SESSION 610 Thursday, April 14, 2:45pm - 3:45pm
Track: Service Management Excellence
Introducing RESILIA: Cyber-Resilience for the 21st Century
David Moskowitz, CIO, Productivity Solutions, Inc. [email protected]
Session Description
Is your organization at risk? Companies like Home Depot, Sony, Target, and the US Department of State have all been victims of some form of cyber-attack. In this session, David Moskowitz will provide an introduction to RESILIA, a cyber-resilience framework designed to integrate with the ITIL lifecycle. From strategy to operations and the service desk, it is critical to understand that security or prevention alone isn’t enough. The organization must develop the capability to detect sooner and correct faster. Come learn about an approach that fits what you are already doing!
Speaker Background
David Moskowitz is an end-user, value-to-customer-driven professional with more than thirty years of strategic technology and competitive assessment experience. David is the primary author of an accredited Axelos RESILIA Practitioner course, and he holds both the RESILIA Practitioner and ITIL Expert certifications. Well-known on Twitter as @DavidM2, David is a PRINCE2 Practitioner, an Agile coach, and a mentor.
Source: professionalprograms.net/downloads/2016_HDI/PDFs/Session610.pdf
Session 610 Introducing RESILIA: Cyber-Resilience for the 21st Century
David Moskowitz
RESILIA Practitioner
ITIL Expert
It Can’t Happen Here!
Small sample
• US Government OPM: 21.5 million
• T-Mobile: 15 million applicants
• Premera Blue Cross: 11 million
• Anthem: 80 million
• Ashley Madison: 32 million
• Sony: terabytes of data
• Home Depot: 56 million payment, 53 million email addresses
• JP Morgan: 83 million
• Ebay: 145 million active users (including login)
• Target: 110 million
• When they get in, whatever you’re trying to protect
• No longer sensitive, valuable or meaningful
• Not enough!
– Need capability to detect & correct
– Average time to detect breach???
Reported hacks per month outside of government
• More than 50
• 83% financial companies
• 44% retail
Average time to detect more than 6 months
http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/ May, 2015
Benefits of Cyber Resilience
• Aligned to business outcomes
• Implement balanced controls
– Prevent incidents you can
– Detect incidents not prevented
– Correct to protect business
• Builds trust within value network
– Optimize the value created
– Increase competitive advantage
– Improve operational efficiency
• Balance
– Protection of assets
– Ability to innovate
• Requires single, coherent risk-based strategy
– Must align with organization’s risk appetite
• Delivered via management systems
“Recognizing that 100% risk mitigation is not possible on any complex system, the overarching goal of a risk-based approach to cyber security is system resilience to survive and quickly recover from attacks and accidents.” Partnering for Cyber Resilience, World Economic Forum, January, 2013
Prevent Detect & Correct
Risk? Really??
Manage cyber resilience
• Manage risks
• Identify what might happen
• Assess likelihood & impact
• Decide on action
• Select risk approach
• ISO 31000
• M_O_R™
• RESILIA™
Management Systems
• Management systems exist everywhere
– Formal & informal
• Driven by strategic goals
• Provides basis for governance & management
RESILIA™ Adds CR Controls to ITSM
• Take lifecycle approach
• Already doing something
• Start where you are
– Improve what you have
– Start with CSI (continual improvement)
– Determine which controls needed
• Modify or add processes
• Examine existing business strategy
– Add CR considerations
– Set stage for governance & management
• Design to meet strategy
• Transition to verify & validate accomplishment
• Operate CR
• Get better at it
– CR constant moving target
Don’t limit thinking! ITSM isn’t just for IT!
CSI Control Objectives
• Audit & Review
• Control Assessments
• KPIs, KRIs, & Benchmarking
• Business Continuity Improvements
• Process Improvements
• Remediation & Improvement Planning
Strategy CR Control Objectives
• Evaluate needs & expectations of the stakeholders
• Provide direction to management
• Define who makes Cyber Resilience decisions & how
• Ensure Cyber Resilience risk is addressed
• Monitor performance & outcomes
• Segregation of Duties & Dual Controls
• Cyber Resilience activities
– Define overall strategy to create value
– Identify stakeholders
– Understand business requirements & set expectations
– Define high-level priorities, goals & CSFs
– Define roles & responsibilities
– Provide funding
• … & exploit opportunities
Design CR Control Objectives
• Human Resources Security
– Joiners, movers & leavers (JML)
• System Acquisition, Development Architecture & Design
• Supplier & 3rd Party Security Management
• Endpoint Security
• Cryptography
• Business Continuity Management
Transition CR Control Objectives
• Asset & Configuration Management
– What & where
– Classification & Handling
• Data Transportation & Removable Media
• Change Management
– Include CR considerations
• Testing
• Training
• Document Management
• Information Retention
• Information Disposal
Operation CR Control Objectives
• Ensure risks that disrupt operational service are managed
• Operation control objectives include
– Define CR communication
– Determine criteria to bring in specialists
– Forensic investigation
– Document lessons learned
Critical Elements of Effective CR
• Board-level ownership & responsibility for CR
– Execute business strategy
– Deliver desired outcomes
– Offer services to customers
• Trust & rely
• Training & development
• Identify critical information assets
– Hackers want your information
• Clear view of key threats & vulnerabilities
– Include customers, partners & supply chain
• Only secure as weakest link
– Common language used by all stakeholders
– Assessment of organizational CR maturity
• Appropriate balance of controls
– Prevent
– Detect
– Correct
Prevent Detect & Correct
CR is Really Business Resilience
• Ensure the organization can confidently
– Execute business strategy
– Deliver desired outcomes
• Provide
– Good processes & people, systems & technology
• Offer products & services to customers
– Trust & rely to do the right thing
• Keep customers in the loop
• CR key to survivability & profitability
– Requires more than IT
– Absent effective CR: headlines
Thank you for attending this session.
Please remember to complete a session evaluation!
NIST Cyber Security Framework
• National Institute of Standards & Technology (NIST)
• Framework published in February 2014
– U.S. Publication – appropriate for organizations worldwide
– Intended for organizations supporting critical infrastructure
– Systems & assets; physical or virtual
– Vital to U.S. Interests
• Incapacity or destruction results in debilitating impact on
– Security
– National economic security
– National public health or safety
• NIST Framework
– Framework Core
• Controls described in a formal structured hierarchy
– Framework Implementation Tiers
• 4-layered model describing alignment to the framework
– Framework Profiles
• Selection of controls from the core that is appropriate for a particular organization or context
__________
“The framework is intended for organizations that are responsible for critical infrastructure, defined as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety…’”
__________
NIST Cybersecurity Framework
• Published by the
– National Institute of Standards & Technology (NIST)
• Agency of the U.S. Department of Commerce
• Published February 2014
• Deemed appropriate for organizations worldwide