Page 1: 2 Day MOSTI Workshop

Critical Infrastructure Security Workshop:

For Cybersecurity Malaysia

Drew Williams, President, Condition Zebra, inc.

Page 2: 2 Day MOSTI Workshop

Greetings and Welcome

Special thanks to MOSTI & CSM for arranging this

Summary Value Points:

• Infrastructure Risk Management Takes Time
• MOSTI & CSM have initiated strong benchmarks to success
• Tools & Technology should be considered AFTER Process
• Managing expectations is key to long-term strategy
• Start with what you have, fix what you know
• Discover (quickly) what you don’t know you don’t know

Page 3: 2 Day MOSTI Workshop

Greetings and Welcome

If you are here, then you are interested in:

• Identifying the issues and challenges with regard to infrastructure security and preservation.

• Researching & recommending the types of best practices and courses of action to assess, mitigate and prevent risk in your infrastructure.

• Increasing your organization’s competitiveness and business position safely, while keeping risk in check.

• The potential costs/risks associated with the introduction of GRC mandates in the region, and how they may impact the sustainability and growth of your organization.

Page 4: 2 Day MOSTI Workshop

You are sacrificing 3 hours of your day for what?

We’re going to provide a fast-track view into GRC/CNII

• Information that you can take back and use today.
• Relevant data as it pertains to risk management.
• Awareness of trends that will impact your business.
• Insight into MY cyber-security mandates.
• Preview of ConZebra’s greater value as a VAS.

Page 5: 2 Day MOSTI Workshop

Caveat & Disclaimer

#1. Many citations are U.S. / ISO originated policies

#2. These policies DO APPLY if your organization has some form of relevant business or operational relationship with the U.S. or its partners

#3. Use the following information as guidelines for potential trending of potential mandates on Asia’s horizons

Page 6: 2 Day MOSTI Workshop

1. GRC Scope in the APAC Region

Page 7: 2 Day MOSTI Workshop

1. GRC Scope in the APAC Region

Throughout Asia:

• 1:5 companies have started and stopped infrastructure upgrades because of uncertainty about expenses related to GRC

• IT / Web infrastructures are not fully controllable any longer (BYOD)

• “Server Talk” is shifting to “Protecting virtual business assets” (credit card access, e-transactions, mobile computing, etc.)

• “ROI” has become guesswork for “CYA”

• SEA has been traditionally a global tech-driver; now it needs to be an “early adopter” process implementer

Page 8: 2 Day MOSTI Workshop

Defining GRC: Governance, Risk [management], Compliance

• A system of people, processes, and technology that enables an organization to:

– Understand and prioritize stakeholder expectations.
– Set business objectives congruent with values & risks.
– Meet objectives / value while managing risk profile.
– Operate within boundaries: legal, contractual, internal, social, ethical.
– Provide relevant, reliable, and timely information to appropriate stakeholders (“Accountability”).

Page 9: 2 Day MOSTI Workshop

What is “Governance?”

Focusing on the achievement of long-term success

• Ensures the fit between the organization's mission and its performance.

• It’s about being in control and taking responsibility for the work and actions of your company.

• Uses transparent decision-making processes to direct its resources and exercise power in an effective and accountable way.

• Is accountable for what your organization does and how it does it.

Page 10: 2 Day MOSTI Workshop

What is “Governance?”

MOSTI is clearly articulated, but vague in delivery

• Centralize coordination of national cyber security initiatives

• Promote effective cooperation between public and private sectors

• Establish formal and encourage informal information sharing exchanges

Page 11: 2 Day MOSTI Workshop

“Governance” -- at the pinnacle of implementation

Page 12: 2 Day MOSTI Workshop

What is “Risk?”

Risk (and its Management)

• The effect of uncertainty on objectives – positive or negative
• Coordinated & economical application of resources to:
– Minimize,
– Monitor,
– Control the probability and/or impact of unfortunate events
• Mgt = Identification, assessment, prioritization of risks

Page 14: 2 Day MOSTI Workshop

What is “Compliance?”

Risk (and its Management)

• The effect of uncertainty on objectives – positive or negative
• Coordinated & economical application of resources to:
– Minimize,
– Monitor,
– Control the probability and/or impact of unfortunate events
• Mgt = Identification, assessment, prioritization of risks

Page 15: 2 Day MOSTI Workshop

GRC Landscape

Page 16: 2 Day MOSTI Workshop

2. Critical Infrastructures for Malaysia

Driven by MOSTI:

Page 17: 2 Day MOSTI Workshop

Defining Critical Infrastructure

“Big Picture”
• Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.

Page 18: 2 Day MOSTI Workshop

Defining Critical Infrastructure

Traditional Definition:
• Resources and “hard assets” vital to the security, governance, public health and safety, economy and public confidence of a state entity

(U.S. National Security Agency)

Page 19: 2 Day MOSTI Workshop

Defining Critical Infrastructure

• Health
• Defense
• Government (Non-defense)
• Communications
• Energy & Utilities
• Transportation
• Finance
• Commerce & Economy
• Agriculture & Food
• Water
• Emergency Services

Page 20: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Health

Relevant Parameters

• Physical conditions must be evaluated first
• Technical controls must consider how EPHI is managed
– Patient health information
– Patient billing information
– This includes insurance plans, etc.
• Administrative controls must be reviewed

Page 21: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Health

GRC Mandates

• Payment Card Industry Data Security Standard (PCI DSS)
• National mandatory disclosure laws
• Model Audit Rule (applies to health insurance companies)
• Sarbanes-Oxley (SOX)

These legal and compliance obligations and exposure require that health care organizations proactively manage compliance. Compliance risk in health care needs to be a coordinated effort that brings together a cohesive compliance process in a constantly changing environment: you must remain current.

— SAMPLE HIPAA POLICY

Page 22: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Defense

Relevant Parameters

• Physical controls exist to limit physical access to the system
• There is a suitable access control policy in place to confirm the identity of the user prior to accessing the system;
• Configured to guarantee accountability with proper auditing functions enabled;
• Configured to ensure integrity of data.
– This includes proper backups, permissions, contingency planning
• Latest appropriate patches
• Users trained regarding system security awareness;
• Procedures exist for handling security incidents;
• Risk management analyses performed
– Assess value of additional security measures vs. the increased cost of those measures;
• Security planning / implementation performed throughout system lifecycle
• Periodic reviews of security postures assure consistent application

Page 23: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Defense

GRC Mandates

– DoD
– NIST FISMA
– Specific Branches
– Classified Document Handling Protocols
– DefCons
– Border Patrol Policies
– Operational Handling of Secure Processes

— SAMPLE DoD / DoAF POLICIES
— ISO 27K (excerpt)

Page 24: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Gov’t Admin

Relevant Parameters

• Critical Infrastructure Protection and Compliance Policy coordinates the inter-department development and implementation of policies
– Protection of the critical infrastructure of the non-defense government sectors
– Development of certain other statutes and regulations within the specific sectors

Page 25: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Gov’t Admin

GRC Mandate

• FISMA
• MOSTI
• ISO27K
• Agency-specific Policies
• Treaty-based guidelines
– E.g., NAFTA

— ISO 27K (excerpt)

Page 26: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Communications

Relevant Parameters

• Create a flexible framework to manage both control definition & regulatory requirements with compliance measurements
• Load balancing & consistent NOC reporting mechanisms
• Manage telecommunications-targeted enterprise risks within enormous infrastructures
• Carrier plans may vary from region to region
• Wireless & data stream management parameters differ
• Platform compliance (SAP applications, Oracle, etc.)

Page 27: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Communications

GRC Mandates

• FCC
• SOX
• GLBA
• PCI / DSS
• ISO27K

— ISO 27K (excerpt)
— T-Mobile Case Study

Page 28: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Energy

Relevant Parameters

• Maintaining support during Disasters
• Grid Management & Physical Exposure to risk/threat
• Policies may vary depending on location of infrastructure
• “Energy” is Multi-faceted
– Power
– Natural Gas
– Other sources

Page 30: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Energy

This model overlays energy infrastructure networks on a specific location. The vertical lines identify system interdependencies.

Page 31: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Energy

GRC Mandates

• FEMA (U.S.)
• MY DoE guidelines

— ISO 27K (excerpt)

Page 32: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Finance

Relevant Parameters

• Traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report.
• The content must contain:
– A statement of management’s responsibilities for establishing and maintaining an adequate system.
– The identification of the framework used to evaluate the internal controls.
– A statement as to whether or not the internal control system is effective as of year-end.
– The disclosure of any material weaknesses in the system.
– A statement that the company’s auditors have issued an audit report on management’s assessment.
• Senior management requires CPA input
• Must determine whether there are any material weaknesses

Page 33: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Finance

GRC Mandates

• SEC Mandates
• Sarbanes Oxley
• Gramm Leach Bliley
• PCI / DSS
• ISO 27K

— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)

Page 34: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Commerce

Relevant Parameters

• Regulating free trade
• Dealing with price gouging
– In times of shortage
– Disasters
– Event times
• Antitrust laws
• Investment regulations

Page 35: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Commerce

GRC Mandates

• SEC Mandates
• Sarbanes Oxley
• Gramm Leach Bliley
• PCI / DSS
• ISO 27K

— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)

Page 36: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Emergency Services

Relevant Parameters

• Contingency planning models
• Business continuity
• Disaster Response & Recovery

Page 37: 2 Day MOSTI Workshop

Part 2: Sector Profiling: Emergency Services

GRC Mandates

• FEMA
• Regional or MY directed models

— ISO 27K (excerpt)

Page 38: 2 Day MOSTI Workshop

Part 3. GRC Fail-points & what causes them

Page 39: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

Why (how) do efforts fail?

• Five Key Reasons:
– Redundant and inefficient processes
– Inconsistent focus across the environment (enterprise)
– It’s complicated!
– Lack of business agility
– Incomplete, reaction-based point solutions

Page 40: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

Redundant & Inefficient Processes

• Band-Aid Approach
– Compartmentalize risk management efforts
– Contrary to “Big Picture” oversight
• Overlook how to leverage & integrate resources
– Offer greater impact & timeliness to respond
• Varying levels of success (“Hit & Miss”)
• Inconsistent responses to individual risk and compliance requirements.
• More expensive: multiple initiatives to build independent GRC systems

Page 41: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

Inconsistent focus across the environment (enterprise)

• “Island Management”
– Creates silos of isolationism
– Nobody knows what the others are doing
– Creates “Scope Creep” and drains budgets
• No common framework for activity
– COSO / CobIT / IIA / SANS
• CIO can’t create consistent management patterns ($, resources)
– Creates FUD about overall efforts at high levels
– Nobody “downstairs” wants to follow the plan, sees no value

Page 42: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

“It’s Complicated!”

• Adding layers of GRC initiatives creates complex, reactive-based conditions.
• GRC is “Distractive” by its very nature
– Most in-house departments focus on their sector, not GRC issues
– Complexity increases inherent risk and results in processes that are not streamlined and managed consistently
• More confusion fosters lack of trust in processes
– Discredits departments and individuals
– . . . As well as the organization itself, should something happen!
– Also breeds confusion in regulators, stakeholders, business partners

Page 43: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

Lack of Business Agility

• Reaction-based policies are not flexible
• Limitations caused by including complex plans, hundreds of disconnected documents and spreadsheets
• Dynamic distributed business structures need simple traffic patterns for disseminating policy
• Point solutions have some impact but often miss the large-scale risk management solution framework and objectives
– Data can become disconnected and difficult to manage / resolve

Page 44: 2 Day MOSTI Workshop

Part 3: GRC Fail-points

Incomplete, reaction-based point solutions

• Requires a top-down AND holistic view
• Unravel one thread at a time
• “Immediate Reaction” does not equal “Immediate Response”
• GRC point solutions often focus on assessment
– They might replace spreadsheets,
– They usually don’t deliver on analytics
– They usually don’t align with business applications.
• Gaps develop in the GRC plan, causing internal misalignment

Page 45: 2 Day MOSTI Workshop

Part 3: 10 Critical Fail-points in GRC Planning

Intelligence reporting

• Needed to support decision-making:
– Risk awareness / mitigation and compliance areas
• Identifying consistent risk patterns & dependencies
• Inconsistent, inaccurate system and operational data reports
• Cost of consolidating disparate / inconsistent data streams
• Liabilities of fines for failing to report and trend GRC across required assessment and reporting periods

Page 46: 2 Day MOSTI Workshop

Part 3: 10 Critical Fail-points in GRC Planning

Unreliable or irreconcilable risk assessment results

• Different formats & approaches (e.g., human monitoring without automation)
• Redundant risk management & compliance efforts
• Inconsistent approaches to risk/compliance activities
• Different vocabulary and processes that limit correlation, comparison and integration of information
• Not following a common criteria standard or framework
• Limitations in response times to changing environments

Page 47: 2 Day MOSTI Workshop

Part 3: GRC Fail-points: ASK FIRST!!

High-level questions need to be answered first:

• What does our end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can we align GRC requirements with our policies and day-to-day business operations?
• What is our real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can we leverage technology to manage GRC holistically across the enterprise?
• How can we govern our GRC processes across silos and stakeholders?

Page 48: 2 Day MOSTI Workshop

Content Acknowledgements . . .

National Institute of Standards & Technology, Deloitte, Cisco, U.S. DoD, SANS Institute, Modulo, Michael Rasmussen, IIA / ISACA

Page 49: 2 Day MOSTI Workshop

3 Key Target Trends for CNII/NCSP implementation

Page 50: 2 Day MOSTI Workshop

Critical Assets / Infrastructure

Page 52: 2 Day MOSTI Workshop

Governance / Risk Management / Compliance

Critical Assets / Infrastructure

• Objectives
• Policies / Mandates
• Development Pathway

• Internal Assessment
• Technology Assurances
• Business Rules
• Common Criteria

• Gap Assessment
• Physical Reviews
• Audits
• Contingency / Continuity Mgmt

Relevance Factoring

Page 53: 2 Day MOSTI Workshop

GRC Scope in APAC Region

Page 54: 2 Day MOSTI Workshop

Elements of a successful GRC roadmap

High-level questions need to be answered first:

• What does your end-to-end GRC program look like today?
– Budget, Planning, C-level Buy-in, Org-wide understanding
• How can you align GRC requirements with your policies and day-to-day business operations?
• What is your real exposure and what controls need to be implemented to address/mitigate/recover from risks?
• How can you leverage technology to manage GRC holistically across the enterprise?
• How can you govern your GRC processes across silos and stakeholders?

Page 59: 2 Day MOSTI Workshop

GRC IT Maturity Model (Deloitte)

Page 64: 2 Day MOSTI Workshop

Your ConZebra Point of Value . . .

• We created a scenario for how to establish a critical infrastructure, and identified our GRC plans
• We established a common parameter of understanding for each respective operational sector of a Critical Infrastructure
• We identified potential gaps that may appear from our analysis of our respective sector-by-sector activities
• We recognized consequences and fail-points when configuring an effective GRC strategy

Page 65: 2 Day MOSTI Workshop

Thank You

Drew Williams, President, Condition Zebra, inc.