Mike Davis: Senior Manager of IT Security (CISO) @ABS; CISSP, CISO, MSEE, PM…
[email protected] (Caveat - These are personal views & examples, not representing the company or other entities)
Dr Paula deWitte: Assistant Director, Texas A&M Cybersecurity Center, and Associate Professor of Practice, Computer Science and Engineering, Texas A&M University.
Harvey Nusz: 4IT Security, Governance & Compliance (CEO/Owner); CIPM, CISSP, CRISC, CISA, CGEIT; ISACA Chapter president; Risk Management, Privacy and IT compliance / audit.
“Lean RBSS Methods” and “Continuous Adaptive Risk and Trust Assessment (CARTA)” - Gartner’s 2017 IT Security Approach for the Digital Age
Answering the call of the wild (threat space) using a Risk Based Security Strategy (RBSS). KISS.
Enterprise Risk Management (ERM) = the business’s best risk value proposition
Houston SIM Chapter Cyber SIG
Prelude
• Threats are pervasive; intruders are very good and share methods well (hackers, nation states, criminals, etc.).
(“Crime as a Service” makes every malcontent a very likely threat to counter)
• Data breaches escalate - 2017 is on track to eclipse 2016 as the worst year on record; yet data breach burnout continues…
• Doing the security basics very well sets the risk foundation (85+% reduction in security incidents: cyber hygiene, encryption, IdAM & SIEM).
• ERM policy drives integrated actions and enforcement (a Risk Champion prioritizes risks and communicates the risk appetite from the CEO to the shop floor).
• Major business initiatives accelerate – pick one: bi-modal IT, the EU’s “GDPR” law, digital transformation, globalization, customer-centricity, business flexibility/agility (speed), cloud / mobile first, DevOps, blockchain, IoT, other “mega-trends” (analytics, AI, etc.), etc…
Quit admiring the “RISK problem (threat / laws / complexity)”
and start DOING something – a “Lean” RBSS approach
WHY manage RISK? By being a trustworthy organization known for ‘walking the walk’ - focusing on the P&L benefits of mitigating company risks.
- Increase integrity, safety, reliability & TRUST.
- Improve the industry position, your BRAND.
- Improve resiliency (minimize down time, lost efforts).
- Improve compliance levels, enhance efficiencies.
- Improve competitive advantage.
– Integrate RBSS & CARTA into your company risk effort
- Enhance, streamline current security based efforts
- Increase risk awareness and support in the company
DATA rules in every industry – security counts, as does privacy – so show excellence in both. ANY data breach could cause loss of business.
Improving processes and supporting new services and products (supporting business groups’ productivity) = improved customer experience = revenues.
Risk Big Picture (one of many!)
Data Breach – the Perfect Storm (of many!) – converging forces:
- Hacker sophistication (“CaaS” proliferates)
- Many new business initiatives
- Technology advancement (blockchain, et al.)
- Shrinking resources (competing priorities)
- Government regulations (USA & EU (“GDPR”))
- Renewed focus on data’s value
- Increased outsourcing (third party / vendor management)
We Need an Enterprise Risk Management (ERM) Approach
‘FUD’ – Key threat examples:
• Data breaches – 2016 worst year: 1,093 events (2017 up 40%)
• Ransomware – worsens. $700+/attack. 90% of attacks arrive by email
• Internet of Things (IoT) threats hit home. PLCs to TVs. 20+ billion devices
Don’t spread Fear, Uncertainty and Doubt (FUD) OR chase the threats;
rather, manage the risk consequences in your RBSS.
• How much more bad news do we need – 1st half 2017: the first six months of 2017 have seen an inordinate number of cybersecurity meltdowns: viral, state-sponsored ransomware, leaks of spy tools from US intelligence agencies, and full-on campaign hacking.
--- Shadow Brokers - the hacking group claims to have breached the spy tools of the elite NSA.
--- WannaCry - a strain of ransomware spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations.
--- Petya/NotPetya/Nyetya/Goldeneye - a month or so after WannaCry, another wave of ransomware.
--- WikiLeaks CIA Vault 7 - published 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools.
--- Cloudbleed - a bug in the platform of the internet infrastructure company Cloudflare caused random leakage of potentially sensitive customer data from about six million customer websites.
--- 198 million voter records exposed - a publicly accessible database was discovered that contained personal information for 198 million US voters, possibly every American voter for more than 10 years.
So who cares? The BOARD! (re: their D&O liability and stockholder reporting)
Cyber-Risk Oversight / NACD Director’s Handbook Series
NACD, in conjunction with AIG and the Internet Security Alliance, has identified five steps boards should consider as they seek to enhance their oversight of cyber risks. Their handbook is organized according to these five key cyber-risk principles:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget (note - fiscal reality check: enough resources is not likely for many = RBSS).
5. Board-management discussions about cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
https://www.nacdonline.org/files/FileDownloads/NACD%20Cyber-Risk%20Oversight%20Handbook%202017.pdf
RISK – Today’s IT / Cyber Challenge
More Agile Business:
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business:
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats
More Compliant Business:
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns
RBSS enables the business AND minimizes risk: Convenience AND Risk / Security, not Convenience versus Risk / Security.
Data At Rest
• Data classification
• Device control
• Content control
• Application control
Transaction Data
• Direct database access
• Access via applications
• Web applications
• Web services
Data In Motion
• Outgoing communications
• Internal communications
• Databases and documents
• Monitoring and enforcement
Actors: employees (honest & rogue), customers & criminals; leaks are accidental, intentional and malicious.
Risk is mostly about DATA protection… the bane of ERM…
* Encrypt (& key management) * Access controls (IAM) * Data controls (DLP)
Protecting the data security and privacy lifecycle
Risk – a central ‘control’ role
• Risk is holistic -- central to implementing and sustaining the program
• Risk assessment is the front end of this iterative planning process
• Risk should roll up into major categories, like: Technical, Business Systems, Program Management & External Factors
• Risk is assessed through impacts to four principal dimensions: Cost, Schedule, Scope and Quality
Risk in the Enterprise
• How Do YOU Do ERM now?
– Cultural Fit / Management Support
• Common Point of Reference
– International standards / references
– Triage Techniques: Divide & Conquer
• Don’t Overrun Your Abilities
– KISS - Hire specialists as needed
• Integrate Risk Process Early in
Projects, and Iterate
• Ensure Risk Assessments Result in
Decisions
• Risk References (partial list)
• ISO 27001/2
• ISO 31000
• NIST RMF & CSF
• ISACA COBIT 5 & RISK IT
• Health Information Trust Alliance (HITRUST) CSF
• Federal Financial Institutions Examination Council (FFIEC) CSF
• Factor Analysis of Information Risk (FAIR)
• Information Risk Assessment Methodology (IRAM)
• Software Engineering Institute’s OCTAVE Allegro
…AND others…
Many are turning to RMFs (*) as a strategy tool to assess risk and manage data
security mechanisms and privacy protection methods…. NIST’s CSF is popular.
http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
Key elements of a cybersecurity program (the Risk Management Framework (RMF) cycle):
• Consider business priorities, assets, processes
• Document formal cybersecurity strategy, objectives and goals
• Evaluate and prioritize gaps in current vs desired state across risk management controls
• Build a plan to address, monitor and reassess the prioritized control gaps
• Define formal framework of risk management controls
(Source: IBM Security “Business Connect 2015”) (* see also: OCTAVE, NIST CSF & SP 800-39/37, COBIT, ISO 2700x, etc.)
Frameworks are great; just pick one, and iterate the RM cycle.
Focus on the mitigation priorities needed for ‘due diligence’ within your RBSS,
THEN risk-enable your security program -> RBSS
10 essential practices for a stronger security AND privacy posture
These practices generally are assessed using a risk maturity level basis:
(https://securityintelligence.com/a-risk-driven-approach-to-security-from-check-boxes-to-risk-management-frameworks/ )
RBSS is all about the best Business “Risk Value”
ERM – An Auditor’s Perspective
* What is Enterprise Risk Management? “A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.” In other words – risk management without silos.
* As per the IIA definition, Internal Audit (IA) is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The IA activity helps an organization accomplish objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
* The IIA and RIMS believe that collaboration between the risk-related disciplines of internal audit and risk management can lead to stronger risk practices. The two functions make a powerful team when they collaborate and leverage one another’s resources, skill sets and experiences to build robust risk capabilities across organizations.
* Leading organizations have discovered efficiencies, better decision-making and improved results by forming strong alliances; four fairly common practices were identified:
• Link the audit plan and the enterprise risk assessment, and share other work products
• Share available resources wherever and whenever possible
• Cross-leverage each function’s respective competencies, roles and responsibilities
• Assess and monitor strategic risks
Effective collaboration results in a more robust overall organizational ERM risk portfolio.
Audit & Risk Harmonization
All actors involved in internal control (regulators, consulting firms, and professional bodies such as the IIA) agree: Internal Audit needs to take into account the risks the company faces. These recommendations are both tactical, like advocating the use of a risk-based approach to create an audit plan, and strategic, with the inclusion of IA in a global, holistic ERM plan.
Four major objectives for the integration of risk management and internal audit:
* Provide the risk management initiative with the necessary supporting evidence that internal controls are operating as management believes them to be;
* Provide assurance to management that the internal audit function’s focus is on what is important to the organization;
* Provide the audit committee with the necessary assurances that the risk management initiative is effective and efficient; and
* Ensure that synergies between the two functions are fully optimized and that any potential duplication of effort is avoided.
* There is clear value that organizations can gain from collaborative activity:
• Assurance that critical risks are being identified effectively
• Efficient use of scarce resources, such as financial, staff and time
• Communication depth and consistency, especially at the board and management levels
• Deeper understanding and focused action on the most significant risks
Integrating Audit into ERM
Activities to consider in your present audit processes:
* Assess the feasibility of tying annual audit planning with the ERM process
* Compare the audit plan against the top risks identified through ERM
* Report on ERM risks through existing audits with an “Other Observations” or “Recommendations” section
* Consider a business continuity audit
* Ask to sit in on ERM committee meetings
* Consider an audit of the company’s overall risk management framework
* Incorporate corporate strategy discussions into annual audit planning
* Build a knowledge base by asking enterprise risk questions on existing audits
* Incorporate enterprise/strategic risk discussions into Audit Committee presentations
Resources to assist in Audit & ERM harmonization:
http://www.isaca.org/knowledge-center/research/documents/risk-it-framework-excerpt_fmk_eng_0109.pdf
http://www.isaca.org/chapters2/pittsburgh/events/documents/event_archive_2010_2011/10octpresentationhandouts.pdf
http://www.ey.com/Publication/vwLUAssets/EY_Key_considerations_for_your_internal_audit_plan_1/$FILE/ATT5QP7A.pdf
https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Management.pdf
https://chapters.theiia.org/central-iowa/Events/Documents/ERM%20Presentation%20for%2010.11.16%20IIA%20Meeting.pdf
Cybersecurity Law/Ethical Issues
• Biggest current threats: Intellectual property theft and/or attacks on critical
infrastructure
• Appropriate response: Criminal hackers (law enforcement response) or
hackers’ acts of aggression (acceptable military style response)
– Nation-state attacks allow for Laws of Armed Conflict and Rules of
Engagement/Escalation of Force
– Yahoo Attack? Nation-state or individuals?
• Accurate Attribution
• “Hacking Back:” Offensive vs Defensive
• No standard code of ethics for cybersecurity professionals as for other
professions (e.g., doctor, lawyer, licensed professional engineer)
Cybersecurity Laws
• Law:
– US laws are made by: federal, state and local government entities, administrative agencies, judges, the President, state governors, …
– Privacy Act (1974)
– FERPA—Family Educational Rights and Privacy Act (1974)
– HIPAA—Health Insurance Portability and Accountability Act (1996)
– Wiretap Act (1968, Title III; amended by the Electronic Communications Privacy Act, 1986)
– Computer Fraud and Abuse Act (1986)
• Active Cyber Defense Certainty Act introduced March 22, 2017
– Presidential Executive Orders and Presidential Policy Directives
– Cybersecurity Information Sharing Act (CISA, 2015)
– EU—General Data Protection Regulation (GDPR)
• “Safe Harbor” invalidated (2015)
• GDPR adopted; applies from May 2018
• Opt-in vs opt-out
• Legal issues to consider:
– Who: Standing
– What: Case or controversy
– When: Statute of limitations
– Where: Jurisdiction
– Evidence standards
Ethics/Laws
• Ethics:
– Rules of behavior based on what is morally good or bad
– Cultural norms
• Personal ethics
• Business ethics: governance, insider trading, bribery,
discrimination, corporate responsibility, fiduciary responsibilities…
• Technology has now disrupted ethical standards.
– Automated: artificial intelligence, robotics, driverless cars, decision
making…
– Holders/owners/possessors/recipients of data
Who is responsible (who is liable)?
How does this affect risk?
Resources / Best Practices
• Resources:
– https://www.americanbar.org/publications/law_practice_magazine/2012/march_april/hot-buttons.html
– http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• Templates:
– https://iapp.org/media/pdf/resource_center/Krasnow_model_WISP.pdf
– http://www.mass.gov/auditor/docs/laws-and-regs/wisp.pdf
• Best Practices: Keep up!
– Considerable web sources!
– Join risk / security / privacy groups (InfraGard, ISACs, etc.)
Now on to a CARTA Overview
WHY? Gartner is a ‘thought leader’ in ERM… so frame your RBSS with them.
The twin concepts behind CARTA are that:
1. “All systems and devices must be considered potentially compromised and their behaviors continuously assessed for risk and trust.”
2. “Users (and other entities), even once authenticated, are given just enough trust to complete the action being requested, and their behaviors are continuously verified and assessed for risk.”
Contextual, real-time and continuous visibility is at the heart of CARTA.
“Ambiguity is the new reality. Embrace the grey.” The key is to apply the philosophy across the business, from DevOps to external partners.
Bring context to big data, and behavior centricity can then identify anomalies; this means putting a focus not just on protection, but equally or even a bit more on detection and response, with a solid recovery framework.
We propose that organizations use an enterprise RBSS, stressing ‘risk values’, using Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment).
CARTA -> RBSS
• The explosive growth of cloud-based services and mobile devices in the workplace has rendered many conventional approaches to cybersecurity risk management outdated. According to Gartner, “more information security decisions need to move toward a real-time assessment of risk and trust at the point in time that the security decision is made, using relevant context to enrich and inform the decision-making process and to enable real-time, adaptive, risk-based responses for access enablement and protection from threats and attacks.”
• Simple forms of what we’ve called ‘cyber hygiene’, although still valuable, don’t translate directly into protection against real risks. What’s required instead is something much more analytically sound and scientifically grounded, something that asks questions like “which threats are most likely to occur?” or “what are our greatest vulnerabilities?” Translating these into business terms is key, and continuously measuring them so that risks and countermeasures can be prioritized is essential.
• How do we accommodate these CARTA precepts in a simple RBSS?
1. Assess your current overall risk posture… start simple – ask your team and department – and develop a risk register.
2. Document your current security baseline – what is in place and configured effectively, and what is needed.
3. Develop your own version of a RBSS… using #1 and #2, provide a ‘risk value’ buy-down approach.
4. Within your team / division, develop a risk report for leadership, including a ‘heat map’ of #3 for the Board.
5. Integrate your efforts with the company’s overall ERM efforts; find a risk champion (besides your boss!).
6. Develop a continuous assessment process to monitor and report both risk and trust status and trends.
(we will provide more details / steps later….)
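As an added illustration of the two CARTA concepts (every device potentially compromised; "just enough trust" per action, continuously re-verified) and of step 6, the following Python models a context-driven access decision. It is example code written for this page, not from the slides or from Gartner: the signals, weights, action catalog and thresholds are assumptions, and a real deployment would feed the same function from the IdP, MDM/EDR and SIEM/UEBA rather than from a dataclass.

```python
# Added example (not from the slides or Gartner): a toy CARTA-style adaptive
# access decision. Trust is recomputed for every request from its context and
# compared with the trust the requested action needs; a session that was fine
# a minute ago can be stepped up or cut off on the next request.
from dataclasses import dataclass, replace

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Hypothetical action catalog: minimum trust (0..100) each action requires.
ACTION_TRUST_REQUIRED = {
    "read_public": 20,
    "read_confidential": 60,
    "export_customer_data": 85,
}


@dataclass(frozen=True)
class Context:
    """Signals available at the moment of the decision (all assumed inputs)."""
    managed_device: bool          # endpoint enrolled / posture attested
    mfa_age_min: int              # minutes since the last strong authentication
    new_geo: bool                 # request from a location never seen for this user
    anomaly: float                # 0.0 = normal .. 1.0 = highly unusual behaviour
    compromise_indicators: bool   # e.g. an active EDR alert on the host


def trust_score(ctx: Context) -> int:
    """Trust starts at 100 and is eroded by context; the weights are assumptions."""
    score = 100
    if not ctx.managed_device:
        score -= 30
    if ctx.new_geo:
        score -= 20
    score -= int(40 * ctx.anomaly)
    # Trust decays with time since the user last proved who they are:
    # one point per 30 minutes, capped at 30 points.
    score -= min(30, ctx.mfa_age_min // 30)
    return max(0, min(100, score))


def decide(action: str, ctx: Context) -> str:
    """Point-in-time decision: allow, demand step-up authentication, or deny."""
    required = ACTION_TRUST_REQUIRED[action]
    if ctx.compromise_indicators:
        return DENY  # a host with active compromise indicators gets no trust at all
    if trust_score(ctx) >= required:
        return ALLOW
    # Would a fresh strong authentication (which also vouches for the new
    # location) raise trust enough? Then ask for it instead of refusing.
    if trust_score(replace(ctx, mfa_age_min=0, new_geo=False)) >= required:
        return STEP_UP
    return DENY


def evaluate_session(events):
    """Continuous verification over a sequence of (action, context) events.

    Every event is re-scored; once a deny is caused by compromise indicators,
    the session is revoked and later requests are denied regardless of context.
    """
    decisions, revoked = [], False
    for action, ctx in events:
        if revoked:
            decisions.append((action, DENY))
            continue
        verdict = decide(action, ctx)
        if verdict == DENY and ctx.compromise_indicators:
            revoked = True
        decisions.append((action, verdict))
    return decisions


if __name__ == "__main__":
    healthy = Context(True, 5, False, 0.0, False)
    stale_new_place = Context(True, 600, True, 0.2, False)
    compromised = Context(True, 20, False, 0.1, True)
    for action, ctx in [("export_customer_data", healthy),
                        ("read_confidential", stale_new_place)]:
        print(f"{action:22} trust={trust_score(ctx):3} -> {decide(action, ctx)}")
    print(evaluate_session([("read_public", healthy),
                            ("export_customer_data", compromised),
                            ("read_public", healthy)]))
```

The step-up branch is the "just enough trust" idea in practice: a request that falls short only because the last authentication is stale or the location is new is not refused outright; the user is asked to re-prove identity and the request is re-scored. The revocation in evaluate_session is the "even once authenticated" half: a session is a stream of decisions, not a one-time gate.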
ERM – a 10,000’ Baseline View (recap)
2.1 INTEGRATED ORGANIZATION-WIDE RISK MANAGEMENT
Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the organization’s core missions and business processes. Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization. Figure 2-1 illustrates a three-tiered approach to risk management that addresses risk-related concerns at: (i) the organization level; (ii) the mission and business process level; and (iii) the information system level.15
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
• Embrace the ERM journey – just do IT, avoid “complexity & analysis paralysis”
• Use “A” RMF as the starting point that is aware of and responsive to the multi-stakeholder risk environment
• Tailor RMF to reflect needs of your organization and partner collaboration
Risk Scenario Topic List (figure; text recovered from the diagram):
Axes: STRATEGIC (cross-community collaboration) / TACTICAL (DNS providers are at the forefront); LONG-TERM (need: models, tools, support, direction) / IMMEDIATE (need: coordination, fast response). Scope: ecosystem-wide, “regional” or “segment” focus, provider- or organization-focused risk. Layers: CORE, GLUE, EDGE.
Scenarios:
- Gaps in policy, management, or leadership split the root
- “Reductive” forces (security, risk-mitigation, control through rules, etc.) split the root
- Attacks exploiting technical vulnerabilities of the DNS bring down the root or a major TLD
- Inadvertent technical mishap brings down the root or a major TLD
- Widespread natural disaster brings down the root or a major TLD
Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
CHAPTER TWO – THE FUNDAMENTALS: MANAGING INFORMATION SYSTEM-RELATED SECURITY RISKS
This chapter describes the basic concepts associated with managing information system-related security risks. These concepts include: (i) incorporating risk management principles and best practices into organization-wide strategic planning considerations, core missions and business processes, and supporting organizational information systems; (ii) integrating information security requirements into system development life cycle processes; (iii) establishing practical and meaningful boundaries for organizational information systems; and (iv) allocating security controls to organizational information systems as system-specific, hybrid, or common controls.
2.1 INTEGRATED ORGANIZATION-WIDE RISK MANAGEMENT (text as quoted in the recap above)
FIGURE 2-1: TIERED RISK MANAGEMENT APPROACH
- TIER 1 ORGANIZATION (Governance) – strategic risk
- TIER 2 MISSION / BUSINESS PROCESS (Information and Information Flows)
- TIER 3 INFORMATION SYSTEM (Environment of Operation) – tactical risk
Properties of the approach: multitier organization-wide risk management; implemented by the Risk Executive (Function); tightly coupled to Enterprise Architecture and Information Security Architecture; system development life cycle focus; disciplined and structured process; flexible and agile implementation.
Footnote 15: NIST Special Publication 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (projected for publication in 2010), will provide guidance on the holistic approach to risk management.
ERM major elements
- Enterprise Risk Management Framework (RMF) (strategic): pick one and use it – recommend DoD’s “RMF” (or ISACA COBIT 5). Effective ERM execution targets resources using the RR.
- Department Risk Management Plan (RMP): integrate into the organization’s ERM plan – tailor for your work group.
- Risk Register (RR) (tactical) – track and manage risks: “THE” tool to identify, prioritize & mitigate risks = prioritization collaboration.
• A risk-based approach means that asset owners and
operators identify, assess and understand the
cybersecurity risks to which they are exposed, and take
protective measures commensurate to those risks in order
to mitigate them effectively.
- Understanding and prioritizing RISKS are the key activities
• The risk assessment therefore provides the basis for the
prioritized application of cyber-protective actions and
measures.
What is RBSS – A Risk-Based Approach
The RBSS approach is not a “zero failure” method; there may be occasions
where an institution has taken all reasonable measures to identify and mitigate
cybersecurity risks, but it still suffers successful attack.
Data Centric, Cyber enabled RBSS, Benefits
• IMPROVE data security awareness amongst employees
• ENFORCE corporate security policy consistently
• IDENTIFY critical data, applications and infrastructure
• REDUCE COST – focus the security budget on protecting the critical data
• DEMONSTRATE regulatory compliance & a risk-based approach
• INCREASE the effectiveness of DLP solutions & other tools
• ENCOURAGE safer collaboration outside of company boundaries
https://www.jawconsulting.co.uk/wp-content/uploads/10-Key-Steps-to-Build-a-Cyber-Security-Strategy-for-EU-GDPR-PCI-DSS-v1.pdf
Critical data is high value. Do you KNOW where your key data is?
Cyber enabled RBSS Major Steps
1 – Establish a RBSS project (pick a RMF, charter, objectives)
2 – Conduct an initial risk assessment / survey – establish the “RR”
3 – Identify your sensitive data – most organizations have no standard
4 – Classify data according to its value to the organization
5 – Discover & map the data – identify environment scope
6 – Purge & delete data that is no longer required
7 – Secure – employ security controls and protection measures (IRM & IAM)
8 – Security awareness & training – employees are your first, and last, line of defense… and conduct frequent tests / exercises!
9 – Monitor – measure and evolve security & data practices (SIEM & DLP)
10 – Test systems & processes – measure and evolve security practices
11 – Establish & practice incident response; it’s as important as data breach risk minimization!
https://www.jawconsulting.co.uk/wp-content/uploads/10-Key-Steps-to-Build-a-Cyber-Security-Strategy-for-EU-GDPR-PCI-DSS-v1.pdf
Common sense steps for any data security / privacy effort.
YET, how do we get there – what are the major activities to put in action? (Quantify the DATA ecosphere.)
Risk Assessment Support---NIST - How to conduct a RA
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
---ISACA – Performing a RA
https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx
---Five RA frameworks (an overview of each)
http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html
---HIPAA RA tool (free – 156 questions)
https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
---US-CERT Cyber Resilience Review (CRR)
https://www.us-cert.gov/ccubedvp/assessments
---GRC tools (governance, risk management and compliance)
http://www.polecat.com/blog/free-grc-tools/
---Other free RM tools
https://securityintelligence.com/five-free-risk-management-tools-that-can-add-value-to-your-security-program/
Yes, a lot of RA sources… Pick one and just do it (e.g., CRR)
Complement those results with your survey -> “RR”
Risk Registers and Risk Tracking
KISS – on-line, spreadsheet
Common methods, ranking
Risk report to tell the story
RRs are the baseline foundation to RBSS – quantify and document
Risk Reporting – for a common risk vernacular
Figure 1. Risk Reporting Matrix Example: a 5x5 matrix with Likelihood (1–5) on the vertical axis and Consequence (1–5) on the horizontal axis. Example entries plotted on it (from an aircraft program risk register):
- Range Performance: system weight targets may not be achieved, causing impacts to system performance and non-compliance with requirements. Mitigation plan: 1. establish a weight management program; 2. substantiate weight estimates; 3. identify alternative design solutions or trades.
- Inc 1 & 2 Configuration Differences: Inc 2 requirements may drive unique differences, resulting in Inc 1 structures being unusable for Inc 2. Mitigation plan: 1. identify structural retrofit requirements; 2. identify potential requirement trades; 3. determine technical, schedule and cost viability of retrofit.
- A – Inspection: short-interval (100 hour) inspections for bushing wear and hub cracking will increase overall system down-time and increase the spares requirement. Mitigation plan: 1. additional spares; 2. accelerate new development; 3. establish a retrofit plan option.
- B – Increment 1 Impact on IOC: IOC may be delayed beyond threshold dates. Mitigation plan: 1. mitigate SETR delays through out-of-station mods; 2. optimize production, missionization and T&E.
- Engine Exhaust: the current aircraft experiences fuselage heating due to exhaust impingement. Mitigation plan: 1. local thermal blanketing; 2. trade study for redirection of exhaust.
- Program Affordability: additional scope and EAC growth may grow costs beyond the program budget. Mitigation plan: 1. identify cost reduction baseline; 2. identify CAIV trade options.
“Heat Maps” are common – yet how do we minimize the steps for LEAN ERM, and still have an adequate confidence factor and risk fidelity?
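The risk register and reporting matrix above as working code, added here as an illustration and not taken from the slides: a small register with the 5x5 likelihood x consequence scoring, a prioritized view, a text heat map and the "top 2-3 risks for action" report for leadership. The sample risks, owners, scores, treatments and the HIGH/MEDIUM/LOW thresholds are constructed assumptions; the thresholds in particular should come from your own risk appetite.

```python
# Added example (not from the slides): a minimal risk register (RR) with the
# 5x5 likelihood x consequence scoring of the reporting matrix above, a
# prioritised view, a text heat map and a short leadership report.
from collections import defaultdict
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = lowest .. 5 = highest on both axes
TREATMENTS = ("avoid", "reduce", "accept", "transfer")


@dataclass
class Risk:
    rid: str
    title: str
    likelihood: int
    consequence: int
    owner: str
    treatment: str
    mitigation: list = field(default_factory=list)

    def __post_init__(self):
        # Validate at entry time; a register with off-scale values cannot be ranked.
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and consequence must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.rid}: treatment must be one of {TREATMENTS}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def band(self) -> str:
        # Assumed banding of the 25-point scale; set thresholds from your risk appetite.
        if self.score >= 15:
            return "HIGH"
        if self.score >= 8:
            return "MEDIUM"
        return "LOW"


def prioritize(register):
    """Highest score first; ties broken by consequence so high-impact items surface."""
    return sorted(register, key=lambda r: (r.score, r.consequence), reverse=True)


def heat_map(register):
    """Map each (likelihood, consequence) cell to the risk ids sitting in it."""
    grid = defaultdict(list)
    for r in register:
        grid[(r.likelihood, r.consequence)].append(r.rid)
    return dict(grid)


def render_heat_map(register) -> str:
    """Text version of the matrix: likelihood down the side, consequence across."""
    grid = heat_map(register)
    rows = ["L\\C " + " ".join(f"{c:^7}" for c in SCALE)]
    for lik in reversed(SCALE):
        cells = [",".join(grid.get((lik, con), [])) or "." for con in SCALE]
        rows.append(f" {lik}  " + " ".join(f"{cell:^7}" for cell in cells))
    return "\n".join(rows)


def risk_report(register, top_n=3) -> str:
    """The 'top 2-3 risks for action' view for leadership."""
    lines = []
    for r in prioritize(register)[:top_n]:
        lines.append(f"{r.rid} {r.band:<6} score={r.score:>2} ({r.likelihood}x{r.consequence}) "
                     f"owner={r.owner} treatment={r.treatment}: {r.title}")
        for step in r.mitigation:
            lines.append(f"    - {step}")
    return "\n".join(lines)


# Constructed sample register (hypothetical risks, owners and scores).
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched legacy file server (technical debt)", 4, 4, "IT Ops", "reduce",
         ["Segment the host", "Schedule decommission", "Compensating monitoring in SIEM"]),
    Risk("R2", "Ransomware delivered by phishing email", 5, 4, "CISO", "reduce",
         ["Mail filtering and attachment sandboxing", "Tested offline backups", "Phishing exercises"]),
    Risk("R3", "Vendor with broad access to customer data", 3, 5, "Procurement", "transfer",
         ["Contractual security clauses", "Cyber insurance review", "Quarterly access recertification"]),
    Risk("R4", "Laptop loss without full-disk encryption", 3, 3, "IT Ops", "reduce",
         ["Enforce FDE via MDM", "Remote wipe"]),
    Risk("R5", "Marketing website defacement", 2, 2, "Marketing", "accept", []),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_REGISTER))
    print(risk_report(SAMPLE_REGISTER))
```

A spreadsheet does the same job (KISS), but the validation in the constructor and the single scoring function are the two things worth copying into it: a register where one department scores 1-3 and another 1-5, or where "likelihood" quietly means different things, produces a heat map that looks authoritative and ranks nothing.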
Continuous Monitoring for RBSS
CARTA is all about RBSS and best Business Value(https://securityintelligence.com/a-risk-driven-approach-to-security-from-check-boxes-to-risk-management-frameworks/ )
Leverage your SIEM, SOC, & MSP!
Key Actions YOU Can Do
1. Establish a RBSS project (slide 26)
2. Initial risk assessment – start the RR
3. Quantify the data environment (DC & tools)
4. Define crown jewels / success factors / requirements
5. Develop risk report / heat map
Strategies
• Know Your Architecture, Equipment and Capabilities
• Treat Security as Organization-Wide – Not as an IT Problem
• Know Your People – Plan for Development and Maturity
• Encourage Training and Education – Leverage the many professional groups!
…AND… etc.
• Develop Security Policy
• Use Lessons Learned and Join Industry Groups
• Execute Identity & Access Management
• Build Your Incident Response Capability
• Data & Privacy Governance Group
• Get and USE Threat Intelligence
• Configuration Management and Hygiene
• Encrypt Your Data! And track it (DLP, etc.)
• Test Software for Security Issues
• Perform Recurrent Audits and Checks
• Build a Roadmap to Capabilities
• Track Action Items and Technical Debt
Actions and Requirements
Summary: OK, NOW, What to Do With This?
• Implement #1 and #2 ASAP – just do it!
• Provide an initial risk report / heat map to leadership – stress the top 2-3 risks for action
• Team with the DATA folks, leverage their data methods, etc. – enhance with DLP, DRM, etc.
• Enhance your department’s ERM effort; start a RM committee, as RBSS is a team sport
• Have a plan, process, timeline – to collaborate with – doing something is better than nothing!
RBSS – you can indeed bet your company on it – explicitly!
Risk mitigations / types (Source: Gartner)
Risk management = avoid, reduce, accept, or transfer (and exploit and ignore)
Data breaches = 1st & 3rd party liability; the latter can be global, almost unbounded!
Proving a due diligence level of security is the foundation to minimizing risk and legal liability.
For example, cyber insurance is transfer of risk. Cyber risks are pervasive – are you covered?
How Do We Get Started… from where?
Source: NIST 800-37 Rev1
Key #1: Understand the “Crown Jewels” of your organization.
- Data and systems
- Personnel and skills
- Key business functions
Key #2: Perform risk assessments iteratively, and track results
- Start simple – survey, etc.
- What do you control?
- What do you just HOPE about?
- What’s on your technical debt list (legacy risks)?
* Making CYBER protection a full organizational contact sport *
RM Plan elements:
- Company vision (business success factors)
- V&V (& C&A) (verification / validation)
- Security policy (users, mobile, social media, etc.)
- Education / training (awareness, JIT, needs based)
- Known baseline (“MSB” / CMDB / effective hygiene)
- CMMI / sustainment (consistent SOPs / processes)
- MSSP / experts (SOC / 3rd party IV&V support)
- Data security (DLP, DRM, reputation based methods)
- Insider threat
- Company intel (open source, FBI, etc.)
- SCM / SIEM (monitor / track / mitigate)
- Cyber insurance (broker & legal counsel)
- Privacy protection (manage PII, audit, compliance)
Major risks must be embedded in your enterprise risk management plan (RMP)
and be visible and pervasive throughout the company – IMS, legal, HR, finance, etc.
ERM drives cyber security priorities – but how do we keep track?
Cyber complexity is everywhere – policy on down:
Don’t chase threats - manage the risk consequences in your RBSS