Page 1

S1: Cyber Security implementation core issues in Financial Institutions: Addressing Governance, Risk, and Compliance (GRC) imperatives based on NIST Framework (CSF) and COBIT 5

Sep 27, 2017


Page 2

Agenda

1. Introduction
2. Financial Institutions Industry Challenges
3. Common CyberSec Concerns
4. 7D H2O Analogy
5. Cyber Risk Culture
6. NIST Cyber Security Framework
7. COBIT 5: One Complete Business Framework
8. C5: Risk Perspectives – Function & Management
9. Applying NIST CSF ID.GRC using COBIT
10. Conclusion & Takeaway

2 Daoud Abu-Joudom S1 Presentation Sep 27/28 2017

Page 3


Introduction

Page 4

Financial Institutions Industry Challenges

1. Competition tough / Clients expectations (Net services) high

2. Technology Risks -> ultimately Business Risks

3. Never closed Env. anymore, Web Services -> Security issues

4. FIs need to address Regulatory Requirements/Compliance on timely basis, Central Banks, PCI,.. -> $$$ Fines?

5. Enabling security Technologies (IDS, MSS) are just tools/services - require specialized staff, processes, internal/application controls

6. Risky Projects (IT, BPO) if not well managed - Need to address IT/Projects risks, Regtech -> Reputational risks

7. Projects/services provided by 3Ps (third parties) expose risks to be managed

8. Need comprehensive InfoSec/IT/OPS Policies & procedures

9. Systems, business processes, decision making processes, CRM require formalized GRC Processes

GRC=everyone is doing, BUT! … SILOs, & not institutionalized


Page 5

Common CyberSec Concerns

1. Cyber Threats are becoming very critical for ORGs - investing in expensive security Technologies & Services?

2. To what level are we realizing benefits of our investments?

3. Are SEC Technologies just tools -> work by themselves ?

4. Are we hiring & training specialized staff to implement InfoSec?

5. Huge investments -> Are we really becoming immune to Cyber Threats?

6. Do we still believe it is an IT Issue?

7. Or do we holistically address InfoSec programs at Board & Management Levels? – Do they have sufficient assurance?

8. Are we truly formalizing right Governance, Risk, and Compliance (GRC) processes? – Is ERM in strategy setting?

9. Well, what about Security Risk Culture – would that be one CSF for InfoSec Program implementations?


Page 6

Cyber Risk Culture Home 2 Office (H2O)

7D: Daddy, Doctor, Defend, Drive, Dealer, Direct, Devote

Family Man (home) -> Risk Manager (office): Zealous, Vigilant

Story: Richard F. Chambers, IIA

Page 7

Cyber Risk Culture Home 2 Office (H2O)

(Diagram: Compliance, Regulations, Risk Culture)

Page 8

1. Culture is the keystone that holds things together
2. Providing a source of strength or weakness for the ORG
3. Actionable risk culture helps balance the inevitable tension between:
   (a) Creating enterprise value through strategy & driving performance vs.
   (b) Protecting enterprise value through risk appetite & managing risk
4. In effect, it balances the push between strategy and risk appetite.

Board of Directors/Management Roles in Promoting Positive risk culture

Source : Establishing-and-Nurturing-an-Effective-Risk-Culture-Protiviti


Page 9

Structure of NIST Cyber Security Framework

The NIST Cyber Security Framework (CSF) is a risk-based, iterative approach to adopting a more vigilant cyber security posture in the public and private domains.

(Diagram: CSF Core)

Page 10

Functions of NIST CSF Core V 1.0 (2014)

Draft V 1.1 (2017) adds Supply Chain Risk Management (ID.SC)

V1.1 draft comments assessed; measurement standards still debated.

Page 11

COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT

A business framework from ISACA, at www.isaca.org/cobit

Evolution of scope:
1. COBIT1 (1996): Audit
2. COBIT2 (1998): Control
3. COBIT3 (2000): Management
4. COBIT4.0/4.1 (2005/7): IT Governance
5. COBIT 5 (2012): Governance of Enterprise IT, also covering Val IT 2.0 (2008) and Risk IT (2009)

© 2012 ISACA® All rights reserved.

Page 12

COBIT 5 Structure


Page 13

C5: Risk Perspectives

The risk function perspective describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers.

The risk management perspective looks at core risk governance and risk management processes and risk scenarios. This perspective describes how risk can be mitigated by using COBIT 5 enablers.


Page 14

Risk Function Perspective

C5 for Risk defines seven risk principles, which:
1. Provide a systematic, timely and structured approach to RM
2. Contribute to consistent, comparable and reliable results
3. Influence decision making within an enterprise

Risk principles formalize & standardize policy implementation, both the core IT risk policy & supporting policies, e.g., InfoSec policy, BCM policy. Policies provide more detailed guidance on how to put principles into practice.


Page 15

Risk Management Perspective

EDM03 Ensure Risk Optimization

Understanding, articulation & communication of enterprise risk appetite & tolerance ensures identification & management of risk to enterprise value related to IT use & its impact.

The goals of this process are to:
1. Define & communicate risk thresholds & make sure key IT-related risk is known.
2. Effectively & efficiently manage critical IT-related enterprise risk.
3. Ensure IT-related enterprise risk does not exceed risk appetite.

APO12 Manage Risk

Continuous identification, assessment & reduction of IT-related risk within levels of tolerance set by enterprise management.

Management of IT-related enterprise risk should be integrated with overall ERM. Costs & benefits of managing IT-related enterprise risk should be balanced by:
1. Collecting appropriate data & analyzing risk
2. Maintaining the risk profile of the enterprise & articulating risk
3. Defining the risk management action portfolio & responding to risk

Page 16

C5 - Risk Management Processes


Page 17

Applying NIST CSF ID.GRC using COBIT

CSF Identify Function:
1. Business Environment (ID.BE)
2. Governance (ID.GV)
3. Risk Assessment (ID.RA)
4. Risk Management Strategy (ID.RM)

C5 is a framework to manage all the frameworks/standards that the CSF lists as references.

Page 18

CSF Business Environment (ID.BE): The ORG's mission, objectives, stakeholders, & activities are understood and prioritized -> inform cyber security roles, responsibilities, & risk management decisions.

ID.BE-3: Priorities for ORG mission, objectives, & activities are established & communicated

C5 processes:
1. APO02 Manage Strategy
2. APO03 Manage Enterprise Architecture

Implementation items:
1. Establish comprehensive Policies & Procedures / coverage & compliance
2. Assess/think of Risk Culture elements
3. Implement formal Security Awareness programs -> assess progress
4. Define/assess risky business processes: BIA, RA
5. Manage regulatory/industry requirements: formal process / monitor
6. Manage 3rd parties & stakeholders/users -> effective communication

Specific C5 Management Practices to be posted

Page 19

Governance (ID.GV): Policies, procedures, and processes to manage & monitor the organization’s regulatory, legal, risk, environmental, & operational requirements are understood & inform the management of cyber security risk.

CSF subcategories:
1. ID.GV-1: Organizational information security policy is established
2. ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
3. ID.GV-3: Legal and regulatory requirements regarding cyber security, including privacy and civil liberties obligations, are understood and managed
4. ID.GV-4: Governance & risk management processes address Cyber Sec risks

C5 processes:
1. EDM01 Ensure Governance Framework Setting and Maintenance
2. EDM03 Ensure Risk Optimization
3. APO01 Manage the IT Management Framework
4. APO13 Manage Security
5. DSS06 Manage Business Process Controls
6. DSS04 Manage Continuity
7. MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Page 20

Governance (ID.GV): Policies, procedures, and processes to manage & monitor the organization’s regulatory, legal, risk, environmental, & operational requirements are understood & inform the management of cyber security risk.

Implementation items:
1. InfoSec Roles & Responsibilities
2. Authorities & Accountability defined, coordinated & aligned with internal roles & external partners
3. CyberSec Regulatory Compliance understood & managed
4. CyberSec program is mapped (plan vs. results) -> monitor and review changes
5. InfoSec Program Compliance monitored
6. Governance & Risk Management processes in place / Board oversight assured, governance system monitored
7. Risk Management Process established – maintain Risk Profiles – IA & ORG

Page 21

Risk Assessment (ID.RA): The organization understands the cyber security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

CSF subcategories:
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, & impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

C5 processes:
1. APO12 Manage Risk
2. APO13 Manage Security

Implementation items:
1. Cyber Sec Governance – systems, structure, policies & procedures, & decision making & authorities
2. Risk Management Processes
3. Risk Profile established
4. IA issues -> Internal Controls defined, implementation tracked
5. Business Impact Analysis (BIA) conducted
6. BCM/DRP established and managed

Specific C5 Management Practices to be posted

Page 22

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

CSF subcategories:
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

C5 processes:
1. EDM03 Ensure Risk Optimization
2. APO04 Manage Innovation
3. APO12 Manage Risk
4. APO13 Manage Security
5. BAI02 Manage Requirements Definition
6. BAI04 Manage Availability and Capacity

Page 23

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Implementation items:
1. Risk management processes well defined – embed in Policies & Procedures
2. NEVER allow SILOs – define all organizational charters, roles & responsibilities among all functions (RM, IT, OPS, Legal, Business)
3. Risk Profiles maintained, Internal Controls, Mitigation Plans tracking
4. Risk treatment, Risk Acceptance, based on Risk Appetite
5. Internal/Application Controls, addressing IA issues (could be serious)
6. Organizational risk tolerance
7. Define & apply effective KRI, dashboard reporting, and monitor
8. Ensure risks are reassessed – controls designed & implemented

Page 24

Conclusion & Takeaway

1. Every business has an InfoSec and CyberSec risk.
2. “Can this happen to us?” Sadly, the answer remains “yes,” as CyberSec risk can never fully be removed.
3. BoD/ORG should assess CyberSec risk on a regular or event-driven basis -> after any incident or security event.
4. A successful compromise is the result of either a lack of adequate controls or a control failure -> indicates risk was not assessed accurately & must be reassessed.
5. However, corporate boards can create a culture of security to mitigate risk & better protect their ORG's critical infrastructure, data systems & reputation.
6. BoD/Management can no longer be content in solely hearing about metrics, resources, and compliance when evaluating corporate success.
7. Increase board awareness -> the CISO must proactively engage the board on issues of data confidentiality, integrity, and availability.
8. Recent ransomware, DoS, phishing & other malware attacks are calling for BoD/Management to ask difficult questions about their ORG risk.

* Main points from CSO Online articles included

Page 25

Conclusion & Takeaway

1. Once the ORG has defined its corporate risks & identified its security expectations, compliance should be met at all levels of the ORG
2. Opportunities for risk mitigation -> InfoSec strategy
3. InfoSec Governance is a subset of CG -> provides strategic direction for security activities & ensures CyberSec objectives
4. The ORG must mandate development & maintenance of an InfoSec framework that supports & is intrinsically linked with business objectives.
5. Distinction between compliance & security is critical
6. Conduct BIA to determine current & emerging threats?
7. InfoSec should be woven into the fiduciary, oversight & RM purview of the ORG
8. After all, benign neglect, indifference or ignorance will not end well & could result in irreparable reputation and product damage

S2: CyberSec Audit