wayne tufek university of melbourne: cyber security as business risk

Corporate Cyber Security Summit, November 13th, Grand Hyatt, Melbourne. Wayne Tufek: Cyber Security Risk as Business Risk

Upload: informa-australia

Post on 16-Jun-2015



DESCRIPTION

Wayne Tufek, IT Security and Risk Manager, University of Melbourne delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference

TRANSCRIPT

Page 1: Wayne Tufek  University of Melbourne: Cyber security as business risk

Corporate Cyber Security Summit

Wayne Tufek

Corporate Cyber Security Summit

November 13th

Grand Hyatt, Melbourne

Cyber Security Risk as Business Risk

Page 2

AGENDA

• Security Framework Example

• Designing and Implementing an Information Security program

• Information Security Risk as Business Risk

• The Security Processes You Must Get Right

• Questions

Page 3

A Security Framework

Governance

Operational

Page 4

Designing and Implementing an Information Security Program

Governance

Operational

1. Designing and implementing an information security program

Page 5

Does Information Security Risk exist?

• Common definition of security

– Confidentiality

– Integrity

– Availability

Page 6

Information Security is a Property of Something Else

• Reputation

• Regulation

• Revenue

• Resilience

• For security to be relevant, it must solve business problems

Page 7

Linking Security to Business Drivers

• Sherwood Applied Business Security Architecture (SABSA)

• http://www.sabsa.org/

• http://www.sabsa-institute.com/members/sites/default/inline-files/SABSA_White_Paper.pdf

• Business driven architecture

– Goals

– Objectives

– Success factors

– The security program demonstrably supports, enhances and protects

Page 8

SABSA

Page 9

SABSA

[Diagram: the SABSA model, six layers]

Contextual: Business Strategy (Goals, Relationships, Market, Regulation, People, Materials, Finance, Production)

Conceptual: Security Strategy (Attribute Profile, Risk Model, Trust Model, Process Design, Policy & Legal Framework, Technical Design)

Logical: Logical Security Services (Identification, Registration, Certification, Directories, Authentication, Authorisation, Access Control, Audit Trail)

Physical: Physical Security Mechanisms (Names, Procedures, Encryption, Databases, Passwords, Access Control Lists, Firewalls, Logs)

Component: Components (Products, Tools)

Operational: Trusted Business Operations

Page 10

Business Driven Security Program

[Diagram: Business requirements, Business Drivers for Security, Attributes]

Business requirements: business goals and objectives, e.g. "Sell more widgets", "Be the best X"

Business Drivers for Security: business requirements abstracted into one or more statements of security relevance

Attributes: standardised and reusable specification of the business requirement

Page 11

Attributes

• Business attributes

– Accessible: information to which the user is entitled to gain access should be easily found and accessed by that user

– Access controlled: access to information and functions within the system should be controlled in accordance with the authorised privileges of the party requesting access. Unauthorised access should be prevented

Page 12

Attributes

Page 13

Example

• Identity Management Project

– Business requirements

– Business drivers for security

– Business attributes

• Project Scope

– Banking organisation

– Automated user provisioning/de-provisioning

– Single sign on

– High availability platform

Page 14

Example

Business requirements:

• Be the best bank in the world

• Be the most trusted brand

• To provide great customer service

Business Drivers for Security derived from them:

• Protect the reputation of the organisation

• Ensure compliance with regulations

• Maintain the accuracy of information

Page 15

Example

Business driver: Protect the reputation of the organisation

Attributes:

• Access controlled

• Accessible

• Available

• Brand enhancing

• Reputable

• Efficient

Page 16

Example

Business driver: Ensure compliance with regulations

Attributes:

• Auditable

• Compliant

Business driver: Maintain the accuracy of information

Attributes:

• Accurate

• Duty Segregated

• Protected

Page 17

Example

[Diagram: Business requirements, Business Drivers for Security, Attributes]

Page 18

Corporate Cyber Security Summit

Information Security Risk as Business Risk

Page 19

A Security Framework

Governance

Operational

2. Cyber Security Risk as Business Risk

Page 20

Overview of IT Risk

• Risk

• IT Risk

• IT Governance

• Risk management

Page 21

What Causes IT Risk?

• George Westerman from MIT Sloan, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

– Failure of oversight and governance processes (ineffective IT governance)

• Series of poor decisions and badly structured IT assets

• Locally optimised decisions

• Lack of business involvement

– Uncontrolled complexity

– Inattention to risk

• IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT

Page 22

The Business Consequences of IT Risk

Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

The four categories of IT risk: Availability, Access, Accuracy, Agility

Page 23

The Business Consequences of IT Risk (cont)

Enterprise IT Risks

• Availability: Business continuity, DRP

• Access: Information protection, Knowledge sharing, Preventing attacks

• Accuracy: Data integrity, Regulatory compliance

• Agility: Ability to implement major strategic change

IT Risk Factors

• Technology & Infrastructure: Configuration management, Degree of standardisation, Age of technology, Architecture complexity, Redundancy

• Applications & Information: Data integrity, Degree of customisation

• People & Skills: Turnover, Skills planning, Recruiting/training

• Vendors & Other Partners: IT/Business relationship, SLAs, Use of firm's standards, Sole source risk

• Policy & Process: Controls, Degree of standardisation, Accountability

• Organisational: Cost cutting, Complexity, Funding

Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

Page 24

Example Risk Factors

• Availability

– Alternative site

– Excessive time to restore (RTO, RPO, MTO)

– Special hardware or equipment or a unique environment

– Network links

Page 25

Example Risk Factors

• Access

– Financial impact of unauthorised modification of data

– Impact of unauthorised disclosure

– Are duties segregated?

– Is access based on the user's role?

– Can the system track user actions and provide reports?

– How effective is the access provisioning/de-provisioning process?

Page 26

Example Risk Factors

• Accuracy

– What is the financial impact of incorrect applications?

– How will inaccuracy impact customers and the organisation's reputation?

– What regulatory and government compliance is required?

– Is there a high level of customisation?

– Are calculations performed by any third parties?

Page 27

Example Risk Factors

• Agility

– Is the system hard coded with custom features that are difficult to modify?

– Is the system supported by the vendor?

– Does the system require hard to obtain technical resources to maintain support?

– Can the system be scaled in terms of volume?

– Is the documentation adequate?

– Does the system run on out of date software?

Page 28

Example

• Single Sign-On implementation, assessed against the four risk categories: Availability, Access, Accuracy, Agility

Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

Page 29

Example

• Moving corporate data to the cloud, assessed against the four risk categories: Availability, Access, Accuracy, Agility

Source: George Westerman, http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/

Page 30

Corporate Cyber Security Summit

The Security Processes You Must Get Right

Page 31

A Security Framework

Governance

Operational

3. The Security Processes You Must Get Right

Page 32

The Processes

• Vulnerability management

• Incident response

• Security awareness

These are the processes that should be considered the foundation of your security operations function. Certain operational security processes are critical in ensuring that information security is managed effectively.

Page 33

Is that it?

• Some key security processes exist in the governance layers

• Other processes to consider

Page 34

Getting it Right?

• Documentation

– Purpose

– Process description

– Process flow chart

– Responsibility matrix (RACI)

– Metrics

Page 35

Vulnerability Management

• Phases

– Policy

– Discovery

– Reporting

– Prioritisation

– Response

– Eliminate root cause

– Monitor

Page 36

Incident Response

• Phases

– Preparation

– Identification

– Containment

– Eradication

– Review

Page 37

Security Awareness

• C-level support

• Understand your organisation's culture

• Partner with other business areas

• Metrics

• Change in behaviour is the goal

– Define the behaviours (in English)

– Engage through social media

– Use entertainment as a teaching tool

Page 38

Questions

Page 39

Contact

[email protected]

• LinkedIn – http://www.linkedin.com/pub/wayne-tufek/0/338/312