SEC s Cybersecurity Risk Alert Part 2 of 3

Transcription

1 SEC s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O Connor Davies, LLP Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member Focus 1 Associates LLC

2 Speakers Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting Services - O Connor Davies, LLP TDeMayo@odpkf.com Tim Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member - Focus 1 Associates LLC tim@focus1associates.com Footer 2

3 Objectives Discuss how to perform a true cybersecurity risk assessment for your firm Learn how to develop and implement administrative, technical, and physical controls relevant to your firm s risk exposure Establish a sound cybersecurity program based on applicable regulatory requirements and industry best practices 3

4 Fundamental Components of Risk Assessment Threats Anything that can cause harm. Common Threat Sources Human - Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information). Natural - Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events. Environmental - Long-term power failure, pollution, chemicals, liquid leakage. 4

5 Fundamental Components of Risk Assessment Vulnerabilities Any hardware, software or procedural weakness that can be exploited (i.e. taken advantage) by a threat. A Threat Vulnerability pair must exist in order to have RISK Risk The probability of occurrence (likelihood) that a threat will take advantage of a vulnerability and the resulting business impact 5

6 Fundamental Components of Risk Assessment Types of Risk Assessments Qualitative Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high Quantitative - the likelihood of occurrence of particular threats and the risks or loss associated with these particular threats are estimated and assessed according to predetermined measurement scales Unless your business absolutely requires a Quantitative risk assessment, use a Qualitative approach. 6

7 Risk Ranking Definitions Unacceptable Mitigation Required High Cost Benefit Analysis Required Moderate Possible Cost Analysis of Mitigation Low No Analysis Required When assigning values, trust your initial reaction 7

8 Risk Chart 8

9 Inherent Vs Residual Risk. Inherent Risk The risk associated with a threat and vulnerability pair in the absence of any controls (i.e. what is the risk posed if you don t apply any controls) Residual Risk The amount of risk that remains after the application of controls. Understanding the Inherent Risk is key to understanding the extent of controls required to manage the Residual Risk. 9

10 Risk Treatment Accept - Knowingly accept the risk as it falls within the organization's "risk appetite", in other words management deem the risk acceptable, compared to the cost of improving controls to mitigate it; Reduce - Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level. Avoid - Do not undertake the associated business activity; Transfer Shift the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner) 10

11 Risk Management 11

12 Risk Areas to Consider Company IT Control Areas for Risk Assessment TAB Description TAB Description 01 Risks Chart 13 LS -Remote Access 02 U & H Residual Risks 14 LS - VMWare 03 Control Environment 15 LS_Share Point/Files and Folders 04 Physical 16 LS_Databases 05 Environmental 17 LS_Mobile Devices 06 Acct Management 18 Data Loss Prevention 07 Logical Security ("LS") - Network 19 Problem Management 08 LS - Active Directory 20 System Development Lifecycle 09 LS - Workstation_Server 21 Change Management_Infrastructure 10 LS - Patch Management 22 Backup Management 11 LS-Communications 23 Media Disposal 12 LS - Removeable Media 12

13 Risk Assessment Framework Industry recognized frameworks most commonly used include NIST SP OCTAVE FAIR 13

14 Risk Assessment Framework Whatever methodology you choose, it should comprise of the following: Identify all critical information resources, including such things as servers, applications, data repositories, etc. Assign a value to those resources. Depending on the Organization s risk assessment approach, this can be either a quantitative or qualitative value. Determine the threat and vulnerability pairs that exist to those resources. Determine the probability of occurrence and potential business impact of the corresponding threat vulnerability pair = Inherent Risk Value (risk value that exists if no controls are implemented) Identify the existing controls in place to reduce the inherent risk to an acceptable level = residual risk value When mapping controls, consider both the design and operating effectiveness when determining the residual risk value. 14

15 Sample Modified Approach 15

16 Questions? Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, CHFI, MCSE Director, IT Audit and Consulting Services - O Connor Davies, LLP TDeMayo@odpkf.com Tim Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member - Focus 1 Associates LLC tim@focus1associates.com