How To Do An Ismart In The Bcan Government

Transcription

1 How to do an STRA in the BC Government Ken Prosser OCIO Information Security Branch

2 AGENDA Trust in a Connected World Security Threat & Risk Assessment Process STRAs and the system lifecycle Introduction to ismart Using ismart to manage risk Demonstrating trustworthiness

3 Trust in a Connected World

4 What is Trust? A belief that expectations will be met 4

5 Why do we need Trust? It s a connected world! 5

6 Would you do business with them? 92% 61% Business application environments with significant control weaknesses Chance they will suffer a MAJOR incident in a year Source: Information Security Forum 6

7 How do we get Trust? Prove IT! 7

8 Demonstrate Best Practice 13% The chance of suffering a major incident when controls are in 'good all round condition'. 8

9 What is Information Security? Confidentiality Integrity Availability

10 WHY MANAGE INFORMATION SECURITY? Enables business success Demonstrates due diligence Reduces # and impact of incidents 10

11 How do we manage security? Identify risk areas Determine risk mitigation Get management signoff

12 STRA Process

13 Risk Assessment Controls environment Criticality RISK FACTORS Special Circumstances Level of Threat Business Impact

14 Risk Mitigation Determine control gaps Analyze key issues Develop action plan

15 Management Signoff Present Risk Status Present Issues/Action Plan Management Risk Decision

16 So why would I do one? Required by Core Policy and Legislation Demonstrates due diligence Prepares organization for audits

17 When is an STRA required? All new information systems Any system subject to major change Every 3 years on critical systems

18 System Development Lifecycle Conceptual Design/Build Pre-Production Audit

19 Effort Required

20 What is ismart? information Security Management And Risk Tool

21 What can we do with ismart? Criticality Assessments Risk Assessments Incident Assessments

22 How to use ismart

23 ismart STRA Process 1. Define Target 2. Issue Scorecard 3. Complete scorecard 4. Identify issues and actions 5. Submit Scorecard and run reports 6. Notify Owner and get signoff

24 Defining a Target What is it? Who owns it? Who knows about it? How to evaluate it?

25 Concept of Owner Responsible for Program Has financial authority Risk decision maker

26 Basis Of Evaluation (BOE) Set of best practise controls Aligns to International standards Allows best fit for application

27 Issue the Scorecard

28 Completing the Scorecard Example scorecard

29 Section A: Information Resource Title Brief description Nature of Target Number of Users Percentage of business operations Date of Last Review Security Classification

30 Section B: Accountability Identifies Owner of resource Key contact information

31 Section C: Criticality Defines MAXIMUM harm from a loss of: Confidentiality Integrity Availability Pre-filled if Criticality Assessment done Helps define security classification

32 Section D: Vulnerability: Status of arrangements Assesses controls environment Based on FIRM (17 control areas) Defines state of compliance with BOE when completed at the detailed level.

33 Section E: Vulnerability: Special circumstances High degree of Change Geographically distributed Large in Scale Complex Immature Accessible by 3 rd parties Supports Call Centre

34 Section F: Level of threat Number of incidents in the last 12 months: Malfunctions of software or hardware Loss of services, equipment or facilities Overloads Human error Unforeseen effects of change Other undesirable acts

35 Section G: Business Impact Impact of incidents in the last 12 months: Financial loss Degraded performance Loss of management control Damaged reputation Impaired growth Any other ways

36 Section H: Strengthening controls Describes actions to improve controls Uses FIRM 17 Control areas Good tool for risk management planning

37 Section I: Completion details Identifies Primary completer Key contact information

38 Getting the most from ismart Use comments to: Document discussion and decisions Identify who is lead for answers to that section Raise questions for the team or management

39 Getting the most from ismart Use Test Field to: Document evidence that supports answer Document the testing required in next phase

40 Getting the most from ismart Use Issues Log to: Document issues that need investigation Document issues that impact the answer Document issues that need remediation

41 Getting the most from ismart Use Action Plan to: Identify a proposed action for each issue Develop a risk mitigation strategy Assign a lead for addressing the action item Track progress of resolution Get approval from Management for changes

42 Reporting to Management Typical report package for Management: Risk Scorecard Risk Status Risk Heatmap Schedule of Issues Action Plan with Signoff Compliance Checklist (if detail level done)

43 Using ismart to manage risk

44 Using ismart to manage risk ismart can help you: Identify critical systems Determine security requirements Build secure architecture Identify the cause & impact of incidents Develop remediation strategy

45 Developing a system security plan Use ismart to: Develop risk profile Document assessment history Build mitigation plans Show linkages/dependencies Support audits

46 Demonstrating Trustworthiness

47 Demonstrating Trustworthiness Proactive risk management Compliance with best practice Proven due diligence

48 Questions? Ken Prosser Information Security Branch Office of the Chief Information Office Province of BC