Wayne Tufek, University of Melbourne: Cyber Security as Business Risk
Posted on 16-Jun-2015
Corporate Cyber Security Summit
Wayne Tufek
November 13th, Grand Hyatt, Melbourne
Cyber Security Risk as Business Risk
AGENDA
• Security Framework Example
• Designing and Implementing an Information Security program
• Information Security Risk as Business Risk
• The Security Processes You Must Get Right
• Questions
A Security Framework (figure: Governance and Operational layers)
1. Designing and Implementing an Information Security Program
Does Information Security Risk exist?
• Common definition of security
– Confidentiality
– Integrity
– Availability
Information Security is a Property of Something Else
• Reputation
• Regulation
• Revenue
• Resilience
• For security to be relevant, it must solve business problems
Linking Security to Business Drivers
• Sherwood Applied Business Security Architecture (SABSA)
• http://www.sabsa.org/
• http://www.sabsa-institute.com/members/sites/default/inline-files/SABSA_White_Paper.pdf
• Business driven architecture
– Goals
– Objectives
– Success factors
– The security program demonstrably supports, enhances and protects
SABSA (figure: the SABSA layered matrix, rows as shown on the slide)
• Contextual – Business Strategy: goals, relationships, market, regulation, people, materials, finance, production
• Conceptual – Security Strategy: attribute profile, risk model, trust model; process design, policy & legal framework, technical design
• Logical – Logical Security Services: identification, registration, certification, directories, authentication, authorisation, access control, audit trail
• Physical – Physical Security Mechanisms: names, procedures, encryption, databases, passwords, access control lists, firewalls, logs
• Component – Components: products, tools
• Operational – Trusted Business Operations
Business Driven Security Program (figure: three stages)
• Business requirements – Business goals and objectives, e.g. "Sell more widgets", "Be the best X"
• Business Drivers for Security – Business requirements abstracted into one or more statements of security relevance
• Attributes – Standardised and reusable specification of the business requirement
Attributes
• Business attributes
– Accessible – Information to which the user is entitled to gain access should be easily found and accessed by that user
– Access controlled – Access to information and functions within the system should be controlled in accordance with the authorised privileges of the party requesting access. Unauthorised access should be prevented
Example
• Identity Management Project
– Business requirements
– Business drivers for security
– Business attributes
• Project Scope – Banking organisation
– Automated user provisioning/de-provisioning
– Single sign on
– High availability platform
Example (figure: business requirements, the security drivers they give rise to, and the attributes derived from each driver)
Business requirements:
• Be the best bank in the world
• Be the most trusted brand
• To provide great customer service
Business drivers for security, with their attributes:
• Protect the reputation of the organisation – Access controlled, Accessible, Available, Brand enhancing, Reputable, Efficient
• Ensure compliance with regulations – Auditable, Compliant
• Maintain the accuracy of information – Accurate, Duty Segregated, Protected
2. Cyber Security Risk as Business Risk
Overview of IT Risk
• Risk
• IT Risk
• IT Governance
• Risk management
What Causes IT Risk?
• George Westerman from MIT Sloan, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
– Failure of oversight and governance processes (ineffective IT governance)
• Series of poor decisions and badly structured IT assets
• Locally optimised decisions
• Lack of business involvement
– Uncontrolled complexity
– Inattention to risk
• IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT
The Business Consequences of IT Risk (figure: the four A's)
• Availability
• Access
• Accuracy
• Agility
Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
The Business Consequences of IT Risk (cont)
Enterprise IT Risks (the four A's):
• Availability – Business continuity, DRP
• Access – Information protection, Knowledge sharing, Preventing attacks
• Accuracy – Data integrity, Regulatory compliance
• Agility – Ability to implement major strategic change
IT Risk Factors, by category (grouping as read from the figure):
• Technology & Infrastructure – Configuration management, Degree of standardisation, Age of technology, Architecture complexity, Redundancy
• Applications & Information – Data integrity, Degree of customisation
• People & Skills – Turnover, Skills planning, Recruiting/training, IT/Business relationship
• Vendors & Other Partners – SLAs, Use of firm standards, Sole source risk
• Policy & Process – Controls, Degree of standardisation, Accountability
• Organisational – Cost cutting, Complexity, Funding
Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
Example Risk Factors
• Availability
– Alternative site
– Excessive time to restore (RTO, RPO, MTO)
– Special hardware or equipment or a unique environment
– Network links
Example Risk Factors
• Access
– Financial impact of unauthorised modification of data
– Impact of unauthorised disclosure
– Are duties segregated?
– Is access based on the user's role?
– Can the system track user actions and provide reports?
– How effective is the access provisioning/de-provisioning process?
Example Risk Factors
• Accuracy
– What is the financial impact of incorrect applications?
– How will inaccuracy impact customers and the organisation's reputation?
– What regulatory and government compliance is required?
– Is there a high level of customisation?
– Are calculations performed by any third parties?
Example Risk Factors
• Agility
– Is the system hard coded with custom features that are difficult to modify?
– Is the system supported by the vendor?
– Does the system require hard-to-obtain technical resources to maintain support?
– Can the system be scaled in terms of volume?
– Is the documentation adequate?
– Does the system run on out-of-date software?
Example
• Single Sign-On implementation (figure: assessed against Availability, Access, Accuracy and Agility)
Example
• Moving corporate data to the cloud (figure: assessed against Availability, Access, Accuracy and Agility)
Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
3. The Security Processes You Must Get Right
The Processes
• Vulnerability management
• Incident response
• Security awareness
These are the processes that should be considered the foundation of your security operations function. Certain operational security processes are critical in ensuring that information security is managed effectively.
Is that it?
• Some key security processes exist in the governance layers
• Other processes to consider
Getting it Right?
• Documentation
– Purpose
– Process description
– Process flow chart
– Responsibility matrix (RACI)
– Metrics
Vulnerability Management
• Phases
– Policy
– Discovery
– Reporting
– Prioritisation
– Response
– Eliminate root cause
– Monitor
Incident Response
• Phases
– Preparation
– Identification
– Containment
– Eradication
– Review
Security Awareness
• C-level support
• Understand your organisation's culture
• Partner with other business areas
• Metrics
• Change in behaviour is the goal
– Define the behaviours (in plain English)
– Engage through social media
– Use entertainment as a teaching tool
Questions
Contact
• wtufek@unimelb.edu.au
• LinkedIn – http://www.linkedin.com/pub/wayne-tufek/0/338/312