Offentlig digitalisering (Public Digitalisation), 16-17 March 2016. RESILIA - Is your organization resistant to cyber risks? Christian F. Nissen, CEO, CFN People



RESILIA - Is your organization resistant to cyber risks?

Christian F. Nissen, CFN People A/S

© 2016 of CFN People a/s unless otherwise stated

RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are registered trade marks of AXELOS in the United Kingdom and other countries.
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
TOGAF™ is a trademark of The Open Group.


Agenda

1. Cyber threats

2. Cyber Resilience

3. Cyber Resilience Lifecycle

❍ Strategy

❍ Design

❍ Transition

❍ Operation

❍ Continual Improvement

4. Segregation of duties and dual controls


1. Cyber threats

Why bother?

According to ISACA’s January 2016 Cybersecurity Snapshot:

- 84 percent of respondents believe there is a medium to high likelihood of a cybersecurity attack disrupting critical infrastructure (e.g., electrical grid, water supply systems) this year.
- 20 percent of the respondents have experienced a ransomware incident.
- 72 percent of respondents say they are in favor of the US Cybersecurity Act, but only 46% say their organizations would voluntarily participate in cyber threat information sharing, as outlined in the Act.


Best practices and standards

Some standards and frameworks that can help organizations to manage cyber threats include:

- NIST Framework for Improving Critical Infrastructure Cybersecurity - A US risk-based approach to managing cybersecurity risk.
- Management of Risk (M_o_R) - Best practice for managing risk.
- ISO/IEC 27001 - International standard for information security management.
- ISO 31000 - International standard defining risk management principles and guidelines.
- ISO 22301 - International standard for business continuity.
- COBIT 5 - Best practice for governance and management of enterprise IT.
- ITIL - Best practice for IT service management.
- ISO/IEC 20000 - International standard for IT service management.


Cyber security versus cyber resilience

Security is defined as ‘the state of being free from danger or threat’ and involves the protection (confidentiality, integrity, availability and non-repudiation) of what is important, often with more emphasis on prevention and less emphasis on recovery from an incident. However, prevention alone is no longer a realistic strategy.

Resilience is the ability of a system or component to resist an unplanned disturbance or failure, and to recover in a timely manner following any unplanned disturbance or failure.


What is cyber resilience?

Cyber resilience is the ability to prevent, detect, and correct any impact that incidents have on the information required to do business.

It requires the right balance between three types of control activity: preventive, detective and corrective.

What is RESILIA?

- A best practice from AXELOS released in 2015
- A balanced and holistic approach to cyber resilience
- The missing chapter in ITIL
- Risk and control based
- Lifecycle based
- A qualification scheme (RESILIA Foundation & RESILIA Practitioner)


RESILIA key principles:

- Clear understanding of what the organization’s critical assets are, especially information.
- Clear view of the organization’s key threats and vulnerabilities arising from their environment, including their customers, partners, and supply chain.
- Adoption of a common language used by all stakeholders in the organization.
- Assessment of the organization’s cyber resilience maturity and design of appropriate, prioritized, and proportionate plans using best practice guidance.
- An appropriate balance of controls to prevent, detect, and correct.


RESILIA - Risk-based

[Diagram: the risk relationship between Asset, Vulnerability and Threat]


RESILIA - Addressing risk


The Cyber Resilience Lifecycle

[Lifecycle diagram; the stages, as listed in the agenda, are Strategy, Design, Transition, Operation and Continual Improvement]

Cyber Resilience Strategy - Controls

Controls for Cyber Resilience Strategy:

- Establish governance of cyber resilience
  - Vision and mission
  - Governance roles
- Manage stakeholders
  - Identifying and categorizing stakeholders
  - Gathering stakeholder requirements
  - Stakeholder communications
- Create and manage cyber resilience policies
  - Cyber resilience policies
  - Structure of the policies
  - Management of the policies (process)
- Manage cyber resilience audit and compliance
  - Audit
  - Compliance management

Cyber Resilience Strategy - Processes

Interaction of ITSM processes with cyber resilience activities:

- Strategy management for IT services
- Service portfolio management
- Financial management for IT services
- Demand management
- Business relationship management

Cyber Resilience Strategy - Processes

Example: Cyber Resilience Interfaces with Service Portfolio Management

Cyber Resilience Design - Controls

Controls for Cyber Resilience Design:

- Human Resource Security
  - Recruitment
  - Pre-employment, employment, exit and termination
  - Training & awareness
- System Acquisition, Development, Architecture, and Design
  - Requirement analysis
  - Architecture design and development
  - Threat and vulnerability modelling
  - Secure design and development
  - Cyber resilience security testing
- Supplier and Third-Party Security Management
  - Supply chain risk management
  - Managing third-party risks
  - Confidentiality and non-disclosure for suppliers
  - Compliance and auditing of the supply chain
- Endpoint Security
- Data-in-transit
- Data-at-rest
- Cryptography
- ...
- Business Continuity Management
  - Business impact analysis

Cyber Resilience Design - Processes

Interaction of ITSM processes with cyber resilience activities:

- Design Coordination
- Service Catalogue Management
- Service Level Management
- Availability Management
- Capacity Management
- IT Service Continuity Management
- Supplier Management

Cyber Resilience Design - Processes

Example: Cyber Resilience Interfaces with IT Service Continuity Management

Cyber Resilience Transition - Controls

Controls for Cyber Resilience Transition:

- Asset management and configuration management
  - Classification and handling
  - Data transportation and removable media
- Change management
  - Authorization, control and secure implementation
- Testing
  - Code review
  - Unit, system and integration testing
  - Regression and user-acceptance testing
  - Penetration testing
- Training
- Documentation management
  - Information retention and disposal

Cyber Resilience Transition - Processes

Interaction of ITSM processes with cyber resilience activities:

- Transition planning and support
- Change management
- Service asset and configuration management
- Release and deployment management
- Service validation and testing
- Change evaluation
- Knowledge management
- Management of organizational change

Cyber Resilience Transition - Processes

Example: Cyber Resilience Interfaces with Release and Deployment Management