TRANSCRIPT
SESSION 610 Thursday, April 14, 2:45pm - 3:45pm
Track: Service Management Excellence
Introducing RESILIA: Cyber-Resilience for the 21st Century
David Moskowitz CIO, Productivity Solutions, Inc. [email protected]
Session Description
Is your organization at risk? Companies like Home Depot, Sony, Target, and the US Department of State have all been victims of some form of cyber-attack. In this session, David Moskowitz will provide an introduction to RESILIA, a cyber-resilience framework designed to integrate with the ITIL lifecycle. From strategy to operations and the service desk, it is critical to understand that security or prevention alone isn’t enough. The organization must develop the capability to detect sooner and correct faster. Come learn about an approach that fits what you are already doing!
Speaker Background
David Moskowitz is an end-user, value-to-customer-driven professional with more than thirty years of strategic technology and competitive assessment experience. David is the primary author of an accredited Axelos RESILIA Practitioner course, and he holds both the RESILIA Practitioner and ITIL Expert certifications. Well-known on Twitter as @DavidM2, David is a PRINCE2 Practitioner, an Agile coach, and a mentor.
Session 610 Introducing RESILIA: Cyber-Resilience for the 21st Century
David Moskowitz
RESILIA Practitioner
ITIL Expert
It Can’t Happen Here!
Small sample
• US Government OPM: 21.5 million
• T-Mobile: 15 million applicants
• Premera Blue Cross: 11 million
• Anthem: 80 million
• Ashley Madison: 32 million
• Sony: terabytes of data
• Home Depot: 56 million payment, 53 million email addresses
• JP Morgan: 83 million
• Ebay: 145 million active users (including login)
• Target: 110 million
Two types of companies. The ones that have been hacked and ones that don’t know it.
The pace of change
www.glasbergen.com ― ©2006 Randy Glasbergen
What is Cyber Security?
• Not a preventative!
– Purpose: keep them out long enough
• Delay tactic!!!
• When they get in, whatever you’re trying to protect
• No longer sensitive, valuable or meaningful
• Not enough!
– Need capability to detect & correct
– Average time to detect breach???
Reported hacks per month outside of government
• More than 50
• 83% financial companies
• 44% retail
Average time to detect: more than 6 months
http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/ May, 2015
What’s Wrong with This Pikture
When Bad Things Happen to Good People
• It’s not if, but when you will experience an
– Information breach
– Malicious software
– Cyber attack
– Accident!!!!
• Prevention alone is not a realistic strategy
– You have to be right all the time
– … they only have to be right once
• Financial loss
• Loss of trust
• Loss of reputation
• … careers
• Cyber Resilience controls
– Prevention
– Detection
– Correction
Cyber Resilience (CR)
• Cyber Resilience
– “The ability to prevent, detect & correct any impact that incidents have on the information required to do business.”
• RESILIA™ = CR best practice framework
– Adopt & adapt similar to ITIL
– Uses ITSM lifecycle
• …and ITSM and a management system
Benefits of Cyber Resilience
• Aligned to business outcomes
• Implement balanced controls
– Prevent incidents you can
– Detect incidents not prevented
– Correct to protect business
• Builds trust within value network
– Optimize the value created
– Increase competitive advantage
– Improve operational efficiency
• Balance
– Protection of assets
– Ability to innovate
• Requires single, coherent risk-based strategy
– Must align with organization’s risk appetite
• Delivered via management systems
“Recognizing that 100% risk mitigation is not possible on any complex system, the overarching goal of a risk-based approach to cyber security is system resilience to survive and quickly recover from attacks and accidents.” Partnering for Cyber Resilience, World Economic Forum, January, 2013
Prevent Detect & Correct
Risk? Really??
Manage cyber resilience
• Manage risks
• Identify what might happen
• Assess likelihood & impact
• Decide on action
• Select risk approach
– ISO 31000
– M_O_R™
– RESILIA™
Management Systems
• Management systems exist everywhere
– Formal & informal
• Driven by strategic goals
• Provides basis for governance & management
– Processes, roles, organizational design, metrics (CSF & KPI)
– Directing, leading & reporting
• Axelos’ Cyber Resilience uses the ITSM Lifecycle
– Strategy
– Design
– Transition
– Operation
– Continual Improvement
• Defined by the ITIL®
– Service Management Lifecycle
Cyber Resilience People, Process & Technology
• Avoid overreliance on technology
• Strike a balance
– People
– Process
– … & technology
• Cyber Resilience requires
– Well informed & educated people
– Well designed processes
• People, Process & Technology
– Must fit together without gaps
– Act in a complementary manner
– Include physical & personnel
• … to ensure completeness
People & Cyber Resilience
• Most threats involve legitimate users
– Ill-informed users represent a vulnerability
– Tailored training required to improve awareness
– Improved user vigilance
• Target people who handle the organization’s information
– Pretty much everybody
• Employees
• Clients
• Suppliers
• … the public
• Improve & maintain
– Leadership
– Governance
– Management
Process & Cyber Resilience
• Processes document
– How things are done “here”
– “The rules” we follow
• Organizational compliance to processes varies
– Strict & “by the book”
– Loose & “laid back”
– … & everything in between
• Account for organizational culture
– Reflect risk appetite
– Balance between
• Reducing risk
• Reducing efficiency
• Reduced flexibility
– Decisions must consider the effect
• Cyber Resilience impacts
– Information using technology
– … or, pretty much EVERYTHING
What is a Process?
• Structured set of activities designed to accomplish a specific objective. (ITIL Glossary)
– Trigger, one or more inputs
– Massaged according to
• Established plan and set of activities
• Produce a measurable outcome for a stakeholder
• Process implements necessary controls
– Produce desired measurable outcomes
• RESILIA adds CR controls to ITSM
Technology & Cyber Resilience
• Cyber Resilience is an enterprise responsibility
– Not just IT
– Cloud computing & storage
– Anything “as a Service”
– Smart phones & tablets (BYOD)
– Internet of Things (IoT)
• Hyper-connectivity
• Impacted services
– Power grid
– City services
– Telecommunications
– Internet
– Manufacturing controls
– Medical devices
– … (everything)
Core of Information Security
• Confidentiality
– Available only to the right people
• Integrity
– Accurate & unaltered information
• Availability
– Usable when needed
• Authentication
– Verification of the true identity
• Non-repudiation
– Provide undeniable proof
Why RESILIA & ITSM
• CISO gets alert on IP address
– Without good configuration management…
– Where is it?
– What data is on it?
– How sensitive is the data?
– What flows through it?
• Service desk gets a report
– Something that used to print doesn’t
– Without
• Change management
• Incident & problem management
• Known error database (KEDB)
Planning a CR initiative, consider
• ITIL Process Maturity Framework
• RESILIA™
– Best-practice approach for implementing Cyber Resilience
– Includes practical guidance
• NIST Cybersecurity Framework
– Defines cybersecurity capability
– Describes practice of cybersecurity
– Creates cybersecurity profiles
• Current state
• Future state
– Not how
RESILIA™ Adds CR Controls to ITSM
• Take lifecycle approach
• Already doing something
• Start where you are
– Improve what you have
– Start with CSI (continual improvement)
– Determine which controls needed
• Modify or add processes
• Examine existing business strategy
– Add CR considerations
– Set stage for governance & management
• Design to meet strategy
• Transition to verify & validate accomplishment
• Operate CR
• Get better at it
– CR is a constant moving target
Don’t limit thinking! ITSM isn’t just for IT!
CSI Control Objectives
• Audit & Review
• Control Assessments
• KPIs, KRIs, & Benchmarking
• Business Continuity Improvements
• Process Improvements
• Remediation & Improvement Planning
Strategy CR Control Objectives
• Evaluate need & expectations of the stakeholders
• Provide direction to management
• Define who makes Cyber Resilience decisions & how
• Ensure Cyber Resilience risk is addressed
• Monitor performance & outcomes
• Segregation of Duties & Dual Controls
• Cyber Resilience activities
– Define overall strategy to create value
– Identify stakeholders
– Understand business requirements & set expectations
– Define high-level priorities, goals & CSFs
– Define roles & responsibilities
– Provide funding
• … & exploit opportunities
Design CR Control Objectives
• Human Resources Security
– Joiners, movers & leavers (JML)
• System Acquisition, Development Architecture & Design
• Supplier & 3rd Party Security Management
• Endpoint Security
• Cryptography
• Business Continuity Management
Transition CR Control Objectives
• Asset & Configuration Management
– What & where
– Classification & Handling
• Data Transportation & Removable Media
• Change Management
– Include CR considerations
• Testing
• Training
• Document Management
• Information Retention
• Information Disposal
Operation CR Control Objectives
• Ensure risks that disrupt operational service are managed
• Operation control objectives include
– Access Control
• JML, business requirements & access policy
• Identity verification (authentication, access & non-repudiation)
– Network Security Management
– Physical Security
– Operation Security
– Incident Management
• Incident response
– Formal response team?
• Define CR communication
• Determine criteria to bring in specialists
• Forensic investigation
• Document lessons learned
Critical Elements of Effective CR
• Board-level ownership & responsibility for CR
– Execute business strategy
– Deliver desired outcomes
– Offer services to customers
• Trust & rely
• Training & development
• Identify critical information assets
– Hackers want your information
• Clear view of key threats & vulnerabilities
– Include customers, partners & supply chain
• Only secure as weakest link
– Common language used by all stakeholders
– Assessment of organizational CR maturity
• Appropriate balance of controls
– Prevent
– Detect
– Correct
Prevent Detect & Correct
CR is Really Business Resilience
• Ensure the organization can confidently
– Execute business strategy
– Deliver desired outcomes
• Provide
– Good processes & people, systems & technology
• Offer products & services to customers
– Trust & rely to do the right thing
• Keep customers in the loop
• CR key to survivability & profitability
– Requires more than IT
– Absent effective CR: headlines
Thank you for attending this session.
Please remember to complete a session evaluation!
NIST Cyber Security Framework
• National Institute of Standards & Technology (NIST)
• Framework published in February 2014
– U.S. Publication – appropriate for organizations worldwide
– Intended for organizations supporting critical infrastructure
– Systems & assets; physical or virtual
– Vital to U.S. Interests
• Incapacity or destruction results in debilitating impact on
– Security
– National economic security
– National public health or safety
• NIST Framework
– Framework Core
• Controls described in a formal structured hierarchy
– Framework Implementation Tiers
• 4-layered model describing alignment to the framework
– Framework Profiles
• Selection of controls from the core that is appropriate for a particular organization or context
__________
“The framework is intended for organizations that are responsible for critical infrastructure, defined as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety…’”
__________
NIST Cybersecurity Framework
• Published by the
– National Institute of Standards & Technology (NIST)
• Part of the U.S. Department of Commerce
• Published February 2014
• Deemed appropriate for organizations worldwide
• Risk-based approach
– Manages cybersecurity risk
– Framework Core
• Describes common desired outcomes
• Expressed as functions
– Framework Implementation Tiers
• Describes how cybersecurity is practiced
• Informed by business needs
– Framework Profiles
• Aligns “core” with resources & tolerances
• Used to define current state
• … & future state
Implementation Tiers
• Describes the practice of
– Cybersecurity risk management
– Rigor of the practice of cybersecurity
– … as defined in the framework
– Not intended to represent “maturity levels”
• … however may be used as such
• Implementation Tiers
– Tier 1 - Partial
• Ad hoc
• Limited risk awareness
• No collaboration
– Tier 2 - Risk-informed
• Approved risk management practices
• Organizational awareness of risk
• Role in relation to other organizations
– Tier 3 - Repeatable
• Organization-wide formal practices
• Consistent processes & methods
• Information sharing with other organizations
– Tier 4 - Adaptive
• Practices based on lessons learned
• Risk management part of culture
• Information actively shared
__________
The Tiers range from ‘Ad hoc’ to ‘Adaptive’ and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.
“Implementation of the framework is not judged based on the tier level achieved, but on achieving the outcomes described in the organization’s target profile(s).”
__________ NIST