Rachel Dixon was the former head of digital identity projects at the Digital Transformation Agency and is now responsible for privacy and data protection in the office of the Victorian Information Commissioner.
Rachel has had “a diverse and impressive career holding senior positions in the private sector for Australian and International technology companies, where she led large teams and developed expertise in the areas of data, privacy, cyber security and information security”.
Welcome Rachel.
To speak to you about considering information security in risk management, we have Jonathon Masom from the Victorian Managed Insurance Agency (VMIA).
Welcome Jonathon.
The concept of risk is related to other concepts which have a slightly different emphasis.
An issue: A present problem or concern influencing organisational objectives. A risk can become an issue, but an issue is not a risk!
A hazard: Anything that has the potential to harm people or property. A risk arises when it is possible that a hazard will actually cause harm.
An event: An occurrence or change of a particular set of circumstances. An event can:
• Be one or more occurrences, and can have several causes
• Consist of something not happening
• Sometimes be referred to as an ‘incident’ or ‘accident’
• Without consequences, also be referred to as a ‘near miss’
An incident is: An event or circumstance which could have, or did lead to, unintended and/or unnecessary harm to a person and/or a complaint, loss or damage.
Key Message
Risk management is not a ‘nice to have’ - agencies have legislated obligations with respect to risk management and as an employee you need to be aware of what those obligations are and operate within them.
Agencies are expected to attest in their annual reports that: they have risk management processes in place consistent with the Standard (or its successor); these processes are effective in controlling risks to a satisfactory level; and a responsible body or Audit committee verifies that view.
Agencies have obligations with respect to Risk Management that come from Standing Direction 4.5.5 and are supported by the VGRMF.
Keypoints:
The Board or Accountable Officer:
Is ultimately responsible for the risk management framework.
Must ensure that it understands its responsibilities and has in place a mechanism to assure itself that it is meeting those.
May choose to delegate some responsibilities to a committee or Executive and senior management.
Delegation of responsibilities does not negate the Board’s or Accountable Officer’s responsibilities and accountabilities with respect to risk management.
• A board is ultimately responsible for oversight of the risk management framework
Under the Public Administration Act 2004 (s.81(1)(b)) a Board of a public entity governed by Division 2 of Part 5 of the Public Administration Act must inform the responsible Minister and the relevant Department Head of:
Talk through the three key elements of VMIA’s model RM framework: Risk Governance, Resources & Capability and Process. “Process” will be dealt with in more detail later in the training.
Also highlight the link to an agency’s overall corporate governance and its corporate planning process.
The Risk Management Framework includes a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.
A risk management framework is not one discrete policy or document, it comprises the totality of the structures, policies, strategies, procedures and resources within an organisation that support risk management. Each organisation is unique and must ensure that a risk management framework is implemented and appropriate to the activity, size and complexity of the organisation, aligns with the defined risk profile and meets legislative or government policy requirements.
Q. What do you know about your organisation’s risk management framework?
Agencies must adopt the approach outlined in this VGRMF and have in place a risk management framework to provide for consistent risk management practices across the public sector, aligned with the AS/NZS Standard or its successor.
A Risk Management Framework provides:
Systematic approach to risk identification & management.
Consistent risk assessment criteria.
Accurate and concise risk information, for decisions.
Cost effective and efficient risk treatment strategies.
Ensure risk exposure remains within acceptable level.
Refer participants to the template towards the back of the PG.
Group Activity – Card “Write a Risk”
The aim of this is to get them to practice identifying a few risks before we get into risk assessment and evaluation.
There are varying ways to identify a risk and the Standard doesn’t prescribe one way. How a risk is described will influence how it will be addressed or understood. The risk needs to reflect what is useful and makes sense to people who are reading it. For example, it is no good saying ‘OHS’ is a risk as it is too broad.
There are categories of risks that an organisation puts together to help make sense of risk.
Thank you Jonathon.
Now I am pleased to welcome Anna Harris, where we will cover steps 3-5 of the VPDSF 5 step action plan in more detail.
The VPDSF five step action plan neatly ties in with the existing risk management process as Jonathon discussed, to assist you in identifying your security risks. It is no different to your current risk management process.
So let’s revise steps 1 and 2 briefly and where they fit in…
Steps 1 and 2 have the beauty of assisting twofold.
First, you have already undertaken steps 1 and 2 to identify ALL the information handled in your organisation and undertaken a valuation assessment on these, which will form part of establishing your overall risk context when you look at the risk methodology, i.e. the internal operating environment (organisational context) along with other internal and external factors affecting your organisation, such as regulatory and operational requirements.
Second, these two steps also play a part in the risk identification stage of the risk assessment process, whereby you take the information assets that you have identified in step 2 as the more critical information in your organisation. This is a prioritisation step so you can focus on the more important assets and undertake the risk assessment process on these rather than on all your assets. We will touch upon this a little more further in the presentation.
For more information regarding the actual step 1 and 2 process, refer to our published information security management collection and check out our September VISN forum recording (available on our website).
The focus of this session is steps 3, 4 and 5 of the five step action plan, where you take the input from both steps 1 and 2 as well as the VPDSS self assessment process that organisations are asked to undertake, where you may have identified some gaps you wish to risk assess if they cannot be implemented.
These three steps focus on identifying and assessing your security risks, making good choices on which security measures to apply to protect your information, and managing the risks across the information lifecycle.
How do you complete this? As well as making sure you follow your organisation’s existing risk methodology, we have tried to assist you by developing the assurance collection published on our website, which contains all the answers and also includes examples and some appendices such as:
- sample templates such as the risk assessment and treatment plan, which we will discuss further, and the VPDSS self assessment
- summaries of the various assessment steps
The information contained in this collection will assist you in completing steps 3 – 5 of the VPDSF 5 step action plan.
So why do we need to do this? Now that you know what information you have and its corresponding value to your organisation, you can identify the security risks to your more important assets (your crown jewels) so you can ensure effective, efficient and economic investment in security.
The value of this exercise to your organisation, which Tony will touch upon in his presentation, includes:
• providing context and meaning of the event, cause and impact for each risk for ongoing management and oversight
• assisting in directing outcomes of treatment planning
• providing meaningful information for reporting
• reducing over or under investment in measures, and
• aligning the ‘uncertainty’ to the business objectives
Lastly, the other plus is that after this process you will have completed some of your obligations under the Privacy and Data Protection Act, including the security risk profile assessment (SRPA) and the detailed protective data security plan (PDSP).
To that end, to assist with the risk assessment stage, Chapter 1 Appendix A of the Assurance Collection has a sample SRPA template that organisations who do not have a risk register can adopt, and those who do have a register can use to check against.
Feel free to continue to use VMIA’s risk templates as well if these are already used within your organisation. This is just an additional resource.
The risk management process outlined in Chapter 1 of the Assurance Collection follows the same risk management process as the international standard 31000 that Jonathon discussed. We did not set out to develop something bespoke to security that everyone needed to learn about. The same risk process is followed to identify the security risks to your information as for other risks in your organisation, such as financial, OHS risks etc.
So let’s start at the start - risk identification, which is outlined in section 10 of the collection. Let’s work our way down.
Now that you have completed steps 1 and 2 to establish your overall information risk context, it’s time to select the crown jewels, or the higher value (more critical) information assets, to focus on, and:
• the possible events that may occur to these,
• the potential causes of these events,
• the possible impacts, which have already been identified in step 2, so you can keep that in your back pocket.
These will enable you to formulate your risk statement.
So let’s walk through an example…
The bow tie approach is one way to assist with formulating your risk statement. It’s a great visualisation tool to identify the possible risk scenarios for a particular event.
It’s time to tell the risk story…
When you are looking at a risk event (in the centre of your bow tie) for your most critical information that you have identified, it may be something like unauthorised access leading to compromise of the information (whether that’s a compromise to either its confidentiality, integrity or availability, maybe theft/modification/disclosure/destruction).
In terms of causes, to the left of the bow tie, you are looking at how this event may eventuate, be it natural, accidental or deliberate. The International Standard ISO 27005 has a list of threats in its Annex. For example, this risk event may occur due to:
- A disgruntled employee
- Malicious outsider
- Opportunistic contractor
- A natural weather occurrence
The consequences on the right hand side thankfully have already been taken care of for this asset via your business impact level valuation assessment (Step 2), so you plug the outputs of the affected categories that gave rise to the higher value rating in here. For example, this event may result in:
• Personal injury
• Compliance issues
• Financial loss
Bring this together to now formulate your risk statement. For example:
The risk of unauthorised access leading to disclosure of information
Caused by a malicious outsider (upset about the organisation’s stance on a topic) / or a malicious insider upset about being overlooked for a promotion and exploiting a system / other personnel
Resulting in harm to an individual’s safety / loss of public confidence and trust / financial loss
What you may find is that your identified security risks are not all that different to your neighbour’s, but what may differ is your internal risk criteria to rate the risks, your organisation’s risk tolerance, the current controls you have in your environment and the controls you plan to implement to mitigate/reduce the risk.
So you have your risk statement; let’s move to risk analysis. It’s time to rate the likelihood of this risk occurring, understanding the current controls you have in place, and the level of consequence, e.g. insignificant vs major.
Generally, the controls you have in place won’t necessarily change the impact level if the risk was to eventuate, but will affect whether the risk actually occurs in the first instance, i.e. what is the likelihood of this event happening with the current controls? e.g. rare, possible, almost certain.
We recommend you use your organisation’s enterprise risk criteria/matrix to complete this step to arrive at your corresponding risk rating.
We often get the question, what is the difference between the business impact level ratings in step 2 and the consequence rating table used in risk? The BILs look specifically at the impact related to the compromise of the confidentiality, integrity and availability (CIA) of information and are closely aligned with other BIL tables on purpose, to enable information sharing across jurisdictions. Consequence criteria take into consideration other factors, including the organisation’s tolerances. We recommend that business impacts are mapped to your organisation’s risk consequence criteria. Whilst not always an easy match, the categories identified in the BIL table are covered more loosely/broadly in risk criteria, so a mapping of sorts should be made to enable the application of your enterprise risk framework to your information security risks.
The business impact level you came up with in step 2 when doing your valuation assessment for this asset can be used to map to your consequence criteria. Section 10.2.2 in the Collection discusses aligning the business impact levels with your risk consequence criteria so you can make sure the risk ratings for your information assets are proportionate with your other risks in your organisation’s risk framework and the application of treatment options is consistent.
The risk evaluation process is no different to normal risk management and is also covered in the VMIA practice guide and assurance collection, so we will quickly go over this…
10.3.1 Risk treatment options
The four potential options for treating each risk are the same as in normal risk management: accept the risk as is, avoid or share the risk, or reduce the risk by adding additional treatment options.
10.3.2 Risk appetite
Risk appetite is the amount and type of risk that your organisation is willing to take to achieve its objectives. Risk appetite will vary from organisation to organisation, and it influences and guides decision-making. Risk appetite may also vary within your organisation depending on the criticality of information/services that may be affected by the risk.
10.3.3 Prioritisation of risk treatment
To determine with what urgency you should address risks, they must first be prioritised. Risks with the highest risk rating are normally attended to first. Typically, additional considerations may include:
• safety – what are the implications if the risk is not addressed?
• cost – how much will it cost to reduce the risk (and will the benefits outweigh the expenditure)?
• reputation – what is the likely effect on reputation if the risk is not treated?
• legal obligations – is the organisation likely to be unable to meet its legal obligations if the risk is left in its current state?
• occurrence – which risks are more likely to occur? You would have identified this with your likelihood rating (tackle the ‘almost certain’ ones first).
Lastly, you have reached risk treatment, where you identify possible security measures across the security domains of:
- Information
- Personnel
- ICT
- Physical
They may be additional equipment, stronger personnel screening, specific contract clauses, governance arrangements, policies and procedures, training…
The VPDSS elements may also assist here to identify what measures to consider, and they are not always IT controls!
And then, once you have selected your security measures to mitigate the risk from occurring, re-assess the likelihood and consequence to get the residual risk for acceptance by management.
Now that you have a list of security measures to implement from the risk assessment, to minimise the risks to your information to a manageable level for your organisation, extract this list of security measures and populate your detailed protective data security plan (PDSP), which is in the Assurance Collection, identifying details such as the:
- implementation plan
- implementation owner
- tie back to the corresponding VPDSS element, to help you with your reporting
- any project sponsors, if it’s not a BAU activity
- budget
- status
- due date
You should also add the gaps of elements not implemented that were identified in your VPDSS self-assessment to this treatment plan (if not already listed) so they are in the one document.
This will ensure you have an approved security program for the next period to focus your security investment, and you also fulfil your detailed PDSP obligations.
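To make the risk story concrete, here is an added worked example (written for this page; it is not code from the presentation, OVIC, VMIA or the Assurance Collection) that carries one bow tie through steps 3 and 4: formulating the risk statement, mapping the Step 2 business impact level onto a consequence scale, rating current and residual risk on a likelihood/consequence matrix, prioritising, and extracting the selected measures into PDSP-style rows. The likelihood and consequence scales, the 5x5 matrix and the BIL-to-consequence mapping are illustrative assumptions standing in for your organisation’s own enterprise risk criteria; the asset name, owners and the second (flood) risk are constructed, while the unauthorised-access scenario is the one from the slides.

```python
"""Bow tie -> rated risk -> prioritised treatment plan (illustrative, not OVIC/VMIA code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative scales and 5x5 matrix (constructed). Substitute your organisation's
# enterprise risk criteria/matrix, as the presentation recommends.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "severe"]
MATRIX = [  # rows: likelihood, columns: consequence
    ["low",    "low",    "low",    "medium",  "medium"],
    ["low",    "low",    "medium", "medium",  "high"],
    ["low",    "medium", "medium", "high",    "high"],
    ["medium", "medium", "high",   "high",    "extreme"],
    ["medium", "high",   "high",   "extreme", "extreme"],
]
RATING_ORDER = ["low", "medium", "high", "extreme"]
# Illustrative Step 2 BIL -> consequence-criteria mapping (section 10.2.2 asks you
# to align the two; this particular table is an assumption).
BIL_TO_CONSEQUENCE = {1: "minor", 2: "moderate", 3: "major", 4: "severe"}


def rate(likelihood: str, consequence: str) -> str:
    """Look up the rating for a likelihood/consequence pair in the matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class BowTie:
    asset: str
    event: str          # centre of the bow tie
    causes: List[str]   # left-hand side: natural, accidental or deliberate
    impacts: List[str]  # right-hand side: impact categories from the Step 2 valuation
    bil: int            # business impact level from Step 2

    def statement(self) -> str:
        """Risk statement in the 'risk of / caused by / resulting in' shape."""
        return (f"The risk of {self.event} to {self.asset}, caused by "
                f"{' / '.join(self.causes)}, resulting in {' / '.join(self.impacts)}")


@dataclass
class Treatment:
    measure: str
    domain: str                 # Information, Personnel, ICT or Physical
    owner: str
    vpdss_element: str = "TBC"  # placeholder: tie back to the relevant VPDSS element
    status: str = "planned"


@dataclass
class Risk:
    bowtie: BowTie
    current_likelihood: str                    # with the controls already in place
    treatments: List[Treatment] = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # re-assessed after treatments

    def consequence(self) -> str:
        # Controls move likelihood, not the impact if the risk eventuates,
        # so the consequence comes straight from the Step 2 BIL.
        return BIL_TO_CONSEQUENCE[self.bowtie.bil]

    def current_rating(self) -> str:
        return rate(self.current_likelihood, self.consequence())

    def residual_rating(self) -> str:
        return rate(self.residual_likelihood or self.current_likelihood, self.consequence())


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest rating first; within a rating, the more likely risk first."""
    return sorted(risks, key=lambda r: (RATING_ORDER.index(r.current_rating()),
                                        LIKELIHOOD.index(r.current_likelihood)),
                  reverse=True)


def pdsp_rows(risks: List[Risk]) -> List[dict]:
    """Extract the selected measures into detailed-PDSP style rows."""
    return [{"measure": t.measure, "domain": t.domain, "owner": t.owner,
             "vpdss_element": t.vpdss_element, "status": t.status,
             "risk": r.bowtie.statement()}
            for r in risks for t in r.treatments]


def example_register() -> List[Risk]:
    """Constructed register: the slides' unauthorised-access scenario plus a flood risk."""
    disclosure = Risk(
        bowtie=BowTie(asset="client case records",
                      event="unauthorised access leading to disclosure of information",
                      causes=["a malicious outsider", "a malicious insider exploiting a system"],
                      impacts=["harm to an individual's safety",
                               "loss of public confidence and trust", "financial loss"],
                      bil=3),
        current_likelihood="possible",
        treatments=[Treatment("Multi-factor authentication on the case system", "ICT", "ICT manager"),
                    Treatment("Stronger personnel screening for case workers", "Personnel", "HR manager")],
        residual_likelihood="unlikely")
    flood = Risk(
        bowtie=BowTie(asset="client case records", event="loss of availability of information",
                      causes=["a natural weather occurrence (flood)"],
                      impacts=["compliance issues", "financial loss"], bil=2),
        current_likelihood="rare")
    return [flood, disclosure]


if __name__ == "__main__":
    for r in prioritise(example_register()):
        print(f"{r.current_rating():>7} -> {r.residual_rating():<7} {r.bowtie.statement()}")
```

Running it, `prioritise(example_register())` puts the unauthorised-access risk (rated high) ahead of the flood risk (rated low); after the two treatments its residual rating drops to medium because only the likelihood moves while the consequence stays anchored to the Step 2 BIL, which is the point made above about current controls affecting likelihood rather than impact. The `pdsp_rows` output is the list you would carry into the detailed PDSP, with the VPDSS element left as a placeholder to be filled in.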
As part of the lifecycle, the final step in the 5 step action plan is the review stage.
Remember this is not a set and forget exercise, and these risks should be managed with regular reviews across the information lifecycle.
Triggers for this review may be:
• Change of business context, e.g. machinery of government
• Addition/removal of an information asset
• Regular risk review cycle
• Incident where the risk has eventuated
If these risks are fed into your enterprise risk register, this will be included as part of this exercise.
The first time the 5 step action plan is done it will be quite a big task, but once the hard yards have been done hopefully it will get easier each time it is undertaken and with each review.
And now to hear from a VPS agency’s experience with the five step action plan, we are pleased to welcome Tony Smith from East Gippsland Water. Thank you Tony.
Thank you Tony, and before we finish up and take questions, Laurencia will provide an update on the upcoming 2018 reporting obligations.
After hearing feedback from executives across the VPS, our office has published a high-level Protective Data Security Plan (PDSP) with built in attestation for organisations to use to report to us in August this year.
This is essentially an executive summary of the detailed templates provided in our assurance collection. This will make it easier for your executive to sign off.
And here is one we prepared earlier… Sven has written to agencies to advise of the new reporting template that will need to be submitted to our office in August 2018.
As part of the updated reporting templates, we have also provided options for organisation reporting to our office, such as single or multiple reporting.
The reporting options in the template are just that, ‘OPTIONS’! The options are designed to reflect the unique operating arrangements that exist across Victorian government. This includes governance structures that often exist between larger lead agencies and smaller organisations that fall within the lead agency’s portfolio of responsibilities, and the provision of shared resources (including information technology and corporate functions). It also provides an opportunity for collaboration across agencies or bodies that perform a similar function.
Single organisation model – An organisation submits a high level PDSP and provides an attestation on its own behalf only.
Multiple organisation model – An organisation submits a consolidated high level PDSP and provides an attestation on its own behalf, and for and on behalf of one or more additional public sector agencies or bodies.
The multiple organisation model may be used in a portfolio setting where agencies or bodies fall within the portfolio of responsibilities of a Department, or where a number of organisations of a similar form or function choose to consolidate their efforts. While this approach will assist you in meeting your reporting obligations, your public sector body Head is still accountable for the protection of its information assets. Accountability cannot be transferred or outsourced.
Before we open the floor to questions from the audience and those that have come in via slido, these are a handful of questions we commonly receive in the data protection branch.
Do I need to complete the templates in the collection? The PDSP and VPDSF self-assessment templates in the assurance collection will actually help you to complete the new reporting templates. Think of them as the detail to enable you to write your executive summary for your public sector body head and relevant committees, to get a high level understanding of your security posture and the plans to improve this.
What happens if I don’t? Without completing these more detailed documents, it will be difficult to write the summary for the executive to attest, as these will provide you with the reasons/explanations/justification for why and how the security status was derived. These documents will also be requested by our office in the event we conduct one of our assurance activities under the assurance model, e.g. walkthroughs, reviews.
Do I need to be compliant by 2018? We still get organisations calling us asking if they need to be compliant with the standards by mid this year. To be compliant with the legislation, your organisation needs to submit the high level PDSP and attestation to our office – that is the compliance part. In terms of whether you need to have all 18 standards fully implemented by August 2018, the simple answer is NO, and hopefully the executive summary report that is submitted to our office re-iterates that this is just a plan of your security activities for the next two years to improve information security in your organisation.
What are the VPDSS elements? Are they mandatory? We introduced the elements into the VPDSS to assist organisations with the baseline measures they should consider when implementing the Standards. These are not additional measures; all they are is a consolidated extract from each of the reference libraries listed under each standard. This helps organisations to not have to trawl through all the literature to determine the key actions to meet the intent of each standard. In a way they are mandatory – the ones that you determine to be applicable to your organisation will be the ones we expect to see operating in your environment if you reported full compliance to our office.
What is an information security lead? As many of you may be aware, in the second half of 2017 our office sought nominations for an information security lead from each organisation, to enable us to have a point of contact to liaise on information security matters, including informing them of new material we produce, upcoming events such as the VISN and any changes to the framework. This ‘lead’ should not stop others from contacting us. We will continue to answer any security enquiries we receive. If your organisation does not want anyone else other than the lead to contact us, this is an internal governance issue for your organisation to work out. If your information security lead would like visibility of the type of questions that come from others within your organisation, we can include the lead in our return correspondence. We do encourage organisations to keep us informed of any changes to information security leads so we can ensure your organisation is getting the latest information from us.
And to book into a risk training session, contact VMIA.