Information Security Risk Strategies. By

Transcription

1 Information Security Risk Strategies By

2 Meeting Agenda Challenges Faced By IT Importance of ISO & NIST The Security Pyramid Benefits of Identifying Risks Dealing or Not Dealing With Risks Applying Real-World Risk Management Methodologies Conclusion

3 Challenges Information & System Availability Complex Environments Connectivity Requirements (Work From Anywhere \ Anytime) Fast Paced Growth (Acquisitions) Regulation Requirements Transitioning from Reactive to Proactive Practices Limited Resources (Biggest Challenge)

4 Regulations HIPAA Health Insurance Portability & Accountability Act GLBA Gram-Leach-Bliley Act Sarbanes-Oxley- Sarbanes-Oxley Act Payment Card Industry Credit Card Industry Specific Requirements

5 Key Methodologies ISO National Institute of Standards & Technology (NIST) ITIL CoBIT

6 Importance of NIST & ISO National Institute of Standards & Technology Referenced Throughout Most Regulations Policies and Procedures Are Critical to NIST Best Practices ISO is Industry Recognized Standard for Security ISO Covers 10 Areas of Security Each ISO Area Has Individual Security Items If You Follow NIST and ISO You Would Have a Strong Security Posture and Should Pass Almost Every Audit Combine NIST Levels and ISO-17799

7 ISO Covered Areas Security Policies Organizational Security Asset Classification & Control Personnel Security Physical and Environmental Security Communications & Operations Management Access Control System Development & Maintenance Business Continuity Management Compliance

8 NIST Legend Level 1 control objective documented in a security policy Level 2 security controls documented as procedures Level 3 policies and procedures have been communicated & implemented Level 4 procedures and security controls are tested and reviewed Level 5 procedures and security controls are fully integrated into a comprehensive program.

9 ISO Graph Sample Business Continuity Actual Practice Peer Comparison NIST Level Business Continuity Management Process Business Continuity & Impact Analysis Writing & Implementing Continuity Plan Business Continuity Planning Framework Testing Maintaining & Reassessing BC Plan

10 Assess the Pyramid

11 What is the Pyramid Holistic\Integrated Approach to Security Represents the key building blocks to a strong Information Security Posture Represents Berbee s approach to security Much Like Malsow s Hierarchy of Needs or USDA s Food Pyramid

12 Three Types of Clients Those that are maintaining the pyramid Those who are building the pyramid Those that need to start building the pyramid They all have different pyramid needs

13 Security Professional s Goals Reduce Risk Reduce Cost Reduce Complexity

14 Policies, Procedures, Standards & Leadership Support Policies Procedures Standards Leadership Support

15 Assessments & Risk Management Risk Management Provide a roadmap to strengthen weaknesses Provide an idea of remediation budget If you re regulated, it will save you time when the audit occurs Assessments Types Baseline Compliance Progress Purposes Facilitation Education Justification

16 Benefits of Identifying Risks Can t Manage if You Can t Measure Knowing Risks will allow you to determine what and how to protect against threats It will identify costs of dealing with threats Roadmap for Protection Mechanisms Knowing Risks will be the first step towards evaluation & implementation of protection practices and solutions Project Plans and Head Count Necessary for Risk Mitigation will be defined Enhances Proactive Response Practices Knowing Risks will allow for more effective Incident Handling, IT Contingency, and Physical protection mechanisms With Risk Prioritization, when multiple issues occur, it will reduce time to respond

17 Dealing or Not Dealing With Risks Three ways to deal with risks Accept the risk as it is Mitigate or reduce the risk Transfer the risk (insurance) Not taking the time to identify risks has these potential consequences Significant monetary loss due to attacks Regulatory Penalties Civil Penalties (class action lawsuits by victims) Damage to Reputation Intellectual Property Loss Customer Privacy Compromised Physical Loss Loss of Life in Critical Infrastructures (Transportation, Health Care, Government, Utilities)

18 How To Identify and Prioritize Risk First Step is a Business Impact Analysis Utilize ISO Checklist Send out a BIA Questionnaire to Business Units Fill out the Risk Assessment Spreadsheet for each System, Application and Process from the BIA and ISO Checklist Create Priority Matrix & Tasks Lists With the results from the Risk Assessment Spreadsheet and other Material, a Task Plan can be built Identify resources that should be part of the Risk Management Project Risk Management Team First Steps Should each risk be: Accepted, Mitigated, Transferred For those that need to be mitigated: determine next steps

19 Key Processes In Overall InfoSec Program Assess policies, standards, procedures by conducting a gap analysis Author policies and procedures that are not in place based on the gap analysis Implement an internal Audit and Assessment process Conduct a Risk Analysis to identify systems, applications and their critical priority level Build an Incident Response\Handling process

20 Key Processes Continued Implement Release, Configuration and Management processes Create a Security Awareness Program for all internal personnel Conduct a Cost\Benefit Analysis (CBA) on technologies that can assist in reducing the complexity and costs associated with security risks Designate staff to lead the security initiatives and allow them time to do so Assess what organizations in your industry and that are similar in size, strategy, etc, are doing for their security initiatives

21 Key Take Aways ISO and NIST Are Important Components in Identifying, Measuring and Managing Risks Risk Management involves Leadership support to get the resources to deal with it Not dealing with risk has consequences There are free tools available for initiating & maintaining the risk management process Risk Management involves diligence, key personnel involvement and keeping it simple

22 Links & Tools (Auditor) (Whoppix)

23 More Links & Tools

24 Thank You