SESSION ID: GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow
CEO, Lantego
@douglandoll
Information Security Risk Assessment (ISRA)
Definition: An objective analysis of the effectiveness of the current security controls in protecting an organization's assets, and a determination of the probability of losses to those assets.
Benefits:
- Information Security Program Oversight: a periodic review (e.g., checks and balances) of control effectiveness after threats, the environment, and business processes change
- Basis for Risk-based Spending: buy the greatest risk reductions, not pet projects and squeaky wheels
ISRA Process
The risk assessment process follows these five steps for EVERY risk assessment subject:
1. Preparation: scope, assets, boundaries
2. Data Gathering: controls review, interview, observe, test
3. Risk Analysis: threat, vulnerability, impact
4. Risk Remediation: safeguards, cost effectiveness
5. Reporting and Resolution: report, repository, guidance, tracking
Traditional Centralized System Risk Assessments
Traditional organizations have centralized information systems:
- Common organizational controls: security policy, human resources, training, incident response
- Common system controls: authentication, configuration management, incident monitoring
- Limited systems (diagram): General Office Services (Authentication, File Server), Mission Applications, Network Infrastructure, Database
De-Centralized System Risk Assessments
Many organizations have expanded beyond centralized information systems:
- Cloud-based applications: file storage, marketing, expense tracking, business intelligence
- Third-party management: system hosting, out-sourced development, human resources, sales
- Unlimited systems (diagram): General Office Services (Authentication, File Server), Mission Applications, Network Infrastructure, Database
ISRA Process
The Data Gathering step of the ISRA process does not scale well.
[Chart: effort per ISRA step (Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution) for 1-2 systems, 3-5 systems, and 6-10 systems; vertical axis 0-300, with Data Gathering growing fastest as the number of systems increases.]
Effect of Increasing # of Systems
Cost increases drastically as the # of systems increases.
Effect of Increasing # of Systems
Data quality suffers as the # of systems increases.
Data Quality Typically Suffers
- Self-assessments ask each system owner to rate the strength of their own systems
- Survey-based assessments send questionnaires to control custodians
Crown Jewel Approach: Most Critical Data & Systems
Threats: all system threats + unique threats + targeted attacks
Impact: catastrophic impact upon system loss and upon data loss
Crown Jewels Approach: Most Critical Data & Systems
Volume: for most organizations, 0.01% - 2.0% of total sensitive data
Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress
Crown Jewels Project Environment
- Fortune 500 subsidiary
- 189 information systems; 80%+ cloud-based
- 36 system owners; 15 system custodians
Crown Jewels Project
Define (for each business unit; reduced systems from 186 to 20 here):
- Identify Critical Systems
- Define Critical Data
Discover (for each crown jewel):
- Identify Lifecycle, Environment, and Flows
- Identify System & Environment Controls
Baseline (for each crown jewel):
- Identify Requirements
- Assess Control Effectiveness
Analyze:
- Identify Control Gaps
- Identify Security Risk
- Prioritize Security Gaps
Secure (applied risk remediation to the overall program here):
- Create Security Solution Sets
- Deploy Solutions
- Monitor Solutions
ITAR CM.01.2014
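The Define phase above is a scoping decision: keep only the systems whose data carries most of the value (the 0.01%-2.0% of volume that represents up to 70% of value) plus any system whose loss would be catastrophic, and drop the rest from data gathering. The following is an added illustration, not code from the deck or from Lantego; the inventory, the `data_value` units and the `catastrophic_loss` flag are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    owner: str
    sensitive_records: int   # volume of sensitive data held
    data_value: float        # estimated value of that data (constructed units)
    catastrophic_loss: bool  # would loss of the system or its data be catastrophic?


# Constructed inventory standing in for a larger system list.
INVENTORY = [
    System("erp", "finance", 50_000, 900.0, True),
    System("itar-drawings", "engineering", 5_000, 700.0, True),
    System("crm", "sales", 400_000, 150.0, False),
    System("hr-portal", "hr", 30_000, 120.0, False),
    System("expense-app", "finance", 80_000, 40.0, False),
    System("marketing-cloud", "marketing", 1_500_000, 30.0, False),
    System("wiki", "it", 2_000_000, 10.0, False),
    System("dev-build", "engineering", 1_000, 5.0, True),
]


def identify_crown_jewels(systems, value_share=0.70):
    """Smallest high-value set reaching value_share of total data value,
    plus every system flagged catastrophic. Order follows value rank."""
    total = sum(s.data_value for s in systems)
    ranked = sorted(systems, key=lambda s: s.data_value, reverse=True)
    jewels, running = [], 0.0
    for s in ranked:
        if running < value_share * total:
            jewels.append(s)
            running += s.data_value
    # Catastrophic-impact systems are in scope regardless of value rank.
    jewels += [s for s in ranked if s.catastrophic_loss and s not in jewels]
    return jewels


def volume_share(systems, jewels):
    """Fraction of sensitive records held by the crown jewels."""
    return sum(s.sensitive_records for s in jewels) / sum(s.sensitive_records for s in systems)


def scope_reduction(systems, jewels):
    """Fraction of systems dropped from data gathering (effort scales with count)."""
    return 1 - len(jewels) / len(systems)


if __name__ == "__main__":
    cj = identify_crown_jewels(INVENTORY)
    print([s.name for s in cj], volume_share(INVENTORY, cj), scope_reduction(INVENTORY, cj))
```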
Crown Jewels Project: Key Project Artifacts
Phases: Define, Discover, Baseline, Analyze, Secure
Artifacts:
- Application Risk Survey & Interview Results
- Responses & Scoring
- Required Controls
- Controls Assessment
- Risk Analysis
- Solutions Development
Crown Jewels Project Results
- Identification of corporate crown jewels
- Determination of crown jewel risk
- Limitation of the assessment to the most impactful elements
- Creation of a security controls plan with the most significant risk reduction
Less work, more results.
Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)
Next Week:
- Identify the organization's security assessment plan: self vs. third party; frequency; rigor / technique (tests vs. assessments)
- Determine adequacy of the plan
Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)
Within 1 Month:
- Identify and review contractual and legal security requirements
- Review the latest security assessment reports
- Identify business process owners
Within 3 Months:
- Conduct a Crown Jewels project
- Apply lessons learned
Thank You
Contact: Doug Landoll, CEO, Lantego, dlandoll@lantego.com
Project Challenges (Define, Discover, Baseline, Analyze, Secure)
1. Common organizational definition of crown jewels
2. Identification of business processes
3. Identification of business / systems owners
4. Identifying a business champion