2009 10 01 Larry Clinton ISA Overview for Estonian Businessmen


  • 7/31/2019 2009 10 01 Larry Clinton ISA Overview for Estonian Businessmen

Slide 1/31

Larry Clinton, President
Internet Security Alliance, [email protected]
703-907-7028
202-236-0001

Slide 2/31

Larry Clinton, President, ISA

Former academic; came to DC in the mid-80s
Legislative Director for the Chair of the Congressional Internet Committee
12 years with USTA, including the rewrite of telecommunications law and WIPO
Joined ISA in 2002 with the former Chair of the Congressional Intelligence Committee
Written numerous articles on information security, edited journals, testified before Congress, electronic and print media

Boards: US Congressional I-net Caucus, I-Net Education Foundation, Cyber Security Partnership, DHS IT and Telecom Sector Coordinating Committee, CIPAC, CSCSWG

Slide 3/31

ISA Board of Directors

Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
Ken Silva, Immediate Past Chair; CSO, VeriSign
Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Bruno Mahlmann, VP Cyber Security, Perot Systems
Linda Meeks, VP CISO, Boeing Corp.

Slide 4/31

Core Principles

1. The Internet Changes Everything
2. Cyber Security is not an "IT" issue
3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security

Slide 5/31

ISAlliance Mission Statement

The ISAlliance mission is to use the collective experience of the members of the Internet Security Alliance to promote sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.

Slide 6/31

Our Partners

Slide 7/31

The Old Web

Slide 8/31

The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html


Slide 10/31

Post 9-11 Cyber Security Policy

National Strategy to Secure Cyber Space
DIB Effort
Comprehensive National Cyber Initiative (CNCI)
CSIS and ISA Proposals to Obama/Congress
60-day review & Obama Speech (5/29/09)

Slide 11/31

National Strategy to Secure Cyber Space (2002-03)

First comprehensive Administration view of the problem
Raised many key issues
Predicted market forces would adequately motivate the private sector
General lack of follow-through by the USG

Slide 12/31

Releasing the Cyber Security Social Contract, November 2008

Slide 13/31

ISA Cyber Social Contract

Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development -- market incentives
Consumer protection through regulation
Government role is more creative and harder: motivate, not mandate, compliance
Industry role is to develop practices and standards and implement them

Slide 14/31

President Obama's Report on Cyber Security (May 30, 2009)

"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights." (President's Cyber Space Policy Review, page iii)

Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

Slide 15/31

The need to understand business economics to address cyber issues

"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership." --- President's Cyber Space Policy Review, May 30, 2009, page 18

Slide 16/31

Regulation vs. Incentives

The ISA Social Contract argues against regulation, which is slow, limited in effect, anti-US-competitiveness, anti-security, and won't work.

Obama: "Let me be very clear, we are not going to regulate cyber security standards to the private sector." (May 29, 2009)

Slide 17/31

Congressional Testimony, October 2007

Slide 18/31

ISA Proposed Incentives (Testimony, E & C, May 1, 2009)

1. R & D Grants
2. Tax incentives
3. Procurement Reform
4. Streamlined Regulations
5. Liability Protection
6. Public Education
7. Insurance
8. SBA loans
9. Awards programs
10. Cyber SAFETY Act

Slide 19/31

President Obama's Report on Cyber Security (May 30, 2009)

"The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." President's Cyber Space Policy Review, May 30, 2009, page v

Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress

Slide 20/31

Proposed Incentives: Liability

"The Federal government should consider options for incentivizing collective action and enhance competition in the development of cybersecurity solutions. For example, the legal concepts for standard of care to date do not exist for cyberspace. Possible incentives include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms." --- Obama Administration's Report on Cyber Security, May 2009, page 28

Slide 21/31

Financial Management of Cyber Risk

"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts." President's Cyber Space Policy Review, May 30, 2009, page 15

ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask -- including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications, and Compliance.

Slide 22/31

Financial Impact of Cyber Risk, October 2008

Slide 23/31

The Economic Assessment of Cyber Security: 50 Questions for CFOs

Business Operations
General Counsel
Compliance Officer
Media (Investors and PR)
Human Resources
Risk Manager/Insurance

Slide 24/31

Sample Questions: Risk Manager/Insurance

Are we insured for this? (probably not)
What can we get insurance for?
What is the D & O exposure?
Where can we find cyber insurance, and what does it cover (and not cover)?
What's the cost/benefit of insurance?
How do we evaluate policies?

Slide 25/31

Calculate Net Financial Risk

Threat (frequency of risk event / probable number of events per year)
x Consequence (severity of risk event / possible loss from event)
x Vulnerability (likelihood or % of damages, given mitigation actions)
MINUS Risk Transferred (e.g. insurance)
= NET FINANCIAL RISK
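The slide's formula, carried through for a small portfolio of scenarios, as an added example that is not part of the ISA deck or the ISA-ANSI project. It goes slightly beyond the single multiplication on the slide: it applies the formula per scenario, caps the transferred amount at the gross risk (an over-insured scenario cannot have negative risk), totals the portfolio, and compares a candidate mitigation that lowers Vulnerability against its annual cost so a CFO can see whether it pays for itself. All scenario names, figures and the mitigation cost are constructed for illustration.

```python
"""Net financial risk per the ISA slide:

    Net Financial Risk = Threat x Consequence x Vulnerability - Risk Transferred

Threat        probable number of risk events per year
Consequence   possible loss per event, in currency units
Vulnerability fraction (0..1) of that loss expected given current mitigations
Transferred   annual amount carried by someone else, e.g. expected insurance recovery

Added example; every number below is constructed, not taken from the deck.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float          # events per year
    consequence: float     # loss per event
    vulnerability: float   # 0.0 .. 1.0
    transferred: float     # annual risk transferred (insurance etc.)


def gross_risk(s: Scenario) -> float:
    """Threat x Consequence x Vulnerability: expected annual loss before any transfer."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError(f"vulnerability for {s.name!r} must be a fraction in [0, 1]")
    if s.threat < 0 or s.consequence < 0 or s.transferred < 0:
        raise ValueError(f"negative input for {s.name!r}")
    return s.threat * s.consequence * s.vulnerability


def net_risk(s: Scenario) -> float:
    """Gross risk MINUS risk transferred.

    Transfer is capped at the gross figure: insurance above the expected loss
    leaves zero retained risk, not a negative one.
    """
    gross = gross_risk(s)
    return gross - min(s.transferred, gross)


def portfolio_net_risk(scenarios: list[Scenario]) -> float:
    """Total retained annual risk across all scenarios."""
    return sum(net_risk(s) for s in scenarios)


def mitigation_net_benefit(s: Scenario, new_vulnerability: float, annual_cost: float) -> float:
    """Annual benefit of a control that lowers Vulnerability, net of its cost.

    Positive means the control reduces retained risk by more than it costs.
    """
    mitigated = replace(s, vulnerability=new_vulnerability)
    return (net_risk(s) - net_risk(mitigated)) - annual_cost


# Constructed sample portfolio (hypothetical values chosen to be exact in binary).
SCENARIOS = [
    Scenario("ransomware outage", threat=0.5, consequence=2_000_000, vulnerability=0.25, transferred=100_000),
    Scenario("insider data theft", threat=0.25, consequence=400_000, vulnerability=0.5, transferred=0),
    Scenario("DDoS on web storefront", threat=2.0, consequence=40_000, vulnerability=0.25, transferred=50_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:24s} gross={gross_risk(s):>12,.0f} net={net_risk(s):>12,.0f}")
    print(f"{'portfolio net risk':24s} {'':>18s} {portfolio_net_risk(SCENARIOS):>12,.0f}")
    # Hypothetical control: halve the ransomware vulnerability for 60,000 per year.
    benefit = mitigation_net_benefit(SCENARIOS[0], new_vulnerability=0.125, annual_cost=60_000)
    print(f"ransomware control net benefit: {benefit:,.0f} per year")
```

The DDoS scenario is the edge case worth noticing: its transferred amount exceeds its gross risk, so its net risk is zero rather than negative, and the excess premium is money spent for no further reduction. Running the script shows the ransomware control returning a positive net benefit, i.e. it lowers retained risk by more than it costs, which is the business case the slide deck says CFOs are asking for.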

Slide 26/31

Sample Questions: Business Operations

What's our single biggest vulnerability?
How long are we down, and how soon do we want to be up?
Are we complying with SoA standards?
Are we properly staffed?
Have we assessed physical security?
Incident response/continuity plans?
Risk exposure from vendors?
How often do we re-evaluate risks?

Slide 27/31

Sample Questions: Legal

Analyzed liabilities?
What legal rules apply to us or to 3rd parties?
Vulnerable to class action/shareholder suits?
Legal exposure to government investigations?
Do our contracts protect us enough?
Multi-state laws apply?
Exposed to trade secret theft?


Slide 30/31

Sample Questions: Human Resources

Does everyone understand our $ risk?
Attract/retain the right personnel?
Are we managing the human vulnerability?
Is the org structured for teamwork?
Audit network access (esp. at termination)?
Address social networking & public sites?
HR assessment includes cyber security?
Discipline policy adequate for monitoring?

Slide 31/31

Larry Clinton, President
Internet Security Alliance, [email protected]
703-907-7028
202-236-0001