Crown Jewels Risk Assessment: Cost-Effective Risk Identification (GRC-W11)
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow
CEO, Lantego
@douglandoll
Information Security Risk Assessment (ISRA)
Definition: an objective analysis of how effectively the current security controls protect an organization's assets, and a determination of the probability of losses to those assets.
Benefits:
- Information security program oversight (e.g., checks and balances)
- Periodic review: re-examine control effectiveness after threats, the environment, and business processes change
- Basis for risk-based spending: buy the greatest risk reductions, not pet projects and squeaky wheels
Information Security Risk Assessment
The risk assessment process follows the same five steps for EVERY risk assessment subject.
ISRA Process:
1. Preparation: scope, assets, boundaries
2. Data Gathering: controls review, interview, observe, test
3. Risk Analysis: threat, vulnerability, impact
4. Risk Remediation: safeguards, cost effectiveness
5. Reporting and Resolution: report, repository, guidance, tracking
Traditional Centralized System Risk Assessments
Traditional organizations have centralized information systems.
- Common organizational controls: security policy, human resources, training, incident response
- Common system controls: authentication, configuration management, incident monitoring
- Limited systems: general office, mission applications, services (authentication, file server, database), network infrastructure
De-Centralized System Risk Assessments
Many organizations have expanded beyond centralized information systems.
- Cloud-based applications: file storage, marketing, expense tracking, business intelligence
- Third party management: system hosting, out-sourced development, human resources, sales
- "Unlimited" systems: general office, mission applications, services (authentication, file server, database), network infrastructure
Information Security Risk Assessment
The Data Gathering step of the ISRA process does not scale well.
ISRA Process: Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution
Effect of Increasing Number of Systems
Cost increases drastically as the number of systems increases.
Effect of Increasing Number of Systems
Data quality suffers as the number of systems increases.
Data Quality Typically Suffers
- Self-assessments ask each system owner to rate the strength of their own systems
- Survey-based assessments send questionnaires to control custodians
Crown Jewels Approach: Most Critical Data & Systems
Threats: all system threats, plus unique threats and targeted attacks
Impact: catastrophic impact upon system loss or upon data loss
Crown Jewels Approach: Most Critical Data & Systems
Volume: for most organizations, 0.01% - 2.0% of total sensitive data
Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress
Crown Jewels Project: Environment
Fortune 500 subsidiary
189 information systems; 80%+ cloud-based
36 system owners; 15 system custodians
Parsons Proprietary
Crown Jewels Project: Define, Discover, Baseline, Analyze, Secure
Define (for each business unit): identify critical systems; define critical data
Discover (for each crown jewel): identify lifecycle, environment, and flows; identify system and environment controls
Baseline: identify requirements; assess control effectiveness
Analyze: identify control gaps; identify security risk; prioritize security gaps
Secure: create security solution sets; deploy solutions; monitor solutions
Slide callouts: "Reduced systems from 186 to 20 here." "Applied risk remediation to overall program here."
ITAR CM.01.2014
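The Define-through-Secure procedure above, together with the ISRA Risk Analysis and Risk Remediation steps listed earlier, comes down to a scoping decision followed by a risk-based ranking. The Python sketch below is an added illustration, not code from the talk or the Parsons project: it selects crown jewels by concentration of sensitive-data value, computes annual risk as threat x vulnerability x impact, and ranks candidate safeguards by risk reduced per dollar. All system names, scores and dollar figures are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class System:
    name: str
    data_value: float     # share of the organization's sensitive-data value (0..1)
    threat: float         # likelihood a relevant threat acts in a year (0..1)
    vulnerability: float  # likelihood current controls fail against it (0..1)
    impact: float         # loss in dollars on system or data loss

@dataclass
class Safeguard:
    name: str
    system: str
    reduction: float      # fraction of the system's vulnerability removed (0..1)
    cost: float           # annualized cost in dollars

def annual_risk(s: System) -> float:
    # Risk Analysis step: threat x vulnerability x impact
    return s.threat * s.vulnerability * s.impact

def select_crown_jewels(systems, value_share=0.70):
    # Define step: the fewest systems that together hold value_share of data value
    chosen, total = [], 0.0
    for s in sorted(systems, key=lambda s: s.data_value, reverse=True):
        if total >= value_share:
            break
        chosen.append(s)
        total += s.data_value
    return chosen

def rank_safeguards(jewels, safeguards):
    # Risk Remediation step: order safeguards by annual risk reduced per dollar
    by_name = {s.name: s for s in jewels}
    scored = []
    for g in safeguards:
        s = by_name.get(g.system)
        if s is None:  # protects a system outside the crown-jewel scope
            continue
        reduced = annual_risk(s) * g.reduction
        scored.append((reduced / g.cost, g.name, round(reduced)))
    return sorted(scored, reverse=True)
SYSTEMS = [  # constructed sample inventory, not the project's data
    System("hr-payroll-saas", 0.45, 0.6, 0.5, 4_000_000),
    System("cad-vault",       0.30, 0.4, 0.7, 6_000_000),
    System("marketing-site",  0.05, 0.8, 0.6, 50_000),
]
SAFEGUARDS = [  # constructed candidate controls
    Safeguard("MFA for payroll admins", "hr-payroll-saas", 0.5, 20_000),
    Safeguard("Vault access review", "cad-vault", 0.4, 60_000),
    Safeguard("WAF for marketing site", "marketing-site", 0.7, 15_000),
]
```

Calling `rank_safeguards(select_crown_jewels(SYSTEMS), SAFEGUARDS)` drops the marketing-site control as out of scope and orders the remaining two by risk reduction per dollar.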
Crown Jewels Project: Key Project Artifacts (Define, Discover, Baseline, Analyze, Secure)
- Application risk survey and interview results
- Responses and scoring
- Required controls
- Controls assessment
- Risk analysis
- Solutions development
Crown Jewels Project: Results
- Identification of corporate "crown jewels"
- Determination of crown jewel risk
- Limitation of the assessment to the most impactful elements
- Creation of a security controls plan with the most significant risk reduction
Less work, more results.
Applying Crown Jewel Lessons
Next week:
- Identify the organization's security assessment plan: self vs. third party; frequency; rigor / technique (tests vs. assessments)
- Determine the adequacy of the plan
Applying Crown Jewel Lessons
Within 1 month:
- Identify and review contractual and legal security requirements
- Review the latest security assessment reports
- Identify business process owners
Within 3 months:
- Conduct a crown jewels project
- Apply lessons learned
Thank You
Contact: Doug Landoll, CEO, Lantego, dlandoll@lantego.com
Project Challenges
- Common organizational definition of "crown jewels"
- Identification of business processes
- Identification of business / systems owners
- Identifying a business champion