External Dependency Risk Management
North Texas Association of Contingency Planners
July 8, 2014 General Meeting
Presented By: Charles M. Wallen
External Dependencies: a Key Aspect of Operational Risk Management
Managing External Dependency Risk
We realize new business opportunities, flexibility, and cost savings by outsourcing services. We utilize shared and public suppliers for a number of essential services . . . but how do we manage the right relationships and mitigate the resulting risks in a reliable way over time?
Dependency Concepts and Terminology
External dependency risk management: also known as supply chain risk management, vendor management or critical infrastructure risk management.
External entity: an external supplier who has access to, control of, ownership in, possession of, responsibility for, or other defined obligations related to one or more assets or services of the organization.
Diagram: Organization X and its external entities. Critical Services 1, 2 and 3 depend on data-processing suppliers (1.1, 1.2, 1.3), telecommunications providers (2.1, 2.2) and a power supplier, alongside public services (Police, Fire, EMS) and threat intelligence sources, i.e., US-CERT.
Growing External Dependency Risks: Role of Relationships & Partnerships
Intertwining of Physical and Cyber Domains
Diagram: physical disruptions and cybersecurity disruptions overlap, with the protection of physical and cyber assets in between.
But also less predictable impacts . . .
• New modes of attack: physical-enabled cyber attack; cyber-enabled physical attack
• Cyber protection of physical assets
Evolving threat challenges
• Growing frequency and intensity of weather events
• Directed man-made attacks; terrorism
• State-sponsored cyber events
We Depend on Evolving Cyber Ecosystems
Greater Dependency Every Day
“We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the internet. In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.”
—James Clapper, Director of National Intelligence, March 2013
Recent News
Partnering to Prepare and Respond
Diagram: Relationships and Partnerships among the Law Enforcement and First Responder Communities, the Private Sector, State and Local Governments, and Federal Departments and Agencies.
Public-Private Partnership in Action
DHS, NSA, and FBI provided on-request support to organizations that were attacked.
DHS has improved its capability to aid the attacked organizations:
• Information gathering, analysis, and sharing
• Recommendations for mitigations
• Clarification of contact points
“A year ago, quite frankly, the capability was not there. We did not have the capacity to collaborate nearly as effectively as we do now. I won't say that it has become almost pro forma, but it's become a lot more routine for how we do this now than it was just a few months ago.”
—Mark Weatherford, DHS Deputy Undersecretary for Cybersecurity, January 2013
Cooperation (and Information Sharing): Is it getting better?
A Practical Case for Situational Awareness
Resilience Management & External Dependency Management: Simplifying a Complex Challenge
What Is Resilience?
“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
—Presidential Policy Directive 21 (PPD-21), February 12, 2013
Diagram: Protect (Security), Sustain (Continuity), Perform (Capability), Repeat (Maturity)
Yesterday’s Preparedness Planning
Diagram: separate disciplines of Emergency Management, Continuity of Operation (COOP), Business Continuity, IT Disaster Recovery and Crisis Management.
How can a resilience view help?
Today’s Preparedness Planning
Diagram: an even larger set of separate disciplines: Information Security, IT Disaster Recovery, Continuity of Operation (COOP), Business Continuity, Emergency Management, Supply Chain Continuity, Crisis Management, Contingency Planning, Pandemic Planning, Preparedness Planning, Operational Risk Management, Enterprise Risk Management, IT Operations, Privacy, Risk Management, Workforce Continuity, Cyber Protection, Crisis Communications.
Desired Direction
Diagram: the separate disciplines of today’s preparedness planning (Supply Chain Continuity, Continuity of Operation (COOP), IT Disaster Recovery, Business Continuity, Crisis Management, Emergency Management, Contingency Planning, Pandemic Planning, Preparedness Planning, Operational Risk Management, Enterprise Risk Management, IT Operations, Privacy, Risk Management, Workforce Continuity, Information Security, Cyber Protection, Crisis Communications) converge, with IT Disaster Recovery, Business Continuity, Crisis Communications, Emergency Management, Crisis Management, Information Security, IT Operations, Supply Chain Continuity, Risk Management and Workforce Continuity brought together under Operational Resilience.
Example Resilience Framework: Cyber Resilience Review (CRR) Domains*
Key Attributes of a Resilience Program
• Asset Management: Know your assets being protected & their requirements, e.g., CIA
• Risk Management: Know your biggest risks and address them in a manner that considers cost and your risk tolerances
• Configuration and Change Management: Manage asset configurations and changes
• Service Continuity Management: Ensure workable plans are in place to manage disruptions
• Controls Management: Manage and monitor controls to ensure they are meeting your objectives
• Situational Awareness: Actively discover and analyze information related to immediate operational stability and security
• External Dependencies Management: Know who your most important external entities are and manage the risks they pose to essential services
• Training and Awareness: Ensure your people are trained on and aware of cybersecurity risks and practices
• Incident Management: Be able to detect and respond to incidents
• Vulnerability Management: Know your vulnerabilities and manage those that pose the most risk
* Based on Carnegie Mellon CERT Resilience Management Model http://www.cert.org/resilience/rmm.html
DHS Cyber Resilience Reviews
• DHS sponsored and coordinated with Carnegie Mellon CERT support
• Data collected from critical infrastructure and state/local government organizations in facilitated Cyber Resilience Review (CRR) assessments
  - Located in US
  - Data from CRRs conducted since 2011
• Strict non-attribution of results
• Not a scientifically rigorous study (yet) due to the limited sample size
• A snapshot of operational resilience as depicted in the ten domains of the CRR
Chart: Participant Average, All Sectors, 10 CRR Domain Areas; vertical axis Maturity Indicator Level (MIL), 0 to 1.2.
External Dependency Management – A Process Perspective
Managing External Dependency Risk
Process diagram: Establish and Maintain External Dependency Management Plan
• Establish Relationships: define and maintain supplier and contract/agreement requirements; evaluation of new suppliers and agreements/contracts; establishment of new suppliers and agreements/contracts
• Manage Relationships: categorize and analyze suppliers; monitor supplier performance and risk; transition, renewal or termination
• Monitor and Improve External Dependency Management
Supporting information: external dependency management information repository; supplier reports and information.
External entities covered: Suppliers/Vendors, Shared Infrastructure, Public Services.
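As an added example that is not part of the presentation, the following Python models the "categorize and analyze suppliers" step over the external entities named in the Organization X concept diagram; the entity names come from the slides, while the service-to-entity links and the tiering rule are constructed assumptions.

```python
# Added example, not from the presentation: categorize the external entities of
# the "Organization X" concept diagram per the EDM process slide's "categorize
# and analyze suppliers" step. Links and tier rules are constructed for illustration.
from collections import defaultdict

# Constructed: which external entities each critical service depends on
# (names follow the diagram; the slides do not state the actual links).
DEPENDENCIES = {
    "Critical Service 1": ["DataProcessing 1.1", "Telecommunications 2.1", "Power Supplier"],
    "Critical Service 2": ["DataProcessing 1.2", "Telecommunications 2.1", "Power Supplier"],
    "Critical Service 3": ["DataProcessing 1.3", "Telecommunications 2.2", "Power Supplier"],
}

def services_per_entity(deps):
    """Invert the mapping: entity -> set of critical services depending on it."""
    out = defaultdict(set)
    for service, entities in deps.items():
        for entity in entities:
            out[entity].add(service)
    return dict(out)

def analyze(deps):
    """Return {entity: (dependent service count, kind, tier)}.
    Constructed tiers: tier 1 = single point of failure (every service depends
    on it, or no alternative entity of the same kind exists); tier 2 = shared by
    several services; tier 3 = service-specific. Kind is the name's first word.
    """
    per = services_per_entity(deps)
    kind_counts = defaultdict(int)
    for entity in per:
        kind_counts[entity.split()[0]] += 1
    result = {}
    for entity, services in per.items():
        kind = entity.split()[0]
        if len(services) == len(deps) or kind_counts[kind] == 1:
            tier = 1
        elif len(services) > 1:
            tier = 2
        else:
            tier = 3
        result[entity] = (len(services), kind, tier)
    return result

def single_points_of_failure(deps):
    """Entities to address first when defining supplier requirements and monitoring."""
    return sorted(e for e, (_, _, tier) in analyze(deps).items() if tier == 1)

if __name__ == "__main__":
    for entity, (count, kind, tier) in sorted(analyze(DEPENDENCIES).items(), key=lambda kv: kv[1][2]):
        print(f"tier {tier}: {entity} ({kind}) supports {count} critical service(s)")
```

With the constructed links, the power supplier is the only tier-1 entity, while Telecommunications 2.1 is shared by two services and has an alternative of its kind.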
Critical Infrastructure Cyber Community (C3)
• DHS launched the C3 Program in February 2014 to complement the launch of the NIST Cyber Security Framework (CSF)
• The C³ Voluntary Program helps sectors and organizations that want to use the CSF by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector.
• The C3 website (http://www.us-cert.gov/ccubedvp) describes the various programs DHS offers to critical infrastructure partners, including Federal, State, local, and private sector organizations
• Many of the programs described on the following slides can also be found on the website
Website: http://www.us-cert.gov/ccubedvp
General C3 inquiries: [email protected]
In Closing…
• External dependency risk management is one of today’s key business challenges
• Dependencies extend well beyond just your vendors
• Relationships and partnerships are key: organizations cannot effectively manage dependency risks on their own
• The complexities of today’s cyber and physical disruption landscape require new tools
• Taking a converged approach to the challenge is key
• Resilience management can help provide a roadmap to simplify the management of operational and dependency risks