2016 risk management workshop


Upload: stacy-willis

Post on 16-Apr-2017


Page 1: 2016 Risk Management Workshop

You’re protected.

Designing Effective Cyber Security Risk Management & Education Programs

Kalki Consulting LLC

Page 2: 2016 Risk Management Workshop


Speaking with you today

Vikas Bhatia – CEO & ERA

Vikas is the founder, CEO and Executive Risk Adviser at Kalki. He has 15+ years’ experience, obtained serving local, regional & global clients in the outsourcing, consulting, and regulatory domains, enabling him to enhance any organization’s Information Security Management System (ISMS). He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Information Privacy Professional (CIPP).

Page 3: 2016 Risk Management Workshop


Objectives

What brings you to this workshop?

What else do you want to get from this?

You’ll get:

1. Assess: A full diagnostic assessment of the risks and gaps in your business.
2. Respond: An understanding of what needs to be done to address those gaps (including some DIY resources).
3. Monitor: An understanding of why and how important it is to create an enterprise-level Risk Management Program.

Who are you?
• Industry
• Size
• Do you have a CISO?

Page 4: 2016 Risk Management Workshop


Why are we here?

Page 5: 2016 Risk Management Workshop


Scenario A: Breach

Remediation Costs

Total number of records × $145 per record*

Additional Impact
• Reputational impact
• Additional productivity impacts
• Cost of remediation

*Ponemon Institute: average cost of breach remediation is $145 per record

Example: 15,000 customers × $145 per record* = $2,175,000

Page 6: 2016 Risk Management Workshop


Cyber Insurance: Incident Response Responsibilities

Do you know which stages of the incident response process your company is responsible for handling vs. your insurance company?

Do you have a written, tested and functional incident response process in place?

Page 7: 2016 Risk Management Workshop


Cyber Insurance: Internal Security Controls

Did you know that your insurance provider can refuse to pay out if you aren’t taking preventative measures?

Do you know all the cyber security program elements you are expected to have in place?

Page 8: 2016 Risk Management Workshop


Cyber Insurance: Payout and Expectations

What are your policy’s max and average payouts?

Does either one of those numbers cover the cost of the breach estimated earlier?

Do you know what you are expected to provide, and when to provide it, when notifying your cyber insurer of a problem? Have you built these expectations into your company’s internal processes?

Page 9: 2016 Risk Management Workshop


Scenario B: Downtime due to system outage

Productivity Costs

$ amount per day in salary costs

Additional Impact
• Reputational impact
• Additional productivity impacts
• Cost of remediation

Page 10: 2016 Risk Management Workshop


Scenario C: Malware outbreak

Numbers and costs are based on actual malware incidents at a 150-employee financial firm in NY.

                                        Incident 1: Pre-SecurITy   Incident 2: Mid-SecurITy        Difference
                                        (June 2014)                Implementation (June 2015)
Users affected                          100% of firm’s users       5% of firm’s users              95%
Lost productivity                       approx. 3,600 hours        approx. 255 hours               3,345 hours
Clean-up effort (internal IT team       approx. 145 hours          approx. 96 hours                49 hours
and vendors, combined)
Total outbreak cost                     approx. $325,000           approx. $25,000                 $300,000

Page 11: 2016 Risk Management Workshop


Real vs. Ideal

Page 12: 2016 Risk Management Workshop


Real: What’s Important to IT vs. the Business?

Business: Make it Work
• Operations: keep the lights on
• Save money
• Improve efficiency
• Streamline
• Serve the customer

IT: Keep the Peace
• Keep the users happy
• Maintain ability to work
• Keep it simple
• Get the newest tools
• Work / Life balance

Page 13: 2016 Risk Management Workshop


Ideal: What’s Important to IT vs. the Business?

Business & IT: Achieving the organization’s Mission
• Reputation
• Service
• Stability
• Trust
• Innovation
• Engagement
• Dedication
• Value
• Growth

Page 14: 2016 Risk Management Workshop


Strategic Drivers

Revenue: A business’ revenue is driven by the trust of its clients. The loss of even a small percentage of clientele due to loss of trust would result in significant financial loss for most businesses.

Operations: The day-to-day operations of branches are vital. Clients expect 24x7 access to services or products and expect the business to be operational. Operational downtime incurs significant costs, including productivity costs, costs of restoring service or funds, and costs due to lost membership.

Reputation: Reputation is key for businesses to both attract new clients and retain existing ones. The impact of a breach on that reputation would be detrimental. A focus on SecurITy will provide a key differentiator to improve member trust and build reputation.

Compliance: Mandatory compliance frameworks provide very little guidance and represent a minimum standard. Outdated compliance standards do not keep pace with current threats and are not sufficient to protect member data.

Mission: Achieving the organization’s mission / vision

What’s important to your business?

Page 15: 2016 Risk Management Workshop


Why align?

How does your business rank each area? (Fill in the Ranking column with H/M/L.)

Area         Ranking (H/M/L)   Line of Business   Processes                   Data                            Systems
Reputation                     Marketing          Website management          Website data                    Website
Revenue                        Sales              Customer purchase           Customer payment information    CRM
Operations                     Technology         Support ticket submission   User information                Ticketing software
Compliance                     Finance            Tax Filing                  Company Financial information   Financial tracking software

Page 16: 2016 Risk Management Workshop


What are we protecting? The customer.

Page 17: 2016 Risk Management Workshop


Real: What a Risk Management Program typically consists of.
• Technical SecurITy
• Physical SecurITy

Page 18: 2016 Risk Management Workshop


Ideal: What a Risk Management Program should consist of.
• SecurITy Direction
• Incident Management
• Business Continuity
• Technical SecurITy
• Compliance
• Access Control
• Physical SecurITy
• Operations SecurITy
• 3rd Party SecurITy
• Organization of SecurITy
• Human SecurITy
• Asset Management

Page 19: 2016 Risk Management Workshop


How to Start? Measure, Measure, Measure

The Capability Maturity Model Integration (CMMI) will be used to measure our journey.

Maturity Level / Name / Definition

Level 0 (Non-existent): Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

Level 1 (Initial / Ad Hoc): There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

Level 2 (Repeatable but Intuitive): Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

Level 3 (Defined Process): Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

Level 4 (Managed and Measurable): Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 (Optimized): Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Page 20: 2016 Risk Management Workshop


How would you rate your organization?
• SecurITy Direction
• Incident Management
• Business Continuity
• Technical SecurITy
• Compliance
• Access Control
• Physical SecurITy
• Operations SecurITy
• 3rd Party SecurITy
• Organization of SecurITy
• Human SecurITy
• Asset Management

Page 21: 2016 Risk Management Workshop


Create a heat map (example scores, 0–5 CMMI scale):
• Incident Management (2)
• Business Continuity (3)
• Technical SecurITy (4)
• Compliance (3)
• Access Control (3)
• Physical SecurITy (3)
• SecurITy Policies (1)
• Human SecurITy (2)
• Operations SecurITy (1)
• Organization of SecurITy (0)
• 3rd Party SecurITy (1)
• Asset Management (4)

Fill in the heat map in your handout with how you think your business scores.

Page 22: 2016 Risk Management Workshop


What’s the bigger picture?

• Incident Management • Business Continuity • Technical SecurITy • Compliance
• Access Control • Physical SecurITy • SecurITy Direction • Human SecurITy
• Operations SecurITy • 3rd Party SecurITy • Organization of SecurITy • Asset Management

Which areas are most important to Revenue-driven organizations? Reputation? Operations? Compliance?

Page 23: 2016 Risk Management Workshop


How do we decide what to address first?

Page 24: 2016 Risk Management Workshop


Assess: Fill in your scores as we go.

Page 25: 2016 Risk Management Workshop


1.1 Owner/Director Commitment

Control: The enterprise’s commitment to information security should be promoted through a written undertaking or pledge.

Requirements: The enterprise will aim to apply its best endeavors to safeguard sensitive data and critical business systems from security threats.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 26: 2016 Risk Management Workshop


1.2 Understanding obligations

Control: Managers and staff responsible for handling sensitive business information or controlling essential business systems must have a good, up-to-date understanding of relevant legal, regulatory and commercial requirements.

Requirements: Do you know all the legal requirements? Regulatory requirements? Commercial requirements?

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 27: 2016 Risk Management Workshop


1.3 Responding to security risks

Control: Directors and managers need to understand and address the information security risks to their business assets and activities.

Requirements: Regular reviews should be carried out of existing and emerging security threats, such as theft of data or equipment, fire or floods, equipment failures, computer viruses or computer hacking.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 28: 2016 Risk Management Workshop


1.4 Essential security countermeasures

Control: Enterprises should ensure there are appropriate security measures in place to protect equipment and data from theft, damage or unauthorized access.

Requirements: Physical security measures for premises, procedural controls, and technical measures to ensure that mobile devices and data are adequately protected from loss by physical security and/or data encryption.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 29: 2016 Risk Management Workshop


2.1 Security rules

Control: A clear list of Do’s and Don’ts should be maintained to ensure that employees understand and remember to follow the essential rules needed to safeguard sensitive data and critical business services.

Requirements: A list of Do’s and Don’ts should be maintained and should be periodically reviewed and updated.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 30: 2016 Risk Management Workshop


2.2 Security responsibilities

Control: Responsibilities should be assigned for safeguarding important assets. Responsibilities of partners and suppliers should also be defined and included in contractual agreements.

Requirements: Safeguarding important assets and taking back-up copies or managing access rights to business systems and data.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 31: 2016 Risk Management Workshop


2.3 Disaster survival plan

Control: Business activities can be seriously disrupted by unpredictable hazards such as fire, flooding, hacking or equipment failures.

Requirements: It is important to identify alternative working arrangements, such as fallback sites or systems, and to make appropriate preparations for such an event.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 32: 2016 Risk Management Workshop


2.4 Security oversight

Control: Experience shows that, in busy working environments, security rules and procedures can easily be overlooked.

Requirements: An appropriate set of checks should therefore be established to ensure employees have correctly discharged their responsibilities.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 33: 2016 Risk Management Workshop


3.1 Policies

Control: Experience shows that, in busy working environments, security rules and procedures can easily be overlooked.

Requirements: An appropriate set of checks should therefore be established to ensure employees have correctly discharged their responsibilities.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 34: 2016 Risk Management Workshop


3.2 Management system

Control: Experience in large organizations has shown that the most effective and efficient means of managing security requirements and activities is through a ‘process approach’ similar to the models widely used for business process improvement.

Requirements: This approach encourages security activities to be planned, implemented, checked and continuously improved on a proactive, strategic basis, and progress to be reviewed against targets.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 35: 2016 Risk Management Workshop


3.3 Security technology

Control: SMEs should consider the use of specialist security technology to safeguard sensitive data and critical business systems, and to help prevent or detect potential security incidents.

Requirements: Technologies that are increasingly essential for everyday business use include ‘strong authentication’ devices for secure, remote connections by home users or travelling staff, ‘hard disk encryption’ systems to safeguard the data on laptops, and ‘intrusion prevention systems’ to detect and block incoming network attacks.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 36: 2016 Risk Management Workshop


3.4 Security education

Control: Security is everyone’s responsibility within a modern enterprise, so all employees need to be educated, and regularly updated and reminded of the range of security threats to business data and systems, as well as their responsibilities for reducing the risks to an acceptable level.

Requirements: Security education should begin with an appropriate induction session for all new staff and should be maintained through regular briefings and bulletins.

Rate Yourself

1. No human resources assigned to the item.
2. The item has been done or worked on but not formally documented.
3. The item has been officially documented.
4. There are repeatable processes in place that have been successfully completed multiple times.
5. There are measurement metrics in place to measure the success or improvement of the item.
6. Optimization: There are technology tools in place to support the execution and measurement of the item.

Page 37: 2016 Risk Management Workshop


Respond: Turn in your answer sheets to get your full diagnostic results and all of our DIY resources emailed to you.

Page 38: 2016 Risk Management Workshop


Where should we start?

Page 39: 2016 Risk Management Workshop


How to prioritize

#     Item                                  Recommendation
1.1   Owner/Director commitment             Strategic Analysis
1.2   Understanding obligations             Strategic Analysis
1.3   Responding to security risks          Risk Assessment; Incident Response Processes
1.4   Essential security countermeasures    Vulnerability Assessment; Existing Technology Optimization
2.1   Security rules                        Education & Awareness Basics
2.2   Security responsibilities             RACI (Roles & Responsibilities) Development
2.3   Disaster survival plan                Disaster Recovery; Business Continuity Processes
2.4   Security oversight                    KPIs: Reporting & Metrics
3.1   Policies & procedures                 Policies & Procedures
3.2   Management system                     Enterprise Risk Management Program
3.3   Security technology                   SecurITy Technology Implementation
3.4   Security education                    Education & Awareness Program

Prioritize the recommendations that correspond to your lowest scores.
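The Assess-to-Respond step above, as an added example that is not part of the workshop material: it takes a 1–6 "Rate Yourself" answer sheet for the twelve controls, validates it, maps each control to the recommendation table on this slide, and lists recommendations lowest score first, with a shared recommendation (such as Strategic Analysis) appearing once at its weakest control. The sample scores, the heat-map colour bands and the choice to skip controls rated 6 are assumptions made for the example.

```python
"""Prioritise workshop recommendations from a self-assessment answer sheet.

Added example, not Kalki Consulting's own material.  The control list and
recommendation table are those of the deck; the scores are constructed.
"""

# Recommendation table from the "How to prioritize" slide.
RECOMMENDATIONS = {
    "1.1": ("Owner/Director commitment", ["Strategic Analysis"]),
    "1.2": ("Understanding obligations", ["Strategic Analysis"]),
    "1.3": ("Responding to security risks",
            ["Risk Assessment", "Incident Response Processes"]),
    "1.4": ("Essential security countermeasures",
            ["Vulnerability Assessment", "Existing Technology Optimization"]),
    "2.1": ("Security rules", ["Education & Awareness Basics"]),
    "2.2": ("Security responsibilities",
            ["RACI (Roles & Responsibilities) Development"]),
    "2.3": ("Disaster survival plan",
            ["Disaster Recovery", "Business Continuity Processes"]),
    "2.4": ("Security oversight", ["KPIs: Reporting & Metrics"]),
    "3.1": ("Policies & procedures", ["Policies & Procedures"]),
    "3.2": ("Management system", ["Enterprise Risk Management Program"]),
    "3.3": ("Security technology", ["SecurITy Technology Implementation"]),
    "3.4": ("Security education", ["Education & Awareness Program"]),
}

# "Rate Yourself" scale from the assessment slides: 1 (no resources) .. 6 (optimized).
MIN_SCORE, MAX_SCORE = 1, 6

# Constructed sample answer sheet (not taken from the deck).
SAMPLE_SCORES = {
    "1.1": 3, "1.2": 2, "1.3": 1, "1.4": 4, "2.1": 2, "2.2": 1,
    "2.3": 3, "2.4": 1, "3.1": 2, "3.2": 1, "3.3": 4, "3.4": 2,
}


def validate(scores):
    """Reject an incomplete sheet or a rating outside the 1-6 scale."""
    missing = sorted(set(RECOMMENDATIONS) - set(scores))
    if missing:
        raise ValueError(f"unscored controls: {missing}")
    bad = {k: v for k, v in scores.items() if not MIN_SCORE <= v <= MAX_SCORE}
    if bad:
        raise ValueError(f"scores outside {MIN_SCORE}-{MAX_SCORE}: {bad}")
    return scores


def heat_band(score):
    """Heat-map colour for a score; the band boundaries are an assumption."""
    if score <= 2:
        return "red"
    if score <= 4:
        return "amber"
    return "green"


def prioritize(scores, max_score=MAX_SCORE):
    """Return (recommendation, score, control) tuples, lowest score first.

    A recommendation shared by several controls is listed once, at the
    position of its weakest control (ties broken by control number).
    Controls already at max_score are assumed to need no recommendation.
    """
    validate(scores)
    ordered = sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))
    plan = {}  # recommendation -> (score, control); insertion order kept
    for control, score in ordered:
        if score >= max_score:
            continue
        for rec in RECOMMENDATIONS[control][1]:
            plan.setdefault(rec, (score, control))
    return [(rec, score, control) for rec, (score, control) in plan.items()]


if __name__ == "__main__":
    for rec, score, control in prioritize(SAMPLE_SCORES):
        name = RECOMMENDATIONS[control][0]
        print(f"{heat_band(score):5} {score}  {control} {name}: {rec}")
```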

Page 40: 2016 Risk Management Workshop


Strategic Analysis

A Strategic Analysis often accompanies one of our other more technical assessments and is meant to help make the results of those assessments meaningful to your business. It is definitely easy to run an assessment in a vacuum, but it doesn’t do much good. Instead, we make sure to gain a full understanding of your business’s goals, strategy and appetite for risk to make the technical assessment applicable to you.

Many people see a technical problem and assume there is a very technical answer, but this is not necessarily the case. Our Strategic Analysis takes the extra steps to learn about the underlying reasons why your business is having security or technology problems. Similar to how a doctor treats a patient, this helps us to see past the symptoms and treat the underlying disease.

DIY Resources

• OCIE Guide
• SecurITy Checklist for Execs

Page 41: 2016 Risk Management Workshop


Risk Assessment

A Risk Assessment will focus on the particular areas of your business where you have issues and provide you a clear roadmap for how to fix the problems. Risk Assessments can highlight the underlying causes of your problems and dive deeper into the areas where you need the most help. This assessment can be used following a High Level Risk Assessment to pinpoint the causes of the high-level problems found.

We work to make sure you completely understand the state of your business by providing you a roadmap detailing both the current state and desired state of information security. Our roadmaps will provide measured steps for getting from the current to the desired state. We will walk you through every step of the process so in the end you’re left with a full understanding of how we got there.

DIY Resources

• OCIE Guide
• SecurITy Checklist for Execs

Page 42: 2016 Risk Management Workshop


Incident Response Processes

Proper incident handling processes can drastically reduce the overall cost of that incident to the business. Incident response processes promote early detection, quick and thorough response as well as post-incident improvements to processes and systems. We help you incorporate all of the following steps into your business’ incident response processes.

Page 43: 2016 Risk Management Workshop


Education & Awareness Basics

A chain is only as strong as its weakest link. An organization carries a major risk in each of its employees, and it only takes one click to let malicious code in the door or one mistake to lose or leak important data. A company’s employees can be its greatest security weakness… or its greatest strength. Investing in information security training for employees, or choosing not to, can have a huge impact on the bottom line.

SecurITy starts with people. All the technology in the world is useless if an employee is willing to give away, or isn’t careful with, sensitive data. It’s important to make every one of your employees a guardian of your business’ data, and we can help!

DIY Resources

Employee Education & Awareness Guide

Page 44: 2016 Risk Management Workshop


Monitor: Turn in your answer sheets to get your full diagnostic results and all of our DIY resources emailed to you.

Page 46: 2016 Risk Management Workshop


Education and Awareness Program: Target your weakest links ASAP!

TEST: Regularly test your employees to see how they behave! Run regular 3rd party Phishing & Social Engineering Testing to practice the real thing and see how they respond. Conduct a recurring Security Awareness Survey to measure the culture around security and gauge the level of employee knowledge.

TEACH: Provide interactive training on security that’s geared toward educating even the non-technical employees at your company. Use a variety of instructor-led and digital methods. Make sure your trainers are ready to teach employees WHY they should care and how to protect both themselves and the company.

TRACK: Measure your success and adjust accordingly. Track key metrics including participation. Use the methods in the TEST section to regularly benchmark where your employees fall and measure improvements in the results. Make adjustments and improvements over time to mature your education program.

Page 47: 2016 Risk Management Workshop


Questions? Don’t forget to turn in your answer sheets!

Page 48: 2016 Risk Management Workshop


You’re protected.

protected@kalkiconsulting.com | www.kalkiconsulting.com | 1.855.GO.KALKI