Cyber Security & GRC Metrics That Tell a Story!

Presented by:
Swarnika Mehta, Manager, KPMG Cyber Security Services
Eva Benn, Senior Associate, KPMG Cyber Security Services
© 2017 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. (On printed materials, add: Printed in the U.S.A.)
Contents
Introduction
In the news

Hackers Stole Credit Card Information From Thousands of Arby’s Customers
Jonathan Vanian, Feb 09, 2017
Hackers have stolen customer credit card information from an unknown number of Arby’s restaurants, according to a report on Thursday.
Read more at: http://fortune.com/2017/02/09/arbys-restaurants-hackers-data-breach/

Military personnel data leaked in Dun & Bradstreet database
By James Rogers, Published March 16, 2017
The huge leak of a Dun & Bradstreet database containing the details of almost 33.7 million people includes over 100,000 military personnel, according to the security researcher who reported the leak.
Read more at: http://www.foxnews.com/tech/2017/03/16/military-personnel-data-leaked-in-dun-bradstreet-database.html
The hard questions
“How do we distill the important information and complex metrics in a way that can be consumed by senior executives and the board?”
Information Security Metrics Program (ISMP)
Key Metrics
Key reporting metrics

[Dashboard slide; the tiles below are reconstructed from the extracted labels, with sample gauge values where they survived.]

Application Security
- % applications scanned
- % vulnerabilities, by severity (High / Medium / Low)
- Time to remediate vulnerabilities, by status (Closed / Pending / Open)

Server Security
- % of ICF/non-ICF servers missing sev 4/5 patches
- % of ICF/non-ICF servers with AV and CSP installed

Endpoint Security
- % of endpoints missing critical security patches
- % of endpoints with anti-virus installed

Incident Management
- Time to resolve incidents
- Time to remediate security events

Vendor Security Operations
- High, Medium and Low risk vendors
- Average vendor risk score (sample gauge value: 8.8)
- % of vendors with completed risk assessments

Additional dashboard tiles
- # of resources with certifications
- Security projects (On Track / Delayed)
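To make the dashboard tiles above concrete, here is an added Python example (not code from the KPMG deck) that computes several of these reporting metrics from raw records: an application inventory, vulnerability findings with open and close dates, and an endpoint patch-management export. The record layouts, field names, sample rows, the reporting date and the per-severity SLA targets are all constructed assumptions; the "Pending" status from the slide is not modelled, only Closed and Open.

```python
"""Compute key reporting metrics from raw records.

Added illustration, not code from the KPMG deck: the record layouts, field
names, sample rows, reporting date and SLA targets are constructed assumptions.
"""
from collections import Counter
from datetime import date

# Constructed application inventory and the subset covered by scanning.
APPLICATIONS = ["crm", "billing", "portal", "hr", "intranet"]
SCANNED_APPS = {"crm", "billing", "portal"}

# Constructed vulnerability findings; closed=None means the finding is still open.
FINDINGS = [
    {"app": "crm", "severity": "High", "opened": date(2017, 1, 10), "closed": date(2017, 1, 20)},
    {"app": "crm", "severity": "Medium", "opened": date(2017, 1, 12), "closed": date(2017, 2, 15)},
    {"app": "billing", "severity": "High", "opened": date(2017, 2, 1), "closed": None},
    {"app": "billing", "severity": "Low", "opened": date(2017, 2, 3), "closed": date(2017, 2, 10)},
    {"app": "portal", "severity": "High", "opened": date(2017, 2, 5), "closed": date(2017, 2, 25)},
    {"app": "portal", "severity": "Medium", "opened": date(2017, 3, 1), "closed": None},
]

# Constructed endpoint patch-management export.
ENDPOINTS = [
    {"host": "lt-001", "missing_critical": [], "av_installed": True},
    {"host": "lt-002", "missing_critical": ["KB-1"], "av_installed": True},
    {"host": "lt-003", "missing_critical": [], "av_installed": False},
    {"host": "lt-004", "missing_critical": ["KB-1", "KB-2"], "av_installed": True},
]

# Assumed reporting date and remediation targets (days) per severity.
AS_OF = date(2017, 3, 31)
SLA_DAYS = {"High": 30, "Medium": 60, "Low": 90}


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def pct_applications_scanned():
    return pct(sum(1 for a in APPLICATIONS if a in SCANNED_APPS), len(APPLICATIONS))


def vulnerabilities_by_severity():
    """Share of all findings in each severity band."""
    counts = Counter(f["severity"] for f in FINDINGS)
    return {sev: pct(counts[sev], len(FINDINGS)) for sev in ("High", "Medium", "Low")}


def finding_status():
    """Closed vs. open counts behind the status tile."""
    closed = sum(1 for f in FINDINGS if f["closed"] is not None)
    return {"closed": closed, "open": len(FINDINGS) - closed}


def age_days(finding, as_of=AS_OF):
    """Days from opening to closure, or to the reporting date if still open."""
    return ((finding["closed"] or as_of) - finding["opened"]).days


def time_to_remediate(as_of=AS_OF):
    """Mean days to remediate per severity. Open findings are counted at their
    current age so a stale High cannot drop out of the metric."""
    ages = {}
    for f in FINDINGS:
        ages.setdefault(f["severity"], []).append(age_days(f, as_of))
    return {sev: round(sum(v) / len(v), 1) for sev, v in ages.items()}


def sla_breaches(as_of=AS_OF):
    """Findings whose remediation time exceeds the assumed SLA for their severity."""
    return [(f["app"], f["severity"], age_days(f, as_of))
            for f in FINDINGS if age_days(f, as_of) > SLA_DAYS[f["severity"]]]


def pct_endpoints_missing_critical():
    return pct(sum(1 for e in ENDPOINTS if e["missing_critical"]), len(ENDPOINTS))


def pct_endpoints_with_av():
    return pct(sum(1 for e in ENDPOINTS if e["av_installed"]), len(ENDPOINTS))


if __name__ == "__main__":
    print("% applications scanned:", pct_applications_scanned())
    print("% vulnerabilities by severity:", vulnerabilities_by_severity())
    print("finding status:", finding_status())
    print("mean days to remediate:", time_to_remediate())
    print("SLA breaches:", sla_breaches())
    print("% endpoints missing critical patches:", pct_endpoints_missing_critical())
    print("% endpoints with AV:", pct_endpoints_with_av())
```

The one design choice worth noting is in `time_to_remediate`: an open finding is counted at its current age rather than excluded, otherwise the metric improves simply by never closing the worst items. The `sla_breaches` view is the list a remediation owner would be asked about when the aggregate number moves.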
Reporting by stakeholders

How do I tell the story?

Align with business goals
- Facts that matter! Which numbers have gone up? Which numbers have gone down?
  [Chart: Q1 vs. Q2 comparison by severity (High, Medium, Low); sample values 58% vs. 23%, 39% vs. 45%, 58% vs. 23%]

Demonstrate ROI on IT investments
- Reduction in compliance failures
- Operational redundancies
- Investment vs. savings
- % customer satisfaction

Do it again!
- Focused metrics

Provide holistic trends in cyber security risks
- Data leakage, vendor risk, insider threat, malware [chart: sample counts 5, 7, 2, 9]
- Vulnerabilities remediated
Metrics Program and Technology Enablement
Common Challenges

Across people, process and technology:
− Lack of capability to gather, collect or analyze data
− Manually producing metrics is too time consuming
− Not all historical data is usable, and cleanup is expensive
− No business context
− Lack of awareness
− Poor delivery
− Arbitrary “thresholds”
− No clear requirements
− Too many metrics
Key components of an ISMP

Scope and Coverage: Areas of measurement within the program. This includes domains (e.g., Endpoint Security, Threat Management) and the relevant metrics within each domain.

Extraction and Collection: Collecting raw metrics data from identified data sources or source systems in order to calculate metrics.

Measurement and Analysis: Calculating metrics from raw metrics data and analyzing the results using thresholds, weighting, targets, trending, etc.

Presentation and Reporting: Organizing metrics results into visually appealing and intuitive reports at each stakeholder level. Examples include a management-level memo, a program-level scorecard and an operational-level dashboard.

Governance and Ongoing Maintenance: Roles and responsibilities, with supporting processes, needed to operationalize the program and keep it relevant over time.
Building an information security metrics program

Maturity progresses from non-existent to mature across three phases:

Strategy and Design
- Define strategy
- Design
- Build roadmap

Implementation (Manual)
- Develop metrics
- Phased rollout
- Operationalize

Implementation (Enhanced)
- Automate
- Full rollout
- Data & analytics
Enhancement opportunities

Aggregate Score by Domain
• Metrics will be aggregated into domains (e.g. Incident Management, Mobile Security, etc.)
• An aggregated score will be provided for each domain using simple, yet specific formulae

Weighted Metrics
• Metrics will be weighted based on their importance to the assets they apply to (e.g. critical application vs. non-critical application) to help with prioritization of metrics
• Thresholds and tolerance levels will help analyze whether the measured or calculated value of each metric is tracking risks as well as performance objectives

Risk & Control Mapping
• Risks will be mapped to each domain so that the user can decide on appropriate actions based on the types of risk exposure
• Relevant controls will be mapped to each domain to give the user the ability to devise an initial remediation strategy and action

Dimensions
• Each metric report can be dimensionalized (filtered), through relationships, so that the user can come in from a different viewpoint (e.g. Segment, Region, Country, Business Unit, Sub BU, Data Center, Data Center Supplier, IT Area, Stakeholder, CISO)
• Users will be able to view trends for each metric and compare against other related metrics

Drill Down Capability
• Users will have the ability to drill down into each domain to see individual metric reports and other detailed information (e.g. server name, stakeholder, etc.)
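The "Measurement and Analysis" component (thresholds, weighting, targets, trending) and the enhancement opportunities above (aggregate score by domain, weighted metrics, dimensions, drill-down) are easier to reason about with a concrete scoring pass. The Python below is an added example, not code from the KPMG deck or any KPMG tool: the metric catalogue, weights, targets, the attainment formula, the Green/Amber/Red tolerance levels and the quarterly sample results are all constructed assumptions, chosen only to show how the pieces fit together.

```python
"""Weighted domain scores with thresholds, trending and dimension filtering.

Added illustration, not code from the KPMG deck: the metric definitions,
weights, targets, scoring formula, RAG thresholds and sample results are
all constructed assumptions.
"""

# Assumed metric catalogue: the domain each metric rolls up to, its weight
# within that domain, its direction, and the target it is measured against.
METRIC_DEFS = {
    "pct_endpoints_missing_critical_patches": {
        "domain": "Endpoint Security", "weight": 3, "higher_is_better": False, "target": 5.0},
    "pct_endpoints_with_av": {
        "domain": "Endpoint Security", "weight": 2, "higher_is_better": True, "target": 98.0},
    "mean_days_to_resolve_incident": {
        "domain": "Incident Management", "weight": 3, "higher_is_better": False, "target": 10.0},
    "pct_vendors_risk_assessed": {
        "domain": "Vendor Security Operations", "weight": 1, "higher_is_better": True, "target": 90.0},
}

# Constructed metric results: (metric, region, business unit, quarter, value).
RESULTS = [
    ("pct_endpoints_missing_critical_patches", "EMEA", "Retail", "Q1", 12.0),
    ("pct_endpoints_missing_critical_patches", "EMEA", "Retail", "Q2", 8.0),
    ("pct_endpoints_missing_critical_patches", "AMER", "Retail", "Q1", 20.0),
    ("pct_endpoints_missing_critical_patches", "AMER", "Retail", "Q2", 25.0),
    ("pct_endpoints_with_av", "EMEA", "Retail", "Q1", 95.0),
    ("pct_endpoints_with_av", "EMEA", "Retail", "Q2", 99.0),
    ("pct_endpoints_with_av", "AMER", "Retail", "Q1", 90.0),
    ("pct_endpoints_with_av", "AMER", "Retail", "Q2", 92.0),
    ("mean_days_to_resolve_incident", "EMEA", "Retail", "Q1", 14.0),
    ("mean_days_to_resolve_incident", "EMEA", "Retail", "Q2", 9.0),
    ("pct_vendors_risk_assessed", "EMEA", "Retail", "Q1", 60.0),
    ("pct_vendors_risk_assessed", "EMEA", "Retail", "Q2", 75.0),
]

# Assumed tolerance levels for the aggregate domain score.
GREEN_AT, AMBER_AT = 90.0, 70.0


def attainment(metric, value):
    """Target attainment on a 0-100 scale, capped at 100. Lower-is-better
    metrics invert the ratio so both kinds can be averaged together."""
    d = METRIC_DEFS[metric]
    if d["higher_is_better"]:
        ratio = value / d["target"] if d["target"] else 1.0
    else:
        ratio = d["target"] / value if value else 1.0  # a value of 0 is fully attained
    return min(ratio, 1.0) * 100.0


def rag(score):
    """Map a score onto the assumed Green / Amber / Red thresholds."""
    if score >= GREEN_AT:
        return "Green"
    return "Amber" if score >= AMBER_AT else "Red"


def select(quarter, region=None, business_unit=None):
    """Dimension filter: the same metric set seen from a region or BU viewpoint."""
    return [r for r in RESULTS if r[3] == quarter
            and (region is None or r[1] == region)
            and (business_unit is None or r[2] == business_unit)]


def metric_values(rows):
    """Collapse the selected slice to one value per metric by simple mean
    (a real program would weight by the asset count behind each row)."""
    acc = {}
    for metric, _region, _bu, _quarter, value in rows:
        acc.setdefault(metric, []).append(value)
    return {m: sum(v) / len(v) for m, v in acc.items()}


def domain_scores(quarter, region=None, business_unit=None):
    """Weighted mean attainment per domain, with RAG status and the per-metric
    detail a drill-down would show."""
    per_domain = {}
    for metric, value in metric_values(select(quarter, region, business_unit)).items():
        d = METRIC_DEFS[metric]
        per_domain.setdefault(d["domain"], []).append(
            (metric, value, d["weight"], attainment(metric, value)))
    out = {}
    for domain, rows in per_domain.items():
        total_weight = sum(w for _, _, w, _ in rows)
        score = round(sum(w * a for _, _, w, a in rows) / total_weight, 1)
        out[domain] = {
            "score": score,
            "status": rag(score),
            "metrics": {m: {"value": v, "attainment": round(a, 1)} for m, v, _, a in rows},
        }
    return out


def trend(domain, region=None, business_unit=None):
    """Quarter-over-quarter movement of one domain score: the 'which numbers
    went up or down' view for the executive summary."""
    q1 = domain_scores("Q1", region, business_unit)[domain]["score"]
    q2 = domain_scores("Q2", region, business_unit)[domain]["score"]
    return {"Q1": q1, "Q2": q2, "delta": round(q2 - q1, 1)}


if __name__ == "__main__":
    for region in (None, "EMEA", "AMER"):
        print(region or "All regions", domain_scores("Q2", region=region))
    print("Endpoint Security trend, EMEA:", trend("Endpoint Security", region="EMEA"))
```

Two things the sample data is built to show. First, the weight matters: the EMEA endpoint score sits in Amber for Q2 because the heavier-weighted patching metric is still well off target even though AV coverage is fully attained. Second, dimensions change the story: the same quarter scores Red when viewed across all regions, because AMER's patch backlog is pulling the unfiltered mean down, which is exactly the drill-down a board reader would need to see before acting on the aggregate number.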
Do’s and Don’ts
― Define scope of existing risk reporting activities
― Manage cyber risk within the organizational context
― Align correlations to business objectives and risks
― Focus on key metrics
― Establish a structured cyber risk reporting capability
― Rationalize processes and frameworks to enable prioritization and decision making
― Differentiate governance versus operational roles and responsibilities
― Ensure board level awareness of key cyber risk and compliance issues

Lessons learned: sustainability, scalability, ownership & accountability, single view of risk
– Build a culture of continuous improvement
– Design process and capabilities (process and tools) to mature over time
– Rationalize frameworks (simplify and integrate)
– Leverage automation to support operational enablement
Considerations for implementing an ISMP

As with any capability added to an organization, there are several cost considerations to account for; the actual cost will depend on the scope of the ISMP.

People
– Additional resources need to be hired, or current resources need their responsibilities reprioritized, to support operationalizing the ISMP
– Raw data owners need to allocate time to support collection of metrics data

Process
– Metrics collection, report development, ISMP ongoing maintenance and training processes need to be developed and executed once the ISMP is operational
– Additional processes to extract data may need to be defined
– Gather “contextual data” for metrics (e.g., thresholds, dimensions)

Technology
– Technical implementation of processes to extract data
– “Big Security Data”
– Initial investment in a metrics solution for automated aggregation, reporting and analytics
Thank you
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity and the views presented herein are those of the presenter. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia