Information Security Risk Management

Presentation transcript:

Information Security Risk Management
Stephen Shippey, Information Security Risk Manager, Governance Risk Compliance
22nd April 2015

CYBER
Definition of Cyber: relating to, or characteristic of, the culture of computers, information technology and virtual reality.

IT since 1986. Information Security & Risk Manager since 1998 at a number of global financial services organisations, including GE Global Consumer Finance, HBOS and Lloyds Banking Group. Joined HP as an Information Security Risk Consultant in 2013.
Disclaimer: The views expressed in this presentation are my own and do not necessarily represent those of my employer.

Risk Management Agenda
- What is Risk Management?
- Objectives of Infosec Risk Management vs Generic Risk Management
- Problems with Risk Management
- Mitigation Plans vs Contingency Plans
- Identifying Risks
- Risk Submissions
- Managing Risk
- Any questions

What is Risk Management?
The identification of risks and their management by defining:
- The risk description
- The risk owner
- The probability of the risk event occurring
- The risk impact, in terms of cost, loss of assets, reputation, or failure to meet a business objective
- The most suitable mitigations that will prevent or reduce the likelihood of the risk event occurring, weighed against their cost and the reduction in risk exposure they deliver
- The contingency plan to recover the asset once the risk has manifested
- An understanding of corporate risk appetite and, where appropriate, the application of risk tolerance

Risk Definitions
Risk: a potential or future event that, should it occur, will have a (negative) impact on the business objectives of an organisation.
- A risk must have uncertainty (in terms of probability or likelihood): it might happen.
- A risk must have a measurable impact (usually measured in monetary terms, but other criteria, reputation for example, are acceptable).
"It may rain tomorrow."
Issue: a current event that will have a (negative) impact on the business objectives of an organisation. E.g. an incident, a manifested risk, an audit non-compliance finding, an equipment or supplier failure.
"It is raining today."

Objectives of Generic Risk Management
To ensure that all risks to the business, however they are derived, are managed effectively. This includes:
- Strategic risks
- Programme and project risks
- Operational risks (includes security and business continuity risks)
Risk registers by level:
- Strategic level: Strategic Risk Register
- Change level: Project Risk Register
- Operational level (business as usual): Operational Risk Register, Information Security Risk Register, Business Continuity

Objectives of Information Security Risk Management
To ensure that the risks to the organisation that are derived from incidents, threats, vulnerabilities and audit non-compliances are managed effectively.
In security terms these are the risks that impact the confidentiality, integrity, availability and traceability of information whilst:
- At rest
- Being modified
- In transit (around a system, e-mail, media device, telephone etc.)
Unlike project risk management, the objectives for security risk management are fairly well defined.

Information Security Risk Management: risks within service provider environments
A risk may have the same risk description but two separate impacts, dependent on the owner. E.g.
Risk: patching may fail to complete in a timely manner.
- Impact on the IT service provider: potential commercial penalties, damage to reputation.
- Impact on the client: loss of systems, loss of information, loss of revenue, etc.

What is NOT Risk Management!
- Incident management
- Audit non-compliances
- Problem management
- Threat management
- Vulnerability management
- Exception / waiver management
These are issues: there is no uncertainty. However, they can be the source of infosec risks.

Problems with Risk Management
Common problems (misunderstandings):
- Poor risk descriptions (risk vs issue and impact confusion; qualification vs quantification)
- Unachievable, ineffective and disproportionate mitigation actions
- Poor control: risk owner vs risk mitigation owner
- Stakeholder involvement
- Reactive vs proactive approach: reliance on incident, threat and non-compliance management (reactive) versus proactive risk identification workshops based on success criteria
- Risks occur that could have been managed
- Impact on assets not understood (BIA, CMDB)
- Mitigation action costs do not reflect the risk exposure reduction
So what!
- Systems fail; business and revenue are lost
- Corporate data is unavailable when required: loss of business
- Regulator penalties and reputational damage occur
- Loss of customer base and confidence
- Loss of IPR

Mitigation Plans and Contingency Plans
Mitigations, or controls, are primarily used to prevent the occurrence of a risk or to reduce the probability of the risk occurring (reduce probability). This is why it is so important to describe the risk event clearly.
Contingency plans address the impact of the risk and are used to recover a system from the effect of a risk should it occur, a mini BCP (reduce impact). This is why it is so important to describe the risk impact separately from the risk description.

Sources of Cyber Security Risks (flip to risks)
Taken from some recent ISACA slides; these can be re-worded as risks:
- Proliferation of BYOD and smart devices
- Cloud computing
- Outsourcing of critical business processes to a third party (and lack of controls around third-party services)
- Disaster recovery and business continuity
- Periodic access reviews
- Log reviews
Source: Cybersecurity - what the Board of Directors need to ask, IIARF Research Report, 2014

Common Cybercriminal Attack Vectors (flip to risks)
- Application vulnerabilities
- Remote access
- Ineffective patch management
- Weak network security / flat networks
- Lack of real-time security monitoring
- Third parties
- Lack of a data retention policy
Source: Hans Henrik Berthing, Cyber Assurance and the IT Auditor, Nov 2014

Where to start
- Select appropriate controls / use security standards: ISO 27000, PCI DSS, COBIT, BITS SIG
- Identify what is important to the business

Encourage Risk Reporting
- Create risk reporting awareness for the workforce
- Make it easy: create a simple risk submission form
- Assess the risk submission; ask questions
- Ensure it is a risk, not an issue, a service request or a change request

Manage the Risks
- Record in a risk register
- Describe the RISK
- Assess the likelihood, impact and risk rating
- Agree recommended risk mitigation / treatment
- Establish a contingency position if possible
- Assign to an appropriate RISK OWNER (usually a business stakeholder)
- Agree a mitigation owner
- Obtain a decision (reduce, accept, avoid, transfer)
- Monitor mitigation progress until the target risk is achieved; retain awareness of closed or mitigated risks
- Produce monthly status reports
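The register process above, together with the risk-versus-issue test, the service provider example (one risk description, two owners, two impacts) and the mitigation/contingency split from earlier slides, as one worked example. This is an added illustration written for this page, not code from the presentation or the presenter. The 5x5 likelihood-impact matrix, the probability-to-likelihood bands, the appetite value of 6, and the sample risks R-001 and R-002 with their owners, controls and scores are all constructed assumptions; any real register would use the organisation's own scales.

```python
"""Minimal information-security risk register (added example, not code from the slides).
A risk has uncertainty and a measurable impact; a submission that has already happened
is an issue and is rejected at triage. Mitigations lower likelihood, contingency plans
lower impact; rating = likelihood x impact on a 5x5 matrix. Bands and data are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BANDS = ((0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.0, 5))  # (upper bound, 1..5 band), assumed


class NotARisk(ValueError):
    """Submission is an issue (no uncertainty) or malformed, not a risk."""


def classify(probability: float, already_occurred: bool = False) -> str:
    """'Issue' if it is raining today (occurred or certain); 'Risk' if it may rain tomorrow."""
    if already_occurred or probability >= 1.0:
        return "Issue"
    return "Risk" if probability > 0.0 else "Not a risk"


def likelihood_band(probability: float) -> int:
    """Map a probability in (0, 1) onto the likelihood axis of the matrix."""
    return next(band for upper, band in BANDS if probability <= upper)


@dataclass
class Risk:
    ref: str
    description: str         # the risk event itself, kept apart from its consequence
    impact_description: str  # what a contingency plan has to recover from
    owner: str               # business stakeholder accountable for the risk
    probability: float       # inherent probability of the event
    impact: int              # inherent impact on the 1..5 axis
    mitigation: Optional[str] = None
    mitigation_owner: Optional[str] = None
    residual_probability: Optional[float] = None
    contingency: Optional[str] = None
    residual_impact: Optional[int] = None
    treatment: str = "Pending"  # decision: Reduce, Accept, Avoid or Transfer

    def inherent_rating(self) -> int:
        return likelihood_band(self.probability) * self.impact

    def residual_rating(self) -> int:
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return likelihood_band(p) * i

    def mitigate(self, action: str, action_owner: str, residual_probability: float) -> None:
        """A mitigation (control) lowers the probability of the event, never its impact."""
        if not 0.0 < residual_probability <= self.probability:
            raise ValueError("mitigation must lower probability and keep the event uncertain")
        self.mitigation, self.mitigation_owner = action, action_owner
        self.residual_probability = residual_probability

    def plan_contingency(self, plan: str, residual_impact: int) -> None:
        """A contingency plan (mini BCP) lowers the impact should the event occur."""
        if not 1 <= residual_impact <= self.impact:
            raise ValueError("contingency must lower impact, staying on the 1..5 axis")
        self.contingency, self.residual_impact = plan, residual_impact


class RiskRegister:
    def __init__(self, appetite: int) -> None:
        self.appetite = appetite       # highest residual score the business tolerates
        self.risks: Dict[str, Risk] = {}
        self.rejected: List[str] = []  # submissions routed to incident/problem/audit processes

    def submit(self, risk: Risk, already_occurred: bool = False) -> Risk:
        """Triage: only genuine risks enter the register; issues are rejected."""
        if classify(risk.probability, already_occurred) != "Risk" or not 1 <= risk.impact <= 5:
            self.rejected.append(risk.ref)
            raise NotARisk(f"{risk.ref}: an issue or malformed submission, not a risk")
        self.risks[risk.ref] = risk
        return risk

    def status_report(self) -> List[Dict[str, object]]:
        """Monthly status view, highest residual risk first."""
        return [{"ref": r.ref, "owner": r.owner, "inherent": r.inherent_rating(),
                 "residual": r.residual_rating(), "treatment": r.treatment,
                 "within_appetite": r.residual_rating() <= self.appetite}
                for r in sorted(self.risks.values(), key=lambda r: -r.residual_rating())]


def build_demo_register() -> RiskRegister:
    """Constructed sample data: the slides' patching risk, recorded once per owner."""
    reg = RiskRegister(appetite=6)
    event = "Patching may fail to complete in a timely manner"
    provider = reg.submit(Risk("R-001", event, "Commercial penalties, damage to reputation",
                               "Service Delivery Manager", probability=0.6, impact=3))
    client = reg.submit(Risk("R-002", event, "Loss of systems, information and revenue",
                             "Client CIO", probability=0.6, impact=5))
    for r in (provider, client):  # one control lowers the likelihood for both owners
        r.mitigate("Patch compliance dashboard, weekly exception review", "Patch Team Lead", 0.15)
    client.plan_contingency("Isolate unpatched hosts, fail over to patched standby", 4)
    provider.treatment = "Accept"  # residual 2 x 3 = 6 is within appetite
    client.treatment = "Reduce"    # residual 2 x 4 = 8 still exceeds appetite: keep monitoring
    return reg
```

Two design points carry the slides' argument. First, the same control (the patch compliance dashboard) lowers likelihood for both owners, but only the client entry carries a contingency plan, so the two registered risks share a description yet end with different residual scores. Second, `submit` refuses anything with probability 1.0 or marked as already occurred: an audit finding or an incident belongs in the audit or incident process, not the register, though it may later be the source of a newly worded risk.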

Any Questions?