Crown Jewels Risk Assessment: Cost-Effective Risk Identification


SESSION ID: GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow
CEO, Lantego
@douglandoll

Information Security Risk Assessment (ISRA)

Definition: An objective analysis of the current security controls' effectiveness to protect an organization's assets and a determination of the probability of losses to those assets.

Benefits:
- Information Security Program Oversight: periodic review (e.g., checks and balances); review effectiveness after threats, environment, and business process changes
- Basis for Risk-based Spending: buy the greatest risk reductions, not pet projects and squeaky wheels

Information Security Risk Assessment (ISRA) Process

The risk assessment process follows these five steps for EVERY risk assessment subject:
1. Preparation: Scope, Assets, Boundaries
2. Data Gathering: Controls Review, Interview, Observe, Test
3. Risk Analysis: Threat, Vulnerability, Impact
4. Risk Remediation: Safeguards, Cost Effectiveness
5. Reporting and Resolution: Report, Repository, Guidance, Tracking

Traditional Centralized System Risk Assessments

Traditional organizations have centralized information systems:
- Common organizational controls: security policy, human resources, training, incident response
- Common system controls: authentication, configuration management, incident monitoring
- Limited systems
[Diagram: General Office Services (Authentication, File Server), Mission Applications, Network Infrastructure, Database]

De-Centralized System Risk Assessments

Many organizations have expanded from centralized information systems:
- Cloud-based applications: file storage, marketing, expense tracking, business intelligence
- Third party management: system hosting, out-sourced development, human resources, sales
- Unlimited systems
[Diagram: General Office Services (Authentication, File Server), Mission Applications, Network Infrastructure, Database]

Information Security Risk Assessment (ISRA) Process

The Data Gathering step of the ISRA process does not scale well.
[Chart: effort per step (Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution) for 1-2 systems, 3-5 systems, and 6-10 systems; vertical axis 0 to 300]

Effect of Increasing # of Systems

Cost drastically increases as the # of systems increases.

Effect of Increasing # of Systems

Data quality suffers as the # of systems increases.

Data Quality Typically Suffers

- Self-Assessments ask each system owner to rate the strength of their systems
- Survey-based assessments send questionnaires to control custodians

Crown Jewel Approach

Most Critical Data & Systems:
- Threats: all system threats + unique threats + targeted attacks
- Impact: catastrophic impact upon system loss or upon data loss

Crown Jewels Approach

Most Critical Data & Systems:
- Volume: for most organizations, 0.01% - 2.0% of total sensitive data
- Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress

Crown Jewels Project Environment

- Fortune 500 subsidiary
- 189 information systems; 80%+ cloud-based
- 36 system owners; 15 system custodians

Crown Jewels Project

Define
- For each business unit: identify critical systems; define critical data
- (Reduced systems from 186 to 20 here.)
Discover
- For each crown jewel: identify lifecycle, environment, and flows; identify system & environment controls
Baseline
- For each crown jewel: identify requirements; assess control effectiveness
Analyze
- Identify control gaps; identify security risk; prioritize security gaps
Secure
- Create security solution sets; deploy solutions; monitor solutions
- (Applied risk remediation to overall program here.)
ITAR CM.01.2014
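The two ideas the deck relies on, selecting the small set of systems that holds most of the data value (the Crown Jewels Approach slide) and then running the Risk Analysis step (threat, vulnerability, impact) only on that set (the Define and Analyze phases above), can be expressed as a short scoping routine. The following is an added example, not code from the presentation or from Lantego; the inventory, the 1-5 rating scales and the 70% value threshold are constructed assumptions chosen to mirror the deck's figures, and the multiplicative risk score is one common convention, not the speaker's stated method.

```python
"""Crown-jewel scoping over a constructed system inventory (illustrative, not from the deck)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    data_value: float   # relative business value of the sensitive data held (constructed)
    likelihood: int     # 1-5 threat likelihood, including targeted attacks (constructed)
    vulnerability: int  # 1-5 control weakness from the controls review (constructed)
    impact: int         # 1-5 impact of system or data loss (constructed)


# Constructed inventory: a few systems hold most of the value, as the deck describes.
INVENTORY = [
    System("ERP", 40, 4, 3, 5),
    System("Customer DB", 25, 4, 4, 5),
    System("Source code repo", 15, 3, 2, 4),
    System("Payroll (SaaS)", 8, 2, 2, 3),
    System("Marketing CMS", 5, 3, 4, 2),
    System("Expense tracking (SaaS)", 3, 2, 3, 2),
    System("Intranet wiki", 2, 2, 3, 1),
    System("Print server", 2, 1, 2, 1),
]


def select_crown_jewels(systems, value_share=0.70):
    """Return the highest-value systems whose combined data value first reaches
    value_share of the total. This is the Define phase: rank by value, stop
    as soon as the chosen set covers the target share."""
    total = sum(s.data_value for s in systems)
    threshold = value_share * total
    ranked = sorted(systems, key=lambda s: s.data_value, reverse=True)
    chosen, covered = [], 0.0
    for s in ranked:
        if covered >= threshold:
            break
        chosen.append(s)
        covered += s.data_value
    return chosen


def risk_score(s):
    """Analyze phase: likelihood x vulnerability x impact (assumed scoring convention)."""
    return s.likelihood * s.vulnerability * s.impact


def prioritize(systems):
    """Order a set of systems so the largest risk is remediated first."""
    return sorted(systems, key=risk_score, reverse=True)


def scope_reduction(all_systems, jewels):
    """Fraction of the inventory that no longer needs the costly Data Gathering step."""
    return 1 - len(jewels) / len(all_systems)


if __name__ == "__main__":
    jewels = select_crown_jewels(INVENTORY)
    print(f"Crown jewels: {[s.name for s in jewels]}")
    print(f"Assessment scope reduced by {scope_reduction(INVENTORY, jewels):.0%}")
    for s in prioritize(jewels):
        print(f"  {s.name:<18} risk={risk_score(s)}")
```

With the constructed inventory, three of eight systems cover 80% of the data value, so the Data Gathering effort that the earlier chart shows scaling badly is spent on three systems rather than eight, and the Analyze phase ranks Customer DB above ERP because its weaker controls outweigh the ERP's slightly lower likelihood. Real inventories need the value and rating columns to come from the business-unit interviews the Define phase calls for, not from the assessor's guesswork.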

Crown Jewels Project: Key Project Artifacts

Across the Define, Discover, Baseline, Analyze and Secure phases:
- Application Risk Survey & Interview Results
- Responses & Scoring
- Required Controls
- Controls Assessment
- Risk Analysis
- Solutions Development

Crown Jewels Project Results

- Identification of corporate crown jewels
- Determination of crown jewel risk
- Limitation of assessment to the most impactful elements
- Creation of a security controls plan with the most significant risk reduction
Less Work, More Results

Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)

Next Week:
- Identify the organization's security assessment plan: self vs. third party; frequency; rigor / technique (tests vs. assessments)
- Determine adequacy of the plan

Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)

Within 1 Month:
- Identify and review contractual and legal security requirements
- Review the latest security assessment reports
- Identify business process owners
Within 3 Months:
- Conduct a Crown Jewels project
- Apply lessons learned

Thank You

Contacts: Doug Landoll, CEO, Lantego, dlandoll@lantego.com

Project Challenges (Define, Discover, Baseline, Analyze, Secure)

1. Common organizational definition of crown jewels
2. Identification of business processes
3. Identification of business / systems owners
4. Identifying a business champion