April 2013
Managing Information Security Risks
© 2010 Protiviti Inc.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. 2
“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” – Warren Buffett
New World Order of Information – Data Loss, Theft, Compromise, and…Consequences
• Data Security and Privacy is a Major Area of Concern
• More and More Volume Creates Greater Opportunities
• Companies Reluctant to Divulge Loss or Theft Unless Required by Law
• Scale of Vulnerabilities Is Not Always Known – Only See Headlines
• Damage Assessment is Difficult – Don’t Know What Was Actually Stolen
• Lack of Data Governance Increases Risks
• Advanced Persistent Threat is a Considerable Issue
• Social Engineering Continues to be a Clear Vector for Opportunists
What is Risk Management?
• Risk is the potential for loss resulting from inadequate or failed internal processes, people and systems, or from external events.
• Impact of Risk Exposure
  – Legal Implications Resulting in Fines or Other Actions
  – Loss of Credibility and Damage to Brand
  – Lack of Consumer or Customer Confidence
  – Business Disruption
• The goals of Risk Management
  – Dimension risk exposure (quantitative and qualitative) to enable management to confirm an acceptable level of risk
  – Ensure adequate controls; maintain exposure and losses within acceptable levels
  – Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to controls.
Data Security and Privacy – Real Issues and Challenges
• There are real and increased concerns over information leakage, data retention and data loss
• Custodianship is still a major issue – internal data owners, third parties, cross-business process use
• Data risk assessments struggle to identify in-scope assets – where is the data?
  – Where is it stored, processed and transmitted? Is there an understanding of transitory data that may be both ‘at rest’ and ‘in motion’?
• Compliance is often a silo from other compliance initiatives – competing for the same dollars
• Awareness and education are as important as the actual controls
• Increased requirements for 3rd party reviews and due diligence
• Technology improvements are tearing at data silos (Warehouses, Shared Services, Virtualization, Technology out- and co-sourcing)
• Ongoing struggle to deliver successful Identity & Access Management
Who’s to Blame?
Headline News (Source: Information Week, October 2007): “Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk”
What really happened – “The laptop was stolen from one of the retailer's third-party vendors that manages information on job applicants.”
Ponemon 2009 Annual Study: Cost of a Data Breach – breaches by source: Third Party 42%, Internal 58%
Overall Cost of a Breach
The cost of a data breach continues to grow: a 1.5% increase from 2008 ($201 per record) to 2009 ($204 per record), and a 12.7% increase since 2006 ($181 per record).
Source: Ponemon 2009 Annual Study: Cost of a Data Breach
Growing Regulatory Compliance Requirements

Information Security Risk Assessment – Getting to a Destination
How do you get there?
Plan
• Formalize a plan for Information Risk Management
• Identify Stakeholders and Obtain Support
Execute
• Select a Risk Management Framework
• Ensure a Comprehensive Approach and Scope
Monitor
• Complete Assessment with Risk Outcomes
• Identify Ownership, Manage, Report, and Assess Mitigation
Goals of IT Risk Assessment and Management
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalize on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organization
• Complete risk profile to better understand risk
What is Data Security and Privacy?
Security
• Security is securing or protecting data assets. Typically viewed as the CIA triangle (Confidentiality, Availability and Integrity)
• Numerous models – ISO 27001/2, NIST 800-53, COBIT, etc.
Privacy
• Privacy is protecting the confidentiality of private data (personal information, proprietary data, etc.), of which Security is one element
• The main Privacy Model we see today is GAPP (Generally Accepted Privacy Principles)
Components of Security and Privacy
A. External Vulnerability Assessment
B. Internal Vulnerability Assessment
C. Wireless Security
D. Data Privacy
E. PCI
F. IT Security Governance
G. Social Engineering / Phishing
H. Physical Security
I. IT Regulatory Compliance Reviews
J. IT Security Process Reviews
K. Data Governance
L. Infrastructure Security
M. Other (Email Security, Workstation Security, Database Security, etc.)
Protiviti Technology Risk Model
Example of a Risk Management Framework: ISO 27001 (Information technology – Security techniques – Information security management systems – Requirements)
Security Policy
• Information Security Policy
Organization of Information Security (Organizational Security)
• Manage information security within the Company
• Information Security Infrastructure
• Security of Third Party Access
• Outsourcing
Asset Management (Asset Classification and Control)
• Accountability for Assets
• Information Classification
Human Resource Security (Personnel Security)
• Security in Job Definition and Resourcing
• User Training
• Responding to Security Incidents and Malfunctions
Physical and Environment Security
• Secure Areas
• Equipment Security
• General Controls
Communications and Operational Management
• Operational Procedures and Responsibilities
• System Planning and Acceptance
• Protection Against Malicious Software
• Housekeeping
• Network Management
• Media Handling and Security
• Exchanges of Information and Software
Access Control
• Business Requirement for Access Control
• User Access Mgmt
• User Responsibilities
• Network Access Control
• Operating system access control
• Application Access Control
• Monitoring system access and use
• Mobile Computing and Tele-working
Systems Development and Maintenance
• Security Requirements of Systems
• Security in Application Systems
• Cryptographic Controls
• Security of System Files
• Security in the development and support processes
Information Security and Incident Management
• Incident Detection
• Incident Response
• Incident Escalation
Business Continuity Management
• Aspects of Business Continuity Management
Compliance
• Compliance with legal requirements
• Review of Security Policy and Tech controls
• System Audit Considerations
Data Sensitivity and What It Means
Business Value Oriented Solutions
HIGH VALUE (5-10%)
• Sensitive And Critical
• Major Impact if Compromised
• Highest Cost for Protection
MEDIUM VALUE (80-90%)
• Impact if Compromised
• Highest Volume of Data
LOW VALUE (5-10%)
• Little to No Impact
• Not Considered a Loss
(Axis: More Sensitive, More Resource Intensive)
Risk Analysis Phases (Risk Assessment Methodology)
• Identification of Safeguards
• Threat Assessment
• Asset Identification
• Vulnerability Assessment
• Risk Determination
• Reporting
• Remediation Planning
Information Security Framework (ISF) Layers
• Reactive processes that enable management to measure how well policies are implemented and followed and when they need to be changed.
• Technologies needed to provide the appropriate protection and support critical processes.
• Management strategies for information technology and relevant policies, standards, guidelines or directives used to communicate these strategies to the organization.
• Proactive processes that turn policies into awareness programs, change management, security administration and other activities.
Approach: Risk Analysis Activities
PHASE I – Asset Identification
• Document security landscape, create context diagram
• Inventory and integrate current asset management/identification data
• Choose from the following options:
  – Facilitated sessions with upper management and business unit management
  – Self-service survey sent to business units
  – Combination of 1 & 2
• Determine asset classification (information, people, business process, etc.)
• Determine asset valuation approach (quantitative vs. qualitative)
• Categorize assets by ISF layer
• Perform asset valuation/prioritization
PHASE II – Threat Assessment
• Apply previously identified threats to each layer in the ISF
• Customize threats to organization based on CIA (Confidentiality, Integrity, Availability)
• Identify additional threats
• Identify existing countermeasures
• Identify likelihood of occurrence for each threat
PHASE III – Vulnerability Assessment
• Obtain detailed documentation of infrastructure components
• Conduct assessments at each layer of the ISF:
  – Identify vulnerability types and categories
  – Identify impact and likelihood of vulnerabilities
PHASE IV – Risk Determination
• Determine risk strategy (mitigation, acceptance, transference)
• Quantify risks based on management-defined scale
• Identification of risk acceptance authority
• Validate risk levels with management
• Prioritize risk
PHASE V – Identification of Countermeasures
• Develop options to move business risk to an acceptable level
• Work with management to choose effective countermeasures
• Identify safeguard gaps
• Develop an action plan for risk mitigation
• Create a continuous risk assessment process
• Integrate risk assessment into overall risk management strategy
Note: Each phase is a discrete activity which could be delivered in combination with other phases or performed standalone. In addition, we may be able to leverage previous work or documentation within the various phases.
Approach: Sample Deliverables
PHASE I – Asset Identification
• Detailed asset inventory for all relevant business systems and processes
• Asset inventory tied to each level of the ISF
• Asset valuation and prioritization
• Security Landscape and Context Diagram
PHASE II – Threat Assessment
• A listing of all identified threats to identified assets
• For each threat, a tieback to a specific ISF layer and specific asset
• For each threat – the likelihood of occurrence, taking into account existing countermeasures
PHASE III – Vulnerability Assessment
• A complete vulnerability assessment, organized by ISF layer
• For each weakness identified in the vulnerability assessment, the business risk will be categorized according to the scale selected by management
PHASE IV – Risk Determination
• A completed threat table, including:
  – Likelihood of occurrence
  – Business Risk
  – Overall risk level
PHASE V – Identification of Countermeasures
• A prioritized list of threats, risks, and identified countermeasures – providing a roadmap to the future
• Additionally, a gap analysis comparing your organization to leading practices
Automation | Communication | Project Management | Business Focus
Risk Assessment Metrics
Risk Calculation
Impact Severity * Occurrence Likelihood = Inherent Risk – Safeguards (Controls) = Residual Risk
• Asset Valuation: Assets are defined as systems or applications used to store, process or transmit client data. Specific asset categories are to be discussed and agreed upon in the beginning stages of the review.
• Impact Severity: The measure of the effect a vulnerability will have on an asset when exercised by a threat. For the Risk Assessment, impact severity was defined by the amount of cardholder data and the sources likely to be exposed.
• Occurrence Likelihood: The estimated probability that a threat will occur for a given asset.
• Safeguards: The technical, procedural, or physical measures in place that protect an asset from risk.
• Risk Calculation: Inherent risk was calculated as high, medium or low by cross-indexing the metric factors for impact severity and likelihood of occurrence on the table below. This table was calibrated to represent the total reputational and financial risks presented to the client by the threat-vulnerability-asset pairings in the SRA tool.
• Residual Risk: Residual risk is calculated as high, medium or low based on the highest individually assessed threat, vulnerability and safeguard (TVS) combination. The risk rating for the TVS combination is based on the revised likelihood and severity calculation, accounting for the effect of an applied safeguard. The metrics are adapted from NIST and other leading methodologies as well as input from client management regarding quantitative scale metrics. For each asset, the threat, vulnerability and safeguard combinations are assessed for residual risk. The totality of TVS combinations is assessed with consideration for the data affected.
Example: Initiative Summary Heatmap
Axes: Impact (Low / Medium / High) against Ease of Implementation (Easy: 0 – 3 months; Moderate: 3 – 6 months; Difficult: 6 – 9+ months). Initiatives are plotted on the heatmap by number:
1. IS Policy and Compliance
2. Information Security Governance
3. Information Classification and Labeling
4. Access Control - Logical & Physical
5. Incident Response
6–9. Systems Development Life Cycle; Monitoring & Logging; IT Audit & Assessment; Vulnerability Assessment and Management Program
10. Business Continuity Management
11. Vendor Management Program
Summary
Risk Management must
• Take a complete look at technology across the enterprise
• Be grounded in business risk and business context
When you measure risk
• Use quantitative factors in addition to the qualitative measures
• Focus on the maturity of the risk assessment over time
• Involve and educate all stakeholders in the risk assessment process
Use risk assessment to
• Drive your security and privacy plans
• Enable the organization to assess, manage, and accept risk
Questions and Comments
Mario Balakgie
1701 Pinnacle Drive, Suite 1600
McLean, VA 22102
Direct: 571.382.7231
Mobile: 571.277.1188
Fax: 571.382.7327
Powerful Insights. Proven Delivery.™