Establishing a Security Standards Framework
November 2015
TRANSCRIPT
Introduction
• Not security metrics
• Strategy
• Trends, compliance vs. risk-based security
• Frameworks
• Measuring success and failure
• How does Lincoln Electric do it
Speaker Bio
• Global Director, IT Security, Lincoln Electric
• 19 years of IT experience
• Practitioner in infrastructure and security
• Majority of career in the manufacturing sector
• CISSP, CISM
• [email protected]
• https://www.linkedin.com/in/cprewitt
A recent survey on the Security Status of the Manufacturing Industry
• 36% have not implemented security standards for third-party providers.
• 42% do not perform security risk assessments of third-party vendors.
• 47% do not have a security strategy for cloud computing.
• 46% do not perform vulnerability assessments.
• 33% have not implemented privileged user access.
PricewaterhouseCoopers LLP, Global State of Information Security Survey: 2015 (Industrial Products Summary)
Security spending….
…has traditionally been tactical in nature and often based on “gut feel”. Too much? Too little?
Balance of Security vs. Convenience
The degree of protection applied to the potential loss:
• Maintain confidence
• Minimize loss
• Mitigate risk
Trends in Cyber Security ………
1) Cybercrime
– Enterprises continued to develop capabilities; unfortunately, so did adversaries, some of whom launched formidable attacks over the course of the year.
– 95% of incidents were attributed to state-sponsored actors, and for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.
– Manufacturing continues to be the industry most affected by cyber-espionage.
2) Privacy and Regulations
– Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of Personally Identifiable Information, with penalties for organizations that fail to sufficiently protect it.
– The regulatory landscape forces greater disclosure and liability, particularly in Europe.
3) Threats from Third-Party Providers
– The percentage of incidents attributed to current and former service providers, consultants, and contractors increased to 18% and 15%, respectively, in 2014. ~ PwC, The Global State of Information Security Survey 2015
– As more and more companies leverage third parties for software, infrastructure and services, proper due diligence is required to understand those parties' internal controls, security and business continuity.
Trends in Cyber Security ………
4) Disruptive Technology
– Trends continue toward the expansion of Bring Your Own Device (cellphones, laptops, etc.), and companies are focusing on securing access by understanding who is on the network, when and how.
– As companies open up access to more cloud, collaboration and social tools, cyber criminals attack these vectors to hide the exfiltration of data.
– Internet of Things attacks have moved from proof-of-concept to mainstream risks. Every internet-connected device enlarges the attack surface.
5) Engagement with Your People
– All cyber attacks involve human adversaries; therefore, we have to continue to educate employees on the risk of cybercrime and the potential loss to the organization.
– Security awareness has to become more than an exercise: it must become part of the culture and be ingrained in the individual, so that people consistently evaluate risks and become part of the mitigating control.
– People, process and technology, together, must form the defense against today’s threats.
In response to potential attackers, best practice has developed around the stages of an attack
Pre-Compromise → Compromise → Post-Compromise: the risk, and the cost to contain and remediate, increase at each stage.
Today's advanced threats occur in "kill chains". These attacks attempt to evade traditional filtering and anti-virus defenses to steal an organization’s valuable data.
Advanced threats can be stopped at any stage if defenses are properly aligned to protect the organization.
ISO 27001:2013
ISO 27001 is an internationally recognized, certifiable information security standard that formally evaluates the totality of an organization’s information assets, then steps through a process which gauges the risks related to those assets and brings information security under explicit management controls.
Areas of Focus to be Evaluated (Annex A control areas)
5. Information Security Policies
6. Organization of Information Security
7. Human Resource Security
8. Asset Management
9. Access Control
10. Cryptography
11. Physical and Environmental Security
12. Operations Security
13. Communications Security
14. System Acquisition, Development and Maintenance
15. Supplier Relationships
16. Information Security Incident Management
17. Information Security Aspects of Business Continuity Management
18. Compliance
Critical Security Controls Top 20 (formerly SANS)
COBIT/COSO
National Institute of Standards and Technology (NIST)
Comparison of Frameworks
Importance of measurement
“Whenever you can, count.” - Sir Francis Galton
“If it cannot be expressed in figures, it is not science. It is opinion.” - Robert Heinlein
“If you cannot measure it, you cannot control it.” - Lord Kelvin
Capability Maturity Model Integration (CMMI)
Our approach to IT Risk Management requires actions in the following areas …..
• Determination of inherent risk profile
• Consideration of established professional standards
• Completion of external benchmarking and assessments
• Completion of internal assessments
• Development of a Risk Mitigation Plan and related execution
• Established monitoring and controls
Information Security Program
Governance and Compliance
- Security Architecture
- Regulatory Compliance
- Organizational Security
- Controls Development
- Security Awareness
- Vendor Security Reviews
Information Security
- Vulnerability Management
- Application Security
- Malware Protection
- Secure Design & Coding
- Security Monitoring
- Intrusion Prevention
- Perimeter Security
- Penetration Testing
Operations & BCP/DR
- Identity & Access Mgt.
- Access Reviews
- Business Continuity
- Business Impact Analysis
- Disaster Recovery Plans
- Disaster Recovery Exercises
Forensics
- Security Response
- eDiscovery
- Research & Forensics
- Legal & HR Support
Layers: People/Strategic, Process/Operational, Technology/Tactical
Reporting Accessibility
Organizational Structure
ISO 27001:2013 (slide repeated; control areas as listed above)
Security Program Measurement
Current State Gap Analysis Worksheet
Ranking Points (maturity scale): 1 - Initial, 2 - Basic, 3 - Capable, 4 - Efficient, 5 - Optimizing
Industry Ranking: What is the industry average for this area? The industry average is based on a combination of variables including industry, organizational complexity, data to protect and size of the organization.
Globalization: where requirements have been implemented in a standard approach.
These rankings are the perceived states according to personnel and may not reflect the actual state based on findings, unless validation and testing was performed.
Enforcement and Monitoring: Poor / Fair / Good / Excellent
Worksheet example: ISO 17799 Requirement 1 - Security Policies
1.0 Information Security Policies and Standards
The objective for reviewing this area is to ensure that there are standards and policies in place for personnel to follow relating to information security. Policy to support background checks for all “users” should be discussed in this section.
1 - There are no formal Information Security Policies and Standards (ISSP).
2 - There are no formal Information Security Policies and Standards; however, default standards and policies are communicated to personnel to follow.
3 - There are scattered ‘formal’ Information Security Policies and Standards in place.
4 - There is a comprehensive set of formal Information Security Policies and Standards in place that are understood and utilized by personnel. The Information Security Policies should be reviewed annually. The policies should be approved by global and local leadership.
5 - There are formal Information Security Policies and Standards in place that are distributed to all personnel. Compliance is ensured through random testing on a regular basis. All users sign the policies each year at their respective year-end reviews.
Progress/Accomplishments (rated in 2012, 2013 and 2014): Policies have been developed and integrated with financial policies.
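How the per-area worksheet ratings roll up into a single scorecard number (the kind of ISO Scorecard figure reported later in the deck) is not spelled out on the slides. The following Python is an added example, not Lincoln Electric's tool or any code from this presentation. It assumes a plain average of one rating per ISO 27001 control area on the worksheet's 1-5 scale, and it keeps the worksheet's own caveat explicit by carrying a separate validated rating for areas where testing was actually performed, so that a self-reported figure is never silently blended with a tested one. The area names, ratings and target value are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Maturity scale from the gap analysis worksheet (Ranking Points).
LEVELS = {1: "Initial", 2: "Basic", 3: "Capable", 4: "Efficient", 5: "Optimizing"}


@dataclass
class AreaRating:
    area: str                        # ISO 27001:2013 Annex A control area
    perceived: int                   # level reported by personnel (self-assessment)
    validated: Optional[int] = None  # level confirmed by testing/evidence; None if untested

    def effective(self) -> int:
        """Validated level wins; otherwise the perceived level, which is only a claim."""
        for lvl in (self.perceived, self.validated):
            if lvl is not None and lvl not in LEVELS:
                raise ValueError(f"{self.area}: level {lvl} is outside the 1-5 scale")
        return self.validated if self.validated is not None else self.perceived


def scorecard(ratings, target=3.75):
    """Roll per-area ratings up into the scorecard figures (assumed method: plain mean).

    Returns a dict with:
      overall        - mean effective level over all areas (the single scorecard number)
      validated_only - mean over areas that were actually tested, or None if none were
      unvalidated    - areas whose score rests on self-assessment alone
      gaps           - (area, effective level, shortfall against target), largest first
    """
    if not ratings:
        raise ValueError("no areas rated")
    effective = {r.area: r.effective() for r in ratings}
    overall = round(sum(effective.values()) / len(effective), 2)

    tested = [r.validated for r in ratings if r.validated is not None]
    validated_only = round(sum(tested) / len(tested), 2) if tested else None
    unvalidated = [r.area for r in ratings if r.validated is None]

    gaps = sorted(
        ((area, lvl, round(max(target - lvl, 0), 2)) for area, lvl in effective.items()),
        key=lambda g: g[2],
        reverse=True,  # sort is stable: equal shortfalls keep worksheet order
    )
    return {"overall": overall, "validated_only": validated_only,
            "unvalidated": unvalidated, "gaps": gaps}


# Constructed sample worksheet: five Annex A areas, not Lincoln Electric's real ratings.
SAMPLE = [
    AreaRating("A.5 Information Security Policies", perceived=4, validated=4),
    AreaRating("A.9 Access Control", perceived=4, validated=3),   # tested lower than reported
    AreaRating("A.12 Operations Security", perceived=3, validated=3),
    AreaRating("A.15 Supplier Relationships", perceived=3),       # never validated
    AreaRating("A.16 Incident Management", perceived=5),          # never validated
]

if __name__ == "__main__":
    result = scorecard(SAMPLE)
    print(f"overall {result['overall']}  validated-only {result['validated_only']}")
    print("unvalidated:", ", ".join(result["unvalidated"]))
    for area, lvl, gap in result["gaps"]:
        print(f"{area:<36} {lvl} {LEVELS[lvl]:<11} gap {gap}")
```

The separate validated-only average and the list of unvalidated areas are the point: when the two averages diverge, or a high-scoring area has never been tested, the gap analysis is measuring perception rather than control effectiveness, which is exactly the caveat the worksheet states in prose.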
Highlights of ISO 27001 Assessment …. remediation actions have been developed for high risk areas
Control | Risk | Comments
Access Control Process: Privileged Access Control | High | SAP very good model. Active Directory needs to be improved.
Configuration Management Process: Patch Management (OS - Operating System) | High | Always going to be high risk. Improve process for smartphones.
Configuration Management Process: Patch Management (Apps - applications) | High | Improve patch management process for SAP applications.
Risk Management Process: Legal Compliance | High | Review of IT Security requirements from a global legal perspective.
“Lincoln Electric personnel have demonstrated a high level of expertise…
…strong quality in the organization’s current information security processes.
When comparing Lincoln Electric to organizations similar in size and scope, Lincoln has a much smaller risk profile…
Lincoln Electric has been continuously improving the organization’s risk posture over the last few years.”
Capability Maturity Model Integration (CMMI)
Through security awareness and education, create a culture where security is an instinctive part of every associate’s day-to-day operations.
Awareness (I know it exists)
Understanding (I know what it is)
Value (I know why it is worthwhile)
Ownership (I like it)
Commitment (I’ll do it)
Communication (I’ll promote it)
Development (I’ll help enhance it)
Meaningful Behavioural Change
Strive for Excellence!
Expanded Security Awareness training capabilities …….
• According to the Verizon Breach Report, 23% of recipients open phishing messages and 11% click on attachments.
• One of the most effective ways to minimize the phishing threat is through awareness and training.
• Lincoln continues to provide awareness training and routinely tests all global employees.
Market performance
Metrics are integral to developing capabilities – weekly dashboards drive focus
One of our Key IT Risk categories is Cyber Security
Risk Category: Risk Description
Cyber Security: Risk associated with engaging through internet capabilities. A compromised or breached environment gives an internet-based attacker inappropriate access to systems or data. In many cases, vulnerabilities in an environment could be exploited to compromise it.
Business Interruption (Disaster Recovery): Risk associated with an interruption in the use of systems; typically, this risk results from a natural disaster or other event that destroys systems or renders access to them impractical.
Mobility: Risk associated with employee use of mobile technologies, e.g., smartphones, tablets, laptops. A compromise of our data or systems can result from insecure devices, and from access obtained through physical means or through internet access.
Intellectual Property and Data Loss: Risk associated with potential loss of intellectual property due to information theft or leakage, a lack of backup and restore capabilities, or the inability to support use of an application.
External Services (Cloud, SaaS, Hosting Solutions): Risk associated with hosting our data or systems through or at external resources. Examples include software as a service (SaaS) or other cloud (internet-based) hosting solutions.
Social Media: Risk associated with Company and employee use of social media networks such as Facebook, Twitter, YouTube, etc.
High Availability: Risk that systems are not consistently available for stakeholder (e.g., employee, customer) use. Supportable architectural standards, backup processes and network redundancy are examples of approaches that minimize disruption.
Risk Mitigation Plan – Cyber Security
Key Metrics | Plan | Actual | Status
ISO Scorecard – bi-annual | 3.75 (Dec 2014) | 3.9 (July 2015) |
Weekly vulnerability scan and assessment – Global | A Grade | A Grade |
Completion of remediation from assessments | Complete per remediation plan | Progress in line with plans |
Improvement opportunities and action plan | Owner | Timing
► Continued development of the IT Security program, with a target rating of 3.75 by end of 2015 against a current rating of 3.9. Significant improvement in Data Loss Prevention and External Service Management, with continued focus on maturing these programs. The primary areas of focus in 2015 – 2016 will be: Application Security, Education Awareness, Cloud Risk Assessment, Perimeter Security and Phishing Defense. An investment was made in cyber insurance to help mitigate residual risk. | Team | Dec 2015
Key business risks
► Breach of systems compromising customer, employee and/or intellectual property.
► Reputational risk
► Systems disruption – including loss of data
► Regulatory compliance – e.g., SEC, PCI
► Lost sales – B2C and B2B
► Lost productivity
Key strategy/initiative
Develop and implement a global cyber security program in line with ISO standards.
Team members
CIO (Bruno), Director of IT Security (Prewitt), IT Governance Committee
Mitigating controls | Owner | Date | Status
Vulnerability Assessments – patch management process | Prewitt | Weekly |
Policies and Standards – including development of External Services Policy | Bruno | Annual |
Awareness Training (monthly communications, SAI Global, Wombat) | Prewitt, HR | Monthly, various |
Completion of External and Internal Assessment and related remediation | Prewitt, External | Ongoing |
External Services Management and Risk Mitigation | IT Directors | In Process |
Resource alignment – Regional and External | Bruno and Prewitt | Ongoing |
Breach response plan to complement Incident Response Program | Prewitt / IT Governance | 2015 |
Application Security Upgrades | IT Security / Systems Development | Ongoing |
What This Translates Into
• Overarching Governance Model – Accountability and Consistency
• Prevention Measures
– Thorough and Proactive Risk Analysis
– Sound Security Policies
– Employee Security Awareness and Training
– Well-Designed Security System Architecture
– Proactive Vulnerability Assessments
– Penetration Testing – 3rd Party
• Detection Measures
– Ongoing monitoring
• Response Measures
– Effective Incident Response