Page 1

Securing your supply chain & vicarious liability (cyber security)

Ollie Whitehouse, Technical Director

Cyber Risk and Insurance, November 3, ’15 - London

Page 2

Topics we will cover (broadly speaking)

Information classification systems and why they are used

Evaluating third party risks posed to your data and computing estate

Assessing the provision and limits of cover throughout your supply chain

Challenges around unencrypted media in the control of your suppliers

Analysing your culture of interacting with suppliers and customers

What does a good security and risk assessment look like when vetting third parties?


Page 3

Cyber security challenge – part 1

Page 4

Cyber security challenge – part 2

Page 5

Phishing: Statistics

https://www.nccgroup.trust/piranha/

Page 6

Supply chains…

• Software: commercial off-the-shelf (COTS) and proprietary

• Equipment: the routers, servers, tablets, phones, storage, multi-function devices, the doors, conditional access devices, building management systems etc.

• Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, and other generic terms like data feeds, cloud and managed service etc.

Page 7

Supply chains…

Page 8

Supply chains… risk of contagion

Page 9

Supplier tiers..

Tiers of suppliers: focus on tier 1 and 2 initially. The tier a supplier sits in is dictated by the business criticality of what they supply.

Page 10

Supplier tiers..

Tiers of suppliers have tiers of suppliers. It is an exponential problem, and one that creates inadvertent concentrations of data or function in a small number of third parties serving certain roles (legal, HR etc.) or sector niches.
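The tiering, concentration and contagion points made on pages 8 to 10, as an added Python example that is not from the deck or from NCC Group: it tiers direct suppliers by the business criticality of what they supply, walks the sub-supplier relationships to find third parties that several tier 1 and 2 suppliers quietly share, and shows the blast radius when one of those shared parties fails. All supplier names, relationships and criticalities are constructed for illustration, and the criticality-to-tier mapping is an assumption, not a rule from the deck.

```python
"""Supplier tiering, concentration and contagion over a constructed supplier graph."""
from collections import defaultdict, deque

# Constructed sample data (not real suppliers): what each direct supplier
# provides and how critical that is to the business.
DIRECT_SUPPLIERS = {
    "PayrollCo": {"supplies": "payroll processing (BPO)", "criticality": "critical"},
    "CloudHost": {"supplies": "IaaS for customer portal", "criticality": "critical"},
    "LawFirm":   {"supplies": "legal services",           "criticality": "important"},
    "PrintShop": {"supplies": "marketing print",          "criticality": "routine"},
    "MFDLease":  {"supplies": "multi-function devices",   "criticality": "important"},
}

# Constructed sub-supplier edges: supplier -> the suppliers it in turn relies on.
# Note that nobody contracts with DNSProvider directly, yet most paths end there.
SUB_SUPPLIERS = {
    "PayrollCo": ["CloudHost", "DocStore"],
    "LawFirm":   ["DocStore", "EmailHost"],
    "MFDLease":  ["DocStore"],
    "PrintShop": ["EmailHost"],
    "CloudHost": ["DNSProvider"],
    "DocStore":  ["CloudHost"],
    "EmailHost": ["DNSProvider"],
}

# Assumed mapping: tier follows the criticality of what is supplied.
TIER_BY_CRITICALITY = {"critical": 1, "important": 2, "routine": 3}


def assign_tiers(direct):
    """Tier each direct supplier by the business criticality of what it supplies."""
    return {name: TIER_BY_CRITICALITY[info["criticality"]] for name, info in direct.items()}


def downstream(start, edges):
    """Every supplier transitively relied on by `start` (BFS; safe on cycles)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for dep in edges.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen - {start}


def concentration(direct, edges, max_tier=2):
    """Map each sub-supplier to the tier 1/2 suppliers that depend on it.

    A sub-supplier with several dependents is an inadvertent concentration:
    multiple critical suppliers resting on the same third party.
    """
    tiers = assign_tiers(direct)
    in_scope = [s for s, t in tiers.items() if t <= max_tier]
    dependents = defaultdict(set)
    for supplier in in_scope:
        for dep in downstream(supplier, edges):
            dependents[dep].add(supplier)
    return {dep: sorted(ds) for dep, ds in dependents.items()}


def blast_radius(compromised, direct, edges):
    """Direct suppliers (and what they supply) affected if `compromised` fails."""
    affected = {}
    for supplier, info in direct.items():
        if supplier == compromised or compromised in downstream(supplier, edges):
            affected[supplier] = info["supplies"]
    return affected


def focus_list(direct, edges, max_tier=2, min_dependents=2):
    """Tier 1/2 suppliers plus any sub-supplier shared by >= min_dependents of them."""
    tiers = assign_tiers(direct)
    focus = {s for s, t in tiers.items() if t <= max_tier}
    for dep, ds in concentration(direct, edges, max_tier).items():
        if len(ds) >= min_dependents:
            focus.add(dep)
    return sorted(focus)


if __name__ == "__main__":
    print("tiers:", assign_tiers(DIRECT_SUPPLIERS))
    print("shared sub-suppliers:", concentration(DIRECT_SUPPLIERS, SUB_SUPPLIERS))
    print("if DNSProvider fails:", blast_radius("DNSProvider", DIRECT_SUPPLIERS, SUB_SUPPLIERS))
    print("assessment focus:", focus_list(DIRECT_SUPPLIERS, SUB_SUPPLIERS))
```

On this constructed graph DNSProvider and DocStore never appear on the contract register, yet a failure at DNSProvider reaches every direct supplier and a failure at DocStore reaches three of the four tier 1 and 2 suppliers. That is why the focus list starts with tier 1 and 2 but must then follow their dependencies one level down.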

Page 11

So why does this matter?

Page 12

So why does this matter?

Page 13

How to approach cyber security

Resilience

Page 14

What does cyber resilience mean?

We will have incidents both of internal and external origin

we will contend with accidents and malicious acts

we will face an evolving set of threats requiring agility

We will build services for the business which are appropriately secure and resilient

… which frustrate threat actors and reduce likelihood of accidents

… which minimize the impact of any incident whilst being useable

We will be in a position to detect incidents in a timely fashion

… whilst being able to answer who, what, when and how … and then recover

Page 15

How we deal with risk today

• Elements / Tenets: CIA and the Parkerian Hexad etc.

• Models / Indexes: custom or off the shelf.

• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, NIST SP 800-30 etc.

• Standards / Regulation: ISO/IEC 27001, PCI DSS, FCA/PRA, SOC 1, SOX etc.

• Maturity Models: recognizing that risk isn’t static, nor do we need to be perfect

• Audit: tells us the gaps against regulation, standards, taxonomies etc.

Page 16

Suffice to say

Suppliers are increasingly operating

business critical functions

Page 17

Suffice to say – part II

You can outsource the business function

but you can’t outsource* the risk ownership

* you can however spread the liability i.e. who pays when it goes wrong

Page 18

Today it is a challenge for customers

Suppliers today need to show good will in order to support supply chain cyber maturity programs.

Legacy contractual cover is typically weak beyond compliance against standards such as ISO 27001.

The cost of renegotiating contracts is typically high.

If a supplier is unique or niche then commercial leverage evaporates.

Page 19

Current approach to the supply chain .. today only the most mature

Page 20

Some have started down this route

Page 21

Cyber maturity model for the supply chain

NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management: five levels of implementation (Immature, Early Starter, Progressive, Semi-Mature, Mature) assessed across five dimensions (cyber security strategy; approach to risk management; contractual cover / supplier relationship; standards and validation; overall cyber resilience).

Immature

• Cyber security strategy: reactive

• Approach to risk management: ad-hoc

• Contractual cover / supplier relationship: none

• Standards and validation: Cyber Essentials

• Overall cyber resilience: none

Early Starter

• Cyber security strategy: regulatory (customer) driven

• Approach to risk management: conformance and audit driven

• Contractual cover / supplier relationship: minimal cyber security requirements

• Standards and validation: Cyber Essentials + ISO 27001

• Overall cyber resilience: ability to defend against some attacks

Progressive

• Cyber security strategy: regulatory, customer and maybe peer driven

• Approach to risk management: audit and proactive

• Contractual cover / supplier relationship: allows independent cyber security review

• Standards and validation: CE+, ISO plus paper validation

• Overall cyber resilience: ability to defend and detect common incidents

Semi-Mature

• Cyber security strategy: regulatory, customer, peer & threat driven

• Approach to risk management: audit, proactive with dynamic risk models

• Contractual cover / supplier relationship: independent validation / information shared

• Standards and validation: CE+, ISO, paper & tech validation

• Overall cyber resilience: ability to defend, detect and respond to most incidents

Mature

• Cyber security strategy: regulatory, peer, customer, threat and intelligence driven

• Approach to risk management: as Semi-Mature, plus continual validation of risk models

• Contractual cover / supplier relationship: as Semi-Mature, plus requires proactive notification of incidents

• Standards and validation: CE+, ISO, paper, tech & end-to-end ongoing validation

• Overall cyber resilience: ability to defend, detect, respond and gain intelligence

Page 22

So where is the best supply chain today?

(NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management, as on page 21)

Page 23

Information classification systems

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf

Page 24

Why?

Page 25

Why?

Page 26

Information classification systems

• Know what data/information/assets we care about

• Identify where the data/information/assets we care about are

• Protect what we care about sufficiently with controls (people, physical, ICT)

• Do so cost effectively, proportional to the risk

• Appropriate controls minimize hindrance of use and thus enable the business

Page 27

Wrapping up

• Cyber is a very complex problem

• It is a blended technology and people problem

• Interdependencies are rarely fully understood in complex systems*

• Risk-managing components / functional elements in isolation doesn’t work

• Prevention alone is not a robust strategy – resilience is what is needed

Page 28

Europe

Manchester - Head Office

Amsterdam

Cambridge

Copenhagen

Cheltenham

Edinburgh

Glasgow

Leatherhead

London

Luxembourg

Munich

Zurich

Australia

Sydney

North America

Atlanta

Austin

Chicago

New York

San Francisco

Seattle

Sunnyvale

Ollie Whitehouse

[email protected]

Thanks! Questions?