Risky Business
TRANSCRIPT
Michael Scheidell, CISSP, CCISO, SMIEEE
RISKY BUSINESS
Prepare and Defend.
InfraGard slidesha.re/1H0uVSL
© 2014-2015 All Rights Reserved, Security Privateers
Michael Scheidell, CISSP, CCISO, SMIEEE
Risky Business
@scheidell 561-948-1305 / [email protected]
http://www.securityprivateers.com
• CISSP, Certified CISO
• SE Regional Rep, InfraGard National
• Board Member, InfraGard South Florida Members Alliance
• Delegate to NIST CSF workshop
• Retained CISO
• Member ISSA, IAPP, ISACA, PMI, SFTA, CSA, FISA, IEEE
• Patents in Network Security
• Founded 3 technology companies
AGENDA
• Evolution, Revolution or Anarchy
• Who is Responsible for IT Security?
• Please Stop Calling it InfoSec
• IT Risk Management
• Risk Officer / Risk Committee
• Types of Risk Management
• Risk of Too Much Management
• Risk Management Frameworks
• Do or Not Do. There is no Try
Risky Business
Evolution, Revolution or Anarchy
Restricted Access
Secrets
Secrets Protection
Who is Responsible for IT Security?
Not My Job
CFO
IT Security
Network Manager
CIO
Dir IT
CEO
Information Security depends on Policy
Please Stop Calling it Information Security
Information Security: usually sits in the IT department, with no visibility into business practices. It revolves around the Information Security Policy and one of several InfoSec frameworks.
Sample Risk Management Matrix
IT Risk Management: without direct involvement from all stakeholders you can’t allocate resources or determine what to protect and why.
Stakeholders: Executive, Operations, Information Technology, Legal, Finance, CRO, IT
Retail: add in LOSS PREVENTION
Marketing: PR for when things go wrong
Risk Management: It’s Everyone’s Job
Chief Risk Officer
Risk Management Steps: from here to there and back again
1. Business Impact Analysis: What will it cost us? Needed for DRP and BCP also.
2. Identify Risks: Governance, Risk, Compliance
3. Prioritize Mitigation: Budget, Business Impact, Legal
4. Fund Failure: It will happen. Decide what to do before it happens.
LIKELIHOOD: How likely is the event to occur?
CONSEQUENCES: What is the severity of injuries / potential damages / financial loss?

Likelihood (description)                                  | Insignificant | Minor    | Moderate | Major    | Catastrophic
Almost certain (expected in normal circumstances: 100%)   | MODERATE      | HIGH     | HIGH     | CRITICAL | CRITICAL
Likely (will probably occur in most circumstances: 10%)   | MODERATE      | MODERATE | HIGH     | HIGH     | CRITICAL
Possible (might occur at some time: 1%)                   | LOW           | MODERATE | HIGH     | HIGH     | CRITICAL
Unlikely (could occur at some future time: 0.1%)          | LOW           | MODERATE | MODERATE | HIGH     | HIGH
Rare (only in exceptional circumstances: 0.01%)           | LOW           | LOW      | MODERATE | HIGH     | HIGH

Consequence scale:
Insignificant: No injuries, no environmental impact, < $1,000 damage
Minor: Some first aid, low environmental impact, < $10K damage
Moderate: External medical treatment, medium environmental impact, < $100K damage
Major: Extensive injuries, high environmental impact, < $1MM damage
Catastrophic: Death / major injury, toxic environmental impact, > $1MM damage
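The matrix above becomes usable once likelihood and consequence are read off real estimates. The following is an added example, not code from the deck or from Security Privateers: it encodes the slide's rating cells, the percentage bands and the dollar thresholds, and applies them to a constructed set of scenarios to produce the mitigation order step 3 asks for. The scenario names and figures are assumptions for illustration only.

```python
# Consequence columns and rating cells copied from the matrix slide; one row
# per likelihood band, columns from Insignificant to Catastrophic.
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
MATRIX = {
    "Almost certain": ["MODERATE", "HIGH", "HIGH", "CRITICAL", "CRITICAL"],
    "Likely": ["MODERATE", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Possible": ["LOW", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Unlikely": ["LOW", "MODERATE", "MODERATE", "HIGH", "HIGH"],
    "Rare": ["LOW", "LOW", "MODERATE", "HIGH", "HIGH"],
}
RATING_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]

def likelihood_band(annual_probability):
    """Map an annual probability (1.0 = the slide's 100%) to a likelihood band."""
    for band, floor in (("Almost certain", 1.0), ("Likely", 0.1),
                        ("Possible", 0.01), ("Unlikely", 0.001)):
        if annual_probability >= floor:
            return band
    return "Rare"

def consequence_band(damage_usd):
    """Map financial damage to a band using the slide's '< $X' thresholds.
    The slide leaves exactly $1MM unassigned; it lands in Catastrophic here."""
    for band, ceiling in (("Insignificant", 1_000), ("Minor", 10_000),
                          ("Moderate", 100_000), ("Major", 1_000_000)):
        if damage_usd < ceiling:
            return band
    return "Catastrophic"

def risk_rating(annual_probability, damage_usd):
    """Qualitative rating read straight from the matrix."""
    row = MATRIX[likelihood_band(annual_probability)]
    return row[CONSEQUENCE.index(consequence_band(damage_usd))]

def prioritize(scenarios):
    """Step 3 of the deck, Prioritize Mitigation: highest rating first, ties
    broken by annualised expected loss (probability x damage).
    Each scenario is a (name, annual_probability, damage_usd) tuple."""
    return sorted(scenarios, reverse=True,
                  key=lambda s: (RATING_ORDER.index(risk_rating(s[1], s[2])),
                                 s[1] * s[2]))

# Constructed scenarios for illustration; the figures are not from the deck.
SCENARIOS = [
    ("Lost unencrypted laptop", 1.0, 5_000),
    ("Phishing leads to workstation compromise", 0.5, 50_000),
    ("Ransomware on file server", 0.05, 600_000),
    ("Regional hurricane outage", 0.02, 2_000_000),
]
```

Note that a rare but catastrophic event still rates HIGH in this matrix, while a certain but minor one rates the same; the expected-loss tie-break is what separates them when budgeting.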
Types of Risk Management
There is more than one way to go bankrupt
1. Enterprise Risk
2. Operational Risk
3. Regulatory and Legal Risk
4. Financial Risk
5. Unknown Risk
Where does Information Risk Management fit?
Operational Risk
Operational risks exist in every organization, regardless of its size, in any number of forms including hurricanes, blackouts, computer hacking, and organized fraud.
Types of Risk Management
Regulatory and Legal Risk
International, Federal, State, Local, Legal and Industry Specific: Safe Harbor, GLBA, SOX (Sarbanes-Oxley), HIPAA, PCI
Financial Risk
The loss of key resources like funding through Credit Risk, Investment Risk, Liquidity Risk and Market Risk
Enterprise Risk
Enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and strong risk culture, supported by sound risk management capabilities.
Unknown Risk
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” (Donald Rumsfeld)
Harvard Business Review, June 2012
1. Preventable Risks
• Risks that can be controlled
• Employee misconduct
• Unauthorized, illegal
• No strategic benefit
• Manage pro-actively
• Monitoring processes
• Guiding behaviors
• Rules-based compliance
2. Strategy Risks
• Must accept some risks
• Lender accepts risk
• R & D spending
• Not inherently undesirable
• Higher reward, higher risk
• Rules-based won’t work
Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain risk events should they occur.
3. External Risks
• Beyond company control
• Natural disasters
• Political disasters
• Economic disasters
• Can’t prevent them
• Can’t predict them
• Focus on identification
• Plan: Business Impact Analysis, Disaster Recovery Plan, Business Continuity Plan, Insurance
Working With Risks
Risk types: Enterprise, Operational, Regulatory, Financial
Risk classes: Strategic Risks, Preventable Risks, External Risks, Acceptable Risks
IT-related Risk across the Enterprise Risk hierarchy: Strategic Risk, Environmental Risk, Market Risk, Credit Risk, Operational Risk, Compliance Risk
IT Risk in the Risk Hierarchy
Where IT fits in
IT Benefit/Value Enablement Risk
IT Program and Project Delivery Risk
IT Operations and Service Delivery Risk
IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g., in the financial industry in the Basel II. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives.
The same applies for credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but perhaps as shown in the example given.
Working with Risks
COBIT 5 for Risk
IT Risk Frameworks
NIST 800-37
IT Risk Frameworks
ISACA’s RISK IT Framework
Risk IT Principles
• Connect to Business Objectives
• Align IT Risk Management with ERM
• Balance Cost/Benefit of IT Risk
• Promote Fair and Open Discourse
• Establish Tone and Accountability at the Top
• Function as Part of Daily Activities
IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
Two choices
This is your last chance ... After this, there is no turning back.
You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe.
You take the red pill ... you stay in Wonderland, and I show you how deep the rabbit-hole goes.
Running with Scissors: Why RISK is Good
Risk of Too Much Management
• What major systemic failure can you think of in Security and Privacy?
• Where has too much Security eliminated Privacy and did nothing for Security?
• Have you experienced too much security?
$93 Billion spent since 2001
Where to put priorities
• Identify: Risk Assessment
• Likelihood: Logs, Security Alerts
• Consequences: Business Impact Analysis, Data Valuation
• Impact: Unavailable, Modified, Exfiltrated
• Data Classification: Public, Private, Classified
• THEN AUDIT
Where to put priorities
• Exfiltrated Public Data: State Code DB
• DoS: Ketchup Formula
• Corrupt: ICBM Codes
• 40MM Dumps with PIN
Business Impact Analysis
Data Valuation / Data Classification
Data Breach Profitability
BCP / DRP / RISK IT
BIA: Missing Backup, Internet Outage, Power Outage
Responsibility: Executive Management (go to www.hotjobs.com)
1. Start to work: partner with other departments
2. Without a destination, any path will do.
• Join InfraGard http://www.infragard.org/
• Join ISACA http://www.isaca.org
• Join ISSA http://www.issa.org
• Presentation: http://slidesha.re/1H0uVSL
• Learn about RISK IT and COBIT
• Training / Certifications: CISSP, CCISO, CRISC
New Platform, Old Mistakes
Keep doing the same thing hoping for different results
Risk Management Programs
• Build your IT Risk Management Team
• Help Management Implement RISK IT
• Training
• Web App Assessment
• SDLC Review
• IT Risk Assessments
• Retained CISO
Risky Business
Where to get Help
@scheidell 561-948-1305 / [email protected] / http://www.securityprivateers.com
Call to set up an appointment for initial review