Establishing a Security Standards Framework
November 2015

TRANSCRIPT

Page 1: Establishing a Security Standards Framework, November 2015 (title slide)

Page 2: Introduction

• Not security metrics
• Strategy
• Trends; compliance-based vs. risk-based security
• Frameworks
• Measuring success and failure
• How Lincoln Electric does it

Page 3: Speaker Bio

• Global Director, IT Security, Lincoln Electric
• 19 years of IT experience
• Practitioner in infrastructure and security
• Majority of career in the manufacturing sector
• CISSP, CISM
• https://www.linkedin.com/in/cprewitt

Page 4: A recent survey on the security status of the manufacturing industry

• 36% have not implemented security standards for third-party providers.
• 42% do not perform security risk assessments of third-party vendors.
• 47% do not have a security strategy for cloud computing.
• 46% do not perform vulnerability assessments.
• 33% have not implemented privileged user access controls.

Source: PricewaterhouseCoopers LLP, The Global State of Information Security Survey 2015 (Industrial Products summary)

Page 5: Security spending

Security spending has traditionally been tactical in nature and often based on “gut feel”. Too much? Too little?

Page 6: Balance of security vs. convenience

The degree of protection applied should be proportionate to the potential loss.

• Maintain confidence
• Minimize loss
• Mitigate risk

Page 7: Trends in Cyber Security

1) Cybercrime
– Enterprises continued to develop capabilities; unfortunately, so did adversaries, some of whom launched formidable attacks over the course of the year.
– 95% of cyber-espionage incidents were attributed to state-sponsored actors, and for two years running more than two-thirds of the incidents that make up the cyber-espionage pattern have featured phishing.
– Manufacturing continues to be the industry most affected by cyber-espionage.

2) Privacy and Regulations
– Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of Personally Identifiable Information, with penalties for organizations that fail to protect it sufficiently.
– The regulatory landscape forces greater disclosure and liability, particularly in Europe.

3) Threats from Third-Party Providers
– The percentage of incidents attributed to current and former service providers, consultants and contractors rose to 18% and 15% respectively in 2014. (PwC, The Global State of Information Security Survey 2015)
– As more companies rely on third parties for software, infrastructure and services, proper due diligence is required to understand their internal controls, security and business continuity.

Page 8: Trends in Cyber Security (continued)

4) Disruptive Technology
– Bring Your Own Device (cellphones, laptops, etc.) continues to expand, and companies are focusing on securing access by understanding who is on the network, when and how.
– As companies open up access to more cloud, collaboration and social tools, cyber criminals attack these vectors and use them to hide the exfiltration of data.
– Internet of Things attacks have moved from proof-of-concept to mainstream risks. Every internet-connected device adds to the attack surface.

5) Engagement with Your People
– All cyber attacks involve human adversaries, so we have to continue to educate employees on the risk of cybercrime and the potential loss to the organization.
– Security awareness has to become more than an exercise: it must become part of the culture and be ingrained in the individual, so that people consistently evaluate risks and become part of the mitigating control.
– People, process and technology, together, must form the defense against today’s threats.

Page 9: In response to potential attackers, best practices have been developed

Stages of an attack (risk and cost to contain and remediate increase from left to right):

Pre-Compromise → Compromise → Post-Compromise

Today's advanced threats unfold as "kill chains". These attacks attempt to evade traditional filtering and anti-virus defenses in order to steal an organization’s valuable data.

Advanced threats can be stopped at any stage if defenses are properly aligned to protect the organization.

Page 10: ISO 27001:2013

ISO 27001 is an internationally recognized, certifiable information security standard. It formally evaluates the totality of an organization’s information assets, then steps through a process that gauges the risks related to those assets and brings information security under explicit management controls.

Areas of focus to be evaluated (the control clauses of ISO 27001:2013 Annex A, A.5 to A.18):

5. Information Security Policies
6. Organization of Information Security
7. Human Resource Security
8. Asset Management
9. Access Control
10. Cryptography
11. Physical and Environmental Security
12. Operations Security
13. Communications Security
14. Information Systems Acquisition, Development and Maintenance
15. Supplier Relationships
16. Incident Management
17. Business Continuity Management
18. Compliance

Page 11: Critical Security Controls Top 20 (formerly the SANS Top 20)

Page 12: COBIT/COSO

Page 13: National Institute of Standards and Technology (NIST)

Page 14: Comparison of Frameworks

Page 15: Importance of measurement

“Whenever you can, count.” (Sir Francis Galton)

“If it cannot be expressed in figures, it is not science. It is opinion.” (Robert Heinlein)

“If you cannot measure it, you cannot control it.” (Lord Kelvin)

Page 16: Capability Maturity Model Integration (CMMI)

Page 17: Our approach to IT Risk Management requires actions in the following areas

• Determination of the inherent risk profile
• Consideration of established professional standards
• Completion of external benchmarking and assessments
• Completion of internal assessments
• Development of a Risk Mitigation Plan and related execution
• Established monitoring and controls

Page 18: Information Security Program (organizational structure)

Governance and Compliance
- Security Architecture
- Regulatory Compliance
- Organizational Security
- Controls Development
- Security Awareness
- Vendor Security Reviews

Information Security
- Vulnerability Management
- Application Security
- Malware Protection
- Secure Design & Coding
- Security Monitoring
- Intrusion Prevention
- Perimeter Security
- Penetration Testing

Operations & BCP/DR
- Identity & Access Mgt.
- Access Reviews
- Business Continuity
- Business Impact Analysis
- Disaster Recovery Plans
- Disaster Recovery Exercises

Forensics
- Security Response
- eDiscovery
- Research & Forensics
- Legal & HR Support

Axis labels on the slide: People / Strategic, Process / Operational, Technology / Tactical; Reporting Accessibility.

Page 19: ISO 27001:2013 (repeat of the page 10 slide)

Page 20: Security Program Measurement

Page 21: Current State Gap Analysis Worksheet (example)

ISO 17799 Requirement 1 - Security Policies
1.0 Information Security Policies and Standards

Objective: The objective for reviewing this area is to ensure that there are standards and policies in place for personnel to follow relating to information security. Policy to support background checks for all “users” should be discussed in this section.

Ranking scale (1 - Initial, 2 - Basic, 3 - Capable, 4 - Efficient, 5 - Optimizing):
1. There are no formal Information Security Policies and Standards (ISSP).
2. There are no formal Information Security Policies and Standards; however, default standards and policies are communicated to personnel to follow.
3. There are scattered ‘formal’ Information Security Policies and Standards in place.
4. There is a comprehensive set of formal Information Security Policies and Standards in place that are understood and utilized by personnel. The policies should be reviewed annually and approved by global and local leadership.
5. There are formal Information Security Policies and Standards in place that are distributed to all personnel. Compliance is ensured through random testing on a regular basis. All users sign the policies each year at their respective year-end reviews.

Ranking points: scored 1 to 5 for each of 2012, 2013 and 2014 (the plotted values are not legible in the transcript).

Industry Ranking: What is the industry average for this area? The industry average is based on a combination of variables including industry, organizational complexity, data to protect and size of the organization.

Globalization: Where requirements have been implemented in a standard approach (scored 1 to 5).

Enforcement and Monitoring: Poor / Fair / Good / Excellent.

Progress/Accomplishments: Policies have been developed and integrated with financial policies.

Note: These rankings are the perceived states according to personnel and may not reflect the actual state based on findings, unless validation and testing was performed.

Page 22: Highlights of the ISO 27001 Assessment (remediation actions have been developed for high risk areas)

Capability Maturity Model Integration

Control | Risk | Comments
Access Control Process: Privileged Access Control | High | SAP very good model. Active Directory needs to be improved.
Configuration Management Process: Patch Management (OS - operating system) | High | Always going to be high risk. Improve process for smartphones.
Configuration Management Process: Patch Management (Apps - applications) | High | Improve patch management process for SAP applications.
Risk Management Process: Legal Compliance | High | Review of IT Security requirements from a global legal perspective.

From the assessment:

“Lincoln Electric personnel have demonstrated a high level of expertise… …strong quality in the organization’s current information security processes. When comparing Lincoln Electric to organizations similar in size and scope, Lincoln has a much smaller risk profile… Lincoln Electric has been continuously improving the organization’s risk posture over the last few years.”

Page 23

Through security awareness and education, create a culture where security is an instinctive part of every associate’s day-to-day operations.

Stages of adoption, leading to meaningful behavioural change:

• Awareness (I know it exists)
• Understanding (I know what it is)
• Value (I know why it is worthwhile)
• Ownership (I like it)
• Commitment (I’ll do it)
• Communication (I’ll promote it)
• Development (I’ll help enhance it)

Strive for Excellence!

Page 24: Expanded security awareness training capabilities

• According to the Verizon Data Breach Investigations Report, 23% of recipients open phishing messages and 11% click on attachments.
• One of the most effective ways to minimize the phishing threat is through awareness and training.
• Lincoln continues to provide awareness training and routinely tests all global employees.

Page 25: Metrics are integral to developing capabilities; weekly dashboards drive focus

Page 26: One of our key IT risk categories is Cyber Security

Risk Category: Risk Description

Cyber Security: Risk associated with engaging through internet capabilities. A compromised or breached environment results in inappropriate access to systems or data by an internet attacker. In many cases, vulnerabilities in an environment could be exploited to compromise it.

Business Interruption (Disaster Recovery): Risk associated with an interruption in the use of systems. Typically this risk results from a natural disaster or other event that destroys systems or renders access to them impractical.

Mobility: Risk associated with employee use of mobile technologies, e.g. smartphones, tablets, laptops. A compromise of our data or systems can result from insecure devices and from access obtained through physical means or through internet access.

Intellectual Property and Data Loss: Risk associated with potential loss of intellectual property due to information theft or leakage, a lack of backup and restore capabilities, or an inability to support use of an application.

External Services (Cloud, SaaS, Hosting Solutions): Risk associated with hosting our data or systems through or at external resources. Examples include software as a service (SaaS) and other cloud (internet-based) hosting solutions.

Social Media: Risk associated with company and employee use of social media networks such as Facebook, Twitter, YouTube, etc.

High Availability: Risk that systems are not consistently available for stakeholder (e.g. employee, customer) use. Supportable architectural standards, backup processes and network redundancy are examples of approaches that minimize disruption.

Page 27: Risk Mitigation Plan - Cyber Security

Key metrics (Plan / Actual / Status):
- ISO scorecard, bi-annual: plan 3.75 (Dec 2014); actual 3.9 (July 2015)
- Weekly vulnerability scan and assessment, global: plan A grade; actual A grade
- Completion of remediation from assessments: plan complete per remediation plan; actual progress in line with plans

Improvement opportunities and action plan (Owner: Team; Timing: Dec 2015):
► Continued development of the IT Security program with a target of a 3.75 rating by end of 2015 against a current rating of 3.9. Significant improvement in Data Loss Prevention and External Service Management, with continued focus on maturing these programs. The primary areas of focus in 2015-2016 will be: Application Security, Education and Awareness, Cloud Risk Assessment, Perimeter Security and Phishing Defense. An investment was made in cyber insurance to help mitigate residual risk.

Key business risks:
► Breach of systems compromising customer, employee and/or intellectual property.
► Reputational risk
► Systems disruption, including loss of data
► Regulatory compliance, e.g. SEC, PCI
► Lost sales, B2C and B2B
► Lost productivity

Key strategy/initiative: Develop and implement a global cyber security program in line with ISO standards.

Team members: CIO (Bruno), Director of IT Security (Prewitt), IT Governance Committee

Mitigating controls (Owner / Date / Status):
- Vulnerability assessments, patch management process: Prewitt; weekly
- Policies and standards, including development of an External Services Policy: Bruno; annual
- Awareness training (monthly communications, SAI Global, Wombat): Prewitt, HR; monthly, various
- Completion of external and internal assessment and related remediation: Prewitt, external; ongoing
- External services management and risk mitigation: IT Directors; in process
- Resource alignment, regional and external: Bruno and Prewitt; ongoing
- Breach response plan to complement the Incident Response Program: Prewitt / IT Governance; 2015
- Application security upgrades: IT Security / Systems Development; ongoing

Page 28: What This Translates Into

• Overarching governance model: accountability and consistency
• Prevention measures
  – Thorough and proactive risk analysis
  – Sound security policies
  – Employee security awareness and training
  – Well-designed security system architecture
  – Proactive vulnerability assessments
  – Penetration testing by a third party
• Detection measures
  – Ongoing monitoring
• Response measures
  – Effective incident response