PhySec for InfoSec: How physical security may help prevent data breaches
Wednesday, September 11, 2019
11:00 – 12:15 pm CST
Introductions
David Feeney, Manager
Risk & Financial Advisory, Deloitte & Touche LLP
Andrea LeStarge, Senior Manager
Risk & Financial Advisory, Deloitte & Touche LLP
Baselining Terminology
Definitions
• Physical Security: A part of security concerned with physical measures designed to safeguard people; to prevent unauthorized access to equipment, facilities, material, and documents, and to safeguard them against a security incident (ASIS Security Management Standard – Physical Asset Protection, 2012).
• Information Security: The preservation of the confidentiality, integrity, and availability of information (ISO/IEC 27000:2016 2.33).
• Cyber Security: The protection of an IT system from attack or damage to its hardware, software or information, as well as from disruption or misdirection of the services it provides (ISO/TR 22100-4:2018(en), 3.10).
Definitions (cont’d)
• Convergence: The cooperation between physical and cyber security in an enterprise; the intersection of physical and cyber environments, devices, threats, vulnerabilities and consequences; a multi-lens strategy creating a “holistic” security view (https://www.securitymagazine.com/articles/88847-the-unstoppable-convergence-between-physical-and-cybersecurity).
• Enterprise Security Risk Management (ESRM): A strategic approach to security management that ties an organization’s security practice to its mission & goals using globally established & accepted risk management principles (ASIS ESRM Guideline, 2019).
A Deeper Look into “Convergence”
• Functionally and/or organizationally integrates physical and cyber security
• The degree of integration determines the degree of convergence
• Early efforts were organization-focused and based on budget
• Term is now applied more broadly, including threats and vulnerabilities
Spectrum of Maturity
Disparate
• Little engagement
• Separate communications
• Separate organization
Collaborative
• Frequent engagement
• Cooperative culture
• Positive interactions
Converged
• Strategic alignment
• Joint communications
• Converged organization
• ESRM Context:
  • Mission & Vision
  • Core Values
  • Operating Environment
  • Stakeholders
• ESRM Cycle:
  • Identify & Prioritize Assets
  • Identify & Prioritize Risks
  • Mitigate Prioritized Risks
  • Continuous Improvement
• ESRM Foundation:
  • Holistic Risk Management
  • Partnership with Stakeholders
  • Transparency
  • Governance
PhySec for InfoSec
Why is PhySec for InfoSec important?
• PhySec supports the InfoSec CIA Model
  • Confidentiality
  • Integrity
  • Availability
• Reinforces that physical security can help mitigate the risk of a data breach
• Addresses the perceived security risk silos (PhySec, InfoSec, CyberSec)
• Demystifies the concern, “InfoSec gets all the budget”
• Clarifies the assumption, “Our Executives’ attention is focused on data breaches”
Where in the enterprise is the PhySec/InfoSec nexus?
(Venn diagram: PhySec and InfoSec, with the items below in the overlap)
Equipment:
• Desks
• Workstations
• Printers
• Laptop Screens
• Mobile Devices
• Social Media
• Data Centers
• Intermediate distribution frame (IDF) Room(s)
Organizational Departments:
• Human Resources
• Finance
• Security
• Legal
Activity: Gallery walk
• On each side of the room are three flipcharts
• Each flipchart has a scenario
• “Gallery walk” to each of the three flipcharts
• With the markers provided, write “security controls” that you think could help mitigate the situation that is described on each of the flipcharts
What controls are available to assist in mitigating a data breach?
Physical Access Control
Mitigated scenario: Innocent/complacent/malicious actor who has access to physical areas that contain sensitive/monetary/proprietary information
Insider Threat Program
Mitigated scenario: Dismissed or disgruntled employee who has access to enterprise-sensitive data
Secure Print Process
Mitigated scenarios: Mishandled hard copies, printed materials stolen from printer, inadvertently taking another’s printouts
Clean Desk Policy
Mitigated scenario: Unauthorized access to enterprise-sensitive/monetary/proprietary information
(Venn diagram: these controls sit in the PhySec/InfoSec overlap)
What controls are available to assist in mitigating a data breach? (cont’d)
Privacy Screen Policy
Mitigated scenario: Unauthorized access to view enterprise-sensitive information
Data Protection Policy
Mitigated scenario: Unauthorized distribution/access or lost/stolen devices
Data Encryption Process
Mitigated scenario: Unauthorized access or lost/stolen devices
Mobile Device Management
Mitigated scenario: Unauthorized access to lost or stolen devices with enterprise-sensitive information
(Venn diagram: these controls sit in the PhySec/InfoSec overlap)
Today’s top ten takeaways
• Work to remove silos, whether perceived or real
• Include PhySec, InfoSec, & CyberSec in assessment processes
• Promote the holistic view by talking about the overlaps
• Leverage ESRM and convergence concepts as appropriate
• Implement and enforce strong policies
• Include PhySec, InfoSec & CyberSec in red teaming exercises
• Enhance policies with awareness and training efforts
• Consider not separating IT from OT
• Educate C-Suite Executives on the holistic viewpoint
• Reinforce the PhySec, InfoSec, & CyberSec controls
Questions?
Contact Information
David Feeney, Manager
Risk & Financial Advisory, Deloitte & Touche LLP
Andrea LeStarge, Senior Manager
Risk & Financial Advisory, Deloitte & Touche LLP
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.