3E - Impactful Security Program Leadership and Metrics for ...
10/4/2018
1
Prepare For “When”
• Every cyber breach or failure incident comes back to the failure of policy, procedure or the lack of having a policy or procedure.
DOJ Homeland Security, James Abignale, FBI
About George Usi
• Internet Pioneer
• Operations & Standards Pioneer
• Strategic operations & management origin
• Proud Father & Lucky Husband
What You Will Learn Today
• Difference Between Cyber Security & Cyber Compliance
• Cyber Security Risks, Exposures, & Regulations
• Five Key Governance Problems Leaders Should Know
• Top Ten Lines Before Being Hacked
• The US Government Has (Somewhat) Come To The Rescue
• Security Program Leadership Methods & Requisite Organization
• What To Do Next
Cyber Differences
What’s The Difference?
• Computer security, cybersecurity[1], or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide (Wikipedia definition as of September 1, 2018).
• Regulatory Compliance: In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.[1]
How You Might Relate to Both
Cyber Risks & Exposures
Risk Of A Cybersecurity Breach in 2018
Ref: Ponemon Institute – 2018 Global Data Breach Study by IBM & Datto Inc
TREND: 62% of construction & manufacturing attacked report a ransomware incident for small businesses <50.
Low Records = Low Risk…Right? Think Again!
Source: 2018 Ponemon Institute all businesses – 24-month horizon
$ Risk × Likelihood of Breach by Records Count = Calculated Risk $
Example - Small Water Agency Risk of Breach Calculation:
1) 90 current employees plus 565 previous employees in archive, for a total of 655 records operating over 30 years;
2) Handling privacy data (name/address and SSN) of 20,000 customers.
(655 x $233) + (20,000 x $233) + $68,000 = $4,880,615 Risk
Leaders who failed to plan & invest wisely in cybersecurity spent 58% more than those who have a “security plan” in place.*
The Top Ten!
Top Ten Things We Hear Before The “Help… We Were Hacked” Rescue Call
Top Ten Lines Heard Right Before A Hack
1. We don’t have any data anyone would want to steal.
2. Security is an overhead and is too expensive.
3. IT Guy/Team is great and everything is 100% secure.
4. Cloud/service provider already provides my security.
5. Business too small to get a regulatory fine/penalty.
6. We change our passwords.
7. I bought cyber security insurance.
8. We follow best practices in cyber security.
9. I hired a security leader to handle this.
10. We have never been hacked before (that we know of).
Federal Government To The Rescue (Somewhat)
With NIST CSF & NIST 800-53
https://www.nist.gov/cyberframework v1.0
The Framework Path with SIMM 5300
• SIMM = Statewide Information Management Manual
• SIMM 5300 = OIS (Office of Information Security)
• 30 Control Areas
• NIST influenced
• Publication on CDT Site
• Maps NIST & SAM 5300
• Posited that the complexity of a work role can be determined by measuring how long the incumbent could work on their own before being checked by the boss.
• Use of “Stratum Levels” to organize operational outcomes.
• Cyber Compromise is a Matter of When
• With A Formal Security Program, Cyber Risk Reduction is ~30%
• Regulations/Laws are Changing & More Stringent
• All Is Not As It Seems; Training Necessary
• Cyber Assurance Laws, 3rd-Party Checklists, & Audits Are Looming
• Breaches No Longer About Just Losing Data
• Conduct POAM & Spend Wisely
• NIST & SIMM To The Rescue
• Requisite Cyber Security Leadership
• Simplify the Complicated With Free Toolsets
Here Is What I Recommend You Do Now
Cyber Security Program 7-Step Punch List
1. Understand Agency Business Risk With Cyber Compliance Evaluation
2. Construct Action Plan for People, Process, & Technology
3. Launch/Relaunch Security Program with CDT Resources
4. Prepare for SIMM 5300 Security Compliance Reports (TRPs) and visit CDT site
+ Data Privacy Audit
+ Compliance Analysis
+ GAP Analysis
+ 2-Party Oversight
+ Security Posture Audit
+ SIMM/NIST Adoption
+ Work Plan to Comply
+ Security Policy WISP
+ Risk & Recovery Plan
+ Business Associate & 3rd-Party Agreements
Case Study 1 – Organizational Risk
A regional water/power organization was struggling with regulatory cyber compliance due to separation of internal business units. They adopted NIST 800-53 and identified a number of regulatory cyber gaps between their administrative and operational entities. With a proper oversight and compliance maintenance plan in place, they were able to apply Vendor Management principles internally to avoid the potential for a compliance violation between their segmented operations and vendor communities, and reduced risk exposures by 20%.
Case Study 2 – School Is In (The Money)
A large school district (top 20) was struggling to understand their cyber security business risk. Although they were following a framework, technology tools were unable to see when unmonitored exceptions and policy violations were happening. They conducted a cyber compliance deep dive and adopted NIST CSF, reducing their security spend by 18% while investing wisely in the cyber risks that matter.
Case Study 3 – The SCAP Hurts
A major state agency was struggling with their STIG/SCAP visibility. They adopted continuous visibility/monitoring of endpoints, with SCAP visibility and remediation for their cyber compliance, and passed audits under FISMA enforcement.