RESILIA - dit.dk

Posted on 08-Nov-2021

Page 1: RESILIA - dit.dk

RESILIA- Is your organization resistant to cyber risks?

Christian F. Nissen, BlueHat P/S

© 2016 of BlueHat P/S unless otherwise stated

RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are registered trademarks of AXELOS in the United Kingdom and other countries

COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

TOGAF™ and IT4IT™ are registered trademarks of The Open Group

Page 2: RESILIA - dit.dk


Agenda

1. Cyber threats

2. Cyber Resilience

3. Cyber Resilience Lifecycle

❍ Strategy

❍ Design

❍ Transition

❍ Operation

❍ Continual Improvement

4. Segregation of duties and dual controls

5. Barriers to Cyber Resilience


Page 3: RESILIA - dit.dk

Quick poll

What is your background?

Security

Governance, risk, compliance

Audit

Service management

Other


Page 4: RESILIA - dit.dk

Why bother?

Computerworld, August 24, 2016:

Swedish Lucas Lundgren from FortConsult "has found a glaring flaw in a connection protocol called MQTT, which ties billions of devices together in the Internet of Things (IoT) network."

"I have found a nuclear power plant where you could raise the radiation level and a prison where the prison doors can be opened from a server"


Page 5: RESILIA - dit.dk

Why bother?

According to ISACA's January 2016 Cybersecurity Snapshot:

84 percent of respondents believe there is a medium to high likelihood of a cybersecurity attack disrupting critical infrastructure (e.g., electrical grid, water supply systems) this year.

20 percent of the respondents have experienced a ransomware incident.

72 percent of respondents say they are in favor of the US Cybersecurity Act, but only 46% say their organizations would voluntarily participate in cyber threat information sharing, as outlined in the Act.


Page 7: RESILIA - dit.dk

Why bother?


Page 8: RESILIA - dit.dk

Best practices and standards

Some standards and frameworks that can help organizations to manage cyber threats include:

NIST Framework for Improving Critical Infrastructure Cybersecurity - A US risk-based approach to managing cybersecurity risk.

Management of Risk (M_o_R) - Best practice for managing risk.

ISO/IEC 27001 - International standard for information security management.

ISO 31000 - International standard defining risk management principles and guidelines.

ISO 22301 - International standard for business continuity.

COBIT 5 - Best practice for governance and management of enterprise IT.

ITIL - Best practice for IT service management.

ISO/IEC 20000 - International standard for IT service management.


Page 9: RESILIA - dit.dk

Quick poll

Do you have practical experience with one or more of the following frameworks?

NIST

ISO/IEC 27001

Management of Risk (M_o_R)

ISO 31000

ISO 22301

COBIT 5

ITIL

ISO/IEC 20000

RESILIA

None of the above


Page 10: RESILIA - dit.dk

Information Security versus Cyber Resilience

The human factor

❍ Service value resides in information, technology, people and processes

❍ People and their behaviour cause most vulnerabilities

❍ Need to look beyond information security to cyber resilience

[Figure: Information, Technology, People, Processes]

Page 11: RESILIA - dit.dk

Information Security versus Cyber Resilience

Security is defined as 'the state of being free from danger or threat' and involves the protection (confidentiality, integrity, availability and non-repudiation) of what is important, often with more emphasis on prevention and less emphasis on recovery from an incident. However, prevention alone is no longer a realistic strategy.

Resilience is the ability of a system or component to resist an unplanned disturbance or failure, and to recover in a timely manner following any unplanned disturbance or failure.

[Figure: Resilience, Security]

Page 12: RESILIA - dit.dk

What is Cyber Resilience?

Cyber resilience is the ability to prevent, detect, and correct (respond and recover) any impact that incidents have on the information required to do business.

Right balance between three types of control activity:

[Figure: Preventive, Detective, Corrective]

Page 13: RESILIA - dit.dk

Quick poll

To what extent do you agree that information security is a radically different discipline from cyber resilience?

Strongly agree

Partly agree

Partly disagree

Strongly disagree


Page 14: RESILIA - dit.dk

What is RESILIA?

A best practice from Axelos released in 2015

A balanced and holistic approach to cyber resilience

The missing chapter in ITIL

Risk and control based

Lifecycle based


https://www.axelos.com/best-practice-solutions/resilia

Page 15: RESILIA - dit.dk

What is RESILIA?

Risk-based

[Figure: Asset, Vulnerability, Threat]

Page 16: RESILIA - dit.dk

What is RESILIA?

Addressing risk


Page 17: RESILIA - dit.dk

What is RESILIA?

Best Practice Guide: Core practical guidance for strategy, implementation and management: "what good looks like"

Individual Awareness Learning & Know-how: All staff across an organisation

IT teams and data owners/managers

Membership & CPD: IT teams and data owners/managers

Leader Engagement: Leadership team across an organisation

Management Pathway Tool

Foundation & Practitioner Training

Page 18: RESILIA - dit.dk

RESILIA Management Pathway Tool

Method of assessing the maturity of cyber resilience in your organization:

❍ Explore the RESILIA best practice guidance and understand how its processes and security controls apply to your organization.

❍ Evaluate your existing cyber resilience controls and processes to identify the critical gaps.

❍ Map the necessary improvements you need to make to meet your desired level of cyber resilience maturity.


Page 19: RESILIA - dit.dk

RESILIA Leader Engagement

Awareness products, tools and guidance specifically designed to increase understanding, insight and action in the boardroom.

These include:

❍ Continuing professional development and learning for executive and non-executive directors

❍ Cyber boardroom simulations

❍ Cyber resilience risk management training for senior risk management decision makers.


Page 20: RESILIA - dit.dk

RESILIA Awareness Learning

Learning modules: Phishing, Social engineering, Password safety, Information handling, Online safety, Remote and mobile working, Personal information

Learning formats: Games, Simulations, Videos, eLearning, Tests and refreshers, Animations

Page 21: RESILIA - dit.dk

RESILIA Certification

Cyber Resilience Foundation

Course structure: 3-day classroom course or 20 hours of distance learning, optional simulation to start course, Foundation certification multiple choice exam

Learning outcomes: How decisions impact good/bad Cyber Resilience; Comprehensive approach across all areas; How to make good Cyber Resilience an efficient part of business and operational management

Cyber Resilience Practitioner

Course structure: 2-day classroom course or 15 hours of distance learning, optional simulation to start course, Practitioner certification multiple choice exam, bundled with Foundation as a 5-day course

Learning outcomes: What effective Cyber Resilience looks like; Pitfalls, risk and issues that can easily hit Cyber Resilience; Getting the best balance of risk, cost, benefits and flexibility within an organization

https://dit.dk/KurserOgCertificeringer/RESILIA

Page 22: RESILIA - dit.dk

Positioning of RESILIA certification

[Figure: positioning of security certifications along two axes, technical focus to business focus and general audience to niche audience: IT vendors (Cisco, MS, Oracle etc.), ISC(2) CISSP, CompTIA Security+, EC Council Ethical Hacker, EC Council Certified Security Analyst, CISM, ISC(2) SSCP, CLAS, ISO27001 auditor, CESG CCP, CESG CCT, ISACA Cybersecurity Fundamentals Certificate, AXELOS RESILIA Practitioner, AXELOS RESILIA Foundation, BCS InfoSec Principles]

Key: Grey = non-certification course; Size of circle = course market share

Page 23: RESILIA - dit.dk

RESILIA CPD scheme

Continuing Professional Development (CPD):

❍ Coming in 2016

❍ Completing a RESILIA qualification will earn 15 CPD points towards a professional membership

❍ A route to maintain your RESILIA qualification without re-sitting the exam


Page 24: RESILIA - dit.dk

Who is RESILIA for?

The Foundation and Practitioner certifications are aimed at:

IT and security functions

Risk and compliance functions

Core business functions including HR, Finance, Procurement, Operations and Marketing.

The awareness learning is for the entire organization.

The leadership engagement delivers specialised training and learning for the leaders within an organization.


Page 25: RESILIA - dit.dk

The Cyber Resilience Lifecycle

[Figure: the cyber resilience lifecycle; label: Strategy]

Page 26: RESILIA - dit.dk

Quick poll

Does it make sense to tie cyber resilience controls and processes to ITIL's five lifecycle phases and their associated processes?

Yes, we have been waiting a long time for this!

It probably doesn't make much difference

No, it makes no sense at all!

I have no opinion on that


Page 27: RESILIA - dit.dk

Cyber Resilience Strategy – Controls

Controls for Cyber Resilience Strategy

Establish governance of cyber resilience

❍ Vision and mission

❍ Governance roles

Manage stakeholders

❍ Identifying and categorizing stakeholders

❍ Gathering stakeholder requirements

❍ Stakeholder communications

Create and manage cyber resilience policies

❍ Cyber resilience policies

❍ Structure of the policies

❍ Management of the policies (process)

Manage cyber resilience audit and compliance

❍ Audit

❍ Compliance management

Page 28: RESILIA - dit.dk

Cyber Resilience Strategy - Processes

Interaction of ITSM Processes with Cyber Resilience Activities:

Strategy management for IT services

Service portfolio management

Financial management for IT services

Demand management

Business relationship management


Page 29: RESILIA - dit.dk

Cyber Resilience Strategy - Processes

Example: Cyber Resilience interfaces with Service Portfolio Management

Page 30: RESILIA - dit.dk

Cyber Resilience Design – Controls

Controls for Cyber Resilience Design

Human Resource Security

❍ Recruitment

❍ Pre-employment, employment, exit and termination

❍ Training & awareness

System Acquisition, Development, Architecture, and Design

❍ Requirement analysis

❍ Architecture design and development

❍ Threat and vulnerability modelling

❍ Secure design and development

❍ Cyber resilience security testing

Supplier and Third-Party Security Management

❍ Supply chain risk management

❍ Managing third-party risks

❍ Confidentiality and non-disclosure for suppliers

❍ Compliance and auditing of the supply chain

Endpoint Security

❍ Data-in-transit

❍ Data-at-rest

❍ Cryptography

❍ . . .

Business Continuity Management

❍ Business impact analysis

Page 31: RESILIA - dit.dk

Cyber Resilience Design - Processes

Interaction of ITSM Processes with Cyber Resilience Activities:

Design Coordination

Service Catalogue Management

Service Level Management

Availability Management

Capacity Management

IT Service Continuity Management

Supplier Management


Page 32: RESILIA - dit.dk

Cyber Resilience Design - Processes

Example: Cyber Resilience interfaces with IT Service Continuity Management

Page 33: RESILIA - dit.dk

Cyber Resilience Transition – Controls

Controls for Cyber Resilience Transition

Asset management and configuration management

❍ Classification and handling

❍ Data transportation and removable media

Change management

❍ Authorization, control and secure implementation

Testing

❍ Code review

❍ Unit, system and integration testing

❍ Regression and user-acceptance testing

❍ Penetration testing

Training

Documentation management

❍ Information retention and disposal

Page 34: RESILIA - dit.dk

Cyber Resilience Transition - Processes

Interaction of ITSM Processes with Cyber Resilience Activities:

Transition planning and support

Change management

Service asset and configuration management

Release and deployment management

Service validation and testing

Change evaluation

Knowledge management

Management of organizational change

Page 35: RESILIA - dit.dk

Cyber Resilience Transition - Processes

Example: Cyber Resilience interfaces with Release and Deployment Management

Page 36: RESILIA - dit.dk

Cyber Resilience Operation – Controls

Controls for Cyber Resilience Operation

Access control

❍ Logical access control

❍ Business requirements and access policy

❍ Authorization, registration and provisioning

❍ Identity verification

❍ . . .

Network security management

❍ Network design for resilience

❍ Segmenting networks with firewalls

❍ Network switch and logical segmentation

❍ Detecting and preventing intrusions

❍ . . .

Physical security

❍ Physical access control

❍ Perimeter security

❍ Visitor management

❍ Identity badges and passes

❍ . . .

Operations security

❍ Documentation

❍ Operational activities

Cyber resilience incident management

❍ Incident planning

❍ Incident reporting, logging and initial assessment

❍ Responding to the incident

❍ Containing the incident, eradicating and recovering

❍ Learning lessons

Page 37: RESILIA - dit.dk

Cyber Resilience Operation - Processes

Interaction of ITSM Processes with Cyber Resilience Activities:

Event management

Incident management

Request fulfilment

Problem management

Access management


Page 38: RESILIA - dit.dk

Cyber Resilience Operation - Processes

Example: Cyber Resilience interfaces with Event Management

Page 39: RESILIA - dit.dk

Cyber Resilience Continual Improvement

Controls for Cyber Resilience Continual Improvement

Cyber resilience audit and review

❍ Technology review and audit

❍ Policy review

❍ Review of access rights

❍ Review of administrator and operator logs

❍ Monitor, review and audit of third parties

Control assessment

❍ KPIs, Key Risk Indicators and benchmarking

Business continuity improvements

Learning from information security incidents

Process improvement

Remediation and improvement planning

❍ The remediation plan

❍ Implementing improvements

Page 40: RESILIA - dit.dk

Cyber Resilience Continual Improvement

Interaction of ITSM Processes with Cyber Resilience Activities:

The CSI approach

The seven-step improvement process


Page 41: RESILIA - dit.dk

Cyber Resilience Continual Improvement

Example: Cyber Resilience interfaces with the Seven-Step Improvement Process

Page 42: RESILIA - dit.dk

Segregation of duties and dual controls

Segregating Duties

Ensures that privileges and roles are separated so that they cannot be used to commit fraud.

Example: Segregating development and operations

Dual Controls

A method used to control abuse of privileges.

Example: Encryption of information using two separate encryption keys, each key belonging to a different person
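The dual-control example above (two keys held by two people) can be realised by key splitting. The following Python is an added illustration written for this page, not RESILIA or BlueHat material: each custodian holds one random XOR share of the data key, so decryption requires both, and a key check value makes a missing or wrong share fail cleanly; the HMAC-based stream cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a data key into two shares, one per custodian.
    Each share alone is uniformly random and reveals nothing about the key."""
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reassemble the data key; both custodians must contribute."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> bytes:
    """8-byte fingerprint stored with the ciphertext so a wrong or missing
    share is reported as such, without exposing the key itself."""
    return hmac.new(key, b"kcv", hashlib.sha256).digest()[:8]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns kcv || nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return key_check_value(key) + nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Fails closed: a single share, or a tampered blob, never yields plaintext."""
    kcv, nonce, ct, tag = blob[:8], blob[8:24], blob[24:-32], blob[-32:]
    if not hmac.compare_digest(kcv, key_check_value(key)):
        raise PermissionError("key check failed: both custodians' shares are required")
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or nonce has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
```

The same split also works when the two "keys" are held in separate HSM or vault accounts, which is the usual operational form of this control.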


Page 43: RESILIA - dit.dk

Barriers to cyber resilience

Lack of awareness (board level down)

Silo thinking ("it's an IT problem")

Narrow focus on regulatory compliance, not risk

Confusion about what "good" looks like

Cyber resilience demands a "whole system" view (information, technology, people and processes)


Page 44: RESILIA - dit.dk

Quick poll

We have now had a brief look at RESILIA. How does RESILIA fit the reality and the threat landscape in your organization?

It sounds like a framework we should build on in our handling of cyber risks

It could become one of many useful tools in the toolbox

It will not make much difference in our organization


Page 45: RESILIA - dit.dk

The end


Page 46: RESILIA - dit.dk

Contact

Christian F. Nissen, Partner

[email protected], +45 40 19 41 45

BlueHat P/S, Lottenborgvej 24, DK-2800 Kgs. Lyngby, CVR: 37 55 59 08

© 2016