Assuring the Security of the Supply Chain
Designing best practices for cybersecurity in supply chains
Ollie Whitehouse, Technical Director
Agenda
Supply Chains and the Cyber Challenge
Regulatory (FCA) Outsourcing Requirements
Historic Approaches
Models for the Future – our maturity model
Supply chains…
• Software: commercial off-the-shelf (COTS) and proprietary
• Equipment: the routers, servers, tablets, phones, storage, multi-function devices, the doors, conditional access devices, building management system etc.
• Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, and other generic terms like data feeds, cloud and managed service etc.
Supply chains…
Supply chain cyber risk…
Supplier tiers..
Tiers of suppliers: focus on tier 1 and tier 2 initially.
The tier a supplier sits in is dictated by the business criticality of what they supply.
Supplier tiers..
Tiers of suppliers have tiers of suppliers.
It is an exponential problem, inadvertently creating centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches.
Supply chain cyber risk…
Suffice to say
Suppliers are increasingly operating business-critical functions.
Today it is a challenge for customers
Suppliers today need to show goodwill in order to support supply chain cyber maturity programs.
Legacy contractual cover is typically weak beyond compliance against standards such as ISO 27001.
The cost of renegotiating contracts is typically high.
If a supplier is unique or niche, commercial leverage evaporates.
FCA outsourcing regulatory requirements
• Senior Management Arrangements, Systems and Controls
• SYSC 8.1: General outsourcing requirements
• SYSC 13.7.9: Geographic location considerations
• Threshold Conditions
• COND 2.4: Appropriate resources
• COND 2.5: Suitability
… then there is the DPA etc.
Handbook: http://fshandbook.info/FS/
FCA outsourcing regulatory reality
At the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCA’s) objectives.
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014
https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely.
The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements.
Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.
FCA protection considerations
Current approach to the supply chain
Today only the most mature
This is not enough…
Resilience
What does cyber resilience mean?
We will have incidents of both internal and external origin
… we will contend with accidents and malicious acts
… we will face an evolving set of threats requiring agility
We will build services for the business which are appropriately secure and resilient
… which frustrate threat actors and reduce the likelihood of accidents
… which minimize the impact of any incident whilst remaining usable
We will be in a position to detect incidents in a timely fashion
… whilst being able to answer who, what, when and how … and then recover
How we deal with risk today
• Elements / Tenets: CIA and Parkerian Hexad etc.
• Models / Indexes: custom or off the shelf.
• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc.
• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.
• Maturity Models: recognizing risk isn’t static nor do we need to be perfect
• Audit: tell us the gaps against regulation, standards, taxonomies etc.
How we deal with risk today
C AI
This priority is good for your sensitive data
C = confidentiality, I = integrity, A = availability
How we deal with risk today
CA I
This priority is good for your building management system
How we deal with risk today
N I C A
This priority is good for high frequency trading
N = non-repudiation
Biggest challenges today are still
• Where will my organization's data, or the ability to significantly impact my business, end up (logically and physically)?
• Who will have access to it?
• What is my supplier's ability to protect themselves in the first instance?
• What is their ability to detect an incident, respond and notify me?
• How cyber resilient is my supplier?
A maturity model for the supply chain
Levels (implementation axis): Immature, Early Starter, Progressive, Semi-Mature, Mature
Dimensions: cyber security strategy; approach to risk management; contractual cover / supplier relationship; standards and validation; overall cyber resilience

Immature
• Cyber security strategy: Reactive
• Approach to risk management: Ad-hoc
• Contractual cover / supplier relationship: None
• Standards and validation: Cyber Essentials
• Overall cyber resilience: None

Early Starter
• Cyber security strategy: Regulatory (customer) driven
• Approach to risk management: Conformance and audit driven
• Contractual cover / supplier relationship: Minimal cyber security requirements
• Standards and validation: Cyber Essentials + ISO 27001
• Overall cyber resilience: Ability to defend against some attacks

Progressive
• Cyber security strategy: Regulatory, customer and maybe peer driven
• Approach to risk management: Audit and proactive
• Contractual cover / supplier relationship: Allows independent cyber security review
• Standards and validation: CE+, ISO plus paper validation
• Overall cyber resilience: Ability to defend and detect common incidents

Semi-Mature
• Cyber security strategy: Regulatory, customer, peer & threat driven
• Approach to risk management: Audit, proactive with dynamic risk models
• Contractual cover / supplier relationship: Independent validation / information shared
• Standards and validation: CE+, ISO, paper & tech validation
• Overall cyber resilience: Ability to defend, detect and respond to most incidents

Mature
• Cyber security strategy: Regulatory, peer, customer, threat and intelligence driven
• Approach to risk management: … plus continual validation of risk models
• Contractual cover / supplier relationship: … plus requires pro-active notification of incidents
• Standards and validation: CE+, ISO, paper, tech & end-to-end ongoing validation
• Overall cyber resilience: Ability to defend, detect, respond and gain intelligence

NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
CBEST in this context
For a critical supplier of an economic function to the UK economy, it validates:
• The level of threat awareness of the supplier, i.e. a tier 1 institution
• Their ability to protect their estate in the first instance
• Their ability to detect an incident, respond and notify in the second
• The end-to-end effectiveness of technical and soft defensive countermeasures, including against vectors such as the Internet and trusted partners etc.
So where is the best supply chain today?
Closing… CBEST is mature
But we can expect it to trickle down in terms of what is looked at in the supply chain…
Further reading / viewing…
http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chain
https://www.nccgroup.trust/uk/our-research/cyber-red-teaming-business-critical-systems-while-managing-operational-risk/
How we help our customers …
Red Team Assessments
STAR and CBEST
Phishing Assessments
Cyber Incident Response
Cyber Defence Operations
Regulatory Advice
Cyber Resilience
Risk & Governance
Supply Chain Assurance
Operational Support
Final thought…
Maturity is happening globally in financial services…
Israeli Cyber Defense Management Directive, March 2015
Prescriptive in comparison, including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etc.
http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
Europe
Manchester - Head Office
Amsterdam
Cambridge
Copenhagen
Cheltenham
Edinburgh
Glasgow
Leatherhead
London
Luxembourg
Munich
Zurich
Australia
Sydney
North America
Atlanta
Austin
Chicago
New York
San Francisco
Seattle
Sunnyvale
Ollie [email protected]