20180226 visn vpdsf steps 3 4 5 security risk management v1

Post on 25-Dec-2021


TRANSCRIPT


Rachel Dixon was the former head of digital identity projects at the Digital Transformation Agency and is now responsible for privacy and data protection in the office of the Victorian Information Commissioner.

Rachel has had "a diverse and impressive career holding senior positions in the private sector for Australian and International technology companies, where she led large teams and developed expertise in the areas of data, privacy, cyber security and information security".

Welcome Rachel.


To speak to you about considering information security in risk management, we have Jonathon Masom from the Victorian Managed Insurance Agency (VMIA).

Welcome Jonathon.


The concept of risk is related to other concepts which have a slightly different emphasis.

An issue: A present problem or concern influencing organisational objectives. A risk can become an issue, but an issue is not a risk!

A hazard: Anything that has the potential to harm people or property. A risk arises when it is possible that a hazard will actually cause harm.

An event: An occurrence or change of a particular set of circumstances. An event can:

- Be one or more occurrences, and can have several causes
- Consist of something not happening
- Sometimes be referred to as an 'incident' or 'accident'. Without consequences it can also be referred to as a 'near miss'.

An incident is: An event or circumstance which could have, or did lead to, unintended and/or unnecessary harm to a person and/or a complaint, loss or damage.


Key Message

Risk management is not a 'nice to have' - agencies have legislated obligations with respect to risk management and as an employee you need to be aware of what those obligations are and operate within them.

Agencies are expected to attest in their annual reports that: they have risk management processes in place consistent with the Standard (or its successor); these processes are effective in controlling risks to a satisfactory level; and a responsible body or Audit committee verifies that view.

Agencies have obligations with respect to Risk Management that come from Standing Direction 4.5.5 and are supported by the VGRMF.

Key points:

The Board or Accountable Officer:

Is ultimately responsible for the risk management framework.

Must ensure that it understands its responsibilities and has in place a mechanism to assure itself that it is meeting those.

May choose to delegate some responsibilities to a committee or Executive and senior management.

Delegation of responsibilities does not negate the Board’s or Accountable Officer’s responsibilities and accountabilities with respect to risk management.

• A board is ultimately responsible for oversight of the risk management framework.

Under the Public Administration Act 2004 (s.81(1)(b)) a Board of a public entity governed by Division 2 of Part 5 of the Public Administration Act must inform the responsible Minister and the relevant Department Head of:


Talk through the three key elements of VMIA's model RM framework: Risk Governance, Resources & Capability and Process. "Process" will be dealt with in more detail later in the training.

Also highlight the link to an agency’s overall corporate governance and its corporate planning process.

The Risk Management Framework includes a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

A risk management framework is not one discrete policy or document, it comprises the totality of the structures, policies, strategies, procedures and resources within an organisation that support risk management. Each organisation is unique and must ensure that a risk management framework is implemented and appropriate to the activity, size and complexity of the organisation, aligns with the defined risk profile and meets legislative or government policy requirements.

Q. What do you know about your organisation's risk management framework?

Agencies must adopt the approach outlined in this VGRMF and have in place a risk management framework to provide for consistent risk management practices across the public sector, which is aligned with the AS/NZS Standard or its successor.

A Risk Management Framework provides:

- A systematic approach to risk identification and management.
- Consistent risk assessment criteria.
- Accurate and concise risk information for decisions.
- Cost effective and efficient risk treatment strategies.
- Assurance that risk exposure remains within an acceptable level.


Refer participants to the template towards the back of the PG.


Group Activity – Card "Write a Risk"

The aim of this is to get them to practice identifying a few risks before we get into risk assessment and evaluation.

There are varying ways to identify a risk and the Standard doesn't prescribe one way. How a risk is described will influence how it will be addressed or understood. The risk needs to reflect what is useful and makes sense to the people who are reading it. For example, it is no good saying 'OHS' is a risk as it is too broad.

There are categories of risks that an organisation puts together to help make sense of risk.


Thank you Jonathon.

Now I am pleased to welcome Anna Harris, where we will cover steps 3-5 of the VPDSF 5 step action plan in more detail.


The VPDSF five step action plan neatly ties in with the existing risk management process as Jonathon discussed to assist you in identifying your security risks. It is no different to your current risk management process.

So let's revise steps 1 and 2 briefly and where they fit in…


Steps 1 and 2 have the beauty of assisting two-fold.

First, you have already undertaken steps 1 and 2 to identify ALL the information handled in your organisation and undertaken a valuation assessment on these, which will form part of establishing your overall risk context when you look at the risk methodology, i.e. the internal operating environment (organisational context) along with other internal and external factors affecting your organisation such as regulatory and operational requirements.

Second, these two steps also play a part in the risk identification stage of the risk assessment process, whereby you take the information assets that you have identified in step 2 as the more critical information in your organisation. This is a prioritisation step so you can focus on the more important assets and undertake the risk assessment process on these rather than all your assets. We will touch upon this a little more further in the presentation.

For more information regarding the actual step 1 and 2 process, refer to our published information security management collection and check out our September VISN forum recording (available on our website).


The focus of this session is steps 3, 4 and 5 of the five step action plan, where you take the input from both steps 1 and 2 as well as the VPDSS self-assessment process that organisations are asked to undertake, where you may have identified some gaps you wish to risk assess if they cannot be implemented.

These three steps focus on identifying and assessing your security risks, making good choices on which security measures to apply to protect your information, and managing the risks across the information lifecycle.


How do you complete this? As well as making sure you follow your organisation's existing risk methodology, we have tried to assist you by developing the assurance collection published on our website, which contains all the answers and also includes examples and some appendices such as:

- sample templates such as the risk assessment and treatment plan, which we will discuss further, and the VPDSS self-assessment
- summaries of the various assessment steps

The information contained in this collection will assist you in completing steps 3 – 5 of the VPDSF 5 step action plan.


So why do we need to do this? Now that you know what information you have and its corresponding value to your organisation, you can identify the security risks to your more important assets (your crown jewels) so you can ensure effective, efficient and economic investment in security.

The value of this exercise to your organisation, which Tony will touch upon in his presentation, includes:

• providing context and meaning of the event, cause and impact for each risk for ongoing management and oversight
• assisting in directing outcomes of treatment planning
• providing meaningful information for reporting
• reducing over or under investment in measures, and
• aligning the 'uncertainty' to the business objectives

Lastly, the other plus is that after this process you will have completed some of your obligations under the Privacy and Data Protection Act, including the security risk profile assessment (SRPA) and the detailed protective data security plan (PDSP).


To that end, to assist with the risk assessment stage, Chapter 1 Appendix A of the Assurance Collection has a sample SRPA template that organisations who do not have a risk register can adopt, and those who do have a register can use to check against.

Feel free to continue to use VMIA's risk templates as well if these are already used within your organisation. This is just an additional resource.


The risk management process outlined in Chapter 1 of the Assurance Collection follows the same risk management process as the international standard 31000 that Jonathon discussed. We did not set out to develop something bespoke to security that everyone needed to learn about. The same risk process is followed to identify the security risks to your information as for other risks in your organisation such as financial, OHS risks etc.


So let's start at the start - risk identification, which is outlined in section 10 of the collection. Let's work our way down.

Now that you have completed steps 1 and 2 to establish your overall information risk context, it's time to select the crown jewels, or the higher value (more critical) information assets, to focus on, and:

- The possible events that may occur to these
- The potential causes of these events
- The possible impacts, which have already been identified in step 2, so you can keep that in your back pocket

And these will enable you to formulate your risk statement.

So let's walk through an example…


The bowtie approach is one way to assist with formulating your risk statement. It's a great visualisation tool to identify the possible risk scenarios for a particular event.

It's time to tell the risk story…

When you are looking at a risk event (in the centre of your bowtie) for your most critical information that you have identified, it may be something like unauthorised access leading to compromise of the information (whether that's a compromise to either its confidentiality, integrity or availability, maybe theft/modification/disclosure/destruction).

In terms of causes, to the left of the bowtie, you are looking at how this event may eventuate, be it natural, accidental or deliberate. The International Standard ISO 27005 has a list of threats in its Annex. For example, this risk event may occur due to:

- A disgruntled employee
- Malicious outsider
- Opportunistic contractor
- A natural weather occurrence

The consequences on the right hand side thankfully have already been taken care of for this asset via your business impact level valuation assessment (Step 2), so you plug the outputs of the affected categories that gave rise to the higher value rating in here. For example, this event may result in:

• Personal injury
• Compliance issues
• Financial loss

Bring this together to now formulate your risk statement. For example:

The risk of unauthorised access leading to disclosure of information
Caused by a malicious outsider (upset about the organisation's stance on a topic) / or a malicious insider upset about being overlooked for a promotion and exploiting a system / other personnel
Resulting in harm to an individual's safety / loss of public confidence and trust / financial loss

What you may find is that your identified security risks are not all that different to your neighbour's, but what may differ is your internal risk criteria to rate the risks, your organisation's risk tolerance, the current controls you have in your environment and the controls you plan to implement to mitigate/reduce the risk.


So you have your risk statement, let's move to risk analysis. It's time to rate the likelihood of this risk occurring, understanding the current controls you have in place, and the level of consequence, e.g. insignificant vs major.

Generally, the controls you have in place won't necessarily change the impact level if the risk was to eventuate, but will affect whether the risk actually occurs in the first instance, i.e. what is the likelihood of this event happening with the current controls? e.g. rare, possible, almost certain.

We recommend you use your organisation's enterprise risk criteria/matrix to complete this step to arrive at your corresponding risk rating.

We often get the question, what is the difference between the business impact level ratings in step 2 and the consequence rating table used in risk? The BILs look specifically at the impact related to the compromise of the confidentiality, integrity and availability (CIA) of information and are closely aligned with other BIL tables on purpose to enable information sharing across jurisdictions. Consequence criteria take into consideration other factors including the organisation's tolerances. We recommend that business impacts are mapped to your organisation's risk consequence criteria. Whilst not always an easy match, the categories identified in the BIL table are covered more loosely/broadly in risk criteria, so a mapping of sorts should be made to enable the application of your enterprise risk framework to your information security risks.

The business impact level you came up with in step 2 when doing your valuation assessment for this asset can be used to map to your consequence criteria. Section 10.2.2 in the Collection discusses aligning the business impact levels with your risk consequence criteria so you can make sure the risk ratings for your information assets are proportionate with your other risks in your organisation's risk framework and the application of treatment options is consistent.


The risk evaluation process is no different to normal risk management and is also covered in the VMIA practice guide and assurance collection, so we will quickly go over this…

10.3.1 Risk treatment options

The four potential options for treating each risk are the same as normal risk management: accept the risk as is, avoid or share the risk, or reduce the risk by adding additional treatment options.

10.3.2 Risk appetite

Risk appetite is the amount and type of risk that your organisation is willing to take to achieve its objectives. Risk appetite will vary from organisation to organisation, and it influences and guides decision-making. Risk appetite may also vary within your organisation depending on the criticality of the information/services that may be affected by the risk.

10.3.3 Prioritisation of risk treatment

To determine with what urgency you should address risks, they must first be prioritised. Risks with the highest risk rating are normally attended to first. Typically, additional considerations may include:

- safety – what are the implications if the risk is not addressed?
- cost – how much will it cost to reduce the risk (and will the benefits outweigh the expenditure)?
- reputation – what is the likely effect on reputation if the risk is not treated?
- legal obligations – is the organisation likely to be unable to meet its legal obligations if the risk is left in its current state?
- occurrence – which risks are more likely to occur? which you would have identified with your likelihood rating (tackle the 'almost certain' ones first)


Lastly, you have reached risk treatment, where you identify possible security measures across the security domains of:

- Information
- Personnel
- ICT
- Physical

They may be additional equipment, stronger personnel screening, specific contract clauses, governance arrangements, policies and procedures, training…

The VPDSS elements may also assist here to identify what measures to consider, and they are not always IT controls!

And then, once you have selected your security measures to mitigate the risk from occurring, re-assess the likelihood and consequence to get the residual risk for acceptance by management.
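The identify, analyse, evaluate and treat steps above, carried through as a small risk register, as an added illustration that is not OVIC or VMIA code and not part of the presentation. The 5x5 matrix, the mapping of step 2 business impact levels onto consequence criteria, the appetite threshold, the sample assets, causes, treatments, owners and due dates are all constructed assumptions; the presentation's point is that you substitute your own organisation's enterprise criteria for them.

```python
"""Worked VPDSF steps 3-5 as a risk register (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "severe"]

# Assumed enterprise risk matrix, indexed [likelihood][consequence].
# Replace with your organisation's own criteria.
MATRIX = [
    ["low",    "low",    "medium",  "medium",  "high"],
    ["low",    "low",    "medium",  "high",    "high"],
    ["low",    "medium", "medium",  "high",    "extreme"],
    ["medium", "medium", "high",    "extreme", "extreme"],
    ["medium", "high",   "extreme", "extreme", "extreme"],
]
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}

# Assumed alignment of step 2 business impact levels (BIL 1..4) with the
# organisation's consequence criteria (the section 10.2.2 mapping).
BIL_TO_CONSEQUENCE = {1: "minor", 2: "moderate", 3: "major", 4: "severe"}


def rate(likelihood: str, consequence: str) -> str:
    """Look up the risk rating for a likelihood/consequence pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class Treatment:
    measure: str
    domain: str          # Information / Personnel / ICT / Physical
    vpdss_element: str   # placeholder reference back to a VPDSS element
    owner: str
    due: str


@dataclass
class Risk:
    asset: str
    event: str                      # centre of the bowtie
    cause: str                      # left of the bowtie
    impact: str                     # right of the bowtie, from step 2
    bil: int                        # business impact level from step 2
    likelihood: str                 # likelihood with current controls
    treatments: List[Treatment] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None

    def statement(self) -> str:
        return f"The risk of {self.event}, caused by {self.cause}, resulting in {self.impact}"

    def consequence(self) -> str:
        return BIL_TO_CONSEQUENCE[self.bil]

    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.consequence())

    def residual_rating(self) -> str:
        if self.residual_likelihood is None:
            return self.inherent_rating()
        # Controls usually change likelihood, not impact, so the consequence
        # defaults to the step 2 value unless the treatment changes it.
        return rate(self.residual_likelihood, self.residual_consequence or self.consequence())

    def treat(self, treatments, residual_likelihood, residual_consequence=None):
        self.treatments.extend(treatments)
        self.residual_likelihood = residual_likelihood
        self.residual_consequence = residual_consequence


def prioritise(risks):
    """Highest rating first; ties broken by likelihood ('almost certain' first)."""
    return sorted(risks, key=lambda r: (RATING_ORDER[r.inherent_rating()],
                                        LIKELIHOOD.index(r.likelihood)), reverse=True)


def within_appetite(risk: Risk, appetite: str = "medium") -> bool:
    """Assumed appetite: residual risk at or below 'medium' is acceptable."""
    return RATING_ORDER[risk.residual_rating()] <= RATING_ORDER[appetite]


def pdsp_rows(risks):
    """Extract the selected measures as rows for a detailed PDSP-style plan."""
    return [{"measure": t.measure, "domain": t.domain, "vpdss_element": t.vpdss_element,
             "owner": t.owner, "due": t.due, "risk": r.statement()}
            for r in risks for t in r.treatments]


def build_register():
    """Constructed sample register following the bowtie walkthrough."""
    return [
        Risk("client case records", "unauthorised access leading to disclosure of information",
             "a malicious outsider exploiting a system",
             "harm to an individual's safety / loss of public confidence", bil=3, likelihood="likely"),
        Risk("payroll data", "unauthorised modification of information",
             "a disgruntled employee", "financial loss", bil=2, likelihood="possible"),
        Risk("paper archive", "destruction of records", "a natural weather occurrence (flood)",
             "compliance issues", bil=1, likelihood="unlikely"),
    ]


def run_example():
    """Treat the crown jewel until residual risk sits within appetite."""
    register = build_register()
    crown = prioritise(register)[0]
    crown.treat([Treatment("Enforce multi-factor authentication on remote access", "ICT",
                           "placeholder", "ICT manager", "2018-06-30")], residual_likelihood="unlikely")
    if not within_appetite(crown):  # 'high' residual: management won't accept, add measures
        crown.treat([Treatment("Monthly privileged access log review", "ICT",
                               "placeholder", "Security lead", "2018-09-30"),
                     Treatment("Pre-engagement screening for privileged roles", "Personnel",
                               "placeholder", "HR manager", "2018-09-30")], residual_likelihood="rare")
    return register, pdsp_rows(register)


if __name__ == "__main__":
    register, rows = run_example()
    for r in prioritise(register):
        print(f"{r.asset}: inherent={r.inherent_rating()} residual={r.residual_rating()}")
    for row in rows:
        print(row["domain"], "|", row["measure"], "|", row["owner"], "|", row["due"])
```

The point the presentation makes about residual risk is visible in `run_example`: the first treatment only moves the crown jewel from extreme to high, which is still outside the assumed appetite, so a second round of measures (one of them a personnel control, not an IT one) is needed before management has something it can accept, and the PDSP rows are then extracted directly from the treated register.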


Now that you have a list of security measures to implement from the risk assessment to minimise the risks to your information to a manageable level for your organisation, extract this list of security measures and populate your detailed protective data security plan (PDSP), which is in the Assurance Collection, identifying details such as the:

- implementation plan
- implementation owner
- corresponding VPDSS element (tying it back to help you with your reporting)
- any project sponsors if it's not a BAU activity
- budget
- status
- due date

You should also add the gaps of elements not implemented that were identified in your VPDSS self-assessment to this treatment plan (if not already listed) so they are in the one document.

This will ensure you have an approved security program for the next period to focus your security investment, and you also fulfil your detailed PDSP obligations.


The final step in the 5 step action plan, and part of the lifecycle, is the review stage.

Remember this is not a set and forget exercise, and these risks should be managed with regular reviews across the information lifecycle.

Triggers for this review may be:

• Change of business context, e.g. machinery of government
• Addition/removal of an information asset
• Regular risk review cycle
• Incident where the risk has eventuated

If these risks are fed into your enterprise risk register this will be included as part of that exercise.

The first time the 5 step action plan is done it will be quite a big task, but once the hard yards have been done hopefully it will get easier each time it is undertaken and with each review.


And now to hear from a VPS agency's experience with the five step action plan, we are pleased to welcome Tony Smith from East Gippsland Water. Thank you Tony.


Thank you Tony, and before we finish up and take questions, Laurencia will provide an update on the upcoming 2018 reporting obligations.


After hearing feedback from executives across the VPS, our office has published a high-level Protective Data Security Plan (PDSP) with built-in attestation for organisations to use to report to us in August this year.

This is essentially an executive summary of the detailed templates provided in our assurance collection. This will make it easier for your executive to sign off.


And here is one we prepared earlier… Sven has written to agencies to advise of the new reporting template that will need to be submitted to our office in August 2018.


As part of the updated reporting templates, we have also provided options for organisations reporting to our office, such as single or multiple reporting.

The reporting options in the template are just that: 'OPTIONS'! The options are designed to reflect the unique operating arrangements that exist across Victorian government. This includes governance structures that often exist between larger lead agencies and smaller organisations that fall within the lead agency's portfolio of responsibilities, and the provision of shared resources (including information technology and corporate functions). It also provides an opportunity for collaboration across agencies or bodies that perform a similar function.

Single organisation model – An organisation submits a high level PDSP and provides an attestation on its own behalf only.

Multiple organisation model – An organisation submits a consolidated high level PDSP and provides an attestation on its own behalf, and for and on behalf of one or more additional public sector agencies or bodies.

The multiple organisation model may be used in a portfolio setting where agencies or bodies fall within the portfolio of responsibilities of a Department, or where a number of organisations of a similar form or function choose to consolidate their efforts. While this approach will assist you in meeting your reporting obligations, your public sector body Head is still accountable for the protection of its information assets. Accountability cannot be transferred or outsourced.


Before we open the floor to questions from the audience and those that have come in via slido, these are a handful of questions we commonly receive in the data protection branch.


Do I need to complete the templates in the collection?

The PDSP and VPDSF self-assessment templates in the assurance collection will actually help you to complete the new reporting templates. Think of them as the detail to enable you to write your executive summary for your public sector body head and relevant committees to get a high level understanding of your security posture and the plans to improve this.

What happens if I don't?

Without completing these more detailed documents, it will be difficult to write the summary for the executive to attest, as these will provide you with reasons/explanations/justification for why and how the security status was derived. These documents will also be requested by our office in the event we conduct one of our assurance activities under the assurance model, e.g. walkthroughs, reviews.

Do I need to be compliant by 2018?

We still get organisations calling us asking if they need to be compliant with the standards by mid this year. To be compliant with the legislation, your organisation needs to submit the high level PDSP and attestation to our office – that is the compliance part. In terms of whether you need to have all 18 standards fully implemented by August 2018, the simple answer is NO, and hopefully the executive summary report that is submitted to our office reiterates that this is just a plan of your security activities for the next two years to improve information security in your organisation.

What are the VPDSS elements? Are they mandatory?

We introduced the elements into the VPDSS to assist organisations with the baseline measures they should consider when implementing the Standards. These are not additional measures; all they are is a consolidated extract from each of the reference libraries listed under each standard. This helps organisations to not have to trawl through all the literature to determine the key actions to meet the intent of each standard. In a way they are mandatory – the ones that you determine to be applicable to your organisation will be the ones we expect to see operating in your environment if you reported full compliance to our office.

What is an information security lead?

As many of you may be aware, in the second half of 2017 our office sought nominations for an information security lead from each organisation to enable us to have a point of contact to liaise on information security matters, including informing them of new material we produce, upcoming events such as the VISN and any changes to the framework. This 'lead' should not stop others from contacting us. We will continue to answer any security enquiries we receive. If your organisation does not want anyone else other than the lead to contact us, this is an internal governance issue for your organisation to work out. If your information security lead would like visibility of the type of questions that come from others within your organisation, we can include the lead in our return correspondence. We do encourage organisations to keep us informed of any changes to information security leads so we can ensure your organisation is getting the latest information from us.


And to book into a risk training session, contact VMIA.
