Leveraging Regulatory Compliance to Improve Cyber Security

Transcription

1 Leveraging Regulatory Compliance to Improve Cyber Security

2

3 Leveraging Regulatory Compliance to Improve Cyber Security

4 Brian Irish, Cyber Security Assurance Manager Salt River Project LEVERAGING REGULATORY COMPLIANCE TO IMPROVE CYBER SECURITY

5

6 Today s Topics Regulatory Compliance to Improve Security Cyber Security Trends and Security Practices Within The Supply Chain Questions Utilities Should be Asking (and Suppliers Ready To Answer)

7 Safety Minute

8 Security Minute Two-factor Authentication Two-step Verification

9 Today s Topics Regulatory Compliance to Improve Security Cyber Security Trends and Security Practices Within The Supply Chain Questions Utilities Should be Asking (and Suppliers Ready To Answer)

10 SRP at the Super Bowl

11 History

12 Power Delivery

13 Cyber Security Services 7 years ago we didn t exist, things change fast Reduce cyber risk to SRP Everyone plays a role in protecting SRP

14

15 Compliance as a Starting Point Security And, when it comes to protecting themselves from the threats, respondents unanimously agreed that being in compliance with NERC regulations does not guarantee security Compliance

16 The Opportunity to Advance Security $

17

18 What s Our Recipe? Body of Knowledge Culture of Security

19 Policy & Standards Awareness and Training Patch Management Quarterly Access Reviews Logging and Alerting

20 Compliance Culture of Security

21 Would we have done this without regulation?

22 Today s Topics Regulatory Compliance to Improve Security Cyber Security Trends and Security Practices Within The Supply Chain Questions Utilities Should be Asking (and Suppliers Ready To Answer)

23 Cyber Security Trends Cyber Events Board of Directors Framework Movement Cyber Insurance Evolving Solutions The Answer

24 2015 US Cyber Events Jan - April April 2015 Anthem Insurance Cyber Attack/ Data Breach GHOST glibc Vulnerability Superfish VisualDiscovery on Lenovo laptops causing spoofed HTTPS traffic AT&T Data Breach FREAK TLS/ Insider SSL Threat Vulnerability White House hacked by Russians

25 Board Awareness Questions Visibility Activity

26 Security Frameworks NIST Cybersecurity Framework ES-C2M2 NIST NIST SANS 20 (Critical Security Controls) ISO 27001

27 Cyber Insurance Coverage Deductible Exclusions

28 Evolving Solution Security takes more than a tool

29 The Answer Everyone has the answer Does it include a guarantee?

30 The Balance Risk Acceptance Business Impact

31 Contract Language Information Management and Protection Clause Ownership Encryption Destruction Portability Retention Breach notification

32 Contract Language Audit Clause Annual independent review Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. Service Organization Control (SOC) framework SOC 2 Readiness Assessment Application reviews

33 Assessments Determine cyber security involvement early in the process Security Assessments Access controls Identification and authorization Configuration management System monitoring and response Physical protections

34 Assessments (cont.) Research solution for background information Send/receive vendor questionnaire Identify control gaps and recommendations Create a report with assessment and summary Meet with clients to review the report Work with client to help implement security recommendations

35 Today s Topics Regulatory Compliance to Improve Security Cyber Security Trends and Security Practices Within The Supply Chain Questions Utilities Should be Asking (and Suppliers Ready To Answer)

36 Ask Questions Cyber security is no longer: Behind the curtain Too scary so don t talk about it Only understood by a few Someone else s responsibility

37 Utility / Supplier Questions (1) Do you run full background checks on candidate employees your employees during the hiring process and at regular intervals afterwards? Is the passing of a background check a condition of employment?

38 Utility / Supplier Questions (2) Please describe your Access Control processes: Provisioning/ Deprovisioning, Approval for Access, Recertification of Access (on a defined time interval), Role- Based Access, and Privileged Access.

39 Utility / Supplier Questions (3) Do you have Security Policies and Standards in place? How are they communicated to employees?

40 Utility / Supplier Questions (4) Do you have an Incident Response process that defines how you Detect, Identify, Categorize, Contain, Eradicate, and Recover from an Incident? This should include how Communications are handled to affected customers/partners.

41 Utility / Supplier Questions (5) Do you perform Independent 3rd Party Audits against your Data Center, Applications, or Processes (e.g. SOC2, Pen Tests, Vulnerability Scans, etc.) on a regular basis? Please be prepared to provide those reports on request

42 In Summary Compliance = Security / Understand the business Share information Understand the risk and reduce it Figure out what YOU can do

43 Let s talk about it Questions