risk management, ciso - kirk and ernie
Post on 09-Jan-2016
-
RISK MANAGEMENT: AT THE HEART OF SECURITY DECISION-MAKING FOR THE CISO

Kirk Bailey, CISSP, CISM, Chief Information Security Officer, University of Washington, kirkb01@washington.edu
Ernie Hayden, CISSP, Chief Information Security Officer, Port of Seattle, Hayden.e@portseattle.org
-
THE CURRENT TECHNOLOGY RISK PICTURE
PLENTY OF MONSTERS OUT THERE!
-
True Cost of Convenience Model: Security vs Convenience, Liability vs Convenience
AT THE HEART OF MOST TECHNOLOGY-BASED RISK
A different way to look at your risk
-
The Convenience Factor
(Chart: convenience runs from Less to More along the horizontal axis; the liability curve and the security curve are both marked Increased, and the crossover point between them moves based on security needs, etc.)
-
The Convenience Factor: Buy Insurance
(Chart: buying insurance / transferring risk shifts the crossover point, so more convenience is allowed.)
-
The Convenience Factor: Add Security Controls
(Chart: adding security controls shifts the crossover point.)
-
COMING TO GRIPS WITH RISK MANAGEMENT AS A CISO
Different kinds of risk management:
Daily work issues
Larger strategic and planning issues
Different approaches, models, and tools can be used by a CISO
-
SECURITY PROFESSION EXPERTISE LEVELS
(Chart based on Forrester, April 2005, and enhanced/modified by Kirk Bailey and Ernie Hayden)

Technology Security (Engineering Technology Problems):
Firewalls, Intrusion Detection, Network Security, Viruses, Worms, Crimeware, System Hardening, Encryption

Information Security (Business Problems):
Risk Management, Business Continuity / Disaster Planning, Intellectual Property, Business / Financial Integrity, Regulatory Compliance, Industrial Espionage, Privacy, Forensics & Investigations

Strategic Security (Critical Security Problems):
Terrorism & CyberCrime, Regional Interests (Including Cyber and Natural Disasters), Nation State Interests, Intelligence, Professional Alliances, Politics, Strategies and Tactics

RESEARCH (vertical label running alongside the three levels)
-
The POS (Port of Seattle) Risk In-Basket
Microsoft Word Zero-Day Exploits
Microsoft Only Releases 4 vs 8 Patches: What is the Risk of not having the other 4?
Implications of Federal Rule on Criminal Procedure regarding E-Discovery? What about IM? Voicemail? Email?
How to Securely Handle TSA Data? Transmission, Storage
House Audit of Personal Information Handling
PCI Compliance Issues
Vista Roll Out Concerns
-
UW Information Systems Security Risk Mapping
-
RISK AREAS / RISK REGISTER
The UW ERM program has identified four (4) general Risk Areas for defining, grouping and analyzing risks. They are:
Compliance
Financial
Operational
Strategic
-
ISS OPERATIONAL RISK (5 identified):
Computing Systems: Loss, disruption or unauthorized use of computing resources
Network / Telecommunications: Loss, degradation or unauthorized access of network/telecommunication resources
Data Management: Destruction, corruption or theft of information
Physical and Environmental Management: Theft, destruction or unauthorized access to facilities or assets; Environmental/natural caused damage to facilities, assets or harm to people
(example)
-
ISS STRATEGIC RISK (6 identified):
Organizational Authority (lack of it): Unnecessary financial costs; Unable to correct high risk incidents or behavior upon notice; Loss of competitive advantage; Overall security may suffer as a result of competing priorities
Strategic Business Partnering and Alliances: Missed legal and regulatory interests; Missed business opportunities
(example)
-
Rank | Description | Injuries | Financial Loss | Asset Loss | Interruption of Services | Reputation & Image | Performance Loss
5 | Catastrophic | Multiple deaths or severe permanent disabilities | > $10M or > 6% of Operational Budget | Complete loss of assets | > 1 month | Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions | > 50% variation to Key Performance Indicators (KPIs)
4 | Disastrous | Death or extensive injuries | $3M - $10M or 6% of Operational Budget | Significant loss of assets | 1 week - 1 month | Substantiated, public embarrassment, high impact, high news profile, third party actions | 25 - 50% variation to KPI
3 | Serious | Medical treatment | $250K - $3M or 2% of Operational Budget | Major damage to assets | > 1 day to < 1 week | Substantiated, public embarrassment, moderate impact, moderate news profile | 10 - 25% variation to KPI
2 | Minor | First aid treatment | $50K - $250K or 1% of Operational Budget | Minor loss or damage to assets | 1/2 - 1 day | Substantiated, low impact, low news profile | 5 - 10% variation to KPI
1 | Insignificant | No injuries | < $50K or 0.5% of Operational Budget | Little or no impact on assets | < 1/2 day | Unsubstantiated, low impact, low profile or no news items | Up to 5% variation to KPI
-
Risk Ranking: measures of likelihood and impact are multiplied to determine the level of risk (risk score = likelihood rating x impact rating, 1 to 25).

LIKELIHOOD (down) x IMPACT (across) | 1 Insignificant | 2 Minor | 3 Serious | 4 Disastrous | 5 Catastrophic
5 Almost Certain | 5 | 10 | 15 | 20 | 25
4 Likely | 4 | 8 | 12 | 16 | 20
3 Possible | 3 | 6 | 9 | 12 | 15
2 Unlikely | 2 | 4 | 6 | 8 | 10
1 Rare | 1 | 2 | 3 | 4 | 5
-
RISK MANAGEMENT HEAT CHARTS
(Three risk maps plot the twelve register risks, numbered 1 to 12, on the likelihood x impact grid: RISK MAP WITHOUT CONTROLS, RISK MAP WITH CURRENT CONTROLS, and RISK MAP MITIGATION PLAN. Only the risk numbers survive from the chart images; their grid positions are in the original slides.)
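The likelihood x impact ranking, the consequence table and the three heat charts above, worked through in code. This is an added example, not code from the presentation or from the UW ERM program: the register entries, dollar losses, outage times, controls, the operational budget figure, and the rule that a risk's overall impact rank is its worst single dimension are all constructed assumptions.

```python
"""Worked example of the UW risk-mapping model: consequence rating from the
consequence table, risk = likelihood x impact, and the three heat charts
(without controls, with current controls, mitigation plan).

Added example, not code from the presentation. Every risk, dollar figure,
outage time and control below is constructed for illustration, and the
rule that the overall impact is the worst single dimension is an
assumption (the slides do not say how the dimensions are combined).
"""
from __future__ import annotations

from dataclasses import dataclass, replace

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}

# Financial-loss column of the consequence table. Dollar figures are the lower
# bound of each rank; the percent-of-operational-budget figures are read as
# the upper bound of each rank, rank 5 being more than 6%.
DOLLAR_LOWER = [(5, 10_000_000), (4, 3_000_000), (3, 250_000), (2, 50_000)]
PCT_UPPER = [(1, 0.005), (2, 0.01), (3, 0.02), (4, 0.06)]


def financial_rank(loss_usd: float, operational_budget: float | None = None) -> int:
    """Rank 1-5; use the budget-share scale when a budget is supplied."""
    if operational_budget:
        share = loss_usd / operational_budget
        return next((rank for rank, upper in PCT_UPPER if share <= upper), 5)
    return next((rank for rank, lower in DOLLAR_LOWER if loss_usd >= lower), 1)


def outage_rank(hours: float) -> int:
    """Interruption-of-services column: 1/2 day, 1 day, 1 week, 1 month."""
    if hours > 24 * 30:
        return 5          # more than 1 month
    if hours >= 24 * 7:
        return 4          # 1 week - 1 month
    if hours > 24:
        return 3          # > 1 day to < 1 week
    if hours >= 12:
        return 2          # 1/2 - 1 day
    return 1              # < 1/2 day


@dataclass(frozen=True)
class Risk:
    rid: int
    name: str
    likelihood: str              # key of LIKELIHOOD
    loss_usd: float
    outage_hours: float
    rated: tuple[int, ...] = ()  # injuries / assets / reputation / KPI ranks read off the table

    def impact(self) -> int:
        # Assumption: overall consequence is the worst single dimension.
        return max(financial_rank(self.loss_usd), outage_rank(self.outage_hours), *self.rated)

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * self.impact()


# Constructed register. Stage 1: without controls.
INHERENT = [
    Risk(1, "Ransomware on departmental file servers", "Likely", 4_000_000, 24 * 10),
    Risk(2, "Lost laptop holding TSA-regulated data", "Possible", 600_000, 0, rated=(4,)),
    Risk(3, "Campus network outage from a fiber cut", "Unlikely", 100_000, 36),
]
# Stage 2: with current controls (tested backups shorten the ransomware outage).
CURRENT = [
    replace(INHERENT[0], likelihood="Possible", loss_usd=1_000_000, outage_hours=72),
    INHERENT[1],          # no compensating control in place today
    INHERENT[2],
]
# Stage 3: mitigation plan (EDR + patching, full-disk encryption, redundant fiber path).
PLANNED = [
    replace(CURRENT[0], likelihood="Unlikely"),
    replace(CURRENT[1], loss_usd=60_000, rated=(2,)),
    replace(CURRENT[2], outage_hours=6),
]
STAGES = {"WITHOUT CONTROLS": INHERENT, "WITH CURRENT CONTROLS": CURRENT, "MITIGATION PLAN": PLANNED}


def cells(risks: list[Risk]) -> dict[tuple[int, int], list[int]]:
    """Map (likelihood, impact) grid cell -> risk ids plotted there."""
    grid: dict[tuple[int, int], list[int]] = {}
    for r in risks:
        grid.setdefault((LIKELIHOOD[r.likelihood], r.impact()), []).append(r.rid)
    return grid


def heat_chart(risks: list[Risk], title: str) -> str:
    """Plain-text 5x5 heat chart: likelihood down the side, impact across."""
    grid = cells(risks)
    lines = [f"RISK MAP {title}", "L\\I " + "".join(f"{i:>7}" for i in range(1, 6))]
    for lk in range(5, 0, -1):
        row = "".join(f"{','.join(map(str, grid.get((lk, im), []))):>7}" for im in range(1, 6))
        lines.append(f"{lk:<4}{row}")
    return "\n".join(lines)


def score_table() -> dict[int, tuple[int, ...]]:
    """Risk id -> (score without controls, with current controls, after plan)."""
    return {r.rid: tuple(s.score() for s in (INHERENT[i], CURRENT[i], PLANNED[i]))
            for i, r in enumerate(INHERENT)}


if __name__ == "__main__":
    for title, risks in STAGES.items():
        print(heat_chart(risks, title), end="\n\n")
    for rid, scores in sorted(score_table().items(), key=lambda kv: -kv[1][0]):
        print(f"risk {rid}: {' -> '.join(map(str, scores))}")
```

Running it prints the three plain-text maps and each risk's score trajectory (for the constructed register: 16 -> 9 -> 6, 12 -> 12 -> 6, 6 -> 6 -> 4). Note that the dollar scale and the budget-share scale can rank the same loss differently, so an organization picks one scale for its register and keeps it.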
-
Says one Microsoft source, carefully speaking in the hypothetical: "It would be nice to come out with a very low-cost/low profile server--something easy to use and easy to add large hard drives to. It would not only back up all the PCs in your house, but also handle patch management, anti-virus, spam filtering, anti-spyware, firewall management, AND also act as a TV server."
CES 2007: Gates Launches Windows Home Server at CES 2007 (HP, AMD partner on home server, due in second half of 2007)
Discussion Point: Risk assessment of this idea?
-
Technology Response vs Risk Response
Risk Mitigation Considerations:
Handling Reputation Loss?
Risk of Notifying or Not?
How Respond When Technology Fails?
I will say this ... organized cybercrime is now capable of bypassing ALL current industry standard security measures. We (the security/technology industry) are making the wrong bets concerning possible solution sets. If you manage security by the book or rely heavily on technology counter-measures you are playing into the skilled adversary's hands. You would be better off not wasting your time and spending it instead on staffing and planning for incident response, reputation loss and notification costs.
-
Thanks!