Developing National Frameworks & Engaging the Private Sector

Transcription

1 Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012 Dan Fitzgerald

2 Agenda Section 1. Section 2. Section 3. Introduction: The Business View of Information Security Risk Innovation & Emerging Security Risks Discussion/ Wrap-Up

3 1. Introduction: The Business View of Information Security Risk

4 CEOs/Boards are no longer ignoring cyber security Security Hot Topics: Balancing Business Enablers vs Business Risks Privacy Organizations looking to improve privacy management in the event of a breach "have to continually plan and prepare. Social Media Social media can make or break a brand and the fine line between the two must be managed. Regulatory Organizations in all industries are under increased scrutiny by regulatory governance bodies. Mobile & Emerging Tech Cloud computing, Mobile platforms and accelerated product life cycles are just the latest contributors to risk of an enterprise. Data Loss Prevention Company s reputation is paramount and the risk of loss of sensitive customer data threaten this fragile asset. Threat & Vulnerability Management A Major bank s share price dropped three percent after Wiki Leaks threatened to take down a major American bank and reveal an ecosystem of corruption using documents from an executive s hard drive 3rd Parties While risks associated with third parties continue to increase, many companies are less prepared to defend their data. Cyber Crisis Management The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises. 4

5 The opportunities and risks of the cyber world Key Management Stakeholders (CEO, CIO, Internal Audit, CFO, CTO, Compliance, Legal) have influence and risks in the following functional areas: C Suite Focus Areas Secure information is power Building In Resilience Business continuity management Disaster recovery Crisis Management Managing Incidents Incident response review Corporate and regulatory investigations Forensic investigation and readiness Business Continuity Management Incident Response & Forensics Setting Direction Security strategy development Organizational design Management reporting CIO,CTO,CISO Security Strategy Enterprisewide IT Risk & Security Assessment Threat & Vulnerability Management CIO,CTO, CISO CFO, CTO,CIO Security Governance & Control Architecture Network General Auditor CIO,CTO, CISO Security & Identity Crisis response Managing Exposure Penetration testing Vulnerability scanning and remediation Continuous and global threat monitoring Creating a Sound Framework of Control Risk, policy and privacy review Regulatory compliance assessment Data loss prevention Awareness programs Third Party Vendors Building Secure Systems and Infrastructure Security architecture Network security Cloud computing security Mobile computing Identity and access management solutions 5

6 CEOs/Boards are no longer ignoring cyber security Cyber Security is an enterprise-wide issue. Specific types of Cyber Security risks organizations are facing include: Increase in Privacy and Security regulatory mandates in recent years, as well as expected changes in upcoming years. Boards are no longer willing to accept the risk that technology can pose to the business. Growing demand by business leaders to understand how security integrates with privacy ( what data is sensitive to the business) and security ( how they protect the data deemed sensitive) Increase in threats and vulnerabilities to sensitive data and corporate assets. Businesses continue to struggle to maintain accountability to their stakeholders and establish effective strategies and standards for security risk management and privacy control activities. 6

7 Risks to Consider Financial Risks Financial Companies face several financial risks associated with a breach: Reputational Risk Factors Legal Federal/state regulatory fines Stock price decline Incident response efforts Remediation efforts Legal Risks Companies are experiencing increasing lawsuits from: Regulatory Employees Customers Investors 7

8 Risks to Consider Regulatory Risks Financial Enforcement actions from federal and state agencies such as: Reputational Risk Factors Legal Federal Trade Commission (FTC) Health and Human Services - Office of Civil Rights (HHS-OCR) State Attorneys General Regulatory inquires may require long-term third party remediation in order to verify regulatory compliance Regulatory Reputational Risks Negative impact to the brand Loss of employee/customer/investor confidence 8

9 Risks are more risky Risk profiles are changing Complexity: Linkages between global trade, financial markets and supply chains Unpredictability: Privacy breaches, environmental factors, financial uncertainty Variety: Global diversification, culture challenges Speed: Social media, reputation perhaps we feel risk is growing simply because we know more. -Stakeholder respondent Source: 2012 State of the Internal Audit Profession Study 9

10 2. Innovation & Emerging Security Risks

11 Mobile devices and social media: New rules and new risks Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: Less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce. 50% 40% 43% 37% 30% 32% 20% 10% Have a security strategy for employee use of personal devices Have a security strategy for mobile devices Have a security strategy for social media Question 17: What process information security safeguards does your organization currently have in place? (Not all factors shown. Total does not add up to 100%.) 11

12 Advanced Persistent Threat is a dangerous and increasingly common threat. Yet few organizations are prepared to combat it. This year, significant percentages of respondents from various industries agree that APT drives their organization s security spending, yet only 16% say their company has a security policy that addresses APT. Worse, implementation of certain tools and processes crucial to combatting this new threat has slowed over the past year. 60% 40% 53% 47% 45% 41% 49% 48% 43% 43% 38% 38% 20% 0% Network access control software Identity management technology Employee security awareness training program Centralized security information management process Penetration tests Question 28: Which of the following elements, if any, are included in your organization s security policy? Question 17: What process information technology security safeguards does your organization currently have in place? Question 18: What technology information security safeguards does your organization currently have in place? (Not all factors shown. Totals do not add up to 100%.) 12

13 Advance Persistent Threat (APT) Attack Sequence Target a specific organization or entire industry Spam address space and/or spear phish Exploit a discovered vulnerability Install of custom developed malware: sniffers, beacons, backdoors, password crackers, counter-forensic file deletion Enumeration of network nodes, identify target systems & information 6 Obtain Domain Admin credentials Use of services available within the environment to move laterally Collect data, exfiltrate, securely delete files Persistence: maintain remote access via beacon malware 13

14 Managing security risks associated with customers, partners, and suppliers is becoming an increasingly serious issue. Customers and insiders like partners and suppliers traditionally have not been considered likely suspects in data breaches. That s changing fast. Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled. Customer Partner or supplier 8% 10% 11% 12% 15% 17% % 5% 10% 15% 20% Question 22: Estimated likely source of incident. (Not all factors shown. Totals do not add up to 100%.) 14

15 Some additional data points on third-parties and security 39% have established security baselines for partners/customers/vendors. Taking this one step further, only 23.6% of respondents stated they have security procedures partners/suppliers must comply with. 69% of respondents said somewhat to very confident when asked how confident they are in partners'/suppliers' information security. 35% of the time, respondents state their organizations were informed of security breaches by customers or suppliers, government officials, the media or perpetrator. What is the greatest security risk to your outsourced strategy? Uncertain ability to enforce provider site security policies % Questionable privileged access control at provider site % Proximity of your data to someone else's % Uncertain ability to recover data % Uncertain continued existence of provider - 3.7% Uncertain provider regulatory compliance - 3.5% Uncertain ability to audit provider - 2.8% Access across an untrusted network - 4.1% 15

16 Mobile devices and social media: New rules and new risks Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: Less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce. 50% 40% 43% 37% 30% 32% 20% 10% Have a security strategy for employee use of personal devices Have a security strategy for mobile devices Have a security strategy for social media Question 17: What process information security safeguards does your organization currently have in place? (Not all factors shown. Total does not add up to 100%.) 16

17 Common Frameworks/ Assessment Tools & Certifications Customized questionnaire developed internally Customized questionnaire developed by third parties GRC tool assessment packages Assessment framework developed by member s. Based on ISO27000, incorporates privacy principals and is easily customized. Agreed Upon Procedures assessments may also be performed on service providers and result in a formal report. AUPs are typically done by third parties. Report of Compliance aka ROC issued by QSA firm. Self-assessment questionnaires (SAQ) may be used directly or incorporated into a custom questionnaire. Prioritized Approach documents also helpful Common Security Framework (CSF) aggregates a set of security principles to assess and certify compliance series of standards incorporates information security and risk principles provides framework for assessing 13 key security domains. ISO certification certifies an entities security management posture.. Generally Accepted Privacy Principles (GAPP). Set of best practices created by AICPA. compliance Safe Harbour Certifies with EU Directive 95/46/EC (privacy). 17

18 The implication for your business What does this mean for you? How can you use this information to improve your security, protect your assets and operations, and improve your business? Use this information to define a vision for your information security program. Ask us for more information on this bracket of leaders in areas critical to your business. Then define and refine your information security strategy. At minimum, focus acutely on (1) leadership, (2) strategy including business alignment, (3) testing and monitoring and (4) focus on sensitive data. 18

19 3. Discussion Topics/ Wrap-Up

20 Questions for discussion Security Risk/ Threat & Vulnerability Management: How does your organization align its security posture to support its business goals? How do you assess the company s security posture and gain comfort around security management as a whole? How does your organization manage information security risk? Do you use a formal methodology? How do you ensure your enterprise isn t currently being exploited or breached? Are you ever truly prepared to respond to a serious cyber incident? 20

21 Questions for discussion Data Protection & Third Party Security Risk Management 1 What is most important to your organization? a) Confidentiality of Data b) Integrity of Data c) Availability of Data 2 How do you get your arms around where data is, how data flows, and who has access to data within your organization? 3 What works well or not well about how your organization protects its data? 4 How are you protecting sensitive data at third parties? 21

22 Thank You! Dan Fitzgerald, CISSP Director, IT Security & Risk Assurance Practice 13 + years of information security experience CISSP and a former QSA Dan Fitzgerald is a Director in the IT Risk & Security Assurance practice and is based in Chicago. Dan has more than 13 years of experience in information security and IT governance, risk and compliance. He has developed strategic security and compliance approaches and led delivery of large security programs for numerous multinational businesses. He has experience with control frameworks including PCI DSS, ISO 27002, FISMA/ NIST and COBIT. Dan has developed and implemented technical and procedural solutions enabling customers to achieve and sustain compliance efficiently across differing standards. He has a background in network and infrastructure security and is skilled in emerging technologies such as encryption, tokenization and virtualization. Dan has experience in industry verticals including retail, the energy sector, technology and public service and has worked overseas on several engagements. He focuses on providing strategic security solutions that align to business outcomes.