Slide 1

Risk Management: How to Comply with Everything

July 11, 2013

Slide 2

Introduction

• Chris Cronin
– Principal Consultant, Halock Security Labs
– GCIH, ISO 27001 Auditor
– Recent GSNA Gold
– 15+ years experience in IT operations, audit, consulting and incident response

Slide 3

What You Will Learn

Finding the Investment Sweet Spot

How much security does the organization really need?

On Common Ground

Meeting the agendas of the Executive Suite

Ease Their Pain

Conflict-free audits

Ask and You Shall Receive

Bulletproof risk treatment planning & approvals

How to Comply with Everything

Why risk management is the compliance keystone

Slide 4

Presentation Layout

What is risk management?

Who benefits?

How to bust the myths.

Slide 5

What is Risk Management?

Slide 6

Asset

Slide 7

Control

Slide 8

Vulnerability

Slide 9

Threat

Slide 10

Likelihood

Slide 11

Impact to Your Mission

Slide 12

Risk

Risk = Likelihood x Impact

Slide 13

Risk Treatment

Slide 14

The Risk Register


Slide 16

What Risk Management Isn’t

Slide 17

Gap Assessment

Slide 18

What Keeps You Up At Night?

Slide 19

Predicting the Future

Slide 20

What Risk Management Is

Slide 21

Risk Management in Regulations

• HIPAA Security Rule
– “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...”
– “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
– “Security measures implemented to comply with standards and implementation specifications …must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI]”


Slide 23

Risk Management in Regulations

• Massachusetts 201 CMR 17.00
– “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program”
– “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…”
– “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”


Slide 25

Components of Risk Management

• Risk Management
– Assessment
– Oversight

• The cycle: Identify Risks, Propose Controls, Implement Controls, Test Effectiveness, Improve Ineffective Controls

Slide 26

Information Risk Management: The Standard of Care

• Required by laws and regulations
– SOX (Audit Standard 5)
– HIPAA Security Rule / Meaningful Use
– Massachusetts 201 CMR 17.00
– Gramm Leach Bliley
– FISMA
– Federal Trade Commission Rulings

Slide 27

Information Risk Management: The Standard of Care

• Required by Security Standards
– PCI DSS 2.0
– ISO 27001/ISO 27002
– CobiT
– NIST Special Publications

Slide 28

Who is Benefiting from Risk Management?

Slide 29

A Real-Life Case Study

• An organization that needed to improve their information compliance and security program
• Multiple roles that each had something at stake
• Multiple regulations apply to them

Slide 30

Whose Jobs are Getting Easier With Risk Management?

• Chief Financial Officer
• Auditor
• Chief Information Security Officer
• General Counsel
• Chief Information Officer
• IT Staff

Slide 31

Their Risk Register

Slide 32

Their Risk Calculations

• Risk = Likelihood x Impact

• Likelihood values: 1-5

• Impact values: 1-5

• Risk rating range: 1-25

• Acceptable Risk = Below 8
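The scoring rule on this slide is simple enough to encode, and doing so makes the one edge case explicit: "below 8" is a strict bound, so a rating of exactly 8 still needs treatment. The register below is an added example, not the case study's register or any code from the presenter; its entries are loosely modelled on the three lesson risks later in the deck, but every likelihood, impact, proposed control and residual score is a constructed assumption for illustration.

```python
"""Risk register scoring, an added example (not from the slide deck).

It applies the deck's rule, Risk = Likelihood x Impact with both on a
1-5 scale (ratings 1-25) and "Acceptable Risk = Below 8", to a register
whose entries, scores and proposed controls are constructed here for
illustration; they are not values or decisions from the case study.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Below 8" is a strict bound: a rating of exactly 8 is NOT acceptable.
ACCEPTABLE_BELOW = 8


def validate_scale(value: int, name: str) -> int:
    """Likelihood and impact must be integers on the 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_rating(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, so the result lies in 1..25."""
    return validate_scale(likelihood, "likelihood") * validate_scale(impact, "impact")


def is_acceptable(rating: int) -> bool:
    """Acceptable risk is strictly below the threshold."""
    return rating < ACCEPTABLE_BELOW


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    # Proposed control and the estimated scores once it is in place;
    # None means no treatment has been proposed yet.
    proposed_control: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def inherent_rating(self) -> int:
        return risk_rating(self.likelihood, self.impact)

    @property
    def residual_rating(self) -> Optional[int]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return risk_rating(self.residual_likelihood, self.residual_impact)

    def treatment_status(self) -> str:
        """Where the entry sits in the identify -> propose -> test loop."""
        if is_acceptable(self.inherent_rating):
            return "accept"                     # nothing to approve
        if self.residual_rating is None:
            return "needs treatment plan"       # above threshold, no control yet
        if is_acceptable(self.residual_rating):
            return "treat"                      # control brings it under 8
        return "treatment insufficient"         # control proposed, still >= 8


def build_register() -> List[RiskEntry]:
    """Constructed entries loosely based on the deck's three lesson risks.

    Scores and controls are illustrative assumptions, not the case study's.
    """
    return [
        RiskEntry("R1", "Identical local administrator passwords on end-user "
                        "systems allow a pass-the-hash breach",
                  likelihood=4, impact=4,
                  proposed_control="unique local administrator credential per "
                                   "system (constructed)",
                  residual_likelihood=1, residual_impact=4),   # 16 -> 4: treat
        RiskEntry("R2", "Lack of secure web application coding practices",
                  likelihood=3, impact=4,
                  proposed_control="secure coding training only (constructed)",
                  residual_likelihood=2, residual_impact=4),   # 12 -> 8: not below 8
        RiskEntry("R3", "Soft tokens rather than hard tokens for two-factor "
                        "authentication", likelihood=2, impact=3),   # 6: accept
    ]


def summarize(register: List[RiskEntry]) -> Dict[str, str]:
    """Map each risk id to its treatment status, for the approval review."""
    return {entry.risk_id: entry.treatment_status() for entry in register}


def open_items(register: List[RiskEntry]) -> List[str]:
    """Risk ids that still need a decision before the register is signed off."""
    return [e.risk_id for e in register
            if e.treatment_status() in ("needs treatment plan", "treatment insufficient")]


if __name__ == "__main__":
    for entry in build_register():
        print(entry.risk_id, entry.inherent_rating, entry.residual_rating,
              entry.treatment_status())
```

Running it lists R1 as treatable, R3 as acceptable without treatment, and R2 as still open: its proposed control only brings the rating down to 8, which the "below 8" rule does not accept, so the register cannot be signed off until a stronger control (or a justified change to the estimate) is proposed.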

Slide 33

Lesson 1: Finding the Investment Sweet Spot

• Risk:
– Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach.

• Roles:
– CIO: Needs to balance business and compliance requirements
– IT Staff: Need an easy way to support desktops
– CISO: Needs to be sure requirements are met
– General Counsel: Needs to balance business and compliance while addressing liability

Slide 34

Lesson 1: “Pass-the-Hash” Risk


Slide 36

Finding the Sweet Spot

Slide 37

Lesson 2: Finding Common Ground

• Risk:
– Lack of secure web application coding practices has created vulnerable applications.

• Roles:
– CIO: Needs to balance demands for new secure applications with many other demands
– CFO: Needs controlled applications for financial reporting. Needs to control costs.
– CISO: Needs to be sure requirements are met
– General Counsel: Needs to balance business and compliance while addressing liability

Slide 38

Lesson 2: Unsecured Applications Risk


Slide 40

Lesson 3: Ease Their Pain

• Risk:
– Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication.

• Roles:
– Auditor: Needs to demonstrate whether controls are met (while maintaining independence)
– CIO: Needs to respond truthfully to auditor (while balancing business with compliance)
– CISO: Needs to ensure compliance

Slide 41

Lesson 3: Two-Factor Token Risk


Slide 43

Lesson 4: Ask and You Shall Receive

If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.

Slide 45

Lesson 5: How to Comply with Everything

Slide 46

How to Bust Risk Assessment Myths

Slide 47

“We need actuarial tables”

Actuarial tables are not used for risk assessments! Information risk assessments are standard, straightforward processes. They require no statistical skills.

Slide 48

“We can’t predict the future”

Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.

Slide 49

Slide 50

“Risk assessments take too much time”

Because risk assessments help determine reasonable control levels, less time and cost are invested to get compliant.

Risk management reduces liability even before full compliance is met.

Slide 51

“Reasonable means ‘what our competitors do.’”

You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis.

Slide 52

“We can never agree on asset values”

Risk assessment methodologies often state the need to assess the asset value. That is often more difficult than what you need. Try assessing the impact instead.

Slide 53

“We did a gap assessment. That’s good enough”

Your first gap will be “We didn’t conduct a risk assessment.” Risk assessments are the standard of care for laws, regulations and information security standards.

Slide 54

Questions

Chris Cronin: [email protected]