Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Similar documents
Cybersecurity in Higher Ed

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

DeMystifying Data Breaches and Information Security Compliance

Why you should adopt the NIST Cybersecurity Framework

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Exploring Emerging Cyber Attest Requirements

Information Security Risk Strategies. By

The Impact of Cybersecurity, Data Privacy and Social Media

Cybersecurity The Evolving Landscape

Cyber Risks in the Boardroom Conference

HITRUST CSF: One Framework

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

INTELLIGENCE DRIVEN GRC FOR SECURITY

01.0 Policy Responsibilities and Oversight

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

SOC for cybersecurity

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Protecting your data. EY s approach to data privacy and information security

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Data Security Standards

Effective Strategies for Managing Cybersecurity Risks

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Updates to the NIST Cybersecurity Framework

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

ISACA Cincinnati Chapter March Meeting

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

Cybersecurity and Nonprofit

Keeping It Under Wraps: Personally Identifiable Information (PII)

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Cybersecurity, safety and resilience - Airline perspective

Cyber Security Program

Hacking and Cyber Espionage

Sage Data Security Services Directory

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Putting It All Together:

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Google Cloud & the General Data Protection Regulation (GDPR)

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Tracking and Reporting

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

GLBA, information security and incident response a compliance perspective

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

Hot Topics in Privacy

Hot Topics in Privacy

The value of visibility. Cybersecurity risk management examination

HIPAA Privacy, Security and Breach Notification

Using Metrics to Gain Management Support for Cyber Security Initiatives

Administration and Data Retention. Best Practices for Systems Management

Demonstrating Compliance in the Financial Services Industry with Veriato

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

PROFESSIONAL SERVICES (Solution Brief)

SECURITY & PRIVACY DOCUMENTATION

University of Pittsburgh Security Assessment Questionnaire (v1.7)

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Rethinking Information Security Risk Management CRM002

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

BHConsulting. Your trusted cybersecurity partner

Best Practices in Securing a Multicloud World

Balancing Between Risk and Compliance

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

The Evolving Threat to Corporate Cyber & Data Security

NCSF Foundation Certification

To Audit Your IAM Program

Post-Secondary Institution Data-Security Overview and Requirements

Cloud Communications for Healthcare

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Auditing in an Unsecure World

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Applying ISO and NIST to Address Compliance Mandates The Four Laws of Information Security

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Managing Cybersecurity Risk

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

The NIS Directive and Cybersecurity in

MITIGATE CYBER ATTACK RISK

NW NATURAL CYBER SECURITY 2016.JUNE.16

Effective Cyber Incident Response in Insurance Companies

Cybersecurity It Matters to SMB

Will your application be secure enough when Robots produce code for you?

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Assurance over Cybersecurity using COBIT 5

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Transcription:

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy Orus Dearman, Director, Business Advisory Services, Grant Thornton Johanna Terronez, Senior Manager, Business Advisory Services, Grant Thornton Professional Strategies S13

Aligning your business to manage cybersecurity risks Learning objectives Describe how recent changes in cybersecurity regulation and enforcement can impact your business Determine how to leverage the NIST Framework for Improving Critical Infrastructure Cybersecurity across your organization Identify best practices for aligning your organization s business units to achieve a cohesive cybersecurity strategy Achieve multiple reporting demands through a test once apply to many approach 2

Agenda Current cybersecurity threat landscape Standards, regulation and enforcement Leveraging the NIST framework Best practices Test once, apply to many 3

Current cybersecurity threat landscape Reasonably current events. Apple icloud allegedly suffers privacy breach of celebrity photos Target Data Breach Shellshock Michaels says breach at its stores affected nearly 3M payment cards Russian cyber gang steals over one billion passwords 4

Current cybersecurity threat landscape Cybersecurity breach incidence is on the rise The cost of responding to each cyber breach event in the U.S. rose to $5.4 million in 2013 2 Cybercrime and cyber espionage costs the worldwide economy about $400 billion per year 3 Over 740 million online records were exposed in 2013 1 at an average cost of $145 per compromised record 2 There were around 500 data breaches in the first half of 2013 1 1. Online Trust Organization 2. The Ponemon Institute's "2013 Global Cost of Data Breach" study 3. The Center for Strategic and International Studies' "The Economic Impact of Cybercrime and Cyber Espionage" study 5

Current cybersecurity threat landscape How are your peers responding? General Counsel More than 40% of General Counsel claim that the risk of a cybersecurity/data privacy breach has increased in the past year, and that risk was at record-high levels last year. Change in cybersecurity and data privacy risk 5% 13% 43% 39% Increased Stayed the same Decreased Not sure 6

Current cybersecurity threat landscape How are your peers responding? General Counsel Top cybersecurity concerns for General Counsel include: 57% Customer and client data 49% Fear of unknown risks 46% Legal compliance with laws 42% Potential for undetected breaches 42% Employee and workplace privacy Respondents may select more than one answer. 7

Current cybersecurity threat landscape How are your peers responding? General Counsel Responses to cybersecurity risk are lacking. 17% of General Counsel respondents were unsure about what was being done to deal with these risks within their organizations. Responses to cybersecurity and data privacy risks Monitor cybersecurity/data privacy internal controls Prepare cybersecurity/data privacy policies & procedures Determine locations of sensitive/private data Perform vulnerability assessments & penetration testing Develop and test incident response plan Evaluate cybersecurity & data privacy insurance coverage [VALUE]% [VALUE]% [VALUE]% [VALUE]% [VALUE]% [VALUE]% I'm not sure [VALUE]% Other [VALUE]% Respondents may select more than one answer. 8

Current cybersecurity threat landscape How are your peers responding? Chief Audit Executives 42% of Chief Audit Executive respondents cite data privacy and security as a risk area that has the potential to impact their organizations' growth. 9

Current cybersecurity threat landscape How are your peers responding? CFOs Top cybersecurity concerns for CFOs include: 59% Potential for undetected breaches 54% Customer/client data privacy 50% Unknown and identified risks 42% Employee and workplace privacy 32% Compliance with data security laws Respondents may select more than one answer. 10

Agenda Current cybersecurity threat landscape Standards, regulation and enforcement Leveraging the NIST framework Best practices Test once, apply to many 11

Standards, regulation and enforcement Cybersecurity: Compliance timeline Privacy Act of 1974 HIPAA 1996 GLBA 1998 Sarbanes- Oxley Act 2002 PCI DSS 2006 Massachusetts Privacy Law 2010 FINRA 2012 FFIEC 2013 NIST framework 2014 2014 SEC Act of 1934 EU Safe Harbor 1998 Cybersecurity Act of 2001 California Data Breach Law 2003 HITECH 2009 Illinois State Privacy Law 2012 Executive Order 13636 2013 12

Standards, regulation and enforcement Drivers of Framework Adoption Adoption of a Cybersecurity Framework A framework is a data structure that organizes and categorizes an organization s internal controls, and which are practices and procedures established to create business value and minimize risk. Focus on using business drivers to guide Cybersecurity activities and considering Cybersecurity risks as part of the organization s risk management processes. Drivers of Adoption Increased litigation surrounding Cybersecurity events. The cost of responding to each cyber breach event in the U.S. rose to $5.4 million in 2013. (2) Over 740 million online records were exposed in 2013 at an average cost of $145 per compromised record. (1) There were approximately 500 data breaches in the first half of 2013. (1) 13

Standards, regulation and enforcement Common Frameworks ( not all inclusive) Established frameworks include: NIST Cybersecurity Framework - Consists of standards, guidelines, and practices that enable a prioritized, flexible, repeatable, and cost-effective approach to managing cybersecurity related risk. NIST SP 800-37, Risk Management Establishes a common framework to improve information security and strengthen risk management processes SANS Critical Security Controls - Focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" (Subset of the NIST SP 800-53 controls) ISO 27001 Establishes an Information Security Management System COBIT 5 Provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions. 14

Standards, regulation and enforcement A Framework can help Driver Process Maturity Benefit Develops process maturity enabling formal, repeatable procedures Enables proactive responses to changes in business conditions and direction Drives the definition and operationalization of controls Reporting & Measurement Once baseline is established, enables insightful reporting on Cybersecurity preparedness Enables measurement of success and ongoing monitoring Risk Management Alignment to Business Objectives & Strategy Enables the organization to clearly demonstrate how they monitor and manage Cybersecurity risk throughout the security lifecycle In the event of a breach event, better position an organization to demonstrate that it made a good faith effort to implement a framework that encompasses best practice Cybersecurity practices and guidelines Clear view of how ongoing projects align with defined business objectives enabling strategic adjustments while understanding objective dependencies 15

Standards, regulation and enforcement How a framework works Monitor Identify Common Controls Base External Compliance Requirements Respond Trust Services Criteria SOC 2/3 ISO Privacy EU Safe Harbor Protect Detect 16

Standards, regulation and enforcement NIST Framework for Improving Critical Infrastructure Cybersecurity Created through collaboration between industry and government Consists of standards, guidelines, and practices to promote the protection of critical infrastructure Based on existing standards, guidelines, and practices - for reducing cyber risks Identify Protect Detect Respond Recover Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection and Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Process Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications 17

Standards, regulation and enforcement NIST Framework for Improving Critical Infrastructure Cybersecurity Experts warn that recommendations included in the Framework may be used by courts, regulators, and even consumers to hold institutions accountable for failures that could have been prevented if the cybersecurity framework had been fully implemented by the institution Since the Framework was created with industry best practices in mind, its recommendations may be recognized as industry standards in litigation 18

Standards, regulation and enforcement Enforcement The Federal Trade Commission (FTC) has begun bringing lawsuits against entities in relation to their cybersecurity policies. The SEC's Office of Compliance Inspections and Examinations (OCIE) is issuing a Risk Alert concerning cybersecurity preparedness in the securities industry. The NIST Framework is listed as information it may request when conducting an examination. 19

Standards, regulation and enforcement The NIST Framework for Improving Critical Infrastructure Cybersecurity was designed to? 20

Agenda Current cybersecurity threat landscape Standards, regulation and enforcement Leveraging the NIST framework Best practices Test once, apply to many 21

Leveraging the NIST framework IDENTIFY PROTECT DETECT RESPOND RECOVER Asset management Business environment Governance Risk assessment Risk management strategy Access control Awareness and training Data security Information protection and procedures Maintenance Protective technology Anomalies and events Security continuous monitoring Detection process Response planning Communications Analysis Mitigation Improvements Recovery planning Improvements Communications 22

Leveraging the NIST framework Where do we start? External Extended data supply chain Third parties Cloud/SaaS Breach detection Prevention and response Internal Financial and IT systems PCI, PII, NPI, HIPAA Regulatory Legal/compliance Governance/audit NIST, CCS, COBIT, ISA, ISO 23

Leveraging the NIST framework What is the most effective method of managing cybersecurity risk across your organization? Who is really responsible for cybersecurity risk management, response planning and strategy? 24

Agenda Current cybersecurity threat landscape Standards, regulation and enforcement Leveraging the NIST framework Best practices Test once, apply to many 25

Best practices Common misconceptions It will never happen to me Our network is secure We are in compliance with industry standards We are not a big company We don't have any personal information so we aren't a target We have never been attacked 26

Best practices Planning ahead Align your organization's cybersecurity risk strategy to the overall business strategy Determine your business unit's role in assessing organizations capabilities Form a cross-functional cybersecurity task force and incident response team (IRT) Determine who manages communication between management and board Develop relationships with outside companies Perform a vendor management assessment 27

Best practices Planning ahead Constant vigilance Vendor management program responsibility Have warm standby systems Effective DR or BCP plan can allow for an investigation to proceed while recovery is effected Have IRT trained and ready 28

Agenda Current cybersecurity threat landscape Standards, regulation and enforcement Leveraging the NIST framework Best practices Test once, apply to many 29

Test Once, Apply to Many: Company Challenge Service providers in every industry find themselves having to comply with multiple regulations (e.g. federal-, state- or industry-related) Additionally, enforcement actions for noncompliance are increasing in highly regulated industries, such as, healthcare and financial services Service providers are struggling with developing and maintaining adequate controls that address multiple regulations and frameworks and reporting its compliance on multiple standards to customers for an affordable spend Historical viewpoint: the differences across the compliance mandates are greater than the similarities, resulting in companies using different vendors and having different owners across the organization. Inefficient!! 30

Test Once, Apply to Many: Company Challenge cont'd - Survey of US CFOs and Senior Controllers revealed: Nearly 50% believe that regulatory compliance is a barrier to growth 60% are concerned that new and pending regulations will further constrict business expansion AND 60% view regulatory compliance as a strategic imperative to the org. Common Regulatory Compliance Standards and Frameworks Service Organization Control (SOC) 2 / 3 based on the AICPA's Trust Services Principles (TSP) criteria Gramm-Leach-Bliley Act (GLBA) International Organization for Standardization (ISO) controls Federal Information Security Management Act of 2002 (FISMA) Payment Card Industry Data Security Standard (PCI-DSS) Health Insurance Portability and Accountability Act (HIPAA) National Institute of Standards and Technology (NIST) 31

Test Once, Apply to Many: In Practice Reality is that we are using a lot of the same information for the different regulating bodies and are asking similar or the same questions of the same people We recommend a Test Once, Apply Many approach to manage the complexity of complying with and reporting on multiple regulations Rather than performing separate compliance testing and reporting on each requirement, efforts can be streamlined to test once and comply with multiple mandates. SOC HIPAA GLBA PCI ISO 27001/2 FISMA NIST 32

Test Once, Apply to Many: In Practice cont'd - EX: A Bank that also provides commercial and personal banking services, and lockbox services for healthcare organizations (e.g. patient payments) They collect, use and retain PII and PHI. The organization s compliance requirements include some type of data security program that ensures compliance with privacy regulations, as well as with non-disclosure and confidentiality clauses within customer agreements. The obligations may require generating a report on controls relevant to PCI DSS; or to Security, Confidentiality or Privacy, three of the TSP criteria; and even a report regarding compliance with HIPAA requirements SOC HIPAA GLBA PCI ISO 27001/2 FISMA NIST 33

Test Once, Apply to Many: In Practice cont'd - We would begin the compliance for SOC/PCI/HIPAA integration by first selecting one highly applicable standard for its company and industry. EX: The TSP criteria, which underlie SOC 2/3 reports, can be used to develop a listing of all controls or criteria applicable to the Bank. We would then align the Bank's existing controls to address the TSP criteria AND map those control requirements to meet PCI and HIPAA. Where a particular compliance standard may demand additional controls or processes, those additional elements can be noted, and the control can be elevated to satisfy the highest standard. Leverage existing testing information, approaches and scripts; minimize unnecessary duplication of walk-throughs and testing; and maximize the use of test results across reports or other mandates. 34

Test Once, Apply to Many: In Practice cont'd - EX: The NIST framework may be mapped to Company controls and other standards, such as ISO and COBIT, allowing the incorporation of multiple standards and establishing of overall compliance monitoring. Function Category Sub Category Common Controls References Identify Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried ID.AM-2: Software platforms and applications within the organization are inventoried Defined and mapped to establish adherence to the framework CCS CSC 1 COBIT 5 BAI09.01, BAI09.02 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP 800-53 Rev. 4 CM-8 CCS CSC 2 COBIT 5 BAI09.01, BAI09.02, BAI09.05 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP 800-53 Rev. 4 CM-8 35

Test Once, Apply to Many: Benefits Reduce risk of noncompliance and associated penalties and/or fees Decrease the complexity and disruption inherent in working with multiple auditors and consultants by consolidating compliance and audit activities with one service provider Refocus resources and spending on activities that drive business growth Reduce the burden on functional areas that must respond to multiple data requests for compliance information Cost savings to the business in terms of spending and resources. Create a competitive advantage by meeting certain quality standards associated with compliance and valued in the marketplace 36

Questions? 37

Contact Information Orus Dearman Director, Business Advisory Services San Francisco, CA T: 415-318-2240 E: orus.dearman@us.gt.com Johanna Terronez Senior Manager, Business Advisory Services San Francisco, CA T: 415-318-2228 E: johanna.terronez@us.gt.com 38

Disclaimer This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton, LLP adviser. 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback