Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Similar documents
Defense in Depth Security in the Enterprise

INTELLIGENCE DRIVEN GRC FOR SECURITY

External Supplier Control Obligations. Cyber Security

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Information Technology Branch Organization of Cyber Security Technical Standard

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Manchester Metropolitan University Information Security Strategy

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Penetration Testing and Team Overview

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Cyber Security Program

2015 VORMETRIC INSIDER THREAT REPORT

Cyber Criminal Methods & Prevention Techniques. By

Reinvent Your 2013 Security Management Strategy

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

The Honest Advantage

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

What is ISO ISMS? Business Beam

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

ISACA Arizona May 2016 Chapter Meeting

DOD Medical Device Cybersecurity Considerations

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Understanding IT Audit and Risk Management

Cyber Security - Information Security & Testing

The Risk-Based Approach in the GDPR, Interpretation and Implications. Gabriel Maldoff, CIPP/US, IAPP Westin Fellow.

Global Security Consulting Services, compliancy and risk asessment services

Audit Report. Chartered Management Institute (CMI)

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

K12 Cybersecurity Roadmap

Wireless e-business Security. Lothar Vigelandzoon

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Combating Cyber Risk in the Supply Chain

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Tripwire State of Cyber Hygiene Report

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Microsoft Security Management

Information Security Controls Policy

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Cloud Under Control. HyTrust Two-Man Rule Solution Brief

Influence and Implementation

Under the hood testing - Code Reviews - - Harshvardhan Parmar

The NIS Directive and Cybersecurity in

Securing Your Secured Data

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

MIS5206-Section Protecting Information Assets-Exam 1

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Automating for Agility in the Data Center. Purnima Padmanabhan Jeff Evans BMC Software

AUTHORITY FOR ELECTRICITY REGULATION

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Doing it Right: Organizations That Seem Immune to Security Attacks

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Cyber Security. Building and assuring defence in depth

Advent IM Ltd ISO/IEC 27001:2013 vs

How will cyber risk management affect tomorrow's business?

Security Information & Event Management (SIEM)

Corporate Information Security Policy

Network Security Assessment

How to Prepare a Response to Cyber Attack for a Multinational Company.

Cyber Protections: First Step, Risk Assessment

Interim Report Q2/2016 Samu Konttinen, CEO SECOND QUARTER REVENUES INCREASE BY 11% FROM PREVIOUS YEAR

Security Solutions. Overview. Business Needs

A practical guide to IT security

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Background FAST FACTS

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Digital Health Cyber Security Centre

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

NEN The Education Network

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Audit Report. The Prince s Trust. 27 September 2017

White Paper. How to Write an MSSP RFP

A Global Look at IT Audit Best Practices

CCISO Blueprint v1. EC-Council

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Practical Guide to Securing the SDLC

Uncovering the Risk of SAP Cyber Breaches

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Cybersecurity The Evolving Landscape

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Web 2.0, Consumerization, and Application Security

Mitigation Controls on. 13-Dec-16 1

Transcription:

Infosec Europe 2009 Business Strategy Theatre Giving Executives the Security Management Information that they Really Need Simon Marvell Managing Director simon.marvell@acuityrm.com

Agenda 1. What financial and performance management information do Executives receive? 2. What risk and security information do Executives need? 3. How do you provide this information? 4. Summary

What financial and performance management information do Executives receive? Actual, forecast and historic performance against targets Sales, earnings, eps, market share, service levels Exception reports Project delays, loss of key contracts, partnering opportunities Key actions and responsibilities

What risk and security information do Executives need? Actual, forecast and historic performance against targets Exception reports Key actions and responsibilities Financial & performance Financial position vs. targets, e.g. sales, earnings, eps Performance against targets, e.g. service levels Project delays Loss of key contracts Etc. As necessary Risk & security Risk position vs. targets, e.g. risk appetite Performance against targets, e.g. security metrics, frequency & impact of incidents.. Major incidents Serious non-compliances Etc. As necessary

What risk and security information do Executives want? We need to know what the top 10 risks are, what s being done about them and who s responsible. And at the next meeting we want to know what the new top 10 risk are, what s being done about them and who s responsible. Panel of Fortune 500 Presidents & Chief Executives, Enterprise Risk Management Symposium, Chicago, April 2006

What do they mean? We need to know what the top 10 risks are, what s being done about them and who s responsible.. Real (or close to real) time Top 10 residual risks Risks that remain taking account of the heath and performance of controls to mitigate the risks Measured in relation to risk appetite

Risk appetite - 1 BS 31100 The organisation s risk appetite should be established and / or approved by the Board (or equivalent) and effectively communicated throughout the organisation. UK National Information Assurance Strategy Departments will need to take responsibility for determining a level of risk tolerance or appetite, and tailoring the management of their information risks appropriately. Financial risk appetite.

Risk appetite - 2 Or non-financial risk appetite. Or combined financial / non-financial risk appetite Source: Extract from HMG Information Assurance Standard No. 1 (Business Impact Table). Table 4 Public Services: Impacts due to disruption, compromise or flawed working of public services.

Residual risk - 1 Example controls to mitigate the risk of Hacking Increasing Risk Untreated Risk Risk appetite Perimeter Control Controls 1 Patch Control Management 2 Event Control Monitoring 3 Authentication Control 4 Control Back-up 5 Treated Risk Residual Residual Risk risk from Hacking Residual Risk

Residual risk - 2 Hacking Perimeter Controls 1 Patch Control Mgmt 2 Event Control 3 monitoring Authentication Control 4 Back-up Control 5 Residual Risk risk from Hacking Misuse Staff Screening Control 1 Logging Control 2 Exception Control 3 reporting Authentication Control 4 Residual risk Residual from Misuse Risk Theft Staff Screening Control 3 Discipline Control 4 Control Staff 5 Contracts Residual Risk risk from Theft Dependency between controls Control mitigating multiple risks

Real time 09:13 14:13 23:13 New York London Tokyo Sales Operations ERP Network

What risk and security information do Executives need? Actual, forecast and historic performance against targets Exception reports Key actions and responsibilities Financial & performance Financial position vs. targets, e.g. sales, earnings, eps Performance against targets, e.g. service levels Project delays Loss of key contracts Etc. As necessary Risk & security Risk position vs. targets, e.g. risk appetite Performance against targets, e.g. security metrics, frequency & impact of incidents.. Major incidents Serious non-compliances Etc. As necessary

Are Executives getting this information? Generally, No! Multiple independent, point in time (rather than real-time) risk assessments and compliance assessments High volumes of data from surveys, audits and scanning / logging systems which are difficult to interpret in terms of business risk As a result, weak visibility of current risk status in business terms and limited assurance that risk is being managed effectively

How do you provide this information? Compliance Risks Integration Incidents Performance

Risk assessment Increasing Risk 09:13 14:13 New York London Hacking Perimeter Controls 1 Patch Control Mgmt 2 Event Control 3 monitoring Authentication Control 4 Back-up Control 5 Residual Risk risk from Hacking 23:13 Tokyo Misuse Staff Screening Control 1 Logging Control 2 Exception Control 3 reporting Authentication Control 4 Residual risk Residual from Misuse Risk Understanding and setting risk appetite Assessing the potential impact or criticality, e.g. Confidentiality Integrity Availability Assessing threat levels Understanding inherent vulnerabilities

Control assessment 09:13 14:13 23:13 Increasing Risk New York London Hacking Perimeter Controls 1 Patch Control Mgmt 2 Event Control 3 monitoring Authentication Control 4 Back-up Control 5 Residual Risk risk from Hacking Tokyo Misuse Staff Screening Control 1 Logging Control 2 Exception Control 3 reporting Authentication Control 4 Residual risk Residual from Misuse Risk Mapping of controls to risks Potential contribution of controls in mitigating risk Dependencies between controls The performance of controls, leading to Actual contribution of controls in mitigating risk

Measuring security performance Vulnerability scans Penetration tests Compliance assessments Audits Security incident & event management (SIEM) But how do we use security performance measurements to understand residual risk status? Effective use of security metrics

Security metrics A metric is a consistent standard for measurement A good security metric should be: Consistently measured, without subjective criteria Cheap to gather, preferably in an automated way Expressed as a cardinal number or percentage, not with qualitative labels like high, medium and low Expressed using at least one unit of measure, such as defects, hours or dollars Contextually specific relevant enough to decision makers so they can take action Source: Security Metrics Replacing Fear, Uncertainty and Doubt, Andrew Jaquith, Addison Wesley, 2007

Security metrics Example metrics for understanding the residual risk from Misuse % data backed-up securely and tested % team screened prior to access % components with clearly defined and implemented business access polices % components compliant with baseline configuration % accounts uniquely associated with individual users % components employing active incident and event monitoring % staff (including contractors) that have signed acceptance of security obligations % audit reviews completed against plan within last 12 months % high risk vulnerabilities remediated within 3 days % components penetration tested within last 6 months

Integrated reporting Residual risk status

Integrated reporting Residual risk vs. security metrics

Integrated reporting Residual risk vs. security metrics

Integrated reporting Top 10 risks

Integrated reporting Security performance metrics

Integrated reporting Compliance

Integrated reporting Historical trends

Summary Executives want simple, clear information which mirrors that provided for financial and performance management: Top 10 risks and their potential consequences Which parts of the business are operating above risk appetite and / or have weak security metrics, including significant non-compliances with policy and standards What s being done, who s responsible and forecast status Delivery requires an integrated approach to risk, performance, compliance and incident management with suitable supporting technology

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback