Critical Infrastructure Security Workshop:
For Cybersecurity Malaysia
Drew Williams, President, Condition Zebra, Inc.
Greetings and Welcome
Special thanks to MOSTI & CSM for arranging this
Summary Value Points:
• Infrastructure Risk Management Takes Time
• MOSTI & CSM have initiated strong benchmarks to success
• Tools & Technology should be considered AFTER Process
• Managing expectations is key to long-term strategy
• Start with what you have, fix what you know
• Discover (quickly) what you don’t know you don’t know
Greetings and Welcome
If you are here, then you are interested in:
• Identifying the issues and challenges with regard to infrastructure security and preservation.
• Researching & recommending the types of best practices and courses of action to assess, mitigate and prevent risk in your infrastructure.
• Increasing your organization’s competitiveness and business position safely, while keeping risk in check.
• The potential costs/risks associated with the introduction of GRC mandates in the region, and how they may impact the sustainability and growth of your organization.
You are sacrificing 3 hours of your day for what?
We’re going to provide a fast-track view into GRC/CNII:
• Information that you can take back and use today.
• Relevant data as it pertains to risk management.
• Awareness of trends that will impact your business.
• Insight into MY cyber-security mandates.
• Preview of ConZebra’s greater value as a VAS.
Caveat & Disclaimer
#1. Many citations are U.S. / ISO originated policies.
#2. These policies DO APPLY if your organization has some form of relevant business or operational relationship with the U.S. or its partners.
#3. Use the following information as guidelines for potential trending of potential mandates on Asia’s horizons.
1. GRC Scope in the APAC Region
Throughout Asia:
• 1:5 companies have started and stopped infrastructure upgrades because of uncertainty about expenses related to GRC
• IT / Web infrastructures are not fully controllable any longer (BYOD)
• “Server Talk” is shifting to “Protecting virtual business assets” (credit card access, e-transactions, mobile computing, etc.)
• “ROI” has become guesswork for “CYA”
• SEA has traditionally been a global tech-driver; now it needs to be an “early adopter” process implementer
Defining GRC: Governance, Risk [management], Compliance
• A system of people, processes, and technology that enables an organization to:
– Understand and prioritize stakeholder expectations.
– Set business objectives congruent with values & risks.
– Meet objectives / value while managing risk profile.
– Operate within boundaries: legal, contractual, internal, social, ethical.
– Provide relevant, reliable, and timely information to appropriate stakeholders (“Accountability”).
What is “Governance?”
Focusing on the achievement of long-term success
• Ensures the fit between the organization's mission and its performance.
• It’s about being in control and taking responsibility for the work and actions of your company.
• Uses transparent decision-making processes to direct its resources and exercise power in an effective and accountable way.
• Is accountable for what your organization does and how it does it.
What is “Governance?”
MOSTI is clearly articulated, but vague in delivery
• Centralize coordination of national cyber security initiatives
• Promote effective cooperation between public and private sectors
• Establish formal and encourage informal information sharing exchanges
“Governance”: at the pinnacle of implementation
What is “Risk?”
Risk (and its Management)
• The effect of uncertainty on objectives – positive or negative
• Coordinated & economical application of resources to:
– Minimize,
– Monitor,
– Control the probability and/or impact of unfortunate events
• Mgt = Identification, assessment, prioritization of risks
What is “Compliance?”
GRC Landscape
2. Critical Infrastructures for Malaysia
Driven by MOSTI:
Defining Critical Infrastructure: “Big Picture”
• Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.
Defining Critical Infrastructure: Traditional Definition
• Resources and “hard assets” vital to the security, governance, public health and safety, economy and public confidence of a state entity (U.S. National Security Agency)
Defining Critical Infrastructure: Sectors
• Health
• Defense
• Government (Non-defense)
• Communications
• Energy & Utilities
• Transportation
• Finance
• Commerce & Economy
• Agriculture & Food
• Water
• Emergency Services
Part 2: Sector Profiling: Health
Relevant Parameters
• Physical conditions must be evaluated first
• Technical controls must consider how EPHI is managed
– Patient health information
– Patient billing information
– This includes insurance plans, etc.
• Administrative controls must be reviewed
Part 2: Sector Profiling: Health
GRC Mandates
• Payment Card Industry Data Security Standard (PCI DSS)
• National mandatory disclosure laws
• Model Audit Rule (applies to health insurance companies)
• Sarbanes-Oxley (SOX)
These legal and compliance obligations and exposure require that health care organizations proactively manage compliance. Compliance risk in health care needs to be a coordinated effort that brings together a cohesive compliance process in a constantly changing environment—you must remain current.
— SAMPLE HIPAA POLICY
Part 2: Sector Profiling: Defense
Relevant Parameters
• Physical controls exist to limit physical access to the system
• There is a suitable access control policy in place to confirm the identity of the user prior to accessing the system;
• Configured to guarantee accountability with proper auditing functions enabled;
• Configured to ensure integrity of data.
– This includes proper backups, permissions, contingency planning
• Latest appropriate patches
• Users trained regarding system security awareness;
• Procedures exist for handling security incidents;
• Risk management analyses performed
– Assess value of additional security measures vs. the increased cost of those measures;
• Security planning / implementation performed throughout system lifecycle
• Periodic reviews of security postures assure consistent application
Part 2: Sector Profiling: Defense
GRC Mandates
– DoD
– NIST FISMA
– Specific Branches
– Classified Document Handling Protocols
– DefCons
– Border Patrol Policies
– Operational Handling of Secure Processes
— SAMPLE DoD / DoAF POLICIES
— ISO 27K (excerpt)
Part 2: Sector Profiling: Gov’t Admin
Relevant Parameters
• Critical Infrastructure Protection and Compliance Policy coordinates the inter-department development and implementation of policies
– Protection of the critical infrastructure of the non-defense government sectors
– Development of certain other statutes and regulations within the specific sectors
Part 2: Sector Profiling: Gov’t Admin
GRC Mandates
• FISMA
• MOSTI
• ISO27K
• Agency-specific Policies
• Treaty-based guidelines
– E.g., NAFTA
— ISO 27K (excerpt)
Part 2: Sector Profiling: Communications
Relevant Parameters
• Create a flexible framework to manage both control definition & regulatory requirements with compliance measurements
• Load balancing & consistent NOC reporting mechanisms
• Manage telecommunications-targeted enterprise risks within enormous infrastructures
• Carrier plans may vary from region to region
• Wireless & data stream management parameters differ
• Platform compliance (SAP applications, Oracle, etc.)
Part 2: Sector Profiling: Communications
GRC Mandates
• FCC
• SOX
• GLBA
• PCI / DSS
• ISO27K
— ISO 27K (excerpt)
— T-Mobile Case Study
Part 2: Sector Profiling: Energy
Relevant Parameters
• Maintaining support during Disasters
• Grid Management & Physical Exposure to risk/threat
• Policies may vary depending on location of infrastructure
• “Energy” is Multi-faceted
– Power
– Natural Gas
– Other sources
Part 2: Sector Profiling: Energy
This model overlays energy infrastructure networks on a specific location. The vertical lines identify system interdependencies.
Part 2: Sector Profiling: Energy
GRC Mandates
• FEMA (U.S.)
• MY DoE guidelines
— ISO 27K (excerpt)
Part 2: Sector Profiling: Finance
Relevant Parameters
• Traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report.
• The content must contain:
– A statement of management’s responsibilities for establishing and maintaining an adequate system.
– The identification of the framework used to evaluate the internal controls.
– A statement as to whether or not the internal control system is effective as of year-end.
– The disclosure of any material weaknesses in the system.
– A statement that the company’s auditors have issued an audit report on management’s assessment.
• Senior management requires CPA input
• Must determine whether there are any material weaknesses
Part 2: Sector Profiling: Finance
GRC Mandates
• SEC Mandates
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• PCI / DSS
• ISO 27K
— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)
Part 2: Sector Profiling: Commerce
Relevant Parameters
• Regulating free trade
• Dealing with price gouging
– In times of shortage
– Disasters
– Event times
• Antitrust laws
• Investment regulations
Part 2: Sector Profiling: Commerce
GRC Mandates
• SEC Mandates
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• PCI / DSS
• ISO 27K
— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)
Part 2: Sector Profiling: Emergency Services
Relevant Parameters
• Contingency planning models
• Business continuity
• Disaster Response & Recovery
Part 2: Sector Profiling: Emergency Services
GRC Mandates
• FEMA
• Regional or MY directed models
— ISO 27K (excerpt)
Part 3. GRC Fail-points & what causes them
Part 3: GRC Fail-points
Why (how) do efforts fail?
• Five Key Reasons:
– Redundant and inefficient processes
– Inconsistent focus across the environment (enterprise)
– It’s complicated!
– Lack of business agility
– Incomplete, reaction-based point solutions
Part 3: GRC Fail-points
Redundant & Inefficient Processes
• Band-Aid Approach
– Compartmentalize risk management efforts
– Contrary to “Big Picture” oversight
• Overlook how to leverage & integrate resources
– Offer greater impact & timeliness to respond
• Varying levels of success (“Hit & Miss”)
• Inconsistent responses to individual risk and compliance requirements.
• More expensive: multiple initiatives to build independent GRC systems
Part 3: GRC Fail-points
Inconsistent focus across the environment (enterprise)
• “Island Management”
– Creates silos of isolationism
– Nobody knows what the others are doing
– Creates “Scope Creep” and drains budgets
• No common framework for activity
– COSO / CobIT / IIA / SANS
• CIO can’t create consistent management patterns ($, resources)
– Creates FUD about overall efforts at high levels
– Nobody “downstairs” wants to follow the plan, sees no value
Part 3: GRC Fail-points
“It’s Complicated!”
• Adding layers of GRC initiatives creates complex, reactive-based conditions.
• GRC is “Distractive” by its very nature
– Most in-house departments focus on their sector, not GRC issues
– Complexity increases inherent risk and results in processes that are not streamlined and managed consistently
• More confusion fosters lack of trust in processes
– Discredits departments and individuals
– . . . As well as the organization itself—should something happen!
– Also breeds confusion in regulators, stakeholders, business partners
Part 3: GRC Fail-points
Lack of Business Agility
• Reaction-based policies are not flexible
• Limitations caused by including complex plans, hundreds of disconnected documents and spreadsheets
• Dynamic distributed business structures need simple traffic patterns for disseminating policy
• Point solutions have some impact but often miss the large-scale risk management solution framework and objectives
– Data can become disconnected and difficult to manage / resolve
Part 3: GRC Fail-points
Incomplete, reaction-based point solutions
• Requires a top-down AND holistic view
• Unravel one thread at a time
• “Immediate Reaction” does not equal “Immediate Response”
• GRC point solutions often focus on assessment
– They might replace spreadsheets,
– They usually don’t deliver on analytics
– They usually don’t align with business applications.
• Gaps develop in the GRC plan, causing internal misalignment
Part 3: 10 Critical Fail-points in GRC Planning
Intelligence reporting
• Needed to support decision-making:
– Risk awareness / mitigation and compliance areas
– Identifying consistent risk patterns & dependencies
– Inconsistent, inaccurate system and operational data reports
– Cost of consolidating disparate / inconsistent data streams
– Liabilities of fines for failing to report and trend GRC across required assessment and reporting periods
Part 3: 10 Critical Fail-points in GRC Planning
Unreliable or irreconcilable risk assessment results
• Different formats & approaches (e.g., human monitoring without automation)
• Redundant risk management & compliance efforts
• Inconsistent approaches to risk/compliance activities
• Different vocabulary and processes that limit correlation, comparison and integration of information
• Not following a common criteria standard or framework
• Limitations in response times to changing environments
Part 3: GRC Fail-points—ASK FIRST!!
High-level questions need to be answered first:
• What does our end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can we align GRC requirements with our policies and day-to-day business operations?
• What is our real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can we leverage technology to manage GRC holistically across the enterprise?
• How can we govern our GRC processes across silos and stakeholders?
Content Acknowledgements . . .
• National Institute of Standards & Technology
• Deloitte
• Cisco
• U.S. DoD
• SANS Institute
• Modulo
• Michael Rasmussen
• IIA / ISACA
3 Key Target Trends for CNII/NCSP implementation
(Diagram: Critical Assets / Infrastructure; Governance; Risk Management / Compliance)
• Objectives
• Policies / Mandates
• Development Pathway
• Internal Assessment
• Technology Assurances
• Business Rules
• Common Criteria
• Gap Assessment
• Physical Reviews
• Audits
• Contingency / Continuity Mgmt
Relevance Factoring
GRC Scope in APAC Region
Elements of a successful GRC roadmap
High-level questions need to be answered first:
• What does your end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can you align GRC requirements with your policies and day-to-day business operations?
• What is your real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can you leverage technology to manage GRC holistically across the enterprise?
• How can you govern your GRC processes across silos and stakeholders?
GRC IT Maturity Model (Deloitte)
Your ConZebra Point of Value . . .
• We created a scenario for how to establish a critical infrastructure, and identified our GRC plans
• We established a common parameter of understanding for each respective operational sector of a Critical Infrastructure
• We identified potential gaps that may appear from our analysis of our respective sector-by-sector activities
• We recognized consequences and fail-points when configuring an effective GRC strategy