Crown Jewels Risk Assessment: Cost-Effective Risk Identification


Session GRC-W11
Douglas J. Landoll, CISSP, MBA, ISSA Distinguished Fellow; CEO, Lantego; @douglandoll

Information Security Risk Assessment (ISRA)
Definition: an objective analysis of the effectiveness of the current security controls in protecting an organization's assets, and a determination of the probability of losses to those assets.
Benefits:
- Information security program oversight (e.g., checks and balances)
- Periodic review: re-examine control effectiveness after threats, the environment, or business processes change
- Basis for risk-based spending: buy the greatest risk reductions, not pet projects and squeaky wheels

Information Security Risk Assessment
The risk assessment process follows these five steps for EVERY risk assessment subject:
1. Preparation: scope, assets, boundaries, controls
2. Data Gathering: review, interview, observe, test
3. Risk Analysis: threat, vulnerability, impact
4. Risk Remediation: safeguards, cost effectiveness
5. Reporting and Resolution: report, repository, guidance, tracking

Traditional Centralized System Risk Assessments
Traditional organizations have centralized information systems:
- Common organizational controls: security policy, human resources, training, incident response
- Common system controls: authentication, configuration management, incident monitoring
- A limited number of systems: general office, mission applications, services (authentication, file server, database), network infrastructure

De-Centralized System Risk Assessments
Many organizations have expanded beyond centralized information systems:
- Cloud-based applications: file storage, marketing, expense tracking, business intelligence
- Third-party management: system hosting, outsourced development, human resources, sales
- An "unlimited" number of systems, on top of the traditional general office, mission applications, services (authentication, file server, database), and network infrastructure

Information Security Risk Assessment
Of the five ISRA steps (Preparation, Data Gathering, Risk Analysis, Risk Remediation, Reporting and Resolution), Data Gathering is the one that does not scale well.

Effect of Increasing Number of Systems
Cost increases drastically as the number of systems increases.

Effect of Increasing Number of Systems
Data quality suffers as the number of systems increases.

Data Quality Typically Suffers
- Self-assessments ask each system owner to rate the strength of their own systems
- Survey-based assessments send questionnaires to control custodians
Both rely on self-reported answers rather than the review, interview, observation and testing of a full data-gathering step.

Crown Jewel Approach: Most Critical Data & Systems
- Threats: all system threats, plus unique threats, plus targeted attacks
- Impact: catastrophic impact upon system loss or upon data loss

Crown Jewels Approach: Most Critical Data & Systems
- Volume: for most organizations, 0.01% to 2.0% of total sensitive data
- Impact: represents up to 70% of sensitive data value
Source: U.S. President's 2006 Economic Report to Congress

Crown Jewels Project Environment
- Fortune 500 subsidiary
- 189 information systems; 80%+ cloud-based
- 36 system owners; 15 system custodians
Parsons Proprietary

Crown Jewels Project: Define, Discover, Baseline, Analyze, Secure
- Define (for each business unit): identify critical systems; define critical data. This is where the systems in scope were reduced from 186 to 20.
- Discover (for each crown jewel): identify lifecycle, environment, and data flows; identify system and environment controls
- Baseline: identify requirements; assess control effectiveness
- Analyze: identify control gaps; identify security risk; prioritize security gaps
- Secure: create security solution sets; deploy solutions; monitor solutions. This is where risk remediation was applied to the overall program.
ITAR CM.01.2014

Crown Jewels Project: Key Project Artifacts (across Define, Discover, Baseline, Analyze, Secure)
- Application Risk Survey and interview results
- Responses and scoring
- Required controls
- Controls assessment
- Risk analysis
- Solutions development
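The Define and Analyze phases above come down to two mechanical steps: score survey responses to shortlist the crown jewels, then rank each jewel's control gaps against a required-control baseline. The following is an added example, not code from the presentation or from the Parsons project; the survey questions, weights, 0.75 threshold, control baseline and the six systems are all constructed for illustration.

```python
"""Added example: crown-jewel shortlisting and control-gap prioritization.

Not the presentation's own tooling. Question names, weights, threshold,
required-control baseline and sample systems are assumptions.
"""
from dataclasses import dataclass, field

# Owners answer each survey question on a 0-3 scale. Weights are assumed.
IMPACT_QUESTIONS = {
    "data_loss_impact": 3,             # catastrophic impact upon data loss
    "system_loss_impact": 3,           # catastrophic impact upon system loss
    "targeted_attack_likelihood": 2,   # unique threats / targeted attacks
    "data_sensitivity": 2,
}
MAX_SCORE = 3 * sum(IMPACT_QUESTIONS.values())   # 30
CROWN_JEWEL_THRESHOLD = 0.75   # fraction of MAX_SCORE; assumed cut-off

# Baseline of required controls per data class (assumed, illustrative).
REQUIRED_CONTROLS = {
    "regulated": {"mfa", "encryption_at_rest", "logging", "backup", "access_review"},
    "internal": {"mfa", "logging", "backup"},
}
# Relative risk reduction of closing each control gap (assumed).
CONTROL_WEIGHT = {"mfa": 5, "encryption_at_rest": 4, "access_review": 3,
                  "logging": 3, "backup": 2}


@dataclass
class System:
    name: str
    owner: str
    data_class: str
    answers: dict                       # question -> 0..3
    controls: set = field(default_factory=set)


def impact_score(system: System) -> float:
    """Weighted survey score normalised to 0.0-1.0; rejects out-of-range answers."""
    total = 0
    for question, weight in IMPACT_QUESTIONS.items():
        answer = system.answers.get(question, 0)   # unanswered counts as 0
        if not 0 <= answer <= 3:
            raise ValueError(f"{system.name}: {question}={answer} not in 0..3")
        total += answer * weight
    return total / MAX_SCORE


def select_crown_jewels(systems, threshold=CROWN_JEWEL_THRESHOLD):
    """Define phase: keep only systems at or above the threshold, highest first."""
    jewels = [s for s in systems if impact_score(s) >= threshold]
    return sorted(jewels, key=lambda s: (-impact_score(s), s.name))


def control_gaps(system: System) -> set:
    """Baseline phase: required controls the system does not report having."""
    return REQUIRED_CONTROLS[system.data_class] - system.controls


def prioritize_gaps(jewels):
    """Analyze phase: rank (priority, system, missing control), highest first."""
    rows = []
    for s in jewels:
        for control in control_gaps(s):
            priority = round(impact_score(s) * CONTROL_WEIGHT[control], 2)
            rows.append((priority, s.name, control))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed sample inventory (not real systems).
SAMPLE_SYSTEMS = [
    System("payroll", "hr", "regulated",
           {"data_loss_impact": 3, "system_loss_impact": 2,
            "targeted_attack_likelihood": 3, "data_sensitivity": 3},
           {"mfa", "logging", "backup"}),
    System("erp-finance", "finance", "regulated",
           {"data_loss_impact": 3, "system_loss_impact": 3,
            "targeted_attack_likelihood": 2, "data_sensitivity": 3},
           {"mfa", "encryption_at_rest", "logging"}),
    System("marketing-cms", "marketing", "internal",
           {"data_loss_impact": 1, "system_loss_impact": 1,
            "targeted_attack_likelihood": 1, "data_sensitivity": 0},
           {"logging"}),
    System("expense-tracker", "finance", "internal",
           {"data_loss_impact": 1, "system_loss_impact": 2,
            "targeted_attack_likelihood": 1, "data_sensitivity": 2},
           {"mfa", "logging"}),
    System("bi-warehouse", "analytics", "regulated",
           {"data_loss_impact": 2, "system_loss_impact": 1,
            "targeted_attack_likelihood": 2, "data_sensitivity": 3},
           {"mfa", "logging", "backup"}),
    System("file-share", "it", "internal",
           {"data_loss_impact": 2, "system_loss_impact": 2,
            "targeted_attack_likelihood": 1, "data_sensitivity": 1},
           {"mfa", "backup"}),
]

if __name__ == "__main__":
    jewels = select_crown_jewels(SAMPLE_SYSTEMS)
    print("crown jewels:", [(j.name, round(impact_score(j), 2)) for j in jewels])
    for row in prioritize_gaps(jewels):
        print(row)
```

On the constructed inventory the threshold cuts six systems down to two (erp-finance and payroll), and the gap list puts encryption at rest on payroll ahead of the access-review and backup gaps. The point of the normalised score is that the same survey can be re-run after business changes (the periodic-review benefit above) and the shortlist recomputed instead of re-gathering data on every system.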

Crown Jewels Project Results
- Identification of corporate "crown jewels"
- Determination of crown jewel risk
- Limitation of the assessment to the most impactful elements
- Creation of a security controls plan with the most significant risk reduction
- Less work, more results

Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)
Next week:
- Identify the organization's security assessment plan: self vs. third party; frequency; rigor / technique (tests vs. assessments)
- Determine the adequacy of the plan

Applying Crown Jewel Lessons (Define, Discover, Baseline, Analyze, Secure)
Within 1 month:
- Identify and review contractual and legal security requirements
- Review the latest security assessment reports
- Identify business process owners
Within 3 months:
- Conduct a Crown Jewels project
- Apply lessons learned

Thank You
Contact: Doug Landoll, CEO, Lantego, dlandoll@lantego.com

Project Challenges (Define, Discover, Baseline, Analyze, Secure)
- Common organizational definition of "crown jewels"
- Identification of business processes
- Identification of business / systems owners
- Identifying a business champion