SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O’Connor Davies, LLP Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member – Focus 1 Associates LLC


SEC’s Cybersecurity Risk Alert, Part 2 of 3

How-To: Assessing Cybersecurity Risk

Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O’Connor Davies, LLP

Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member – Focus 1 Associates LLC


© 2014 Advent Software, Inc. Advent Confidential

Speakers

Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting Services - O’Connor Davies, LLP

[email protected]

646-449-6353

Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC

[email protected]

267-254-1506


Objectives

• Discuss how to perform a true cybersecurity risk assessment for your firm

• Learn how to develop and implement administrative, technical, and physical controls relevant to your firm’s risk exposure

• Establish a sound cybersecurity program based on applicable regulatory requirements and industry best practices


Fundamental Components of Risk Assessment

• Threats – Anything that can cause harm.

• Common Threat Sources

• Human - Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).

• Natural - Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

• Environmental - Long-term power failure, pollution, chemicals, liquid leakage.


Fundamental Components of Risk Assessment

• Vulnerabilities – Any hardware, software or procedural weakness that can be exploited (i.e. taken advantage of) by a threat.

• A threat/vulnerability pair must exist in order to have RISK.

• Risk – The probability of occurrence (likelihood) that a threat will take advantage of a vulnerability, and the resulting business impact.


Fundamental Components of Risk Assessment

• Types of Risk Assessments

  • Qualitative – Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high.

  • Quantitative – The likelihood of occurrence of particular threats and the risks or loss associated with these particular threats are estimated and assessed according to predetermined measurement scales.

Unless your business absolutely requires a Quantitative risk assessment, use a Qualitative approach.


Risk Ranking Definitions

• Unacceptable – Mitigation Required

• High – Cost Benefit Analysis Required

• Moderate – Possible Cost Analysis of Mitigation

• Low – No Analysis Required

When assigning values, trust your initial reaction.


Risk Chart


Inherent Vs Residual Risk

• Inherent Risk – The risk associated with a threat and vulnerability pair in the absence of any controls (i.e. what is the risk posed if you don’t apply any controls)

• Residual Risk – The amount of risk that remains after the application of controls.

Understanding the Inherent Risk is key to understanding the extent of controls required to manage the Residual Risk.



Risk Treatment

• Accept – Knowingly accept the risk because it falls within the organization's "risk appetite"; in other words, management deems the risk acceptable compared to the cost of improving controls to mitigate it.

• Reduce – Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level.

• Avoid – Do not undertake the associated business activity.

• Transfer – Shift the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner).


Risk Management


Risk Areas to Consider

TAB  Description
01   Risks Chart
02   U & H Residual Risks
03   Control Environment
04   Physical
05   Environmental
06   Acct Management
07   Logical Security ("LS") - Network
08   LS - Active Directory
09   LS - Workstation_Server
10   LS - Patch Management
11   LS - Communications
12   LS - Removable Media
13   LS - Remote Access
14   LS - VMWare
15   LS_Share Point/Files and Folders
16   LS_Databases
17   LS_Mobile Devices
18   Data Loss Prevention
19   Problem Management
20   System Development Lifecycle
21   Change Management_Infrastructure
22   Backup Management
23   Media Disposal

Company IT Control Areas for Risk Assessment


Risk Assessment Framework

• Industry recognized frameworks most commonly used include:

  • NIST SP 800-30

    • http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

  • OCTAVE

    • http://www.cert.org/resilience/products-services/octave/index.cfm

  • FAIR

    • http://fairwiki.riskmanagementinsight.com/


Risk Assessment Framework

• Whatever methodology you choose, it should comprise the following:

  • Identify all critical information resources, including such things as servers, applications, data repositories, etc.

  • Assign a value to those resources. Depending on the organization’s risk assessment approach, this can be either a quantitative or qualitative value.

  • Determine the threat and vulnerability pairs that exist for those resources.

  • Determine the probability of occurrence and potential business impact of the corresponding threat/vulnerability pair = Inherent Risk Value (the risk value that exists if no controls are implemented).

  • Identify the existing controls in place to reduce the inherent risk to an acceptable level = Residual Risk Value.

When mapping controls, consider both the design and operating effectiveness when determining the residual risk value.
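The five steps above, together with the ranking definitions and treatment options from the earlier slides, as an added worked example in Python. This is illustration code written for this page, not a tool from the presenters or from Advent. The three-level scale, the score thresholds that map onto the four rankings, the rule that each effective control lowers likelihood by one step, and the three sample register entries are all constructed assumptions for the demonstration; the point it adds is that a control that is well designed but not operating reduces nothing, which is why residual risk needs both effectiveness checks.

```python
# Added worked example (not the presenters' own tool): a minimal qualitative
# risk register following the methodology on the slides. Scale values, chart
# thresholds, the one-step-per-control rule and the sample entries are all
# constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scale mapped to ordinals so likelihood x impact can be
# looked up on a 3x3 risk chart.
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Rankings and their treatment decision, as defined on the slides.
TREATMENT: Dict[str, str] = {
    "Unacceptable": "Mitigation required",
    "High": "Cost benefit analysis required",
    "Moderate": "Possible cost analysis of mitigation",
    "Low": "No analysis required",
}


@dataclass
class Control:
    name: str
    design_effective: bool     # is the control designed to address this pair?
    operating_effective: bool  # does it actually operate as designed?


@dataclass
class ThreatVulnerabilityPair:
    asset: str          # critical information resource (step 1)
    threat: str         # threat source acting on the asset (step 3)
    vulnerability: str  # weakness the threat can take advantage of (step 3)
    likelihood: str     # probability of occurrence: low/medium/high (step 4)
    impact: str         # business impact: low/medium/high (step 4)
    controls: List[Control] = field(default_factory=list)  # step 5


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood ordinal x impact ordinal, range 1..9."""
    return LEVELS[likelihood] * LEVELS[impact]


def rank(risk_score: int) -> str:
    """Map a 1..9 score onto the four rankings (assumed chart thresholds)."""
    if risk_score >= 9:
        return "Unacceptable"
    if risk_score >= 6:
        return "High"
    if risk_score >= 3:
        return "Moderate"
    return "Low"


def effective_control_count(pair: ThreatVulnerabilityPair) -> int:
    """A control counts only if it is BOTH well designed and operating."""
    return sum(1 for c in pair.controls
               if c.design_effective and c.operating_effective)


def residual_score(pair: ThreatVulnerabilityPair) -> int:
    """Residual risk: each effective control lowers likelihood one step
    (assumption: controls act on likelihood, not impact), floored at 'low'."""
    likelihood = max(1, LEVELS[pair.likelihood] - effective_control_count(pair))
    return likelihood * LEVELS[pair.impact]


def assess(pair: ThreatVulnerabilityPair) -> Dict[str, object]:
    """Inherent (no controls) and residual (after controls) risk for one pair."""
    inherent = score(pair.likelihood, pair.impact)
    residual = residual_score(pair)
    return {
        "asset": pair.asset,
        "inherent": inherent,
        "inherent_rank": rank(inherent),
        "residual": residual,
        "residual_rank": rank(residual),
        "treatment": TREATMENT[rank(residual)],
    }


def assess_register(register: List[ThreatVulnerabilityPair]) -> List[Dict[str, object]]:
    return [assess(p) for p in register]


# Constructed sample register (not from the presentation).
SAMPLE_REGISTER = [
    ThreatVulnerabilityPair(
        "Client portfolio database", "Unauthorized external access",
        "Missing security patches on the database server", "high", "high",
        [Control("Patch management process", True, True),
         Control("Network segmentation", True, False)],  # designed, not operating
    ),
    ThreatVulnerabilityPair(
        "Remote access gateway", "Credential theft via phishing",
        "Password is the only authentication factor", "high", "medium",
        [Control("Security awareness training", True, True),
         Control("Multi-factor authentication", True, True)],
    ),
    ThreatVulnerabilityPair(
        "File server", "Long-term power failure", "No UPS or generator",
        "low", "medium",
    ),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f"{row['asset']}: inherent {row['inherent_rank']} ({row['inherent']}), "
              f"residual {row['residual_rank']} ({row['residual']}) -> {row['treatment']}")
```

Run as a script, the first entry shows the pattern the slide warns about: inherent risk is Unacceptable, and only one of its two controls counts because segmentation is designed but not operating, so residual risk stays at High and the treatment is a cost benefit analysis rather than acceptance.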


Sample Modified Approach


Questions?

Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, CHFI, MCSE

Director, IT Audit and Consulting Services - O’Connor Davies, LLP

[email protected]

646-449-6353

Tim Simons, CPA, CFA, CIPM, CSCP, CFP

Senior Managing Member - Focus 1 Associates LLC

[email protected]

267-254-1506