7/31/2019 2009 10 01 Larry Clinton ISA Overview for Estonian Businessmen
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001
Larry Clinton, President, ISA
Former academic; came to DC in mid-80s
Legislative Director for Chair of Congressional Internet Committee
12 years w/ USTA, including rewrite of telecommunications law & WIPO
Joined ISA in 2002 w/ former Chair of Congressional Intelligence Committee
Has written numerous articles on information security, edited journals, and testified before Congress and electronic and print media
Boards: US Congressional I-net Caucus, I-Net Education Foundation, Cyber Security Partnership, DHS IT and Telecom Sector Coordinating Committee, CIPAC, CSCSWG
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, VP CISO, Boeing Corp.
Core Principles
1. The Internet changes everything
2. Cyber security is not an "IT" issue
3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security
ISAlliance Mission Statement
The ISAlliance mission is to use the collective experience of the members of the Internet Security Alliance to promote sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.
Our Partners
The Old Web
The Web Today
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Post 9-11 Cyber Security Policy
National Strategy to Secure Cyber Space
DIB Effort
Comprehensive National Cyber Initiative (CNCI)
CSIS and ISA Proposals to Obama/Congress
60-day review & Obama speech (5/29/09)
National Strategy to Secure Cyber Space (2002-03)
First comprehensive Administration view of the problem
Raised many key issues
Predicted market forces would adequately motivate private sector
General lack of follow-through by USG
Releasing the Cyber Security Social Contract, November 2008
ISA Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th C
Infrastructure development -- market incentives
Consumer protection through regulation
Gov role is more creative, harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them
President Obama's Report on Cyber Security (May 30 2009)
"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyber Space Policy Review, page iii)
Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008
The need to understand business economics to address cyber issues
"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." --- President's Cyber Space Policy Review, May 30, 2009, page 18
Regulation vs. Incentives
ISA Social Contract argues vs. regulation, which is slow / limited in effect / anti-US competitiveness / anti-security and won't work.
Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29 2009)
Congressional Testimony, October 2007
ISA Proposed Incentives (Testimony E & C May 1, 2009)
1. R & D grants
2. Tax incentives
3. Procurement reform
4. Streamlined regulations
5. Liability protection
6. Public education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act
President Obama's Report on Cyber Security (May 30, 2009)
"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." President's Cyber Space Policy Review, May 30, 2009, page v
Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress
Proposed Incentives: Liability
"The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." --- Obama Administration's Report on Cyber Security, May 2009, page 28
Financial Management of Cyber Risk
"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyber Space Policy Review, May 30, 2009, page 15
ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask ---- including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications & Compliance
Financial Impact of Cyber Risk, October 2008
The Economic Assessment of Cyber Security: 50 Questions for CFOs
Business Operations
General Counsel
Compliance Officer
Media (Investors and PR)
Human Resources
Risk Manager/Insurance
Sample Questions: Risk Manager/Insurance
Are we insured for this? (probably no)
What can we get insurance for?
What is the D & O exposure?
Where can we find cyber insurance, and what does it cover (& what doesn't it cover)?
What's the cost-benefit of insurance?
How do we evaluate policies?
Calculate Net Financial Risk
Threat (frequency of risk event / probable number of events per year)
X Consequence (severity of risk event / possible loss from event)
X Vulnerability (likelihood or % of damages, given mitigation actions)
MINUS Risk Transferred (e.g. insurance)
= NET FINANCIAL RISK
Sample Questions: Business Operations
What's our single biggest vulnerability?
How long are we down? Want to be up?
Are we complying w/ SoA standards?
Are we properly staffed?
Have we assessed physical security?
Incident response/continuity plans?
Risk exposure to vendors?
How often do we re-evaluate risks?
Sample Questions: Legal
Analyzed liabilities?
What legal rules apply to us or 3rd parties?
Vulnerable to class action/shareholder suits?
Legal exposure to Gov investigations?
Do our contracts protect us enough?
Multi-state laws apply?
Exposed to trade secret theft?
Sample Questions: Human Resources
Does everyone understand our $ risk?
Attract/retain the right personnel?
Are we managing the human vulnerability?
Is the org structured for team work?
Audit network access (esp. at termination)?
Address soc. networking & pub sites?
HR assessment include cyber security?
Discipline policy adequate for monitoring?
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001