Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.

Page 1

Information Security: The First 90 Days and Beyond

Renee Guttmann
VP, Information Risk Management
Office of the CISO


Page 2

Our Changing World Requires Us to Adapt

• Infrastructure revolution
• An always-on, always-connected world
• Data explosion
• Tougher regulation and standards
• Media sensationalizing information security breaches
• Board-level attention
• Shortage of skilled information security practitioners

Page 3

Lessons Learned

• Get to know the Business and People (Inside/Key vendors)
• Understand Perceptions: What's working, what's not working
• Benchmarking is Important and an Art Form
• Define Key Assumptions and Risks - Socialize
• Application Security Pulls a Long Train
• Six Month Rule
• Having Difficult Conversations

Page 4

The Goal: Seek stakeholder engagement and drive business value.

Requires:
• Understanding and involvement
• Transparency

Be pragmatic. And patient.

Evangelize in business language.

Develop and document the plan.

Establish the CISO and Security Team as Trusted Resources

Page 5

The State of Information Security

Page 6

Security Program Map: Comprehensive Capabilities (diagram)

Capability rows: Planning and Risk Management; Policies and Procedures; Compliance Management; Team Development; Situational Awareness; Testing and Assessment; Incident Response.
Asset columns: System, Network, Endpoint, Application, Data, User, Emerging.
Other labels on the map: Business; Technical; Threats and Intelligence; Defenses and Controls; Planning and Management; Monitoring and Operations; Security Strategy.

Page 7

State of Information Security (one-page strategy template)

• Trending Threats
• Risk Drivers
• Information Security Strategy: Clear and concise statement that summarizes key objectives
• State in 2014: Metrics describing the initial state
• State in 2017: Metrics describing the future state
• Top Initiatives
• Top Beliefs and Assumptions

Page 8

Role of the Executives and Board

#1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.

Page 9

Role of the Executives and Board

#2: Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.

Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.

Page 10

Role of the Executives and Board

#3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.

Page 11

Role of the Executives and Board

#4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.

Page 12

Governance and Risk Management: service maturity assessment

Information Security Policies
Maturity Level: 4 | Relative Risk Likelihood: Low | Impact of Threat: Low | Relative Level of Effort: High
Key Attributes:
• Written Security Policies
• Policies are structured according to a recognized standard (e.g. ISO27001)
• Policies have been approved by executive management
• Policies have been published and communicated
• Policies have been formally reviewed and updated within the last 12 months
Observations: Policies exist and are updated annually. No executive management approval. Not developed to meet security standards.
Recommendation (1): Establish update process and executive approval/support
Relative Costs: $$

Information Security Awareness & Training
Maturity Level: 2 | Relative Risk Likelihood: Medium | Impact of Threat: High | Relative Level of Effort: Moderate
Key Attributes:
• Training provided to all new staff
• Refresher training provided annually
• Training is job role related
• Training includes testing component
• Logs of training are maintained
Observations: No training for new employees and refresher training for existing staff.
Recommendation (1): Utilize Phishme, Catch of the Day
Relative Costs: $

Information Risk Governance
Maturity Level: 1 | Relative Risk Likelihood: High | Impact of Threat: High | Relative Level of Effort: High
Key Attributes:
• Steering Committee exists
• Steering Committee is made up of corporate support functions, executive management and security leader
• Steering Committee meets monthly
• Steering Committee is briefed on current events, approves new projects and policy exceptions
• Minutes are kept of meeting
Observations: No information steering committee implemented.
Recommendation (1): Develop Strategy / Plan; Resource Plan / Staff; Steering Committee
Relative Costs: $

Information Security Project Risk Reviews
Maturity Level: 3 | Relative Risk Likelihood: Medium | Impact of Threat: Medium | Relative Level of Effort: Moderate
Key Attributes:
• Information security requirements are integrated into project
• Internal SDLC process includes information security gates
• Information security is a required sign-off prior to implementation
• Outsourcing projects are reviewed and approved by information security
Observations: Projects that use the change management system are reviewed by information security. Unclear if consistent criteria for approval are used.
Relative Costs: $$

Incident Response
Maturity Level: 3 | Relative Risk Likelihood: High | Impact of Threat: Medium | Relative Level of Effort: High
Key Attributes:
• IRP developed and documented
• IRP is tested on regular basis
• Different IRP scenarios are tested
• IRP team members are trained
• Incidents are classified by risk level
Observations: IRP plan needs update and testing. Additional scenarios developed.
Recommendation (1): Update IR Process; Tabletop test IR Plan scenarios
Relative Costs: $

Security Metrics
Maturity Level: 1 | Relative Risk Likelihood: Low | Impact of Threat: High | Relative Level of Effort: Low
Key Attributes:
• Operational security metrics are measured and reported
• Risk posture is measured and reported to senior management
Observations: No security metrics.
Recommendation (2): Establish security operations metrics
Relative Costs: $

Third Party Risk Management
Maturity Level: 1 | Relative Risk Likelihood: High | Impact of Threat: High | Relative Level of Effort: High
Key Attributes:
• Inherent risk is measured for all third-parties
• Business profile risk is measured for all third parties
• Due-diligence reviews are based on level of risk
• Due-diligence is performed by risk level for all third-parties
Observations: No third party management process.
Recommendation (2): Implement third-party processes and reviews
Relative Costs: $$$$

The services in the Governance and Risk Management domain provide the people, processes, and technology to properly identify and manage the overall information risk program. The key services in this domain are designed to inform the executive team of the risk to the critical information assets and how to manage that risk, and to provide a governance process to report on current risk levels and manage them over time.

Page 13

Role of the Executives and Board

#5: Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Summarized from: Cyber Risk Oversight: A Director's Handbook, National Association of Corporate Directors, 2014.

Page 14

The Security Journey

A business-aligned strategy includes understanding the business objectives, compliance objectives, threats, and risks, and then creating a security program that enables the business and protects the information and organization from real threats.

Stages shown on the journey diagram: AD HOC; INFRASTRUCTURE BASED; COMPLIANCE BASED; THREAT BASED; BUSINESS-ALIGNED; RISK BASED/DATA CENTRIC. Shortcut = Failure to Pass.

Page 15

Establish a culture of Information Risk Management: Call to Action

• Obtain/review NACD Cyber Risk Oversight.
• Seek stakeholder engagement and create a governance committee.
• Understand key business risks and objectives. Document assumptions.
• Develop a roadmap and socialize.
• Be pragmatic. And patient.
• Speak and write in business terms.

Page 16

Q&A

Page 17

1125 17th Street, Suite 1700, Denver, CO 80202

800.574.0896
