1
The European Commission’s
science and knowledge service
Joint Research Centre
Cybersecurity in Complex
IT Environments
Fabrice WAWAK
Information Security Officer
HLCA'17 ISACA Madrid
V1.0
2
Joint Research Centre
As the science and knowledge service of the European Commission, the Joint Research Centre's mission is to support EU policies with independent evidence throughout the whole policy cycle.
3
JRC activities
• Agriculture and food security
• Economic and Monetary Union
• Energy and transport
• Environment and climate change
• Health and consumer protection
• Information Society
• Innovation and growth
• Nuclear safety and security
• Safety and Security
• Standards
4
5
EC Information Systems
security framework
Commission Decision 2017/46 concerning the security of information systems used by the European Commission, and its Implementation Rules
6
EC Information Systems security framework
Define security plans
• Scope and boundaries
• Security needs (BIA)
• Risk assessment
Implement security plans
• Implementation plan
Monitor the effectiveness of security plans
• Compliance check
• Incidents review
• Reported breaches
Review and improve security plans
• Corrective actions
• Preventive actions
7
Big challenge for our System Owners
8
Our approach to support our System Owner
Integrated tool providing rapid IT security risk information capture
Automatic generation of customised and prefilled individual documents
9
Quick preliminary inputs
Where is the security focus of the system?
• Confidentiality / Integrity / Availability
What is the scope?
• Relevant threat areas
Scope document
10
Threat areas evaluation
• Different scenarios
• Rating of the threat
11
Risk Assessment Methodology
Methodology based on a weighted aggregation of the CIA evaluation and the risk-area evaluation per countermeasure
Mapping from risk areas and CIA to the 85 countermeasures of the EC implementation rules
12
Risk Assessment Methodology
Federates several approaches
Mapping of the 85 processes to ISO 27002, but also including COBIT 5, eBIOS, Magerit, SANS CSC and PCI DSS
13
Support given to the System Owner
List of countermeasures classified by their importance
Dedicated prefilled Security Plan template
$MRR(x) = \sum_{n=1}^{\mathit{Threats}} \mathit{CvT} \cdot \max(C, I, A)$
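As an added worked example (not part of the original slides or of the JRC tool), the following Python sketch applies the MRR formula above to constructed data and produces the ranked countermeasure list the method feeds into the prefilled security plan. The slides do not define CvT, the rating scales, or the real mapping to the 85 countermeasures, so everything below is an assumption: CvT is taken as the threat rating multiplied by the weight with which a countermeasure is mapped to that threat, needs and ratings use a 1..4 scale, the four countermeasures and four threat areas are invented, and the High/Medium/Low bands are relative to the best score.

```python
"""Worked example of the MRR-style countermeasure ranking (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    rating: int           # threat-area evaluation; 0 = not applicable (assumed 0..4 scale)
    affects: frozenset    # which of C, I, A this threat can damage


@dataclass(frozen=True)
class Countermeasure:
    ident: str
    title: str
    coverage: dict        # threat name -> weight in [0, 1] (assumed form of the mapping)


# Constructed sample inputs: a system whose security focus is availability,
# three applicable threat areas plus one rated out of scope, and four
# countermeasures standing in for the real list of 85.
NEEDS = {"C": 3, "I": 2, "A": 4}            # BIA result, assumed 1..4 scale

THREATS = (
    Threat("Phishing", 3, frozenset({"C"})),
    Threat("Ransomware", 4, frozenset({"I", "A"})),
    Threat("Power outage", 1, frozenset({"A"})),
    Threat("Insider misuse", 0, frozenset({"C", "I"})),   # not applicable here
)

COUNTERMEASURES = (
    Countermeasure("CM-01", "Security awareness training",
                   {"Phishing": 1.0, "Insider misuse": 0.5}),
    Countermeasure("CM-02", "Offline backups",
                   {"Ransomware": 1.0, "Power outage": 0.3}),
    Countermeasure("CM-03", "Endpoint anti-malware",
                   {"Phishing": 0.5, "Ransomware": 0.7}),
    Countermeasure("CM-04", "UPS for the server room", {"Power outage": 1.0}),
)


def max_need(threat, needs):
    """MAX(C, I, A): the highest security need among the dimensions this threat affects."""
    return max(needs[dim] for dim in threat.affects)


def mrr(cm, threats, needs):
    """MRR(x) = sum over threats n of CvT * MAX(C, I, A).

    Assumption: CvT = threat rating * mapping weight of countermeasure x for
    that threat. Threats rated 0 or not mapped to x contribute nothing, which
    keeps the exercise focused on the applicable threat areas.
    """
    total = 0.0
    for threat in threats:
        cvt = cm.coverage.get(threat.name, 0.0) * threat.rating
        if cvt == 0:
            continue
        total += cvt * max_need(threat, needs)
    return total


def importance_band(score, top):
    """Classify relative to the best-scoring countermeasure (assumed thresholds)."""
    if top <= 0:
        return "Low"
    if score >= 2 * top / 3:
        return "High"
    if score >= top / 3:
        return "Medium"
    return "Low"


def rank_countermeasures(needs=NEEDS, threats=THREATS, countermeasures=COUNTERMEASURES):
    """Return (ident, score, band) for every countermeasure, most important first."""
    scored = [(cm.ident, mrr(cm, threats, needs)) for cm in countermeasures]
    scored.sort(key=lambda item: item[1], reverse=True)
    top = scored[0][1] if scored else 0.0
    return [(ident, score, importance_band(score, top)) for ident, score in scored]


if __name__ == "__main__":
    for ident, score, band in rank_countermeasures():
        print(f"{ident}  MRR={score:5.1f}  {band}")
```

Because every countermeasure is scored from the same threat ratings and the same BIA needs, the list stays consistent with the scope document: changing the availability need or dropping a threat area re-ranks the whole list without any per-countermeasure rework, which is the reuse of collected information the approach relies on.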
14
Define Process Owner
Baseline Processes in Standard Services
vs
Specific Needs
• Reporting BCP needs
• Requesting changes to network rules
• Requesting extra physical countermeasures
15
Output from System Owner
System owner finalises the security plan
Selection of the countermeasures to be implemented
Define countermeasures ownership
Residual risk acceptance
Security plan
Prefilled implementation plan template
16
Processes definition
System owner finalises the implementation plan
Implementation plan
17
Implement
System Owner implements the countermeasures
18
Output for the auditor
Dedicated prefilled Audit Plan template given to the Auditor
Auditor performs the audit
19
Check and Monitoring
Look for evidence of non-compliance, IT vulnerabilities included, and also check the defined processes
20
Maturity Model
Reporting
• Evidence is mapped against threats and impacts
• A level of compliance is assessed for each process (maturity model, MM)
21
Corrective Actions
Provide an improvement plan based on the maturity model and the specific needs of the system
22
Governance Reporting
Top-down
Provide the KPI values periodically to Management
Bottom-up
COBIT provides some KPI / KGI to be used based on the Business focus
23
Conclusion
• Embed the complexity of the methodology in the supporting tool
• Reuse the collected information at each step and in each iteration
• Ease the risk assessment exercise by focusing on the applicable threat areas
• Support the System Owner (SO) in all steps
24
That's All Folks
Questions?