Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

Transcription

1 Ian Speller CISM PCIP MBCS Head of Corporate Security at Sopra Steria

2 Information Risk in the Real World Realistic security management on a tight budget

3 Or some things I have done to make the security budget go further whilst keeping adequate protection

4 Prioritising - or a risk based approach Sorting the real threats from the many documented Consider the business from the outside What does the business have to offer? What is attractive to the threat actor? Points of weakness in the business model

5 Management buy-in Critical Has to be from the very top Requires extensive use of business language Engage in the risk process

6 Visualising risk in a business context Confidentiality: Personal data Commercial data Customer data Partner data Intellectual property Security controls: Identity and access Segregation of duties Encryption Authentication Vulnerability management Malware mitigation Awareness Impact: Legal action Regulatory sanctions Contract breach Reputation Brand damage Business disruption Loss of sales Enabler: Reduce cost Efficiency Compliance Flexibility Improve brand Performance Support sales

7 Provide proactive Controls across domain Remove lack of controls Ensure Flexibility to Respond to Change Remove lack of security visibility & threat assessment Average 21,695 breaches per annum Prevent Litigation Prevent Loss of Reputation Improve Brand Image Reputation losses & diminished 1.07m per annum Mitigate Risks Comply with regulatory requirements Reduce Costs Security Control Solution Enabler 90 per capita cost - employee mistakes Prevent data lost through non malicious action or poor controls 104 per lost or stolen record Prevent data lost through non malicious action or poor controls Increase Profit Initiative Benefit Objective Measurable benefit (not financial) Prevent website defacement through weak controls and/or vulnerabilities 49% incidents are malware 123 per capita cost Prevent website defacement through weak controls and/or vulnerabilities Prevent Financial Loss Reduce staff hours lost Non cashable benefit (less provable) Cashable benefit (clearly provable) Prevent denial of service attacks impacting availability of systems & data Prevent denial of service attacks impacting availability of systems & data Improve Performance Impact data sourced from Ponemon Institute study 2015 Cost of Data Breach Study: United Kingdom (May 2015)

8 Provide proactive Controls across domain Remove lack of controls Ensure Flexibility to Respond to Change Remove lack of UK network security visibility & threat assessment Average 21,695 breaches per annum Prevent Litigation Prevent Loss of Reputation Improve Brand Image Reputation losses & diminished 1.07m per annum Mitigate Risks Comply with regulatory requirements Reduce Costs Security Control Solution 90 per capita cost - employee mistakes Prevent data lost through non malicious action or poor controls 104 per lost or stolen record Prevent data lost through non malicious action or poor controls Increase Profit Prevent website defacement through weak controls and/or vulnerabilities 49% incidents are malware 123 per capita cost Prevent website defacement through weak controls and/or vulnerabilities Prevent Financial Loss Disbenefits Unit Cost Unit Unit Value Perfect Storm Impact Cost Risk Rating Adjusted Impact Cost Cost of Mitigation Saving Data lost through non malicious action or poor controls 90 Per Capita 6, ,000 25% 144,000 Malicious code (malware) impacting availability, integrity or confidentiality of systems & data 123 Per Capita 6, ,200 20% 157,440 57, ,000 Unauthorised manipulation, removal, copying, destruction and/or blocking of data 104 Records 10,000 1,040,000 15% 156,000 56,000 Loss of reputation 1,070,000 Per Annum 1 1,070,000 25% 267, ,500 Grand Total 3,473, , , ,940 44,000

9 Top threats currently Malware via External attacks on the network perimeter Digital Cloud Big data Mobile IoT Mishandling of data Lack of understanding PEOPLE } Agile

10 People Source: INFORMATION SECURITY BREACHES SURVEY 2015 by PwC for HMG

11 Awareness on a shoestring Keep it simple (a picture is worth a thousand words) Give advice applicable to the home as well as workplace (make it personal) Definitely get some audio visual material (get their attention) Wherever possible seek some face to face opportunities (interaction) Keep up at it continually and tie in with training (programme not a project)

12 Multi-channel awareness Classify Data! Courtesy of Twist and Shout Encrypt Sensitive Data

13 Work with a recognised standard ISO/IEC ISO/IEC PCI DSS - prescriptive controls COBIT maturity model Check the domains which require controls and ensure those applicable are being addressed to reduce risk

14 Clear security management system Assets Risk Policy Controls Report Security Board Security Working Group Stakeholders

15 Get the policy set right Policies Standards Processes Guidelines Rules Principles Methods Advice

16 How are we doing? Set targets at the outset Measure at sensible intervals Report in a way that means something If possible show how risk has been reduced

17 Communication Security Operations Security Board Security Risk Security Working Group Security Incidents Security Compliance Interested Parties

18 Supply chain Third party supplier assurance approach. Engage Procurement Classification Classification spreadsheet Questionnaire Levels of Assurance Follow-up annually

19 S c o r i n g Supplier information risk classification Contact Centre Data Hosting H/W Supply S/W Supply S/W Dev IAAS SAAS F/M PII Marketing Card data Billing Volumes Storage Processing 10k LOW MEDIUM HIGH

20 Summary Determine the key risks Communicate risks as business risks Concentrate on current and real threats People are potentially the most effective defence Check your controls against a standard like ISO Ensure you have a clear governance structure Keep the policy document set simple

21 Questions