Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security



Similar documents
External Supplier Control Requirements

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Mitigating and managing cyber risk: ten issues to consider

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Cyber Essentials Scheme. Protect your business from cyber threats and gain valuable certification

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Risk Management Policy

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

developing your potential Cyber Security Training

Cybersecurity Awareness. Part 1

Cyber Security. John Leek Chief Strategist

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Risks and uncertainties

Cyber Risks in Italian market

Small businesses: What you need to know about cyber security

Getting real about cyber threats: where are you headed?

Cyber Threats: Exposures and Breach Costs

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

Cyber security Building confidence in your digital future

Cybersecurity and internal audit. August 15, 2014

The Protection Mission a constant endeavor

Top 5 Global Bank Selects Resolution1 for Cyber Incident Response.

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Risk Management in Global Operating Industry

The Value of Vulnerability Management*

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry

Combating a new generation of cybercriminal with in-depth security monitoring

REPORT. Next steps in cyber security

Cybersecurity. Are you prepared?

Zak Khan Director, Advanced Cyber Defence

Are You Ready for PCI 3.1?

Into the cybersecurity breach

ITAR Compliance Best Practices Guide

Cybersecurity The role of Internal Audit

Cyber Security Incident Reporting Scheme

SPEAR PHISHING UNDERSTANDING THE THREAT

DBC 999 Incident Reporting Procedure

Cybersecurity Awareness for Executives

Italy. EY s Global Information Security Survey 2013

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Cyber Security Management

Security Incident Management Policy

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

The potential legal consequences of a personal data breach

UF IT Risk Assessment Standard

I ve been breached! Now what?

Insurance implications for Cyber Threats

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle

External Supplier Control Requirements

Cybercrime Security Risks and Challenges Facing Business

INFORMATION SECURITY California Maritime Academy

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

How small and medium-sized enterprises can formulate an information security management system

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

Overview TECHIS Carry out risk assessment and management activities

Cyber Security solutions

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

University of Sunderland Business Assurance Information Security Policy

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

a Medical Device Privacy Consortium White Paper

Cyber Risk Management

Data Security: Fight Insider Threats & Protect Your Sensitive Data

The Onslaught of Cyber Security Threats and What that Means to You

Cyber Security for SCADA/ICS Networks

Data Masking Best Practices

INFORMATION TECHNOLOGY SECURITY STANDARDS

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

Transcription:

Enterprise Security Governance Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Governance and Organisational Model Risk Mgmt & Reporting Digital Risk & Security Team 2

Threat & Control Assessment Approach 33 Workshops, 47 Information Assets/Asset Types Across UK & US: Business Units, Trading Systems, CNI/Network Operations/Field Devices Gas & Electricity, Field Management, LNG, Metering, Generation, IT Infrastructure email, desktops mobiles, etc, IT Applications SAP, Billing, Payments, ETON, HR, Finance & Treasury etc Outputs 1. Asset Identification and Prioritisation Identify key business assets (information systems) within each area of the business and determine business impact if damaged or compromised. Assets and Impacts 2. Threat & Vulnerability Selection Identify relevant threats to the assets (based on 27 threats in 7 industry categories) and capture associated vulnerabilities. Threats and vulnerabilities 3. Threat & Vulnerability Rating Rate exposure of the asset according to National Grid 1-5 Risk Management Control scale Potential Risk Level 4. Control Selection & Identification Identify existing technical controls (35 core controls plus others) and their impact on the risk to determine controls gaps and the residual risk. Actual Risk Level 3

Key Threats A) Insider Attack / Error A threat to National Grid Systems / Data from a trusted source within the National Grid security perimeter B) System Availability / Malfunction A threat to National Grid Systems / Data availability due to System Malfunction C) Malware / Virus Attack A threat to National Grid Systems / Data from an indirect attack via Malware or Virus infestation D) Data Leakage / Corruption / Availability A threat to National Grid Data confidentiality, integrity or availability E) External Attack A threat to National Grid Facilities, Personnel, Systems / Data via a directed attack by an outside party from outside the security perimeter with the intent of causing damage or destruction F) Unauthorized Access A threat to National Grid Facilities, Personnel, Systems / Data due to unauthorized access G) Criminal Victimization of Employees A threat to National Grid personnel from criminals, disgruntled customers, or members of the pubic. H) Regulatory Non-Compliance A threat of fine or sanction resulting in monetary loss or negative reputational impact I) Commercial/state sponsored espionage A threat by foreign actors to achieve economic or technical advantage at the expense of National Grid F I N A N C I A L I M P A C T Key Risks (GLOBES) 1 2 3??? LIKELIHOOD OF OCCURRENCE 1 Catastrophic cyber security breach of CNI systems 2 Major cyber security breach of business systems/data 3 IT embedded in Operational Technology

Threat and control assessment (cont) Key investment areas 1. Endpoint Security security of end user computing and information 2. Shared Information security and access to stored sensitive information 3. Network Security network access control, configuration and zoning 4. Access Control user access provisioning and management 5. Critical National Infrastructure specific improvements Program 1. Foundational definition of underlying policies & standards and more detailed analysis and remediation planning across several specific areas 2. Tactical short to medium term remediation activities 3. Strategic long term remediation activities focused on enhancing and implementing new security technologies and capabilities 5

Digital Risk & Security Programme Update 2009 Mar 2013 Mar 2014 Target 6

Energy threat landscape is changing We need: Better intelligence and co-ordination from intelligence communities Disruptive response capabilities from federal agencies and co-ordination across state and national borders A regulatory environment to allow investment in security infrastructure to address changing risks We don t need: Forced disclosure of incidents that could increase our vulnerability Standards/audits/compliance based rules Sanctions for infringements of the national rules Facilitated co-ordination of incident response across government and business Copyright National Grid 2013 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information