Approaching Cyber Risk Management Model
Simplified model for Security Governance
Rome | 2015
Agenda
• Introduction and Frame
• The Cyber Risk Management Model
  • Overview
  • Cyber Risk Management governance approach: task analysis
• Q&A
Introduction
Who the hell are you?
Frame: the term "Cybernetics"
• Cyber is the prefix of the word "cybernetics", descending from the Greek adjective κυβερνητικός (good at steering, at governing)
• The term 'cybernetics' in its modern sense was introduced by Norbert Wiener in "Cybernetics: or Control and Communication in the Animal and the Machine" (MIT Press, 1948)
Frame: preliminary questions
Where is Cyberspace?
[Figure: cyberspace drawn as stacked layers, from the network infrastructure layer (telcos, Internet) through computer systems up to SCADA; every layer carries both data and controls.]
Frame: preliminary questions
Why a cyber attack?

Information theft
• Due to: unfair competition, information sale
• Consequences: loss of opportunity / market, law infringement (privacy law), damage claims, extra expenses

Corporate finance / brand impairment
• Due to: unfair competition, sabotage, vandalism
• Consequences: operational interruption, reputational loss, loss of corporate goods / assets, reparations, penalties

Fraud
• Due to: unlawful money making
• Consequences: property loss, reputational loss, reparations
Frame: preliminary questions
How does a cyber attack unfold?
[Figure: attack lifecycle: Adversary → Target research → Infiltration → Discovery → Capture → Exfiltration]
Frame: preliminary questions
How to deal with a cyber attack?

DIGITAL INVESTIGATION
• Control on real breakdowns / violations (are they in?)
• Control on corporate sources

INCIDENT RESPONSE
Formalized and effective plan on:
• Crisis management
• Incident response
• Forensics
• Communications
• Testing
• Disclosure

CYBER GOVERNANCE
• Corporate resiliency awareness (potential threat scenarios)
• Cyber compliance framework
• Cyber security program: cyber security risk assessment (RA), cyber maturity report, cyber roadmap
Frame: real cases
• "Cyber attacks should be considered the most dangerous emerging risk for the economy" (World Economic Forum, 2014)
• 50% of corporate respondents to a survey named it the most critical risk (Global IT Security Risks 2012, Kaspersky)
• $250: price to rent 15,000 infected laptops (a botnet) for a cyber attack
• Cyber attacks among the top 5 global risks by likelihood / severity (Global Risks Report, 2014)
Frame: real cases
• JPMorgan Chase data breach (October 2014): hackers were on the internal networks for several months before being discovered
Overview of the Management Model
Risk of the cyberspace: equalize risk control according to business requirements.
[Figure: a balance between the risks of cyberspace and the convenience it brings]
• Risks: cyber attack, compliance, risks in operation, fraud, service continuity, data breach, intellectual property
• Convenience: cleverness of the IT systems, flexibility, innovation, cost saving
Overview of the Management Model
Cyber Risk Management Framework

Assess: IDENTIFY | QUANTIFY | ANALYZE
A thorough understanding of your risk profile is critical, and that means more than the typical compliance audit. You need to inventory cyber-vulnerable assets, identify new and emerging threats, internal and external, and model an event's potential impact. The evolving nature of cyber risk requires you to continuously monitor changes in your organization's risk profile, then adapt.

Manage: PREVENT | PREPARE | TRANSFER
Cyber risk management typically requires a balance of:
• Prevention, to stop cyber attacks from succeeding
• Preparation, to make sure you are ready when an event happens
• Risk transfer, to move the exposure off your balance sheet

Respond: REACT | RECOVER | COMMUNICATE
You likely cannot stop a cyber attack from occurring, but you can control how you respond to it. A quick, effective reaction is essential, and the decisions you make after an event can have lasting implications.
Overview of the Management Model
ISO 31000 – Risk Management
Every risk management model refers to the international standard ISO 31000. Its process maps onto the Assess | Manage | Respond phases of the Cyber Risk Management Framework:
• Information gathering
• Risk assessment:
  • Risk identification
  • Risk analysis
  • Risk evaluation
• Risk treatment
• Monitoring & review
Cyber Risk Management Methodology: Information gathering

Step 1
§ Requirements identification
§ Definition of the evaluation criteria
§ Detailed planning
§ Checklist implementation

Step 2
§ Documentation analysis
§ Interview with the process / system owner
§ Identification of the assets (primary and supporting assets, or groups of assets)
§ Identification of existing controls
§ Customer review

Checklist layout (one row per control):
Domain | Control | Criticality | Answers | Owner | Notes
Domain 1: Control 1.1 … Control 1.n
…
Domain x: Control x.1 … Control x.n

Standard controls: ISO 27001 (Annex A), covering process, technologies, sites, personnel, third parties.
Custom checklist: corporate guidelines, ITIL v3, SANS Critical Controls, …

Note: adopting an overview and standard approach, the process / system owner is the focal point of the analysis → documentation analysis + interviews.
Cyber Risk Management Methodology: Risk Assessment (ISO 27005)
Cyber Risk Management Framework: Assess | Manage | Respond

R = L × V × I
Likelihood (L) → probability that a threat harms an asset
Vulnerability (V) → vulnerability level of an asset exposed to a threat
Impact (I) → potential consequences (connected to the asset criticality)
Risk scenario (R) → level of risk of a specific asset and the related threat

Risk assessment process: Context establishment → Evaluation of the assets → Threats and vulnerabilities assessment → Level of risk determination (risk scenario)

Context establishment:
§ Preliminary assessment: identification of primary assets, including organization, processes and activities able to provide services
§ IT assessment: identification of supporting assets, in terms of hardware, software and network devices
§ Physical assessment: description of the physical components used to provide services (infrastructures, working areas, environment, etc.)

Evaluation of the assets: evaluation of the criticality level of the information, considering several types of events that can cause losses of:
§ Confidentiality
§ Integrity
§ Availability

Threats and vulnerabilities assessment: evaluation of both threats and vulnerabilities for each asset identified in the previous step:
§ Threat → potential event that may cause an unwanted incident that harms an organization or system
§ Vulnerability → exposure level of an asset to a potential threat
Risk Assessment (ISO 27005), step 1: Context establishment

Organization evaluation: identify the processes and activities needed for the delivery of business services.
IT assessment: identify the ICT assets, in terms of hardware, software and network devices.
Physical assessment: identify the physical components used to provide services (infrastructures, working areas, environment, etc.).

Asset inventory layout: Asset ID | Asset | Description
Risk Assessment (ISO 27005), step 2: Asset evaluation

Assess the criticality level of the information with the drivers Confidentiality, Integrity and Availability:
• Bind the typology of the information to the assets
• Associate each asset with its worst impact scenario

Asset evaluation layout: Information typology | Confidentiality | Integrity | Availability | Issues | Asset value
Risk Assessment (ISO 27005), step 3: Threats and vulnerabilities assessment

Threats may be deliberate, accidental or environmental (natural) and may result, for example, in damage or loss of essential services.
§ Deliberate: all deliberate actions aimed at information assets
§ Accidental: all human actions that can accidentally damage information assets
§ Environmental: all incidents that are not based on human actions

Each asset has its own particular vulnerabilities, such as:
§ Hardware (e.g. insufficient maintenance / faulty installation of storage media)
§ Software (e.g. no or insufficient software testing)
§ Network (e.g. insecure network architecture, transfer of passwords in clear)
§ Personnel (e.g. unsupervised work by outside or cleaning staff, lack of policies for the correct use of telecommunications media and messaging)
§ Site (e.g. lack of physical protection of the building, doors and windows)
Risk Assessment (ISO 27005), step 4: Level of risk determination (risk scenario)

LR(i,j) = P_i × A_j × V_ij

LR(i,j) → risk level of asset j with respect to threat i (one value per threat/asset pair)
P_i → likelihood: probability that threat i could harm the asset
A_j → impact: criticality of asset j (the asset value from step 2)
V_ij → exposure level of asset j to the potential threat i

This is the R = L × V × I formula of the overview, with L = P_i, I = A_j and V = V_ij.
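Worked example, added here and not part of the original slides, showing how the LR(i,j) = P_i × A_j × V_ij computation plays out over a small risk register: the asset value A_j is taken as the worst of the three CIA ratings (the "worst impact scenario" of the asset evaluation step), every threat/asset pair with an assessed exposure V_ij gets a risk level, and the scenarios above the acceptance criterion are the ones the treatment plan must address. The assets, threats, exposure ratings, the 1 to 3 ordinal scale and the acceptance level of 8 are all constructed assumptions; ISO 27005 prescribes no particular scale, and out-of-scale ratings are rejected rather than silently multiplied.

```python
"""Added example (not from the original slides): ISO 27005-style risk level
determination LR(i,j) = P_i * A_j * V_ij over a small constructed risk register.
Scales, assets, threats, exposures and the acceptance level are assumptions."""
from dataclasses import dataclass

# Assumed ordinal scale for likelihood, criticality and exposure: 1 = low, 2 = medium, 3 = high.
SCALE = range(1, 4)


@dataclass(frozen=True)
class Asset:
    """Supporting asset rated on the three drivers of information criticality."""
    asset_id: str
    name: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    """Threat i with its kind (deliberate / accidental / environmental) and likelihood P_i."""
    threat_id: str
    name: str
    kind: str
    likelihood: int


@dataclass(frozen=True)
class RiskScenario:
    """One (threat i, asset j) pair with its factors and the resulting LR(i,j)."""
    threat_id: str
    asset_id: str
    likelihood: int   # P_i
    asset_value: int  # A_j
    exposure: int     # V_ij
    level: int        # LR(i,j)


def check_scale(value, label):
    """Reject ratings outside the agreed scale instead of silently multiplying them."""
    if value not in SCALE:
        raise ValueError(f"{label} must be one of {list(SCALE)}, got {value!r}")
    return value


def asset_value(asset):
    """A_j: worst impact scenario, i.e. the highest of the C, I and A ratings."""
    return max(check_scale(asset.confidentiality, "C"),
               check_scale(asset.integrity, "I"),
               check_scale(asset.availability, "A"))


def risk_level(threat, asset, exposure):
    """LR(i,j) = P_i * A_j * V_ij for one threat/asset pair."""
    return (check_scale(threat.likelihood, "P_i")
            * asset_value(asset)
            * check_scale(exposure, "V_ij"))


def risk_register(assets, threats, exposure):
    """Build every scenario for which an exposure V_ij was assessed; pairs missing
    from `exposure` are treated as not applicable. Highest risk first."""
    register = [
        RiskScenario(tid, aid, threats[tid].likelihood, asset_value(assets[aid]), v,
                     risk_level(threats[tid], assets[aid], v))
        for (tid, aid), v in exposure.items()
    ]
    return sorted(register, key=lambda s: (-s.level, s.threat_id, s.asset_id))


def needs_treatment(register, acceptance_level):
    """Scenarios above the risk acceptance criterion: each one must get a treatment
    option (modification, retention, avoidance or sharing) in the treatment plan."""
    return [s for s in register if s.level > acceptance_level]


# Constructed sample register (assumption, not real data).
ASSETS = {
    "A1": Asset("A1", "customer database server", 3, 3, 2),
    "A2": Asset("A2", "corporate web server", 1, 2, 3),
    "A3": Asset("A3", "office printer", 1, 1, 1),
}
THREATS = {
    "T1": Threat("T1", "information theft by external attacker", "deliberate", 3),
    "T2": Threat("T2", "accidental deletion by an operator", "accidental", 2),
    "T3": Threat("T3", "flooding of the server room", "environmental", 1),
}
# V_ij from the vulnerability assessment, e.g. (T1, A1) = 3 because database
# passwords are transferred in clear. No entry for (T3, A2): the web server is hosted off-site.
EXPOSURE = {
    ("T1", "A1"): 3, ("T1", "A2"): 2, ("T1", "A3"): 1,
    ("T2", "A1"): 2, ("T2", "A2"): 1, ("T2", "A3"): 1,
    ("T3", "A1"): 2, ("T3", "A3"): 1,
}
ACCEPTANCE_LEVEL = 8  # assumed risk acceptance criterion on the 1..27 LR scale

if __name__ == "__main__":
    for s in risk_register(ASSETS, THREATS, EXPOSURE):
        flag = "TREAT" if s.level > ACCEPTANCE_LEVEL else "accept"
        print(f"{s.threat_id}/{s.asset_id}: P={s.likelihood} A={s.asset_value} "
              f"V={s.exposure} -> LR={s.level:2d} {flag}")
```

With these constructed ratings the register ranks the deliberate information theft against the customer database first (LR = 27), and three scenarios exceed the acceptance level; a pair that is not applicable is simply left out of the exposure table rather than given V_ij = 0, so the product can never hide a rating error behind a zero.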
Cyber Risk Management Methodology: Risk Treatment
Cyber Risk Management Framework: Assess | Manage | Respond

RISK MODIFICATION: the level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable.
RISK RETENTION: the decision on retaining the risk without further action should be taken depending on the risk evaluation.
RISK AVOIDANCE: the activity or condition that gives rise to the particular risk should be avoided.
RISK SHARING: the risk should be shared with another party that can most effectively manage the particular risk, depending on the risk evaluation.

Risk treatment plans should describe how assessed risks are to be treated to meet the risk acceptance criteria. It is important for responsible managers to review and approve proposed risk treatment plans and the resulting residual risks, and to record any conditions associated with such approval.
Reporting
Analysis of the Cyber Risk Management methodology: what the report means to each stakeholder

RISK MANAGER / CISO / CSO: ensure connectivity between stakeholders.
CFO: potential costs of a cyber event and what the impact could be on the bottom line; security of the sensitive information that the office controls.
CEO / BOARD: accountable for overall business and company performance; fiduciary duty to assess and manage cyber risk. Regulators expect top leadership to be engaged.
LEGAL / COMPLIANCE: keep stakeholders informed and compliant; if a cyber incident occurs, lawsuits often follow within hours.
Q&A