Modernizing Risk Management to Support Evolution of IT

Presentation transcript:

Modernizing Risk Management to Support Evolution of IT
Mr. Eric Sanders, CISO, NRO; Director, NRO Cyber Security Office

Today's Presentation
- Setting the Stage
- Four Major Issues: Lack of Expertise; Complex IT Environments; The Slow, Boring Paper Game; Future Attacks
- Resolution: Understanding

Setting the Stage
- Technology is constantly changing, at ever-increasing rates
- Ensuring that new technologies are secure is difficult
- Traditional risk/compliance assessment is laborious and cumbersome
- Risk management must evolve to match the changing nature of cyber security
Source: Fujitsu Forum 2016, "Driving Digital Transformation", 11/16/2016

Lack of Expertise
- "In all, some 84% of cybersecurity workers are open to new employment opportunities in 2018, including 14% who are actively looking for a change." (ISC2, "Hiring and Retaining Top Cybersecurity Talent", 2018)
- Maintaining skilled workers in the IT industry is difficult
- Maintaining those same skills within cyber security is even harder, as indicated by the ISC2 study
- Maintaining those skills within risk/compliance assessment is next to impossible
- Issues with getting and keeping skilled individuals in risk management: it is not the sexy job, and it is not seen as a technical job

Risk Management
- Current risk management processes tend to slow down and hinder actual risk management decisions
Source: TechBeacon report, 3/22/2018

Complex IT Environments
- Traditional risk management separated everything into systems and assessed each system individually
- Today's IT environments are so interconnected and trusted that true risk management must consider the impact of all connected systems
- Connections between dev and ops
- Government agencies have multiple dev and ops systems
- Requires complete understanding of all devices on the network, including configurations and changes
- Need to understand data and sharing requirements
Source: Fujitsu Forum 2016, "Driving Digital Transformation", 11/16/2016

The Slow, Boring Paper Game
- By the time compliance is documented, the underlying system has changed
- Reducing compliance needs can speed up the process somewhat
- Automating the decision-making process is the real game changer

Future Attacks
- 2017 set a new record for vulnerabilities (14,714)
- 2018 set another new record for vulnerabilities (over 16,500)
- Current risk management methods can't cope with today's attack vectors
- Must be fast but thorough
- Must accommodate a constant state of change in order to protect against future attack vectors

Understanding
- What is the environment? Not just servers and software, but what should actually be trusted?
- What is acceptable risk? Need to understand the data, vulnerabilities, and threats as well as mitigations
- How does risk relate to ROI?
- What is the fastest and easiest risk management process given the risk level?

Solution
- Continuous scanning of IT: if the baseline is understood, then risk management is simply an assessment of any changes
- Scanning must be automated
- Depending on the system's risk level and the type of change, allow automated decision-making, for example on non-complex systems with non-security-related changes (such as updating standard desktop COTS software to the latest version)
- Risk management for complex systems and security changes can still be fully automated except for the decision itself

Our Approach
- Automated vulnerability and configuration scanning
- Automatically map scan results to NIST 800-53 security controls
- Tie pass/fail of security controls to vulnerability and threat information, allowing for an automated risk score
- The risk score can be used for an automated risk decision on a continuous basis
- Example: (Current risk score - Lowest possible risk score) / Lowest possible risk score
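The last two slides describe a pipeline: scan, map findings to 800-53 controls, fold vulnerability and threat data into a score, normalize it with the slide's formula, and automate the decision only for non-complex systems with non-security changes. The following is an added illustration of that pipeline, not code from the presentation or from the NRO; the findings, the check-to-control mapping, the severity weights, the inherent-risk floor and the approval threshold are all constructed sample values.

```python
from dataclasses import dataclass

# Constructed mapping from a scanner's check category to the NIST SP 800-53
# control it exercises (a real mapping would come from the scanner's content).
CONTROL_MAP = {
    "missing_patch": "SI-2",   # Flaw Remediation
    "weak_config": "CM-6",     # Configuration Settings
    "default_cred": "IA-5",    # Authenticator Management
}
# Constructed severity weights; a finding with a known exploit counts double,
# which is how threat information feeds the score on the slide.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
EXPLOITED_MULTIPLIER = 2


@dataclass
class Finding:
    check: str             # key into CONTROL_MAP
    severity: str          # key into SEVERITY_WEIGHT
    exploit_known: bool = False


def map_controls(findings):
    """Pass/fail per mapped control: a control fails if any finding hits it."""
    status = {control: "pass" for control in CONTROL_MAP.values()}
    for f in findings:
        status[CONTROL_MAP[f.check]] = "fail"
    return status


def risk_score(findings, inherent_risk):
    """Current score = the system's inherent (floor) risk plus weighted findings."""
    return inherent_risk + sum(
        SEVERITY_WEIGHT[f.severity] * (EXPLOITED_MULTIPLIER if f.exploit_known else 1)
        for f in findings)


def normalized_risk(current, lowest_possible):
    """The slide's formula: (current - lowest possible) / lowest possible."""
    if lowest_possible <= 0:
        raise ValueError("lowest possible risk score must be positive")
    return (current - lowest_possible) / lowest_possible


def decide(findings, complex_system, security_change, inherent_risk, threshold):
    """Automated decision only for non-complex systems with non-security changes;
    complex systems or security changes still get a score, but a human decides."""
    score = normalized_risk(risk_score(findings, inherent_risk), inherent_risk)
    if complex_system or security_change:
        return "human_review", score
    return ("auto_approve" if score <= threshold else "auto_reject"), score
```

With the inherent risk as the "lowest possible" score, a clean scan normalizes to 0.0 and every finding raises the score in proportion to that floor, so one threshold can be reused across systems of different baseline risk.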