Initiative. Copyright Techdemocracy, 2017

Transcription

1 A Initiative 1

2 A Initiative 2

3 November 2 nd, 2017 Ken Pfeil / Gautam Dev 3

4 What is the purpose of the ACRG? The alliance purpose is to establish a standard framework for risk measurement, reporting and governance. Holistic cyber risk management, which supports (but is not dependent upon) various regulatory and industry standards across the board. A project of this alliance is to develop a common security metric and measurement framework, translating events to actions needed wherever applicable. In Layman s terms: Let s make technology risk more easily understandable at senior levels of management and the boards. Answer the tough questions with answers that are easily supportable by metrics and measurement Be able to talk at the table with other risk areas already well understood by senior executives and board members 4

5 Today s Key Theme Today s Panel sessions are keyed around areas of technology risk Identifying and exploring the challenges and Issues surrounding measurement of technology risk in these areas Let s not just identify the problems with things, let s also identify solutions These are the first building blocks to the framework 5

6 Security Metrics and Measurement Why do we have metrics and measurement? Short answer, We have questions we need to answer, such as: Are we adequately staffed? Are we funded properly? (Both now and down the road) Are our processes efficient as they can be, and do they support the business context Standards should be based on end results, not a checklist 6

7 Operational and Implementation Management Board Security Metrics Alignment with Business Are we spending wisely Are we secure enough for our business Are we resolving issues Are we spending enough How mature is our program Are we in compliance Does security support all critical business processes Security Compliance and Governance Security Integration Security Operations and Processes Security Incident Response and Recovery Are security services effective Is security involved with IT projects & new tech considerations Are key projects and initiatives progressing Do we have effective incident response Do we follow security best practices (e.g. CIA, ISO-17799,Top 10 Risks) Are we resolving Audit Issues effectively Are we implementing process improvements Are we ready for a disaster Are we preventing incidents and resolving vulnerabilities Do we have good problem management help-desk support What is our cost savings, budgets, ROI What are the incidents this period and are we resolving root causes Are policies up-to-date, widely distributed and users aware Does security support Time to market, productivity Are viruses/spam under control How is our compliance with policy Do we have effective identity management (Add, Change and Remove) Are we compliant with security/privacy regulations Are our risk management processes effective Security Compliance and Governance Security Integration Security Operations and Processes Security Incident Response and Recovery - Number of systems in compliance - Number of vulnerabilities detected - Number of systems with up to date AV - % Unpatched Vulnerabilities - % Hardened Servers - % Policy compliance - % new revised policy - % receiving training - Sans, Owasp top 10 - # Awareness Exercises - # New Policy exceptions - # Pre-production assessments Infrastructure - # Pre-production assessments Applications - # Risk Assessments/Mgmt. Risk Acceptance Discussions - # New Technology Assessments - # Second Level help-desk support - # Audit Support - # Audit issues resolved/total issues - Time to resolve audit issues - % Project Completion - SLA related (vol/except) - Customer satisfaction - Customer rejection & complaints - # exceptions - # Spam & Spyware Issues - # Viruses - % Networks covered by IDS - % Hosts with IDS or monitoring - # Firewall issues - User adds, changes deletes - # firewall rule changes - # Users added and % of defects/rework - % Users added/removed late - # Systems covered by DRP - % Processes covered by BCP - # Attempted Intrusions -external, internal, DMZ, apps - # Investigations - % Investigations resolving root cause issues - # CERT reported - # Incidents - Incident severity, trends, process impact) - % Incidents resolving root case issues 7

8 NJAS Not Just Another Standard Most Standards work out to be nothing more than a good check list At the end of the day, in order to report compliance against these standards, you must interpret the results. Usually an excel based nightmare results from this. Many board members and execs see the same results interpreted differently. Credibility becomes an issue Many organizations have to conform with more than one standard. One to many is difficult to keep a handle on 8

9 November 2 nd, 2017 Gautam Dev 9

10 What is it that we are trying to address? Background What qualifies as a risk? "Wrongful access or an attempt towards wrongful and anomalous access towards any data element So What is plaguing us in our quest for a robust, scalable Risk based Program to tackle the above statement? Increasing, evolving industry regulations and standards Increasing, evolving business models Increasing, evolving cyber security tools and technology developments Increasing, evolving cyber breaches 10

11 Build a Foundation for Cyber Risk Governance Where do we begin Well defined and executed Cyber Risk Governance involves and informs all stakeholders. It enables an organisation to effectively oversee and assess cyber security risks and make adequate, efficient and consistent risk management decisions. - KuppingerCole (Cyber Risk Governance Whitepaper 70360) Core functions enabling such a foundation: Well defined Service vectors/groups Easy synergy between those service vectors and technology platforms that exist Driven by definitive and situational use cases critical to the business Measurable index for those individually defined situations and with respect to: Compliance Vulnerability towards being Breached Insider threats and anomalies Adaptive in nature to strike a balance between risk and trust in near real-time Real-time, continuous assessment of those situational indexes Return on Investment - A Measure for Financial liability against Security spending 11

12 Framework 4 Core Service Dimensions Informed, Secured, Governed and Resilient Maps to Gartner s Adaptive Architecture & CARTA (Continuous Adaptive Risk and Trust Assessment) vision 12

13 Areas of Concentration Points of Intersection Service Dimensions Within each of the 24 intersected segments, Business Critical Situational Use cases are defined and then continuously assessed for risk. 13

14 Situational Intersections Informed Services Secured Services Governed Services Resilient Services Risk Visibility Security Architecture & Implementation Monitor Security Effectiveness per Plan Vulnerability Scan & Network Security Testing Example of the situational intersections for continuous assessment against the 4 Dimensions. Compliance Adherence New Application & Data req. registration Identity & access Mgmt. Infrastructure Security Compliance Mgmt. & Escalations Risk Scoring & Escalations Application security Testing Attack & Penetration Business Unit focused predictive analysis report on Risk & Compliance Application & Data Security Risk Awareness & Agile Threat Prevention Forensic & Readiness evaluation Informed Business Secured I.T. Governed Compliance Resilient Readiness 14

15 Situational Variables & Risk Metrics Each Defined Situational Use case can be: Evaluated against a set of situational variables to determine the Risk Criticality and Risk Liability for that situation failing Above evaluation can then provide a composite Risk score and Financial Liability value for each failing situation. The consolidated Metrics can then be aligned organizationally to address Questions at different levels. Loss of Confidentiality ($) Loss of Integrity ($) Loss of Availability ($) Executive View Are We Secure Enough for Our Business? Are We in Compliance? Loss of Accountability ($) Risk Liability Loss of Business ($) Management View Loss of Reputation ($) Risk Liability & Criticality Score Card Do We have Efficient Incident Response? Are We Ready for Disaster? Loss of Privacy ($) Loss of Compliance ($) 15

16 And To Sum it Up Adopt a measurable risk based framework Identify the Problem Statements Clearly Understand Situations critical to your business Prioritize and Concentrate on Identified Areas Don t Fire and Forget, Continuously Measure and Monitor Progress Use a Solution + Product Partner who can support your journey 16

17 Ken Bigelow In Conversation with Peter Alterman Scott Lyons Ken Pfeil 17

18 Scott Gordon In Conversation with Matt King Mark Goebel Ken Pfeil 18

19 Jon Klein In Conversation with Carole Fennely Matt King Scott Lyons 19

20 Michael Yaffe In Conversation with Gautam Dev Christine Marciano Ken Pfeil 20

21 Kyle Flaherty In Conversation with Carole Fennely Josh Marpet Jon Klein 21

22 Mike Palitto In Conversation with Gautam Dev Josh Marpet Alan Leung 22

23 Daniel Clayton In Conversation with Scott Lyons Mark Goebel Jean-Claude Franchitti 23

24 24