Post on 31-Aug-2020


Page 1: Houston SIM Chapter Cyber SIG
02f9c3b.netsolhost.com/blog1/wp-content/uploads/Risk...

Mike Davis: Senior Manager of IT Security (CISO) @ABS; CISSP, CISO, MSEE, PM…. [email protected] (Caveat - These are personal views & examples, not representing the company or other entities)

Dr Paula deWitte: Assistant Director, Texas A&M Cybersecurity Center, and Associate Professor of Practice, Computer Science and Engineering, Texas A&M University: [email protected]

Harvey Nusz - 4IT Security, Governance & Compliance (CEO/Owner); CIPM, CISSP, CRISC, CISA, CGEIT; ISACA Chapter president; Risk Management, Privacy and IT compliance / audit. [email protected]

“Lean RBSS Methods”

“Continuous Adaptive Risk and Trust Assessment (CARTA)” - Gartner’s 2017 IT Security Approach for the Digital Age

Answering the call of the wild (threat space) Using a Risk Based Security Strategy (RBSS)

KISS

Enterprise Risk Management (ERM) = business best risk value proposition

Houston SIM Chapter Cyber SIG

Page 2

Prelude

• Threats are pervasive, intruders are very good and share methods well (Hackers, nation states, criminals, etc, etc). (“Crime as a Service” makes every malcontent a very likely threat to counter)

• Data breaches escalate - 2017 on track to eclipse 2016 as the worst year on record; yet Data breach burnout continues…

• Do the Security basics very well; that sets a risk foundation. (85+% reduction in security incidents: cyber hygiene, encryption, IdAM & SIEM)

• ERM Policy drives integrated actions and enforcement. (a Risk Champion prioritizes risks and communicates risk appetite from the CEO to the shop floor)

• Major business initiatives accelerate – Pick one: Bi-Modal, EU’s “GDPR” law, digital transformation, Globalization, customer-centricity, business flexibility/agility (speed), cloud / mobile first, DevOps, blockchain, IOT, other “mega-trends” (analytics, AI, etc), etc…

Quit admiring the “RISK problem (threat / laws / complexity)” and start DOING something – a “Lean” RBSS approach

Page 3

WHY manage RISK

By being a trustworthy organization known for ‘walking the walk’ - focusing on the P&L benefits of mitigating company risks.

Increase integrity, safety, reliability & TRUST.

Improve the industry position, your BRAND.

Improve resiliency (minimize down time, lost efforts)

Improve compliance levels, enhance efficiencies.

– Integrate RBSS & CARTA into your Company Risk Effort

- Enhance, streamline current security based efforts

- Increase risk awareness and support in the company

Improve competitive advantage

DATA rules in every industry – security counts as does privacy – thus show excellence therein. ANY data breach could cause loss of business

Improving processes and supporting new services and products (support business groups’ productivity) = increased customer experience = revenues.

Page 4

Risk Big Picture (one of many!)

Data Breach – the Perfect Storm (of many!)

• Hacker Sophistication (“CaaS” proliferates)

• Many new business initiatives

• Technology Advancement (blockchain, et al..)

• Shrinking Resources (competing priorities)

• Government Regulations (USA & EU (“GDPR”))

• Renewed focus on Data’s Value

• Increased Outsourcing (third party / vendor management)

We Need an Enterprise Risk Management (ERM) Approach

Page 5

‘FUD’ – Key Threat examples:

• Data Breaches – 2016 worst year: 1093 events (2017 up 40%)

• Ransomware – worsens. $700+/attack. 90% of attacks arrive via email

• Internet of Things (IoT) threats hit home. PLCs to TVs. 20+B

Don’t spread Fear, Uncertainty and Doubt (FUD) OR chase the threats; rather, manage the risk consequences in your RBSS

• How much more bad news do we need – 1st Half 2017: The first six months of 2017 have seen an inordinate number of cybersecurity meltdowns. There has been viral, state-sponsored ransomware, leaks of spy tools from US intelligence agencies, and full-on campaign hacking.

--- Shadow Brokers - The hacking group claims to have breached the spy tools of the elite NSA.

--- WannaCry - A strain of ransomware spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations.

--- Petya/NotPetya/Nyetya/Goldeneye - A month or so after WannaCry, another wave of ransomware.

--- Wikileaks CIA Vault 7 - Published 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools.

--- Cloudbleed - A bug in an internet infrastructure company’s platform caused random leakage of potentially sensitive customer data from about six million customer websites.

--- 198 Million Voter Records Exposed - A publicly accessible database was discovered that contained personal information for 198 million US voters—possibly every American voter for more than 10 years.

Page 6

So who cares? The BOARD! (re: their D & O liability and stockholder reporting)

Cyber-risk Oversight / NACD Director’s Handbook Series

NACD, in conjunction with AIG and the Internet Security Alliance, has identified five steps boards should consider as they seek to enhance their oversight of cyber risks. Their handbook was organized according to these five key cyber-risk principles:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agendas.

4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget (note - fiscal reality check – enough resources - not likely for many = RBSS)

5. Board-management discussions about cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

https://www.nacdonline.org/files/FileDownloads/NACD%20Cyber-Risk%20Oversight%20Handbook%202017.pdf

Page 7

RISK - Today’s IT / Cyber Challenge

More Agile Business

• More accessibility for employees, customers and partners

• Higher level of B2B integrations

• Faster reaction to changing requirements

More Secured Business

• Organized crime

• Identity theft

• Intellectual property theft

• Constant global threats

More Compliant Business

• Increasing regulatory demands

• Increasing privacy concerns

• Business viability concerns

RBSS enables the business AND minimizes risk.

Convenience versus Risk / Security … AND …

Page 8

Data At Rest

• Data classification

• Device control

• Content control

• Application control

Transaction Data

• Direct Database Access

• Access via Applications

• Web applications

• Web services

Data In Motion

• Outgoing communications

• Internal communications

• Databases and documents

• Monitoring and enforcement

Actors: Employees (Honest & Rogue); Customers & Criminals

Leak types: Accidental, Intentional and Malicious Leaks

Risk is mostly about DATA protection… the bane of ERM…

* Encrypt (& Key Mgmt)

* Access Controls (IAM)

* Data Controls (DLP)

Protecting the data security and privacy lifecycle

Page 9

Risk – a central ‘control’ role

• Risk is holistic -- central to implementing and sustaining the program

• Risk Assessment is the front end of this iterative planning process

• Risk should roll up into major categories, like: Technical, Business Systems, Program Management & External Factors

• Risk is assessed through impacts to four principal dimensions: Cost, Schedule, Scope and Quality

Page 10

Risk in the Enterprise

• How Do YOU Do ERM now?

– Cultural Fit / Management Support

• Common Point of Reference

– International standards / references

– Triage Techniques: Divide & Conquer

• Don’t Overrun Your Abilities

– KISS - Hire specialists as needed

• Integrate Risk Process Early in Projects, and Iterate

• Ensure Risk Assessments Result in Decisions

• Risk References (partial list)

– ISO 27001/2

– ISO 31000

– NIST RMF & CSF

– ISACA COBIT 5 & RISK IT

– Health Information Trust Alliance (HITRUST) CSF

– Federal Financial Institutions Examination Council (FFIEC) CSF

– Factor Analysis of Information Risk (FAIR)

– Information Risk Assessment Methodology (IRAM)

– Software Engineering Institute’s OCTAVE Allegro

…AND others…

Page 11

Many are turning to RMFs (*) as a strategy tool to assess risk and manage data security mechanisms and privacy protection methods…. NIST’s CSF is popular.

http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

Key elements of a cybersecurity program (Risk Management Framework (RMF) cycle):

• Consider business priorities, assets, processes

• Document formal cybersecurity strategy, objectives and goals

• Evaluate and prioritize gaps in current vs desired state across risk management controls

• Build a plan to address, monitor and reassess the prioritized control gaps

• Define formal framework of risk management controls

(Source: IBM Security “Business Connect 2015”) ( * - see also: Octave, NIST CSF & 800-39/37, COBIT, ISO 2700x, etc)

Frameworks are great, just pick one, and iterate the RM cycle.

Focus on mitigation priorities needed for ‘due diligence’ within your RBSS

Page 12

THEN, Risk enable your Security Program -> RBSS

10 essential practices for a stronger security AND privacy posture

These practices generally are assessed using a risk maturity level basis: (https://securityintelligence.com/a-risk-driven-approach-to-security-from-check-boxes-to-risk-management-frameworks/ )

RBSS is all about the best Business “Risk Value”

Page 13

ERM – An Auditor’s Perspective

* What is Enterprise Risk Management? “A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives” In other words – Risk management without silos

* As per the IIA definition, Internal Audit (IA) is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The IA activity helps an organization accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

* The IIA and RIMS believe that collaboration between the risk-related disciplines of internal audit and risk management can lead to stronger risk practices. The two functions make a powerful team when they collaborate and leverage one another’s resources, skill sets and experiences to build robust risk capabilities across organizations

* Leading organizations have discovered efficiencies, better decision-making and improved results by forming strong alliances - identified four fairly common practices:

• Link the audit plan and the enterprise risk assessment, and share other work products

• Share available resources wherever and whenever possible

• Cross-leverage each function’s respective competencies, roles and responsibilities

• Assess and monitor strategic risks

Effective collaboration results in a more robust overall organizational ERM risk portfolio.

Page 14

Audit & Risk Harmonization

All actors involved in Internal Control (regulators, consulting firms, and professional bodies such as the IIA) agree: Internal Audit needs to take into account the risks the company faces. These recommendations are both tactical, like advocating the use of a risk based approach to create an Audit plan, and strategic, with the inclusion of IA in a global, holistic ERM plan.

Four major objectives for the integration of risk management and internal audit:

* Provide the risk management initiative with the necessary supporting evidence that internal controls are operating as management believes them to be;

* Provide assurance to management that the internal audit function’s focus is on what is important to the organization;

* Provide the audit committee with the necessary assurances that the risk management initiative is effective and efficient; and

* Ensure that synergies between the two functions are fully optimized and that any potential duplication of effort is avoided

* There is clear value that organizations can gain from collaborative activity:

• Assurance that critical risks are being identified effectively

• Efficient use of scarce resources, such as financial, staff and time

• Communication depth and consistency, especially at the board and management levels

• Deeper understanding and focused action on the most significant risks

Effective collaboration results in a more robust overall organizational ERM risk portfolio.

Page 15

Integrating Audit into ERM

Activities to consider in your present audit processes:

* Assess the feasibility of tying annual audit planning with the ERM process

* Compare audit plan against the top risks identified through ERM

* Report on ERM risks through existing audits with an “Other Observations” or “Recommendations” section

* Consider a business continuity audit

* Ask to sit in on ERM committee meetings

* Consider an audit of the company’s overall risk management framework

* Incorporate corporate strategy discussions into annual audit planning

* Build a knowledge base by asking enterprise risk questions on existing audits

* Incorporate enterprise/strategic risk discussions into Audit Committee presentations

Resources to assist in Audit & ERM harmonization:

http://www.isaca.org/knowledge-center/research/documents/risk-it-framework-excerpt_fmk_eng_0109.pdf

http://www.isaca.org/chapters2/pittsburgh/events/documents/event_archive_2010_2011/10octpresentationhandouts.pdf

http://www.ey.com/Publication/vwLUAssets/EY_Key_considerations_for_your_internal_audit_plan_1/$FILE/ATT5QP7A.pdf

https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf

https://chapters.theiia.org/central-iowa/Events/Documents/ERM%20Presentation%20for%2010.11.16%20IIA%20Meeting.pdf

Page 16

Cybersecurity Law/Ethical Issues

• Biggest current threats: Intellectual property theft and/or attacks on critical infrastructure

• Appropriate response: Criminal hackers (law enforcement response) or hackers’ acts of aggression (acceptable military style response)

– Nation-state attacks allow for Laws of Armed Conflict and Rules of Engagement/Escalation of Force

– Yahoo Attack? Nation-state or individuals?

• Accurate Attribution

• “Hacking Back:” Offensive vs Defensive

• No standard code of ethics for cybersecurity professionals as for other professions (e.g., doctor, lawyer, licensed professional engineer)

Page 17

Cybersecurity Laws

• Law:

– US Laws are made by: Federal, state, local government entities, administrative agencies, judges, the President, state governors, …

– Privacy Act 1974

– FERPA—Federal Educational Rights and Privacy Act (1974)

– HIPAA—Health Insurance Portability and Accountability Act (1996)

– Wiretap Act 1988

– Computer Fraud and Abuse Act 1986

• Active Cyber Defense Certainty Act introduced March 22, 2017

– Presidential Executive Orders and Presidential Policy Directives

– Computer Information Sharing Act 2015

– EU—General Data Protection Regulation (GDPR)

• Retracted “Safe Harbor”

• Passed GDPR (May 2018)

• Opt-in vs opt-out

• Legal issues to consider:

– Who: Standing

– What: Case or controversy

– When: Statute of limitations

– Where: Jurisdiction

– Evidence standards

Page 18

Ethics/Laws

• Ethics:

– Rules of behavior based on what is morally good or bad

– Cultural norms

• Personal ethics

• Business ethics: governance, insider trading, bribery, discrimination, corporate responsibility, fiduciary responsibilities…

• Technology has now disrupted ethical standards.

– Automated: artificial intelligence, robotics, driverless cars, decision making…

– Holders/owners/possessors/recipients of data

Who is responsible (who is liable)?

How does this affect risk?

Page 19

Resources / Best Practices

• Resources:

– https://www.americanbar.org/publications/law_practice_magazine/2012/march_april/hot-buttons.html

– http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

• Templates:

– https://iapp.org/media/pdf/resource_center/Krasnow_model_WISP.pdf

– http://www.mass.gov/auditor/docs/laws-and-regs/wisp.pdf

• Best Practices: Keep up!

– Considerable web sources!

– Join risk / security / privacy groups (InfraGard, ISACs, etc)

Page 20

Now on to a CARTA Overview

WHY? Gartner is a ‘thought leader’ in ERM… so frame your RBSS with them

The twin concepts behind CARTA are that:

1. “All systems and devices must be considered potentially compromised and their behaviors continuously assessed for risk and trust.”

2. “Users (and other entities), even once authenticated, are given just enough trust to complete the action being requested, and their behaviors are continuously verified and assessed for risk.”

Contextual, real-time and continuous visibility is at the heart of CARTA.

“Ambiguity is the new reality. Embrace the grey.” The key is to apply the philosophy across the business from DevOps to external partners.

Bring context to big data so that behavior centricity can identify anomalies; this means putting the focus not just on protection, but equally or even a bit more on detection and response, with a solid recovery framework.

We propose that organizations use an enterprise RBSS, stressing ‘risk values’ using Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment).

Page 21

CARTA -> RBSS

• The explosive growth of cloud-based services and mobile devices in the workplace has rendered many conventional approaches to cybersecurity risk management outdated. According to Gartner, “more information security decisions need to move toward a real-time assessment of risk and trust at the point in time that the security decision is made, using relevant context to enrich and inform the decision-making process and to enable real-time, adaptive, risk-based responses for access enablement and protection from threats and attacks.”

• Simple forms of what we’ve called ‘cyber hygiene,’ although still valuable, don’t directly translate to protection against real risks. What’s required instead is something much more analytically sound and scientifically grounded, something that asks questions like “which threats are most likely to occur?” or “what are our greatest vulnerabilities?” Translating these into business terms is key, and continuously measuring them so that risks and countermeasures can be prioritized is essential.

• How do we accommodate these CARTA precepts in a simple RBSS?

1. Assess your current overall risk posture… start simple – ask your team, department – develop a risk register

2. Document your current security baseline – what is in place, configured effectively and what is needed

3. Develop your own version of a RBSS… using #1 and #2 - provide a ‘risk value’ buy down approach

4. Within your team / division, develop a risk report for leadership… including a ‘heat map’ for #3 for the Board

5. Integrate your efforts with the company’s overall ERM efforts, find a risk champion (besides your boss!)

6. Develop a continuous assessment process to monitor and report both risk and trust status and trends.

(we will provide more details / steps later….)
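A minimal risk register that scores each entry, buckets it for a heat map, rolls it up by category and ranks mitigations by ‘risk value’ bought down per unit of spend, as an added illustration of steps 1, 3 and 4 above (this is example code, not the presenters’ tool or any vendor’s). The rollup categories and impact dimensions are the ones named on the “Risk – a central ‘control’ role” slide; the 5×5 likelihood × impact matrix, the bucket thresholds, the use of the worst single impact dimension, and the sample entries are this example’s own assumptions.

```python
"""Lean risk register: 5x5 scoring, heat-map buckets, and a 'risk value' buy-down ranking."""
from __future__ import annotations
from dataclasses import dataclass

# Rollup categories and impact dimensions are those named on the "Risk - a
# central 'control' role" slide.  The scoring rules (5x5 matrix, worst-dimension
# impact, buy-down per unit of mitigation cost) are this example's assumptions.
CATEGORIES = ("Technical", "Business Systems", "Program Management", "External Factors")
DIMENSIONS = ("cost", "schedule", "scope", "quality")


@dataclass
class Risk:
    rid: str
    title: str
    category: str
    likelihood: int              # inherent, 1 (rare) .. 5 (almost certain)
    impact: dict[str, int]       # dimension -> 1 (negligible) .. 5 (severe)
    mitigation: str
    mitigation_cost: float       # constructed figure, arbitrary units
    residual_likelihood: int     # expected once the mitigation is in place
    residual_impact: dict[str, int]

    def __post_init__(self) -> None:
        # A register only supports prioritisation if every entry uses one scale.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.rid}: unknown category {self.category!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.residual_likelihood <= 5):
            raise ValueError(f"{self.rid}: likelihood must be 1..5")
        for imp in (self.impact, self.residual_impact):
            if not imp or set(imp) - set(DIMENSIONS) or not all(1 <= v <= 5 for v in imp.values()):
                raise ValueError(f"{self.rid}: impact must map known dimensions to 1..5")
        if self.mitigation_cost <= 0:
            raise ValueError(f"{self.rid}: mitigation_cost must be positive")


def score(likelihood: int, impact: dict[str, int]) -> int:
    """Likelihood x worst single-dimension impact (assumption: max, not a sum)."""
    return likelihood * max(impact.values())


def inherent(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual(r: Risk) -> int:
    return score(r.residual_likelihood, r.residual_impact)


def heat_bucket(s: int) -> str:
    """Heat-map colour for a 1..25 score; the thresholds are an assumption."""
    return "Critical" if s >= 16 else "High" if s >= 10 else "Medium" if s >= 5 else "Low"


def buy_down(r: Risk) -> float:
    """Risk value removed per unit of mitigation spend; orders the mitigation backlog."""
    return (inherent(r) - residual(r)) / r.mitigation_cost


def rank_by_buy_down(register: list[Risk]) -> list[Risk]:
    return sorted(register, key=buy_down, reverse=True)


def rollup(register: list[Risk]) -> dict[str, dict[str, int]]:
    """Per-category totals for the leadership report (step 4)."""
    out = {c: {"count": 0, "inherent": 0, "residual": 0} for c in CATEGORIES}
    for r in register:
        cell = out[r.category]
        cell["count"] += 1
        cell["inherent"] += inherent(r)
        cell["residual"] += residual(r)
    return out


def heat_map(register: list[Risk], use_residual: bool = False) -> list[list[list[str]]]:
    """5x5 grid indexed [likelihood-1][impact-1], each cell a list of risk ids."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        lik = r.residual_likelihood if use_residual else r.likelihood
        imp = max((r.residual_impact if use_residual else r.impact).values())
        grid[lik - 1][imp - 1].append(r.rid)
    return grid


# Constructed sample register; none of these are real findings from any organisation.
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing servers", "Technical", 4,
         {"cost": 4, "schedule": 2, "quality": 3},
         "Vulnerability scanning plus a 30-day patch SLA", 40, 2, {"cost": 4, "quality": 2}),
    Risk("R2", "Phishing-borne ransomware", "External Factors", 5,
         {"cost": 5, "schedule": 4, "quality": 3},
         "Mail filtering, awareness training, tested offline backups", 60, 3,
         {"cost": 3, "schedule": 2}),
    Risk("R3", "Unencrypted laptops holding customer data", "Business Systems", 3,
         {"cost": 4, "quality": 2},
         "Full-disk encryption with central key management", 15, 1, {"cost": 2}),
    Risk("R4", "No risk champion; security not tied to ERM", "Program Management", 4,
         {"schedule": 3, "scope": 3},
         "Appoint a risk champion, quarterly risk review", 5, 2, {"schedule": 2, "scope": 2}),
    Risk("R5", "Vendor with privileged access never assessed", "External Factors", 3,
         {"cost": 3, "quality": 3},
         "Vendor security review and least-privilege access", 10, 2, {"cost": 2, "quality": 2}),
]

if __name__ == "__main__":
    for r in rank_by_buy_down(SAMPLE_REGISTER):
        print(f"{r.rid} {heat_bucket(inherent(r)):8} -> {heat_bucket(residual(r)):8} "
              f"buy-down {buy_down(r):.2f}  {r.mitigation}")
```

Note that the cheapest mitigation (naming a risk champion) ranks first on buy-down even though the ransomware entry has the highest inherent score, which is the point of reporting residual risk and spend side by side rather than severity alone.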

Page 22

ERM – a 10,000’ Baseline View (recap)

2.1 INTEGRATED ORGANIZATION-WIDE RISK MANAGEMENT

Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the organization’s core missions and business processes. Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization. Figure 2-1 illustrates a three-tiered approach to risk management that addresses risk-related concerns at: (i) the organization level; (ii) the mission and business process level; and (iii) the information system level. [15]

http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

• Embrace the ERM journey – just do IT, avoid “complexity & analysis paralysis”

• Use “A” RMF as the starting point that is aware of and responsive to the multi-stakeholder risk environment

• Tailor RMF to reflect needs of your organization and partner collaboration

[Figure: “Risk Scenario Topic List” (DNS risk scenarios). Axes: STRATEGIC / TACTICAL and LONG-TERM / IMMEDIATE; rings: CORE / GLUE / EDGE. Scope runs from ecosystem-wide (cross-community collaboration; gaps in policy, management or leadership, or “reductive” forces such as security, risk mitigation and control through rules, splitting the root) through “regional” or “segment” focus to provider- or organization-focused risk (attacks exploiting technical vulnerabilities of the DNS, an inadvertent technical mishap, or a widespread natural disaster bringing down the root or a major TLD; DNS providers are at the forefront). Needs: coordination and fast response (immediate); models, tools, support and direction (long-term).]


Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

CHAPTER TWO – THE FUNDAMENTALS: MANAGING INFORMATION SYSTEM-RELATED SECURITY RISKS

This chapter describes the basic concepts associated with managing information system-related security risks. These concepts include: (i) incorporating risk management principles and best practices into organization-wide strategic planning considerations, core missions and business processes, and supporting organizational information systems; (ii) integrating information security requirements into system development life cycle processes; (iii) establishing practical and meaningful boundaries for organizational information systems; and (iv) allocating security controls to organizational information systems as system-specific, hybrid, or common controls.


[Figure 2-1: Tiered Risk Management Approach. Tier 1 Organization (Governance); Tier 2 Mission / Business Process (Information and Information Flows); Tier 3 Information System (Environment of Operation). Strategic risk sits at the top tier and tactical risk at the bottom. Properties: multitier organization-wide risk management; implemented by the Risk Executive (Function); tightly coupled to Enterprise Architecture and Information Security Architecture; system development life cycle focus; disciplined and structured process; flexible and agile implementation.]

[15] NIST Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (projected for publication in 2010), will provide guidance on the holistic approach to risk management.

Page 23

ERM major elements

Enterprise Risk Management Framework (RMF) – Pick one and use it – recommend DoD’s “RMF” (or ISACA COBIT 5)

Effective ERM execution targets resources using the RR

Department Risk Management Plan (RMP) – Integrate into the Organization’s ERM plan – tailor for your work group

Risk Register (RR) – track and manage risks – “THE” tool to identify, prioritize & mitigate risks = prioritization collaboration.

Strategic … Tactical

Page 24

What is RBSS – A Risk-Based Approach

• A risk-based approach means that asset owners and operators identify, assess and understand the cybersecurity risks to which they are exposed, and take protective measures commensurate to those risks in order to mitigate them effectively.

- Understanding and prioritizing RISKS are key activities

• The risk assessment therefore provides the basis for the prioritized application of cyber-protective actions and measures.

The RBSS approach is not a “zero failure” method; there may be occasions where an institution has taken all reasonable measures to identify and mitigate cybersecurity risks, but it still suffers a successful attack.

Page 25

Data Centric, Cyber enabled RBSS, Benefits

• IMPROVE data security awareness amongst employees

• ENFORCE corporate security policy consistently.

• IDENTIFY Critical Data, Applications and Infrastructure

• REDUCE COST – focus the security budget on protecting the critical data

• DEMONSTRATE regulatory compliance & risk‐based approach

• INCREASE the effectiveness of DLP solutions & other tools

• ENCOURAGE safer collaboration outside of company boundaries

https://www.jawconsulting.co.uk/wp-content/uploads/10-Key-Steps-to-Build-a-Cyber-Security-Strategy-for-EU-GDPR-PCI-DSS-v1.pdf

Critical data is high value. Do you KNOW where your key data is?

Page 26

Cyber enabled RBSS Major Steps

1 – Establish a RBSS project (pick a RMF, charter, objectives)

2 – Conduct an initial risk assessment / survey – establish “RR”

3 - Identify – your sensitive data – most have no standard

4 – Classify – data according to its value to the organization

5 - Discover & Map The Data – identify environment scope

6 - Purge & Delete – Data that is no longer required

7 - Secure – employ security controls and protection measures (IRM & IAM)

8 - Security Awareness & Training – employees are your first, and last, line of defense… and conduct frequent tests / exercises!

9 - Monitor – measure and evolve security & data practices.. (SIEM & DLP)

10 - Testing of Systems & Processes – Measure and evolve security practices

11 - Establish & Practice Incident Response, it’s as important as data breach risk minimization!

https://www.jawconsulting.co.uk/wp-content/uploads/10-Key-Steps-to-Build-a-Cyber-Security-Strategy-for-EU-GDPR-PCI-DSS-v1.pdf

Common sense steps for any data security, privacy effort

YET, how do we get there, the major activities to put in action?

Quantify the DATA ecosphere

Page 27:

Risk Assessment Support

- NIST – How to conduct a RA: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
- ISACA – Performing a RA: https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx
- Five RA frameworks (an overview of each): http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html
- HIPAA RA tool (free – 156 questions): https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- US-CERT Cyber Resilience Review (CRR): https://www.us-cert.gov/ccubedvp/assessments
- GRC tools (governance, risk management and compliance): http://www.polecat.com/blog/free-grc-tools/
- Other free RM tools: https://securityintelligence.com/five-free-risk-management-tools-that-can-add-value-to-your-security-program/

Yes, a lot of RA sources… Pick one and just do it (e.g., CRR). Complement those results with your survey -> “RR”

Page 28:

Risk Registers and Risk Tracking

KISS – on-line, spreadsheet

Common methods, ranking

Risk report to tell the story

RRs are the baseline foundation to RBSS – quantify and document

Page 29:

Risk Reporting – for a common risk vernacular

Figure 1. Risk Reporting Matrix Example – a 5×5 grid plotting Likelihood (1–5) against Consequence (1–5), with the following example risk register entries:

Range Performance – System weight targets may not be achieved, causing impacts to system performance and non-compliance with requirements.
  Mitigation Plan: 1. Establish weight management program; 2. Substantiate weight estimates; 3. Identify alternative design solutions or trades.

Inc 1 & 2 Configuration Differences – Inc 2 requirements may drive unique differences resulting in Inc 1 structures not being usable for Inc 2.
  Mitigation Plan: 1. Identify structural retrofit requirements; 2. Identify potential requirement trades; 3. Determine technical, schedule and cost viability of retrofit.

A - Inspection – Short interval (100 hour) inspections for bushing wear and hub cracking will increase overall system down-time and increase the spares requirement.
  Mitigation Plan: 1. Additional spares; 2. Accelerate new development; 3. Establish retrofit plan option.

B - Increment 1 Impact on IOC – IOC may be delayed beyond Threshold dates.
  Mitigation Plan: 1. Mitigate SETR delays through out-of-station mods; 2. Optimize production, missionization and T&E.

Engine Exhaust – Current aircraft experiences fuselage heating due to exhaust impingement.
  Mitigation Plan: 1. Local thermal blanketing; 2. Trade study for redirection of exhaust.

Program Affordability – Additional scope and EAC growth may grow costs beyond the program budget.
  Mitigation Plan: 1. Identify cost reduction baseline; 2. Identify CAIV trade options.

“Heat Maps” are common – yet how do we minimize the steps for LEAN ERM, and still have an adequate confidence factor and risk fidelity?
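The risk register, 5x5 reporting matrix and top-risk ranking the last three slides describe, as an added Python example that is not from the deck or its cited sources; the register entries, the band thresholds and the consequence tie-break rule are constructed assumptions.

```python
# Risk register with the deck's 5x5 likelihood x consequence heat map and top-N risk ranking.
# Added example, not from the slides: entries, names and band thresholds are constructed.
from dataclasses import dataclass, field

TREATMENTS = ("avoid", "reduce", "accept", "transfer")  # the four RM options on the deck

@dataclass
class Risk:
    rid: str
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    consequence: int         # 1 (negligible) .. 5 (severe)
    treatment: str           # one of TREATMENTS
    mitigation: list = field(default_factory=list)  # the deck's "Mitigation Plan" steps

    def __post_init__(self):  # reject out-of-scale or mistyped rows, as a spreadsheet would not
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError(f"{self.rid}: likelihood/consequence must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.rid}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence  # 1..25, the cell of the heat map

def band(score: int) -> str:
    """Colour band for a 1..25 score; thresholds are an assumption, tune to risk appetite."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def top_risks(register, n=3):
    """Highest score first, ties broken on consequence so severe-impact items lead the report."""
    return sorted(register, key=lambda r: (r.score, r.consequence), reverse=True)[:n]

def heat_map(register):
    """Cell (likelihood, consequence) -> risk ids: the 5x5 reporting matrix of the slide."""
    grid = {(l, c): [] for l in range(1, 6) for c in range(1, 6)}
    for r in register:
        grid[(r.likelihood, r.consequence)].append(r.rid)
    return grid

# Constructed sample register (hypothetical entries, not taken from the slides).
REGISTER = [
    Risk("R1", "Unencrypted backups of customer PII", 3, 5, "reduce", ["Encrypt at rest", "DLP on share"]),
    Risk("R2", "Legacy ERP on unsupported OS (tech debt)", 4, 4, "reduce", ["Segment", "Plan retirement"]),
    Risk("R3", "Phishing leading to credential theft", 5, 3, "reduce", ["MFA", "Awareness exercises"]),
    Risk("R4", "Third-party data breach liability", 2, 5, "transfer", ["Cyber insurance", "Contracts"]),
    Risk("R5", "Stale printer firmware", 2, 1, "accept", []),
]
```

`top_risks(REGISTER)` yields the 2-3 items to stress to leadership, and `heat_map(REGISTER)` gives the populated cells of the matrix to plot.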

Page 30:

Continuous Monitoring for RBSS

CARTA is all about RBSS and best Business Value (https://securityintelligence.com/a-risk-driven-approach-to-security-from-check-boxes-to-risk-management-frameworks/)

Leverage your SIEM, SOC, & MSP!

Page 31:

Key Actions YOU Can Do

1. Establish a RBSS project (slide 26)
2. Initial risk assessment – start the RR
3. Quantify the data environment (DC & tools)
4. Define crown jewels / success factors / requirements
5. Develop risk report / heat map

Strategies

• Know Your Architecture, Equipment and Capabilities
• Treat Security as Organization-Wide – Not as an IT Problem
• Know Your People – Plan for Development and Maturity
• Encourage Training and Education – Leverage the many professional groups!

…AND…. Etc….

Actions and Requirements

• Develop Security Policy
• Use Lessons Learned and Join Industry Groups
• Execute Identity & Access Management
• Build Your Incident Response Capability
• Data & Privacy Governance Group
• Get and USE Threat Intelligence
• Configuration Management and Hygiene
• Encrypt Your Data! And track it (DLP, etc)
• Test Software for Security Issues
• Perform Recurrent Audits and Checks
• Build a Roadmap to Capabilities
• Track Action Items and Technical Debt

Page 32:

Summary – OK, NOW, What to Do With This?

• Implement #1 and #2 ASAP – just do it!
• Provide an initial risk report / heat map to leadership – stress the top 2-3 risks for action
• Team with the DATA folks, leverage their data methods, etc – enhance with DLP, DRM, etc
• Enhance your department’s ERM effort, start a RM committee, as RBSS is a team sport
• Have a plan, process, timeline – to collaborate with – doing something is better than nothing!

RBSS – you can indeed bet your company on it – explicitly!

Page 33:

Page 34:

Risk mitigations / types

Source: Gartner


Risk management = avoid, reduce, accept, or transfer (and exploit and ignore)

Data breaches = 1st & 3rd party liability; the latter can be global, almost unbounded!

Proving a due diligence level of security – the foundation to minimizing risk and legal liability

For example, Cyber Insurance is Transfer of Risk. Cyber risks are pervasive – are you covered?

Page 35:

How Do We Get Started… from where?

Source: NIST 800-37 Rev1

Key #1: Understand the “Crown Jewels” of your organization.
- Data and systems
- Personnel and skills
- Key Business Functions

Key #2: Perform risk assessments iteratively, and track results
- Start simple – survey, etc
- What do you control?
- What do you just HOPE about?
- What’s on your Technical Debt list (legacy risks)?

Page 36:

* Making CYBER protection a full organizational contact sport *

RM Plan components:

- Company Vision (business success factors)
- V&V (& C&A) (verification / validation)
- Security Policy (users, mobile, social media, etc)
- Education / Training (awareness, JIT, needs based)
- Known Baseline (“MSB” / CMDB / effective hygiene)
- CMMI / Sustainment (consistent SoPs / processes)
- MSSP / Experts (SOC / 3rd party IV&V support)
- Data Security (DLP, DRM, reputation based methods)
- Insider Threat
- Company Intel (open source, FBI, etc)
- SCM / SIEM (monitor / track / mitigate)
- Cyber insurance (broker & legal counsel)
- Privacy Protection (manage PII, audit, compliance)

Major risks must be embedded in your enterprise risk management plan (RMP) and be visible and pervasive throughout the company – IMS, legal, HR, finance, etc.

ERM drives cyber security priorities – but how do we keep track?

Page 37:

Cyber Complexity is everywhere – Policy on down:

Don’t chase threats - manage the risk consequences in your RBSS