10/4/2018. Prepare For When. About George Usi

Transcription

1 Prepare For When Every cyber breach or failure incident comes back to the failure of policy, procedure or the lack of having a policy or procedure. DOJ Homeland Security, James Abignale, FBI About George Usi Internet Pioneer Operations & Standards Pioneer Strategic operations & management origin Proud Father & Lucky Husband 1

2 What You Will Learn Today Difference Between Cyber Security & Cyber Compliance Cyber Security Risks, Exposures, & Regulations Five Key Governance Problems Leaders Should Know Top Ten Lines Before Being Hacked The US Government Has (Somewhat) Come To The Rescue Security Program Leadership Methods & Requisite Organization What To Do Next Cyber Differences What s The Difference? Computer security, cybersecurity [1], or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide (Wikipedia definition as of September 1, 2018). Regulatory Compliance, In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations. [1] 2

3 How You Might Relate to Both Cyber Risks & Exposures Risk Of A Cybersecurity Breach in 2018 Ref: Ponemon Institute 2018 Global Data Breach Study by IBM & Datto Inc TREND: 62% of construction & manufacturing attacked report ransomware incident for small businesses <50. 3

4 Low Records = Low Risk Right? Think Again! Source: 2018 Ponemon Institute all businesses 24-month horizon 27.9% Probability of records Data Breach Basic Formula To Calculate Lowest Risk Point (Employees * $233) + (Records * $233) + $68,000^ = $ Risk $ Risk* Likelihood of Breach by Records Count = Calculated Risk $ Example - Small Water Agency Risk of Breach Calculation: 1) 90 current employees plus 565 previous employee in archive, for total of 655 records operating over 30 years; 2) Handling privacy data name/address, and SSN of 20,000 customers. (655 x $233) + (20,000 x $233) + $68,000 = $4,880,615 Risk $4,880,615 * = ~$937,000 Calculated Risk (STARTS AT!!!) ^Breach Consulting Minimal Cost to Respond/Recover according to Ponemon Institute/IBM 2018 Oh Wait, We Forgot Oregon! Oops 1) 100 previous employees moved to Oregon where the ORS Privacy law fines are $767 more per record; 2) 400 of your customers also moved to Oregon at $767 more per record 3) Total ORS 646a record count 500ea Original Calculated Risk Exposure = ~$937,000 Calculated Risk (130 x $767) x days not ORS 646a proactive = Up to $73,632 POTENTIALLY MORE PER DAY! 4

5 Fox Watching Henhouse 5

6 Five Key Problems Problem 1: Laws Changing New CA Consumer Privacy Act of 2018 Many state privacy laws added if then clause Alphabet Soup of Compliance Yes, suits can be brought between two or more states Problem 2: All Is Not As It Seems 6

7 Problem 5: $ecurity $pend Leaders who failed to plan & invest wisely in cybersecurity spent 58% more then those who have a security plan in place.* Cyber Risk How Secure Do You Need To Be? * 7

8 The Top Ten! Top Ten Things We Hear Before The Help We Were Hacked Rescue Call Top Ten Lines Heard Right Before A Hack 1. We don t have any data anyone would want to steal. 2. Security is an overhead and is too expensive. 3. IT Guy/Team is great and everything is 100% secure. 4. Cloud/service provider already provides my security. 5. Business too small to get a regulatory fine/penalty. 6. We change our passwords. 7. I bought cyber security insurance. 8. We follow best practices in cyber security. 9. I hired a security leader to handle this. 10. We have never been hacked before (that we know of). 8

9 Federal Government To The Rescue (Somewhat) With NIST CSF & NIST v1.0 9

10 The Framework Path with SIMM 5300 SIMM = Statewide Information Management Manual SIMM 5300 = OIS (Office of Information Security) 30 Control Areas NIST influenced Publication on CDT Site Maps NIST & SAM Security Program Leadership & Requisite Organization Cyber Leadership Lemonade Governance Minimum Controls Security Program Standards, Policy, & Procedure Risk Management Metrics Privacy Usage Restrictions, Authorizations, & Compliance Continuous Monitoring 10

11 Elliot Jaques & Requisite Organization? What Is Elliot Jaques Known For? Set Standard for Corporate Lifecycles Finance & Risk Drivers Growth & Big Decisions Shift to Thrive Business Scaling Sell & Survive What Else Is Elliot Jaques Known For? Posited that the complexity of a work role can be determined by measuring how long the incumbent could work on their own before being checked by the boss. Use of Stratum Levels to organize operational outcomes

12 Roles & Stratum According to Jaques Mismatch of Role To Human Resource 12

13 Align Capability With Measured Tasks Effectiveness Use CDT SIMM 5300-C Maturity Metric 13

14 Here Is What I Told You With Proper Awareness, We Make Wise Choices Cyber Compromise is a Matter of When With A Formal Security Program, Cyber Risk Reduction is ~30% Regulations/Laws are Changing & More Stringent All Is Not As It Seems; Training Necessary Cyber Assurance Laws, 3 rd -Party Checklists, & Audits Are Looming Breaches No Longer About Just Losing Data Conduct POAM & Spend Wisely NIST & SIMM To The Rescue Requisite Cyber Security Leadership Simplify the Complicated With Free Toolsets Here Is What I Recommend You Do Now 14

15 Cyber Security Program 7-Step Punch List 1. Understand Agency Business Risk With Cyber Compliance Evaluation 2. Construct Action Plan for People, Process, & Technology 3. Launch/Relaunch Security Program with CDT Resources 4. Prepare for SIMM 5300 Security Compliance Reports (TRPs) and visit CDT site 5. Mitigate People Risk (Suggest Security Assurance Training) 6. Manage Remaining Risk via Plan of Action/Milestones (POAM) & Oversight 7. Evaluate for Fox Watching the Hen House Principle in Continuous Monitoring The Easy Button Give us your business card and we will deliver Free DIY templates Or have SACTECH help with Conducting cyber compliance deep dive assessment Agency Requisite Organization capabilities assessment for SIMM 5300-B Two-party maintenance of SIMM 5300 & NIST We are CA Small Certified Business #35606 Omnistruct Cyber Compliance Consulting & Cyber Governance Maintenance SIMM + Data Privacy Audit + Compliance Analysis + GAP Analysis + 2-Party Oversight + Security Posture Audit + SIMM/NIST Adoption + Work Plan to Comply + Security Policy WISP + Risk & Recovery Plan + Business Associate & 3 rd -Party Agreements + Drive Action Plan + Continuous Consult + Cyber Awareness + Incident Handling + Cyber Insurance Guidance 15

16 Case Study 1 Organizational Risk A regional water/power organization was struggling with regulatory cyber compliance due to separation of internal business units. They adopted NIST and identified a number of regulatory cyber gaps between operating administrative and operational entities. With a proper oversight and compliance maintenance plan in place, they were able to use Vendor Management principles internally to avoid the potential for a compliance violation between their segmented operation and vendor communities and reduce risk exposures by 20%. Case Study 2 School Is In (The Money) A large school district (top 20) was struggling to understand their cyber security business risk. Although they were following a framework, technology tools were unable to see when unmonitired exceptions and policy violations were happening. They conducted a cyber compliance deep dive and adopted NIST CSF reducing their security spend by 18% while investing wisely in cyber risks that matter. Case Study 3 The SCAP Hurts A major state agency was struggling with their STIG/SCAP visibility. They adopted continuous visibility/monitoring of endpoints with SCAP visibility and remediation for their cyber compliance passing audits with FISMA enforcement. 16

17 Thank You George Usi, CEO Questions & Answers and Team 17