The Open Group. Cybersecurity Risk Management

Transcription

1 The Open Group Cybersecurity Risk Management

2 About The Open Group Leading international standards organization, with over 400 members worldwide, and tens of thousands of participants, UNIX, TOGAF, EA Jim Hietala: CISSP, GSEC, VP Security, responsible for security and risk management programs and activities Security Forum, Jericho Forum, Real Time & Embedded Systems Forum, Trusted Technology Forum 2/23/2012 2

3 Agenda The Cybersecurity Environment Changing threats and attacks, macro trends in IT, Compliance trends Risk Management Prioritize information security spending, countering the threat, protect the brand Doing Better Risk Assessments Open Group Risk Management Resources, Coming Attractions 2/23/2012 3

4 Changing Threats

5 Political, APT Threats

6 Cyberwar, Hacktivism

7 Threats & Attackers, Then and Now 1980 s: Now: Profit motivated criminals Global, leverage freely available tools Sophisticated attackers and attacks State sponsored or tolerated

8 Site Access For Sale

9 Macro IT Trends Consumerization BYOD Cloud Virtualization Mobility Collaboration 2/23/2012 9

10 Drivers for Risk Management Prioritize security spend Counter the threat Protect the brand Compliance 2/23/

11 Information Security Spending Are we spending wisely on security controls? Are our security controls effective? Are we protecting the right information assets? 2/23/

12 Countering the Threat Is risk decreasing or increasing? Are we protecting assets that don t matter? Have we left critical assets unprotected? 2/23/

13 Protecting the Brand Organization's brand value dropped between 17 to 31 percent following a breach 2/23/

14 Compliance Still driving infosec spend Driving risk management as well Regulations & standards requiring risk assessments include GLBA, HIPAA, PCI DSS, FISMA, and ISO 27002/ /23/

15 Compliance and Risk Management Intersect at the level of controls that enable compliance, and reduce risk Compliance assessment or measurement tends to be done at a more detailed level Compliance assessments can surface risk issues

16 Positive View of Risk Playstation Network $178M breach cost Playstation 3 $1.5B/qtr. 2/23/

17 Risk Mitigation Classically, organizations could: Mitigate or reduce risk through the application of security controls Ignore the risk Accept the risk Transfer 2/23/

18 Transfer the Risk? Cybersecurity breach insurance 3 rd party liability coverage (PII breaches) Some direct cost coverage (e.g. credit monitoring) 2/23/

19 Poll #1 Is your firm using or considering cybersecurity breach insurance? A. Yes B. No C. Planning to D. Not sure 2/23/

20 ITRM Challenge: Communicating about IT Risk Issues Sr. management care about risk and business impact, but they generally don t care about (or for) security tech jargon Suggestions Use a standard taxonomy Use a risk analysis methodology that is approachable to and understandable by Sr. management

21 Poll #2 Which of these is your most difficult risk management challenge? A. Scoping risk assessments B. Getting executive buy-in to do risk assessments C. Getting executive sign off to accept risk D. Getting executive approval and funding to mitigate risks by implementing security controls 2/23/

22 Open Group Risk Management Three publications Risk Taxonomy Standard Requirements for Risk Assessment Methodologies FAIR-ISO27005 Cookbook 2/23/

23 Open Group Risk Taxonomy Standard Based on FAIR

24 Open Group Risk Taxonomy Standard Risk Risk: The probable frequency and magnitude of future loss Loss Event Frequency Probable Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Factors Secondary Loss Factors Contact Frequency Probability of Action Threat Capability Control Strength Asset Factors Threat Factors Organization Factors Environmental Factors

25 Requirements for Risk Assessment Methodologies Companion to Taxonomy Standard Describes: Key risk assessment traits: Probabilistic, Accurate, Defensible, Logical, Risk- Focused, Concise, Feasible, Actionable, Prioritized Quantitative vs. Qualitative measurement Need for SME involvement, including business owners Data gathering issues

26 FAIR and ISO27005 Cookbook Addresses how do I use FAIR and ISO27005

27 2/23/

28 2/23/

29 2/23/

30 Coming Attraction Constructing a Data Model for Organizational Inter-Dependencies Dependency modeling and risk information sharing in support of building trust between interdependent enterprises Ambitious goal: of allow modeling and understanding of risk inter-dependencies between organizations (buyer-supplier, IT outsourcing for example) New Security Forum work project led by researchers from Cardiff University, UK 2/23/

31 Summary Risk management is more necessary than ever (Free) tools exist to make the risk management more effective, consistent, and to make the process and results understandable to management

32 Questions? 2/23/

33 Resources Open Group Open Group Risk Series Risk Taxonomy Standard: Risk Assessment Requirements Guide: FAIR/ISO Cookbook: ils.jsp?publicationid=12239 NIST r1: 2/23/