
Page 1: Introducing RESILIA: Cyber-Resilience for the 21st Century (professionalprograms.net/downloads/2016_HDI/PDFs/Session610.pdf)

SESSION 610 Thursday, April 14, 2:45pm - 3:45pm

Track: Service Management Excellence

Introducing RESILIA: Cyber-Resilience for the 21st Century

David Moskowitz CIO, Productivity Solutions, Inc. [email protected]

Session Description

Is your organization at risk? Companies like Home Depot, Sony, Target, and the US Department of State have all been victims of some form of cyber-attack. In this session, David Moskowitz will provide an introduction to RESILIA, a cyber-resilience framework designed to integrate with the ITIL lifecycle. From strategy to operations and the service desk, it is critical to understand that security or prevention alone isn’t enough. The organization must develop the capability to detect sooner and correct faster. Come learn about an approach that fits what you are already doing!

Speaker Background

David Moskowitz is an end-user, value-to-customer-driven professional with more than thirty years of strategic technology and competitive assessment experience. David is the primary author of an accredited Axelos RESILIA Practitioner course, and he holds both the RESILIA Practitioner and ITIL Expert certifications. Well-known on Twitter as @DavidM2, David is a PRINCE2 Practitioner, an Agile coach, and a mentor.

Page 2

Session 610 Introducing RESILIA: Cyber-Resilience for the 21st Century

David Moskowitz

RESILIA Practitioner

ITIL Expert

It Can’t Happen Here!

Page 3

Small sample

• US Government OPM: 21.5 million

• T-Mobile: 15 million applicants

• Premera Blue Cross: 11 million

• Anthem: 80 million

• Ashley Madison: 32 million

• Sony: terabytes of data

• Home Depot: 56 million payment, 53 million email addresses

• JP Morgan: 83 million

• Ebay: 145 million active users (including login)

• Target: 110 million

Two types of companies: the ones that have been hacked and ones that don’t know it.

The pace of change

www.glasbergen.com ― ©2006 Randy Glasbergen

Page 4

What is Cyber Security?

• Not a preventative!

– Purpose: keep them out long enough

• Delay tactic!!!

• When they get in, whatever you’re trying to protect

• No longer sensitive, valuable or meaningful

• Not enough!

– Need capability to detect & correct

– Average time to detect breach???

Reported hacks per month outside of government

• More than 50

• 83% financial companies

• 44% retail

Average time to detect: more than 6 months (http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/, May 2015)

What’s Wrong with This Picture

Page 5

When Bad Things Happen to Good People

• It’s not if, but when you will experience an

– Information breach

– Malicious software

– Cyber attack

– Accident!!!!

• Prevention alone is not a realistic strategy

– You have to be right all the time

– … they only have to be right once

• Financial loss

• Loss of trust

• Loss of reputation

• … careers

• Cyber Resilience controls

– Prevention

– Detection

– Correction

Cyber Resilience (CR)

• Cyber Resilience

– “The ability to prevent, detect & correct any

impact that incidents have on the information

required to do business.”

• RESILIA™ = CR best practice framework

– Adopt & adapt similar to ITIL

– Uses ITSM lifecycle

• …and ITSM and a management system

Page 6

Benefits of Cyber Resilience

• Aligned to business outcomes

• Implement balanced controls

– Prevent incidents you can

– Detect incidents not prevented

– Correct to protect business

• Builds trust within value network

– Optimize the value created

– Increase competitive advantage

– Improve operational efficiency

• Balance

– Protection of assets

– Ability to innovate

• Requires single, coherent risk-based strategy

– Must align with organization’s risk appetite

• Delivered via management systems

“Recognizing that 100% risk mitigation is not possible on any complex system, the overarching goal of a risk-based approach to cyber security is system resilience to survive and quickly recover from attacks and accidents.” Partnering for Cyber Resilience, World Economic Forum, January, 2013

Prevent, Detect & Correct

Risk? Really??

Manage cyber resilience

• Manage risks

• Identify what might happen

• Assess likelihood & impact

• Decide on action

• Select risk approach

– ISO 31000

– M_O_R™

– RESILIA™

Page 7

Management Systems

• Management systems exist everywhere

– Formal & informal

• Driven by strategic goals

• Provides basis for governance & management

– Processes, roles, organizational design, metrics (CSF & KPI)

– Directing, leading & reporting

• Axelos’ Cyber Resilience uses the ITSM Lifecycle

– Strategy

– Design

– Transition

– Operation

– Continual Improvement

• Defined by the ITIL® Service Management Lifecycle

Cyber Resilience People, Process & Technology

• Avoid overreliance on technology

• Strike a balance

– People

– Process

– … & technology

• Cyber Resilience requires

– Well informed & educated people

– Well designed processes

• People, Process & Technology

– Must fit together without gaps

– Act in a complementary manner

– Include physical & personnel

• … to ensure completeness

Page 8

People & Cyber Resilience

• Most threats involve legitimate users

– Ill-informed users represent a vulnerability

– Tailored training required to improve awareness

– Improved user vigilance

• Target people who handle the organization’s information

– Pretty much everybody

• Employees

• Clients

• Suppliers

• … the public

• Improve & maintain

– Leadership

– Governance

– Management

Process & Cyber Resilience

• Processes document

– How things are done “here”

– “The rules” we follow

• Organizational compliance to processes varies

– Strict & “by the book”

– Loose & “laid back”

– … & everything in between

• Account for organizational culture

– Reflect risk appetite

– Balance between

• Reducing risk

• Reducing efficiency

• Reduced flexibility

– Decisions must consider the effect

• Cyber Resilience impacts

– Information using technology

– … or, pretty much EVERYTHING

Page 9

What is a Process?

• Structured set of activities designed to accomplish a specific objective. (ITIL Glossary)

– Trigger, one or more inputs

– Massaged according to

• Established plan and set of activities

• Produce a measurable outcome for a stakeholder

• Process implements necessary controls

– Produce desired measurable outcomes

• RESILIA adds CR controls to ITSM

Technology & Cyber Resilience

• Cyber Resilience is an enterprise responsibility

– Not just IT

– Cloud computing & storage

– Anything “as a Service”

– Smart phones & tablets (BYOD)

– Internet of Things (IoT)

• Hyper-connectivity

• Impacted services

– Power grid

– City services

– Telecommunications

– Internet

– Manufacturing controls

– Medical devices

– … (everything)

Page 10

Core of Information Security

• Confidentiality

– Available only to the right people

• Integrity

– Accurate & unaltered information

• Availability

– Usable when needed

• Authentication

– Verification of the true identity

• Non-repudiation

– Provide undeniable proof

Why RESILIA & ITSM

• CISO gets alert on IP address

– Without good configuration management..

– Where is it?

– What data is on it?

– How sensitive is the data?

– What flows through it?

• Service desk gets a report

– Something that used to print doesn’t

– Without

• Change management

• Incident & problem management

• Known error database (KEDB)
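The slide above argues that an alert on a bare IP address is only actionable if configuration management can answer where the asset is, what data it holds, how sensitive that data is and what flows through it. The following is an added illustration, not code from the deck or from Axelos: a constructed mini-CMDB keyed by IP enriches each alert with those four answers, sets a priority from data sensitivity, and records a missing configuration item as its own finding. All asset names, addresses and values are assumptions.

```python
from dataclasses import dataclass, field

# Constructed mini-CMDB: a few configuration items keyed by IP address.
# Sample values only; a real CMDB holds far more attributes per item.
CMDB = {
    "10.0.5.12": {"name": "hr-db-01", "location": "DC-East rack 4",
                  "data": ["employee PII", "payroll"], "sensitivity": "high",
                  "flows": ["payroll export -> bank gateway", "HR portal queries"]},
    "10.0.9.40": {"name": "print-srv-02", "location": "Office 3F",
                  "data": ["print spool"], "sensitivity": "low",
                  "flows": ["desktop print jobs"]},
}

SENSITIVITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class EnrichedAlert:
    ip: str
    known: bool
    name: str = "unknown"
    location: str = "unknown"
    data: list = field(default_factory=list)
    sensitivity: str = "unknown"
    flows: list = field(default_factory=list)
    priority: str = "P3"
    gaps: list = field(default_factory=list)


def enrich(ip, cmdb=CMDB):
    """Answer the slide's four questions for an alerted IP, or record the gap."""
    ci = cmdb.get(ip)
    if ci is None:
        # A missing configuration record is itself a finding: without it the
        # CISO cannot judge how fast to correct, so it is raised rather than ignored.
        return EnrichedAlert(ip=ip, known=False, priority="P2",
                             gaps=["no configuration item for this IP"])
    rank = SENSITIVITY_RANK.get(ci["sensitivity"], 0)
    priority = "P1" if rank == 3 else "P2" if rank == 2 else "P3"
    return EnrichedAlert(ip=ip, known=True, name=ci["name"], location=ci["location"],
                         data=list(ci["data"]), sensitivity=ci["sensitivity"],
                         flows=list(ci["flows"]), priority=priority)


def triage(ips, cmdb=CMDB):
    """Enrich a batch of alerted IPs and order them highest priority first."""
    return sorted((enrich(ip, cmdb) for ip in ips), key=lambda a: a.priority)


if __name__ == "__main__":
    for a in triage(["10.0.9.40", "10.0.5.12", "192.168.77.9"]):
        print(a.priority, a.ip, a.name, a.location, a.sensitivity, a.gaps or a.flows)
```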

Planning CR initiative: consider

• ITIL Process Maturity Framework

• RESILIA™

– Best-practice approach for implementing Cyber Resilience

– Includes practical guidance

• NIST Cybersecurity Framework

– Defines cybersecurity capability

– Describes practice of cybersecurity

– Creates cybersecurity profiles

• Current state

• Future state

• Not how

Page 11

RESILIA™ Adds CR Controls to ITSM

• Take lifecycle approach

• Already doing something

• Start where you are

– Improve what you have

– Start with CSI (continual improvement)

– Determine which controls needed

• Modify or add processes

• Examine existing business strategy

– Add CR considerations

– Set stage for governance & management

• Design to meet strategy

• Transition to verify & validate accomplishment

• Operate CR

• Get better at it

– CR is a constantly moving target

Don’t limit thinking! ITSM isn’t just for IT!

CSI Control Objectives

• Audit & Review

• Control Assessments

• KPIs, KRIs, & Benchmarking

• Business Continuity Improvements

• Process Improvements

• Remediation & Improvement Planning

Page 12

Strategy CR Control Objectives

• Evaluate need & expectations of the stakeholders

• Provide direction to management

• Define who makes Cyber Resilience decisions & how

• Ensure Cyber Resilience risk is addressed

• Monitor performance & outcomes

• Segregation of Duties & Dual Controls

• Cyber Resilience activities

– Define overall strategy to create value

– Identify stakeholders

– Understand business requirements & set expectations

– Define high-level priorities, goals & CSFs

– Define roles & responsibilities

– Provide funding

• … & exploit opportunities

Design CR Control Objectives

• Human Resources Security

– Joiners, movers & leavers (JML)

• System Acquisition, Development Architecture & Design

• Supplier & 3rd Party Security Management

• Endpoint Security

• Cryptography

• Business Continuity Management

Page 13

Transition CR Control Objectives

• Asset & Configuration Management

– What & where

– Classification & Handling

• Data Transportation & Removable Media

• Change Management

– Include CR considerations

• Testing

• Training

• Document Management

• Information Retention

• Information Disposal

Operation CR Control Objectives

• Ensure risks that disrupt operational service are managed

• Operation control objectives include

– Access Control

• JML, business requirements & access policy

• Identity verification (authentication, access & non-repudiation)

– Network Security Management

– Physical Security

– Operation Security

– Incident Management

• Incident response

– Formal response team?

• Define CR communication

• Determine criteria to bring in specialists

• Forensic investigation

• Document lessons learned

Page 14

Critical Elements of Effective CR

• Board-level ownership & responsibility for CR

• Training & development

• Identify critical information assets

– Hackers want your information

• Clear view of key threats & vulnerabilities

– Include customers, partners & supply chain

• Only secure as weakest link

– Common language used by all stakeholders

– Assessment of organizational CR maturity

• Appropriate balance of controls

– Prevent

– Detect

– Correct

Prevent, Detect & Correct

CR is Really Business Resilience

• Ensure the organization can confidently

– Execute business strategy

– Deliver desired outcomes

• Provide

– Good processes & people, systems & technology

• Offer products & services to customers

– Trust & rely to do the right thing

• Keep customers in the loop

• CR key to survivability & profitability

– Requires more than IT

– Absent effective CR: headlines

Page 15

Thank you for attending this session.

Please remember to complete a session evaluation!

NIST Cyber Security Framework

• National Institute of Standards & Technology (NIST)

• Framework published in February 2014

– U.S. Publication – appropriate for organizations worldwide

– Intended for organizations supporting critical infrastructure

– Systems & assets; physical or virtual

– Vital to U.S. Interests

• Incapacity or destruction results in debilitating impact on

– Security

– National economic security

– National public health or safety

• NIST Framework

– Framework Core

• Controls described in a formal structured hierarchy

– Framework Implementation Tiers

• 4-layered model describing alignment to the framework

– Framework Profiles

• Selection of controls from the core that is appropriate for a particular organization or context

__________

“The framework is intended for organizations that are responsible for critical infrastructure, defined as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety…’”

__________

Page 16

NIST Cybersecurity Framework

• Published by the

– National Institute of Standards & Technology (NIST)

• Department of the U.S. Department of Commerce

• Published February 2014

• Deemed appropriate for organizations worldwide

• Risk-based approach

– Manages cybersecurity risk

– Framework Core

• Describes common desired outcomes

• Expressed as functions

– Framework Implementation Tiers

• Describes how cybersecurity is practiced

• Informed by business needs

– Framework Profiles

• Aligns “core” with resources & tolerances

• Used to define current state

• … & future state


Implementation Tiers

• Describes the practice of

– Cybersecurity risk management

– Rigor of the practice of cybersecurity

– … as defined in the framework

– Not intended to represent “maturity levels”

• … however may be used as such

• Implementation Tiers

– Tier 1 - Partial

• Ad hoc

• Limited risk awareness

• No collaboration

– Tier 2 - Risk-informed

• Approved risk management practices

• Organizational awareness of risk

• Role in relation to other organizations

– Tier 3 - Repeatable

• Organization-wide formal practices

• Consistent processes & methods

• Information sharing with other organizations

– Tier 4 - Adaptive

• Practices based on lessons learned

• Risk management part of culture

• Information actively shared

__________

The Tiers range from ‘Ad hoc’ to ‘Adaptive’ and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.

“Implementation of the framework is not judged based on the tier level achieved, but on achieving the outcomes described in the organization’s target profile(s).” (NIST)

__________