CYBER RISK ASSESSMENT CYBER SECURITY WORKSHOP

CYBER SECURITY WORKSHOP · Control Assessment Deliverable • The assessment results employ 1-5 maturity scale; 1 being the least mature (Initial or Ad-Hoc) and 5 being the most mature


Page 1

CYBER RISK ASSESSMENT
CYBER SECURITY WORKSHOP

Page 2

Agenda

• Protecting your company’s valuable information
• Cyber risk and corporate governance
• Cyber risk assessment methodology
• Why Coalfire

Page 3

Cyber Incidents Are On the Rise

• The annual average cost per company of successful cyber attacks was:
  – $20.8 million in financial services
  – $14.5 million in technology
  – $12.7 million in communications industries
  – $8.6 million in retail

• The total number of security incidents detected in 2014 grew 48% from 2013.

• 82% of companies predicted they were either “likely” or “very likely” to be victimized in 2015.(1)

• Organizations detect 135 cybersecurity incidents each year(2)

(1) Source: Ponemon Institute; State of Cybersecurity: Implications for 2015, ISACA and RSA Conference Study

(2) PWC, Managing Cyber Risks in an Interconnected World, Sept. 30, 2014

[Bar chart: Number of Cybersecurity Incidents in Millions (1), by year 2009–2014. Recoverable series: 2009: 3, 2010: 9, 2011: 23, 2012: 25, 2013: 29, 2014: 43. Y-axis 0–45.]

Page 4

Protecting an Organization’s Valuable Information

• More than 80% of public company board members report that cybersecurity is discussed at most or all boardroom meetings(1)

• A surprising 66% of them are not fully confident their companies are properly secured against cyberattacks(1)

(1) Security Week: NYSE Survey Examines Cybersecurity in the boardroom, May 28, 2015

Page 5

AVERAGE COST OF REMEDIATING CYBER BREACHES IS $8.6 MILLION(1)

(1) Ponemon Institute; State of Cybersecurity: Implications for 2015 ISACA and RSA Conference Study

Page 6

World’s Largest Data Breaches Since 2012

Page 7

Impacts of a Cyber Event

• Lost Productivity
  – Time to identify and contain the breach
  – Business continuity management
  – System down time

• Loss of Competitive Advantage
  – Trade secrets
  – Patents
  – Customer records
  – M&A activities

• Damaged Reputation
  – Brand/PR
  – Perceived valuation

• Compliance Breaches and Fines
  – PCI DSS
  – HIPAA
  – SOX
  – Privacy Rules

Page 8

Regulation & Penalties

• The FTC has won the right to take action on behalf of consumers, when a company fails to take reasonable steps to protect sensitive consumer

• The SEC has been raising its expectations for what cybersecurity details companies must disclose in public filings

• The Cybersecurity Disclosure Act has consequences for publicly traded companies

“The Cybersecurity Disclosure Act… would require companies to say whether anyone on their board has cybersecurity experience or expertise...”

“Appeals Court ruling solidifies Federal Trade Commission’s authority to take action against companies whose data breaches expose customer information.”

http://ubm.io/1KIjjC9 http://on.wsj.com/1Qqoizh

Page 9

Top Board of Directors Questions

• What are the crown jewels of our company?
• How does our Cybersecurity program compare to our peers?
• Are we spending the right amount of money on security?
• Could something like ______ happen to us?
• Would we be able to recover from a cyberattack?

Page 10

Cyber Risk is Now a Matter of Corporate Governance

• Cyber risks present real and present dangers to business operations, profits, and for some, continued viability.
• Cyber risks are not just technology problems. They have legal, financial, operational and board governance implications.
• Corporate leaders have a fiduciary responsibility to understand and manage cyber risks.
• Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity.

Page 11

What Should Company Leadership Do?

• Complete a Risk & Controls Assessment
• Develop a Plan to Get to a Target State of Cybersecurity
• Monitor Progress
  – Audits
  – Penetration Testing
  – Key Risk Indicators

Page 12

Overall Methodology

Phase 1: Risk Assessment
• Information Assets
• Threats (Adversarial & Non-adversarial)
• Vulnerabilities
• Loss Exposure

Phase 2: Controls Assessment
• Frameworks & Standards
• Audits & Testing
• Maturity Ratings
• Gap Analysis

Phase 3: Remediation Plan (Risk Reduction)
• Best Practices
• Quick Wins
• Dependencies
• ROI Analysis

Page 13

Phase 1: Coalfire Risk Assessment

[Process diagram, four stages with their sub-steps:]
• IDENTIFY Information Assets: Classify, Business Impact
• ANALYZE Loss Exposure: Threats, Vulnerabilities
• DEFINE Priorities: Current State, Target State of Risk, Prioritize
• DEVELOP Recommendations: Recommend Treatment, Controls & Risk Register

Page 14

Risk Assessment Deliverables

[Heat map: NON-Adversary Asset Risk. Y-axis Likelihood (Unlikely / Somewhat Likely / Highly Likely); X-axis Impact (Limited / Serious / Catastrophic). Assets plotted: Public Websites, Intellectual Properties, Global Ad Mgmt Svc, Customer Data, Product Review Data, HR, Strategic Business Plan, Financial Application. Call-out: “High Impact, moderately likely occurrence”.]

Page 15

Risk Analysis

Findings Register

| Risk ID | Risk Description | Business Impact | Risk Category (Select) | Risk Function (Calculation) | Risk Type (Select) | Inherent Likelihood (Select) | Inherent Impact (Select) | Risk Reduction Recommendation | Reduce Likelihood / Reduce Impact | Residual Likelihood (Select) | Residual Impact (Select) | Residual Risk Rating (Calculation) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Roles and Responsibilities are not scoped for least privilege | Accounts are not identified by role, resulting in overly permissive privileges | Communications | Respond | Adversarial | Very High | High | Sample reduction recommendation | X / X | High | Moderate | Moderate |
| 2 | Formalized process for classifying assets and data are not adequately defined | Assets or data may be mishandled, compromised or not protected adequately | Asset Management | Identify | Non-Adversarial | Moderate | Moderate | Sample reduction recommendation | X | Moderate | Low | Low |


Risk Assessment Deliverables

| Threat Event (Select) | Threat Source (Select) | Range of Effects (Select) | Relevance (Select) | Likelihood of Event Occurring (Select) | Vulnerabilities and Predisposing Conditions (Select) | Vulnerability Severity (Select) | Likelihood Event Results in Adverse Impact (Select) | Level of Impact (Select) | Overall Likelihood (Calculation) | Level of Risk (Calculation) |
|---|---|---|---|---|---|---|---|---|---|---|
| Mishandling of critical and/or sensitive information by authorized users | IT Storage | High | Possible | Moderate | PR.AC: Procedures are not defined for the add, enable, modify, delete, or disable of information system accounts. | High | Moderate | High | Moderate | Moderate |
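The slide labels the Residual Risk Rating, Overall Likelihood and Level of Risk columns only as “(Calculation)”. The block below is an added example, not Coalfire’s workbook or code: it scores the slide’s own sample rows, and it assumes the qualitative combination tables of NIST SP 800-30 Rev. 1 (Table G-5 for overall likelihood, Table I-2 for level of risk), which the deck does not name but which reproduce its sample values.

```python
# Added example, not Coalfire's workbook. The slide only labels these columns "(Calculation)";
# the tables are assumed to follow NIST SP 800-30 Rev. 1 (Table G-5 overall likelihood, Table I-2 level of risk).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Level of risk: row = likelihood, column = impact, both ordered as LEVELS.
RISK = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}
# Overall likelihood: row = likelihood the event occurs, column = likelihood it results in adverse impact.
OVERALL = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
}

def lookup(table, row, col):
    if row not in LEVELS or col not in LEVELS:  # a mistyped "(Select)" cell must not score silently
        raise ValueError(f"unknown level: {row!r} / {col!r}")
    return table[row][LEVELS.index(col)]

def level_of_risk(likelihood, impact):
    return lookup(RISK, likelihood, impact)

def overall_likelihood(event_occurs, adverse_impact):
    return lookup(OVERALL, event_occurs, adverse_impact)

def score_finding(f):
    """Fill both rating columns of a findings-register row and flag residual
    values the ticked Reduce Likelihood / Reduce Impact boxes do not explain."""
    warnings = []
    for axis, flag in (("likelihood", "reduce_likelihood"), ("impact", "reduce_impact")):
        inh, res = LEVELS.index(f["inherent_" + axis]), LEVELS.index(f["residual_" + axis])
        if res > inh:
            warnings.append(f"residual {axis} exceeds inherent")
        if res < inh and not f.get(flag):
            warnings.append(f"{axis} dropped but {flag} not ticked")
    return {"inherent_rating": level_of_risk(f["inherent_likelihood"], f["inherent_impact"]),
            "residual_rating": level_of_risk(f["residual_likelihood"], f["residual_impact"]),
            "warnings": warnings}

# Findings register rows 1 and 2, transcribed from the slide (row 2 ticks only Reduce Impact here).
FINDING_1 = dict(inherent_likelihood="Very High", inherent_impact="High", reduce_likelihood=True,
                 reduce_impact=True, residual_likelihood="High", residual_impact="Moderate")
FINDING_2 = dict(inherent_likelihood="Moderate", inherent_impact="Moderate", reduce_impact=True,
                 residual_likelihood="Moderate", residual_impact="Low")
```

The threat-register row scores the same way: `overall_likelihood("Moderate", "Moderate")` and `level_of_risk("Moderate", "High")` both return "Moderate", matching the slide.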

Page 16

Phase 2: Controls Assessment Methodology

[Process diagram, three stages with their sub-steps:]
• DETERMINE Scope & Approach: Scope, Framework, Approach
• TEST & EVALUATE Controls: Policy, Design, Effectiveness
• DEVELOP Gap Report: Current Maturity, Desired Maturity

Page 17

Control Assessment Deliverable

• The assessment results employ a 1-5 maturity scale; 1 being the least mature (Initial or Ad-Hoc) and 5 being the most mature (Optimized)

• Each component/category within the assessment domain area was assigned a maturity rating indicated by the symbol C to represent the current state; and the symbol G to represent the short term target (or goal) state

| Rating | Level | Description |
|---|---|---|
| 1 | Initial or Ad-hoc | Little or no evidence of process and achievement of purpose |
| 2 | Repeatable / Intuitive | Processes are largely reactive, informal or inconsistent |
| 3 | Defined | Processes are defined, documented and implemented with a capability to achieve desired outcomes |
| 4 | Managed & Measured | Processes are implemented and operate effectively within defined limits to achieve outcomes |
| 5 | Optimized | Processes are continuously improved to meet current and projected enterprise goals and objectives |

[Rating bar 1 2 3 4 5, marked C (current state) and G (goal state)]

Page 18

Phase 3: Remediation Plan

[Process diagram, three stages with their sub-steps:]
• ANALYZE Control Recommendations: Cost, Benefit, Dependencies, Quick Wins
• DEVELOP Schedule: Priority
• ESTABLISH Governance: Oversight, Accountability

Page 19

Phase 3: Remediation Plan

[Roadmap with three columns, labelled Year 1 and Year 2 across the top:]

Quick Wins
• Admin Access Controls
• Vulnerability Management
• Incident Response
• Security Logging
• System Hardening
• Encryption Standardization

Near Term
• Multi-Factor Authentication
• Role Based Access Controls
• Security Alert Monitoring
• Configuration Management
• Security Policy and Procedures

Long Term
• SDLC and Secure Coding
• Vendor Risk Management
• Data Loss Prevention
• Threat Intelligence
• On Going Cyber Risk Management

Page 20

Why Coalfire?

[Word cloud: METHODOLOGY, RIGOROUS, EFFICIENT, TRUSTWORTHY, INDEPENDENT, VENDOR-NEUTRAL, VALUE, EXPERIENCE, TEAM, CONFIDENCE, EXACTING, METICULOUS, KNOW-HOW, MATURITY, PATIENCE, SKILL]

Page 21

Client Experience

• Cloud Service Providers
• Financial Institutions
• Government/Public Sector
• Healthcare & Life Sciences
• Higher Education
• Hospitality
• Retail
• Payments
• Restaurants
• Utilities
• Insurance
• Private Equity

Page 22

Presenters Contact Information

Greg Miller
Sr. Practice
[email protected]