
Page 1: The European Commission’s - ISACA · The European Commission’s science and knowledge service Joint Research Centre ... HLCA'17 ISACA Madrid V1.0 . 2 Joint Research Centre As the

1

The European Commission’s science and knowledge service

Joint Research Centre

Cybersecurity in Complex IT Environments

Fabrice WAWAK, Information Security Officer

HLCA'17 ISACA Madrid

V1.0

Page 2

Joint Research Centre

As the science and knowledge service of the European Commission, the Joint Research Centre's mission is to support EU policies with independent evidence throughout the whole policy cycle

Page 3

JRC activities

• Agriculture and food security

• Economic and Monetary Union

• Energy and transport

• Environment and climate change

• Health and consumer protection

• Information Society

• Innovation and growth

• Nuclear safety and security

• Safety and Security

• Standards

Page 4

Page 5

EC Information Systems security framework

Commission Decision 2017/46 concerning the security of information systems used by the European Commission

and its Implementation Rules

Page 6

EC Information Systems security framework

Define security plans

• Scope and boundaries

• Security needs (BIA)

• Risk assessment

Review and improve security plans

• Corrective actions

• Preventive actions

Implement security plans

• Implementation plan

Monitor the effectiveness of security plans

• Compliance check

• Incidents review

• Reported breaches

Page 7

Big challenge for our System Owners


Page 8

Our approach to support our System Owner

Integrated tool providing rapid IT security risk information capture

Automatic generation of customised and prefilled individual documents


Page 9

Quick preliminary inputs

Where is the security focus of the system?

• Confidentiality / Integrity / Availability

What is the scope?

• Relevant threat areas

Scope document


Page 10

Threat areas evaluation

• Different scenarios

• Rating of the threat

Threat areas evaluation

Threats

Page 11

Methodology based on a weighted aggregation of the CIA evaluation and the threat area evaluation, computed per countermeasure

Mapping from threat areas and CIA to the 85 countermeasures of the EC implementation rules

Risk Assessment Methodology


Page 12

Federates several approaches

Mapping of 85 processes with ISO27002 but also including COBIT 5, eBIOS, Magerit, SANS CSC and PCI DSS

Risk Assessment Methodology


Page 13

Support given to the System Owner

List of countermeasures classified by their importance

Dedicated prefilled Security Plan template

Prefilled Security plan template

$$MRR(x) = \sum_{n=1}^{Threats} CvT \cdot \max(C, I, A)$$
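As an added example (not part of the presentation or of the JRC tool), the aggregation above in Python: each countermeasure gets a score that sums, over the evaluated threats, a coverage weight times the strongest of the threat's C/I/A ratings, and countermeasures are then classified by importance as on the "Support given to the System Owner" slide. The deck does not define CvT, C, I or A, so this assumes CvT is the weight of countermeasure x against threat n and C, I, A are that threat's impact ratings; all threats and weights are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One rated threat from the 'threat areas evaluation' step (constructed 0-4 scale)."""
    name: str
    c: int  # impact on confidentiality
    i: int  # impact on integrity
    a: int  # impact on availability

# Constructed sample threats with their CIA ratings.
THREATS = [
    Threat("phishing", c=3, i=2, a=1),
    Threat("ransomware", c=1, i=4, a=4),
    Threat("insider data leak", c=4, i=1, a=0),
]

# Constructed CvT weights (assumed meaning: how far countermeasure x covers threat n, 0..1).
COVERAGE = {
    "awareness training": {"phishing": 1.0, "insider data leak": 0.5},
    "offline backups": {"ransomware": 1.0},
    "access control review": {"insider data leak": 1.0, "ransomware": 0.5},
}

def mrr(countermeasure: str, threats=THREATS, coverage=COVERAGE) -> float:
    """MRR(x) = sum over threats n of CvT(x, n) * max(C_n, I_n, A_n).

    A threat the countermeasure does not cover contributes 0, and an unknown
    countermeasure scores 0 rather than raising."""
    weights = coverage.get(countermeasure, {})
    return sum(weights.get(t.name, 0.0) * max(t.c, t.i, t.a) for t in threats)

def rank_countermeasures(coverage=COVERAGE, threats=THREATS):
    """List of countermeasures classified by importance: highest MRR first,
    alphabetical on ties so the ordering is deterministic."""
    scores = {x: mrr(x, threats, coverage) for x in coverage}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, score in rank_countermeasures():
        print(f"{score:5.2f}  {name}")
```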

Page 14

Define Process Owner

Baseline Processes in Standard Services

vs

Specific Needs

• Reporting BCP needs

• Request change on network rules

• Request extra physical countermeasures

Page 15

Output from System Owner

System owner finalises the security plan

Selection of the countermeasures to be implemented

Define countermeasures ownership

Residual risk acceptance

Security plan

Prefilled Implementation plan template

Page 16

Processes definition

System owner finalises the implementation plan

Implementation plan

Page 17

Implement

System Owner implements the countermeasures


Page 18

Output for the auditor

Dedicated prefilled Audit Plan template given to the Auditor

Auditor performs the audit

Prefilled Audit Plan template

Page 19

Check and Monitoring

Look for evidence of non-compliance, including IT vulnerabilities, and also check the defined processes

Page 20

Maturity Model

Reporting

• Evidence is mapped against threats and impacts

• Assess a level of compliance for each process (maturity model, MM)

Page 21

Corrective Actions

Provide an improvement plan based on the maturity model and the specific needs of the system


Page 22

Governance Reporting

Top-down

Provide the KPI values periodically to Management

Bottom-up

COBIT provides some KPI / KGI to be used based on the Business focus


Page 23

Conclusion

• Embed the complexity of the methodology in the supporting tool

• Reuse collected information at each step and in each iteration

• Ease the risk assessment exercise by focusing on the applicable threat areas

• Support the System Owner (SO) in all steps

Page 24

That's All Folks

Questions?
