Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.
Information Security: The First 90 Days and Beyond
Renee Guttmann
VP, Information Risk Management, Office of the CISO
Our Changing World Requires Us to Adapt
• Infrastructure revolution
• An always-on, always-connected world
• Data explosion
• Tougher regulation and standards
• Media sensationalizing information security breaches
• Board-level attention
• Shortage of skilled information security practitioners
Lessons Learned
• Get to know the business and the people (inside the company and at key vendors)
• Understand perceptions: what is working, what is not working
• Benchmarking is important, and an art form
• Define key assumptions and risks, then socialize them
• Application security pulls a long train
• The six-month rule
• Having difficult conversations
The Goal: Seek stakeholder engagement and drive business value.
Requires:
• Understanding and involvement
• Transparency
Be pragmatic. And patient.
Evangelize in business language.
Develop and document the plan.
Establish the CISO and the security team as trusted resources.
The State of Information Security
Security Program Map: Comprehensive Capabilities
[Figure: a matrix of security program capabilities. Business side: Security Strategy; Planning and Management (Planning and Risk Management, Policies and Procedures, Compliance Management, Team Development); Monitoring and Operations (Situational Awareness, Testing and Assessment, Incident Response). Technical side: Threats and Intelligence; Defenses and Controls, each across System, Network, Endpoint, Application, Data, User and Emerging.]
State of Information Security (one-page summary template)
• Information Security Strategy: a clear and concise statement that summarizes the key objectives
• Trending Threats
• Risk Drivers
• State in 2014: metrics describing the initial state
• State in 2017: metrics describing the future state
• Top Initiatives
• Top Beliefs and Assumptions
Each section of the template lists up to five items.
Role of the Executives and Board
#1 Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.
#2 Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
#3 Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
#4 Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
Governance and Risk Management
(Columns of the original assessment table: Service | Maturity Level | Relative Risk | Likelihood | Impact of Threat | Key Attributes | Observations | Relative Level of Effort | Recommendation | Relative Costs)

Service: Information Security Policies
Maturity Level: 4 | Relative Risk: Low | Likelihood: Low | Impact of Threat: High
Key Attributes:
• Written security policies
• Policies are structured according to a recognized standard (e.g. ISO 27001)
• Policies have been approved by executive management
• Policies have been published and communicated
• Policies have been formally reviewed and updated within the last 12 months
Observations: Policies exist and are updated annually. No executive management approval. Not developed to meet security standards.
Relative Level of Effort: 1
Recommendation: Establish an update process and executive approval/support
Relative Costs: $$

Service: Information Security Awareness & Training
Maturity Level: 2 | Relative Risk: Medium | Likelihood: High | Impact of Threat: Moderate
Key Attributes:
• Training provided to all new staff
• Refresher training provided annually
• Training is job-role related
• Training includes a testing component
• Logs of training are maintained
Observations: No training for new employees and no refresher training for existing staff.
Relative Level of Effort: 1
Recommendation: Utilize PhishMe, "Catch of the Day"
Relative Costs: $

Service: Information Risk Governance
Maturity Level: 1 | Relative Risk: High | Likelihood: High | Impact of Threat: High
Key Attributes:
• Steering committee exists
• Steering committee is made up of corporate support functions, executive management and the security leader
• Steering committee meets monthly
• Steering committee is briefed on current events, approves new projects and policy exceptions
• Minutes are kept of meetings
Observations: No information security steering committee implemented.
Relative Level of Effort: 1
Recommendation: Develop strategy/plan; resource plan/staff the steering committee
Relative Costs: $

Service: Information Security Project Risk Reviews
Maturity Level: 3 | Relative Risk: Medium | Likelihood: Medium | Impact of Threat: Moderate
Key Attributes:
• Information security requirements are integrated into projects
• Internal SDLC process includes information security gates
• Information security is a required sign-off prior to implementation
• Outsourcing projects are reviewed and approved by information security
Observations: Projects that use the change management system are reviewed by information security. Unclear whether consistent criteria for approval are used.
Relative Costs: $$

Service: Incident Response
Maturity Level: 3 | Relative Risk: High | Likelihood: Medium | Impact of Threat: High
Key Attributes:
• IRP developed and documented
• IRP is tested on a regular basis
• Different IRP scenarios are tested
• IRP team members are trained
• Incidents are classified by risk level
Observations: IR plan needs update and testing. Additional scenarios developed.
Relative Level of Effort: 1
Recommendation: Update the IR process; tabletop-test IR plan scenarios
Relative Costs: $

Service: Security Metrics
Maturity Level: 1 | Relative Risk: Low | Likelihood: High | Impact of Threat: Low
Key Attributes:
• Operational security metrics are measured and reported
• Risk posture is measured and reported to senior management
Observations: No security metrics.
Relative Level of Effort: 2
Recommendation: Establish security operations metrics
Relative Costs: $

Service: Third Party Risk Management
Maturity Level: 1 | Relative Risk: High | Likelihood: High | Impact of Threat: High
Key Attributes:
• Inherent risk is measured for all third parties
• Business profile risk is measured for all third parties
• Due-diligence reviews are based on level of risk
• Due diligence is performed by risk level for all third parties
Observations: No third-party management process.
Relative Level of Effort: 2
Recommendation: Implement third-party processes and reviews
Relative Costs: $$$$

The services in the Governance and Risk Management domain provide the people, processes and technology to identify and manage the overall information risk program. The key services in this domain are designed to inform the executive team of the risk to the critical information assets and how to manage it, and to provide a governance process that reports on current risk levels and manages them over time.
Role of the Executives and Board
#5 Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
The Security Journey
A business-aligned strategy starts with understanding the business objectives, compliance objectives, threats and risks, and then creates a security program that enables the business while protecting the information and the organization from real threats.
[Figure: security program maturity stages, in order: Ad hoc; Infrastructure based; Compliance based; Threat based; Business-aligned / Risk based / Data centric. Shortcut = failure to pass.]
Establish a Culture of Information Risk Management: Call to Action
• Obtain and review the NACD Cyber Risk Oversight handbook.
• Seek stakeholder engagement and create a governance committee.
• Understand key business risks and objectives. Document assumptions.
• Develop a roadmap and socialize it.
• Be pragmatic. And patient.
• Speak and write in business terms.
Q&A
1125 17th Street, Suite 1700, Denver, CO 80202
800.574.0896