resilia - dit.dk
RESILIA- Is your organization resistant to cyber risks?
Christian F. Nissen, BlueHat P/S
© 2016 of BlueHat P/S unless otherwise stated
RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are registered trademarks of AXELOS in the United Kingdom and other countries
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
TOGAF™ and IT4IT™ are registered trademarks of The Open Group
Agenda
1. Cyber threats
2. Cyber Resilience
3. Cyber Resilience Lifecycle
❍ Strategy
❍ Design
❍ Transition
❍ Operation
❍ Continual Improvement
4. Segregation of duties and dual controls
5. Barriers to Cyber Resilience
Quick poll
What is your background?
Security
Governance, risk, compliance
Audit
Service management
Other
Why bother?
Computerworld, August 24, 2016:
Swedish Lucas Lundgren from FortConsult "has found a glaring flaw in a connection protocol called MQTT, which ties billions of devices together in the Internet of Things (IoT) network."
"I have found a nuclear power plant where one could raise the radiation level, and a prison where the prison doors can be opened from a server"
Why bother?
According to the ISACA’s January 2016
Cybersecurity Snapshot,
84 percent of respondents believe there is a medium to
high likelihood of a cybersecurity attack disrupting critical
infrastructure (e.g., electrical grid, water supply systems)
this year.
20 percent of the respondents have experienced a
ransomware incident
72 percent of respondents say they are in favor of the US
Cybersecurity Act, but only 46% say their organizations
would voluntarily participate in cyber threat information
sharing, as outlined in the Act.
Best practices and standards
Some standards and frameworks that can help organizations to manage cyber threats include:
❍ NIST Framework for Improving Critical Infrastructure Cybersecurity - a US risk-based approach to managing cybersecurity risk
❍ Management of Risk (M_o_R) - best practice for managing risk
❍ ISO/IEC 27001 - international standard for information security management
❍ ISO 31000 - international standard defining risk management principles and guidelines
❍ ISO 22301 - international standard for business continuity
❍ COBIT 5 - best practice for governance and management of enterprise IT
❍ ITIL - best practice for IT service management
❍ ISO/IEC 20000 - international standard for IT service management
Quick poll
Do you have practical experience with one or more of the following frameworks?
NIST
ISO/IEC 27001
Management of Risk (M_o_R)
ISO 31000
ISO 22301
COBIT 5
ITIL
ISO/IEC 20000
RESILIA
None of the above
Information Security versus Cyber Resilience
The human factor
❍ Service value resides in information, technology, people and processes
❍ People and their behaviour cause most vulnerabilities
❍ Need to look beyond information security – to cyber resilience
[Figure: Information, Technology, People, Processes]
Information Security versus Cyber Resilience
Security is defined as 'the state of being free from danger or threat' and involves the protection (confidentiality, integrity, availability & non-repudiation) of what is important, often with more emphasis on prevention and less emphasis on recovery from an incident. However, prevention alone is no longer a realistic strategy.
Resilience is the ability of a system or component to resist an unplanned disturbance or failure, and to recover in a timely manner following any unplanned disturbance or failure.
[Figure: Security and Resilience]
What is Cyber Resilience?
Cyber resilience is the ability to prevent, detect, and correct (respond & recover) any impact that incidents have on the information required to do business.
Right balance between three types of control activity: preventive, detective and corrective.
Quick poll
To what extent do you agree that information security is a radically different discipline from cyber resilience?
Fully agree
Partly agree
Partly disagree
Fully disagree
What is RESILIA?
A best practice from Axelos released in 2015
A balanced and holistic approach to cyber resilience
The missing chapter in ITIL
Risk and control based
Lifecycle based
https://www.axelos.com/best-practice-solutions/resilia
What is RESILIA?
Risk-based
[Figure: Asset, Vulnerability, Threat]
What is RESILIA?
Addressing risk
What is RESILIA?
The RESILIA portfolio and its audiences:
❍ Best Practice Guide: core practical guidance for strategy, implementation and management ("what good looks like")
❍ Individual Awareness Learning & Know-how: all staff across an organisation
❍ Foundation & Practitioner Training: IT teams and data owners/managers
❍ Membership & CPD: IT teams and data owners/managers
❍ Leader Engagement: leadership team across an organisation
❍ Management Pathway Tool
RESILIA Management Pathway Tool
Method of assessing the maturity of cyber resilience in
your organization
❍ Explore the RESILIA best practice
guidance and understand how its
processes and security controls apply
to your organization.
❍ Evaluate your existing cyber resilience
controls and processes to identify the critical gaps
❍ Map the necessary improvements you need to make
to meet your desired level of cyber resilience maturity
RESILIA Leader Engagement
Awareness products tools and guidance specifically
designed to increase understanding, insight and action
in the boardroom
These include:
❍ Continuing professional development and learning for
executive and non-executive directors
❍ Cyber boardroom simulations
❍ Cyber resilience risk management training for senior
risk management decision makers.
RESILIA Awareness Learning
Learning modules: phishing, social engineering, password safety, information handling, online safety, remote and mobile working, personal information
Learning formats: games, simulations, videos, eLearning, tests and refreshers, animations
RESILIA Certification
Cyber Resilience Foundation
Course structure: 3-day classroom course, or 20 hours of distance learning; optional simulation to start the course; Foundation certification multiple choice exam
Learning outcomes:
❍ How decisions impact good/bad cyber resilience
❍ Comprehensive approach across all areas
❍ How to make good cyber resilience an efficient part of business and operational management
Cyber Resilience Practitioner
Course structure: 2-day classroom course, or 15 hours of distance learning; optional simulation to start the course; Practitioner certification multiple choice exam; bundled with Foundation as a 5-day course
Learning outcomes:
❍ What effective cyber resilience looks like
❍ Pitfalls, risks and issues that can easily hit cyber resilience
❍ Getting the best balance of risk, cost, benefits and flexibility within an organization
https://dit.dk/KurserOgCertificeringer/RESILIA
Positioning of RESILIA certification
[Figure: courses positioned on two axes, technical focus versus business focus and general audience versus niche audience: IT vendors (Cisco, MS, Oracle etc.), ISC(2) CISSP, CompTIA Security+, EC Council Ethical Hacker, EC Council Certified Security Analyst, CISM, ISC(2) SSCP, CLAS, ISO27001 auditor, CESG CCP, CESG CCT, ISACA Cybersecurity Fundamentals Certificate, AXELOS RESILIA Practitioner, AXELOS RESILIA Foundation, BCS InfoSec Principles. Key: grey = non-certification course; size of circle = course market share]
RESILIA CPD scheme
Continuing Professional Development (CPD):
❍ Coming in 2016
❍ Completing a RESILIA qualification will earn
15 CPD points towards a professional membership
❍ A route to maintain your RESILIA qualification
without re-sitting the exam
Who is RESILIA for?
The Foundation and Practitioner certifications are aimed at:
IT and security functions
Risk and compliance functions
Core business functions including HR, Finance, Procurement, Operations and Marketing.
The awareness learning is for the entire organization.
The leadership engagement delivers specialised training and learning for the leaders within an organization.
The Cyber Resilience Lifecycle
Quick poll
Does it make sense to tie cyber resilience controls and processes to ITIL's five lifecycle phases and their associated processes?
Yes, we have been waiting a long time for that!
It probably doesn't make much difference
No, it makes no sense at all!
I have no opinion on that
Cyber Resilience Strategy – Controls
Controls for Cyber Resilience Strategy:
❍ Establish governance of cyber resilience: vision and mission; governance roles
❍ Manage stakeholders: identifying and categorizing stakeholders; gathering stakeholder requirements; stakeholder communications
❍ Create and manage cyber resilience policies: cyber resilience policies; structure of the policies; management of the policies (process)
❍ Manage cyber resilience audit and compliance: audit; compliance management
Cyber Resilience Strategy - Processes
Interaction of ITSM Processes with Cyber Resilience Activities:
Strategy management for IT services
Service portfolio management
Financial management for IT services
Demand management
Business relationship management
Example (figure only): cyber resilience interfaces with Service Portfolio Management
Cyber Resilience Design – Controls
Controls for Cyber Resilience Design:
❍ Human resource security: recruitment; pre-employment, employment, exit and termination; training and awareness
❍ System acquisition, development, architecture and design: requirement analysis; architecture design and development; threat and vulnerability modelling; secure design and development; cyber resilience security testing
❍ Supplier and third-party security management: supply chain risk management; managing third-party risks; confidentiality and non-disclosure for suppliers; compliance and auditing of the supply chain
❍ Endpoint security: data-in-transit; data-at-rest; cryptography; ...
❍ Business continuity management: business impact analysis
Cyber Resilience Design - Processes
Interaction of ITSM Processes with Cyber Resilience Activities:
Design Coordination
Service Catalogue Management
Service Level Management
Availability Management
Capacity Management
IT Service Continuity Management
Supplier Management
Example (figure only): cyber resilience interfaces with IT Service Continuity Management
Cyber Resilience Transition – Controls
Controls for Cyber Resilience Transition:
❍ Asset management and configuration management: classification and handling; data transportation and removable media
❍ Change management: authorization, control and secure implementation
❍ Testing: code review; unit, system and integration testing; regression and user-acceptance testing; penetration testing
❍ Training
❍ Documentation management: information retention and disposal
Cyber Resilience Transition - Processes
Interaction of ITSM Processes with Cyber Resilience Activities:
Transition planning and support
Change management
Service asset and configuration management
Release and deployment management
Service validation and testing
Change evaluation
Knowledge management
Management of organizational change
Example (figure only): cyber resilience interfaces with Release and Deployment Management
Cyber Resilience Operation – Controls
Controls for Cyber Resilience Operation:
❍ Access control: logical access control; business requirements and access policy; authorization, registration and provisioning; identity verification; ...
❍ Network security management: network design for resilience; segmenting networks with firewalls; network switch and logical segmentation; detecting and preventing intrusions; ...
❍ Physical security: physical access control; perimeter security; visitor management; identity badges and passes; ...
❍ Operations security: documentation; operational activities
❍ Cyber resilience incident management: incident planning; incident reporting, logging and initial assessment; responding to the incident; containing the incident, eradicating and recovering; learning lessons
Cyber Resilience Operation - Processes
Interaction of ITSM Processes with Cyber Resilience Activities:
Event management
Incident management
Request fulfilment
Problem management
Access management
Example (figure only): cyber resilience interfaces with Event Management
Cyber Resilience Continual Improvement
Controls for Cyber Resilience Continual Improvement:
❍ Cyber resilience audit and review: technology review and audit; policy review; review of access rights; review of administrator and operator logs; monitor, review and audit of third parties
❍ Control assessment: KPIs, key risk indicators and benchmarking
❍ Business continuity improvements
❍ Learning from information security incidents
❍ Process improvement
❍ Remediation and improvement planning: the remediation plan; implementing improvements
Cyber Resilience Continual Improvement
Interaction of ITSM Processes with Cyber Resilience Activities:
The CSI approach
The seven-step improvement process
Example (figure only): cyber resilience interfaces with the Seven-Step Improvement Process
Segregation of duties and dual controls
Segregating Duties
Ensures that privileges and roles are separated so that
they cannot be used to commit fraud.
Example: Segregating development and operations
Dual Controls
A method used to control abuse of privileges.
Example: Encryption of information using two separate
encryption keys, each key belonging to a different person
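A small policy check, added here as an illustration (it is not from the RESILIA guidance or this presentation), that enforces both controls together: a segregation-of-duties list of role pairs no single identity may hold, and a dual-control rule requiring two distinct, eligible approvers for a privileged action. The role names and conflicting pairs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role pairs that no single identity may hold together (assumption
# for this example): developer + production operator mirrors the slide's
# "segregating development and operations"; the two key-custodian roles mirror
# the dual-key encryption example, where one person holding both keys would
# defeat the control.
TOXIC_PAIRS = {
    frozenset({"developer", "prod_operator"}),
    frozenset({"key_custodian_a", "key_custodian_b"}),
}


@dataclass
class Identity:
    name: str
    roles: frozenset


def sod_violations(identity: Identity) -> list:
    """Segregation of duties: return the toxic pairs this identity holds in full."""
    return [pair for pair in TOXIC_PAIRS if pair <= identity.roles]


@dataclass
class PrivilegedRequest:
    action: str
    requester: Identity
    approvers: list = field(default_factory=list)


def dual_control_ok(req: PrivilegedRequest, required_role: str = "prod_operator",
                    approvals_needed: int = 2) -> bool:
    """Dual control: the action proceeds only with approvals from at least
    `approvals_needed` distinct people, none of whom is the requester, each
    holding `required_role` and each free of segregation-of-duties violations."""
    valid = set()
    for approver in req.approvers:
        if approver.name == req.requester.name:
            continue  # no self-approval
        if required_role not in approver.roles or sod_violations(approver):
            continue  # not eligible to approve
        valid.add(approver.name)  # a set, so one person cannot count twice
    return len(valid) >= approvals_needed


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"developer"}))
    bob = Identity("bob", frozenset({"prod_operator"}))
    carol = Identity("carol", frozenset({"prod_operator"}))
    print(dual_control_ok(PrivilegedRequest("deploy to production", alice, [bob, carol])))
    print(dual_control_ok(PrivilegedRequest("deploy to production", alice, [bob, bob])))
```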
Barriers to cyber resilience
Lack of awareness (board level down)
Silo thinking (“it’s an IT problem”)
Narrow focus on regulatory compliance, not risk
Confusion about what “good” looks like
Cyber resilience demands a “whole system”
view (information, technology, people and processes)
Quick poll
We have now had a brief look at RESILIA. How does RESILIA fit the reality and the threat landscape in your organization?
It sounds like a framework we should build on in our handling of cyber risks
It could become one of many useful tools in the toolbox
It won't make much difference in our organization
The end
Contact
Christian F. Nissen, Partner
[email protected]
+45 40 19 41 45
BlueHat P/S, Lottenborgvej 24, DK-2800 Kgs. Lyngby, CVR: 37 55 59 08