Chain Integration
■ Globalization
■ Expanding New Revenue Streams
■ Mergers, Sourcing and Workforce Changes
■ Need for Improved Business Intelligence
■ E-Discovery and Investigations
■ Social Media Platforms
Security Management
■ Better Integration with Risk Management
■ Security Organization Model and Structure
■ Awareness and Training
■ Crisis Management
■ “Doing More with Less”
■ Vendor and 3rd Party Management
■ Asset and Configuration Management
■ Executive Reporting and Metrics
■ Managed Security Services
Technical Architecture
■ Security Analytics & Threat Intelligence
■ Public/Private “Cloud” Computing
■ Incident Response & Logging
■ GRC Solutions and Integration
■ Application and Code Review
■ Data Loss Prevention
■ IAM Governance and Process (Role Optimization, Privileged Management)
■ Increased Encryption (Data Level and Mobile)
■ Endpoint Protection & Validation
Board demonstrating due diligence, ownership, and effective management of risk
Topics
Understanding of Cyber
Board Involvement
Third-Party Supplier Relationships
Identification of Critical Data
Ownership and Governance for Data Protection
Program Management
The level and integration of a security culture that empowers and ensures the right people, skills, culture, and knowledge
Topics
Training and Awareness
Culture
Personnel Security Measures
Talent Management
Organizational Roles and Responsibilities
The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners
Topics
Risk Management Approach and Policies
Risk Tolerance Identification
Risk Assessment and Measures
Asset Management
Information Sharing
Third-Party Accreditation
Ability to Detect Attacks & Integrate Improvements
Preparations for a security event and ability to prevent or minimize the impact through successful crisis and stakeholder management
Topics
Ability to Manage Cyber Events
Financial Ramifications & Budget
Resources Required & Training
Robust Plans
Communications
Testing
The level of control measures implemented to address identified risks and minimize the impact of compromise
Topics
Threat and Vulnerability Management
Logical Security Controls
Physical Security Controls
Security Monitoring
Incident Response
Integration with IT Service Management
Regulatory and international certification standards as relevant
Topics
Inventory of compliance requirements
Compliance program components
Role of the Audit Committee
Litigation inventory
Cyber insurance
© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).