Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Similar documents
Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Rethinking Information Security Risk Management CRM002

Building a Resilient Security Posture for Effective Breach Prevention

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

State of South Carolina Interim Security Assessment

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

How To Build or Buy An Integrated Security Stack

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

K12 Cybersecurity Roadmap

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

SOLUTION BRIEF Virtual CISO

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Designing and Building a Cybersecurity Program

2018 MANAGED SECURITY SERVICE PROVIDER (MSSP): BENCHMARK SURVEY Insights That Inform Decision-Making for Retail Industry Outsourcing

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

NYDFS Cybersecurity Regulations

CISO as Change Agent: Getting to Yes

Cyber Resilience. Think18. Felicity March IBM Corporation

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Vulnerability Assessments and Penetration Testing

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Why you should adopt the NIST Cybersecurity Framework

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

CYBERSECURITY MATURITY ASSESSMENT

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Securing Your Digital Transformation

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

PROFESSIONAL SERVICES (Solution Brief)

Jan Nys GM Cyber Security

NCSF Foundation Certification

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

ISE North America Leadership Summit and Awards

ISACA Arizona May 2016 Chapter Meeting

The NIST Cybersecurity Framework

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Twilio cloud communications SECURITY

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cyber Risks in the Boardroom Conference

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

The Deloitte-NASCIO Cybersecurity Study Insights from

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cyber Security Program

IoT & SCADA Cyber Security Services

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Critical Hygiene for Preventing Major Breaches

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

Changing the Game: An HPR Approach to Cyber CRM007

Cybersecurity Auditing in an Unsecure World

Cyber Risk in the Marine Transportation System

RSA Cybersecurity Poverty Index

Background FAST FACTS

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Effective Cyber Incident Response in Insurance Companies

Address C-level Cybersecurity issues to enable and secure Digital transformation

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Avanade s Approach to Client Data Protection

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

RSA Cybersecurity Poverty Index : APJ

Continuous protection to reduce risk and maintain production availability

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Reinvent Your 2013 Security Management Strategy

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Must Have Items for Your Cybersecurity or IT Budget in 2018

Framework for Improving Critical Infrastructure Cybersecurity

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

THE POWER OF TECH-SAVVY BOARDS:

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security in Today s Insecure World for SecureTokyo

IT Monitoring Tool Gaps are Impacting the Business A survey of IT Professionals and Executives

White Paper. View cyber and mission-critical data in one dashboard

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Cybersecurity for Health Care Providers

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Addressing the elephant in the operating room: a look at medical device security programs

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

Healthcare Security Success Story

Transcription:

Mitigating Risk with Ongoing Cybersecurity Risk Assessment Scott Moser CISO Caesars Entertainment

CSO50 Presentation Caesars Entertainment Cybersecurity Risk Management Scott Moser Chief Information Security Officer April 2019

AGENDA Caesars Entertainment Business Environment Strategic, Market, Operational & Investment Drivers Caesars Cybersecurity Risk Management Program Business Need How the Program Works Risk Assessment Benefits

CAESARS BRANDS DIVERSE OFFERING GAMING, HOSPITALITY, ENTERTAINMENT, FOOD & BEVERAGE, AND RETAIL

CAESARS HAS A GLOBAL FOOTPRINT FOR GROWTH 115M+ ANNUAL GUEST VISITORS 55M CAESARS REWARDS MEMBERS 63K+ EMPLOYEES WORLDWIDE INTERNATIONAL EXPANSION DUBAI MEXICO SOUTH KOREA 50+ PROPERTIES IN FIVE COUNTRIES #3 LARGEST LIVE ENTERTAINMENT PROMOTER

DIGITAL INNOVATION MOBILE POINT OF SALE MOBILE CHECK-IN ADVANCED DIGITAL ASSISTANT Digital concierge, keyless entry, Digital RSVP ESPORTS EVENTS & LOUNGES REAL TIME LEADERBOARDS INNOVATION ACCELERATOR Leaderboard action displayed throughout the casino Mobile sports betting in all legal jurisdictions

THE NEED FOR CYBER RISK MANAGEMENT 32% YoY increase In vulnerabilities across industry 31% YoY increase In Cybersecurity threats across industry Challenge: Vulnerabilities increase the risk of Cyber attacks against the enterprise Challenge: Threats must be contained and remediated before impact to business occurs 33% Of 65K network devices are Windows based RISK ENVIRONMENT Millions Active customer records Challenge: Rapid growth in threats against exposed Windows servers Challenge: Criminal organizations constantly targeting customer data 6 Major cloud platform transformations in past two years 10% Staffing increase in past two years 50% increase in board level inquiries Challenge: Cloud platforms require new security controls, processes, and policy Challenge: Recruiting, training and retaining talented Cyber professionals to keep up with the demand increase Challenge: Are the board members asking the best questions or responding to media

RISK MANAGEMENT PROGRAM DRIVERS Environmental Change GOVERNANCE Threat Change Project Submission RISK ASSESSMENT RISK SCORE Technology Steering Committee Project Approval Proof of Concept Cyber Governance Risk Acceptance Innovation Idea REQUIRED SECURITY CONTROLS Vendor Security Mgt Security-bydesign Vulnerability Management Process Controls Change Mgt Vendor Audit Project Acceptance Cyber Governance Approval

ENTERPRISE RISK ASSESSMENT PROCESS NIST 800-30 METHODOLOGY WAS USED TO ASSESS THE CORPORATE SHARED ENVIRONMENT AND THREE REPRESENTATIVE PROPERTIES Threat Source Threat Event Adverse Impact Likelihood of Attempt Risk Overall Likelihood Likelihood of Success Likelihood of Attempt, Likelihood of Success, Overall Likelihood, and Adverse Impact are key components in the calculation of risk. Vulnerability or Weakness Mitigating Factor Risk is reduced by reducing the Likelihood of Success by implementing Mitigating Controls.

ENTERPRISE RISK ASSESSMENT DISCOVERY AND ASSET IDENTIFICATION PHASE SENSITIVE DATA ONLY Customer PII, Employee PII, Financial, Legal/Contracts, Company Strategy DOCUMENTATION REVIEWS, BUSINESS INTERVIEWS, CONTROL REVIEWS Architectural and project information as well as Cybersecurity technology Meetings with business data and process owners SECURITY CONTROL MATURITY ASSESSMENT Based on NIST CSF both at corporate and property level ASSESSMENT OF IMPACT AND EVENT LIKELIHOOD Threat event impact based on modified CVSS 2.0 with a 3-tier qualitative RESULTS: RISK REGISTER AND REMEDIATION RECOMMENDATIONS Over 3,900 risk entries (95 assets, 18 threat sources, 58 threat events, 41 potential vulnerabilities/exposures) 35 prioritized remediation recommendations

CYBERSECURITY MATURITY 2016 2017 2018 2019 Target Identify Recover Respond Tier 1 Tier 4 Protect Detect 108 Cyber Security Framework Controls: *NIST Example maturity projects Security Operating Platform Security Incident Orchestration Automate vulnerability remediation Strengthen password authentication Biometric authentication Implement multi-factor authentication Implement data governance Security-by-design/Privacy-by-design Application Penetration Testing Privileged user certification M&A Cyber risk assessments *NIST Tiers of Cyber Security Readiness Tier 1 Controls not Implemented Ad hoc reaction to cyber threats Tier 2 Controls partially implemented Formal cyber security policies exist, but not enterprise wide Tier 3 Controls fully Implemented Security teams can react to cyber events Tier 4 Controls implemented, enterprise cyber aware & can recover fully from an attack National Institute of Standards and Technology Cyber Security Framework

TAKEAWAYS A DEFENSIBLE CYBERSECURITY PROGRAM RELIES ON RISK MANAGEMENT Focus limited resources both people and budget Address the most important risks first RISK ASSESSMENTS MUST HAVE BUSINESS ENGAGEMENT Business identifies data and system criticality as well as the impact of events REMEDATION ITEMS MUST BE PRIORITIZED, RESOURCED AND EXECUTIVED The list can be overwhelming so prioritization is the essential USE THE RESULTS EFFECTIVELY TO INFORM AND INFLUENCE THE BUSINESS Key metrics/kpis can influence the SMT and BoD Key business leaders and data owners should understand the results Results can influence prioritization of resources and projects

QUESTIONS & DISCUSSION CYBERSECURITY RISK MANAGEMENT

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback