Goal of the presentation
To share our experience around Security Risk Management
1. Describe our approach around managing Security Risk.
2. Discuss the Risk Dashboard at a high level.
3. Provide some takeaways so that others can learn from our experience.
Our Risk Management Journey
Risk management at large is part of our DNA
2010 – Security established as a standalone department
2014 – CSO dealing with “Security Threat of the Week”
1H 2015 – Initial failure
2H 2015 – CSO transition and ERM reset
2016 to 2017 – Built current security risk program and tools
Our Approach
We did the following:
1. Developed comprehensive, tailored frameworks for Risks and Controls.
2. Performed an enterprise risk assessment.
3. Systematized our logic and analysis.
Risk Framework
Process: Risk Identification → Risk Assessment → Control Mapping → Prioritize and Define Initiatives
Capture potential risks … Analyze and classify those risk scenarios … Build/improve controls that drive down risk

Risk identification (example scenarios):
1 External party takes down systems / causes denial of service
2 External party steals / exfiltrates pending trades
3 Authorized employee misuses knowledge of Top Secret data
4 Employee leaks client information

Risk assessment: each scenario is rated on Likelihood and Impact, each with its own confidence rating (Confidence in Likelihood, Confidence in Impact). These roll up into an Overall Risk and an Overall Confidence, and the scenarios are categorized.

Control mapping and kill chain analysis (kill chain phase: threat → controls):
Recon: Social Engineering → Security Training and Awareness
Infiltrate: Malware / Phishing → Endpoint Protection; Vulnerability/Patch Management
Gain Access: Credential Theft → MFA; Key Management
Execute: Data Exfiltration → DLP; Web Proxies

Prioritize perceived risks and control gaps (scenarios listed in priority order, with Overall Risk and Overall Confidence):
2 External party steals / exfiltrates pending trades
3 Authorized employee misuses knowledge of TS data
1 External party takes down systems
4 Employee leaks client information

Initiatives that address risks: Projects A and B are designed to reduce risks 2 and 3 respectively.
Initiatives that increase confidence: Project C is designed to increase the confidence for a potentially high-impact risk.
Key concepts include: Risk Scenario Identification, Risk Rating & Assessment, Control Mapping and Kill Chain Analysis, Control Prioritization.
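To make the four key concepts concrete, the following is an added example (not the presentation's own tool or dashboard code) of a small risk register that rates scenarios, maps the deck's kill-chain controls onto each scenario's attack path, ranks perceived risk and surfaces control gaps. The 1–5 scales, the product formula for Overall Risk, the min() rule for Overall Confidence, the thresholds in `confidence_initiatives`, the set of implemented controls and all the numeric ratings are assumptions chosen for illustration; the deck does not publish its scoring rules.

```python
"""Toy security risk register: rating, kill-chain control mapping, prioritization.

Added illustration, not the presentation's risk tool. Scales, formulas,
thresholds and ratings below are assumptions made for this example.
"""
from dataclasses import dataclass

# Kill-chain phases and the controls the deck maps to each phase.
KILL_CHAIN = ["Recon", "Infiltrate", "Gain Access", "Execute"]
CONTROLS_BY_PHASE = {
    "Recon": {"Security Training and Awareness"},
    "Infiltrate": {"Endpoint Protection", "Vuln/Patch Mgmt"},
    "Gain Access": {"MFA", "Key Mgmt"},
    "Execute": {"DLP", "Web Proxies"},
}


@dataclass
class RiskScenario:
    rid: int
    description: str
    likelihood: int        # 1 (rare) .. 5 (expected)          - assumed scale
    impact: int            # 1 (negligible) .. 5 (severe)      - assumed scale
    conf_likelihood: int   # 1 (guess) .. 5 (evidence-backed)  - assumed scale
    conf_impact: int
    phases: list           # kill-chain phases the attack path must traverse

    def overall_risk(self) -> int:
        # Assumed formula: likelihood x impact (max 25).
        return self.likelihood * self.impact

    def overall_confidence(self) -> int:
        # Assumed rule: a rating is only as trustworthy as its weakest input.
        return min(self.conf_likelihood, self.conf_impact)


def control_gaps(scenario: RiskScenario, implemented: set) -> list:
    """Phases on this scenario's path where none of the mapped controls is implemented."""
    return [p for p in scenario.phases if not (CONTROLS_BY_PHASE[p] & implemented)]


def prioritize(scenarios: list) -> list:
    """Highest Overall Risk first; among equal risk, the less confident rating first,
    because a poorly understood high risk also deserves attention. rid breaks remaining ties."""
    return sorted(scenarios, key=lambda s: (-s.overall_risk(), s.overall_confidence(), s.rid))


def confidence_initiatives(scenarios: list, impact_threshold: int = 4, conf_threshold: int = 2) -> list:
    """High-impact scenarios whose rating is weakly supported: candidates for an initiative
    that increases confidence (like Project C) rather than one that reduces risk."""
    return [s for s in scenarios
            if s.impact >= impact_threshold and s.overall_confidence() <= conf_threshold]


# Constructed register using the four scenarios named on the slide; ratings are invented.
REGISTER = [
    RiskScenario(1, "External party takes down systems / causes denial of service",
                 3, 3, 4, 4, ["Recon", "Infiltrate", "Execute"]),
    RiskScenario(2, "External party steals / exfiltrates pending trades",
                 3, 5, 3, 4, list(KILL_CHAIN)),
    RiskScenario(3, "Authorized employee misuses knowledge of Top Secret data",
                 2, 5, 2, 3, ["Gain Access", "Execute"]),
    RiskScenario(4, "Employee leaks client information",
                 2, 4, 4, 2, ["Execute"]),
]

# Assumed set of controls currently in place.
IMPLEMENTED = {"Security Training and Awareness", "MFA", "DLP"}

if __name__ == "__main__":
    print(f"{'ID':>2}  {'Risk':>4}  {'Conf':>4}  Gaps            Scenario")
    for s in prioritize(REGISTER):
        gaps = ", ".join(control_gaps(s, IMPLEMENTED)) or "-"
        print(f"{s.rid:>2}  {s.overall_risk():>4}  {s.overall_confidence():>4}  {gaps:<15} {s.description}")
    print("Confidence initiatives:", [s.rid for s in confidence_initiatives(REGISTER)])
```

With the constructed ratings the ranking reproduces the deck's order (2, 3, 1, 4), scenarios 1 and 2 show an Infiltrate gap because no endpoint or patch control is in the implemented set, and scenarios 3 and 4 surface as candidates for a confidence-raising initiative rather than a risk-reducing one.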
Security Control Framework (1)
ID Control Family
Management
1 Security Strategy
2 Risk Management
3 Policy & Standards
4 Audit
Operational
5 Staff Security
6 Physical Security
7 Security Culture & Training
8 Supply Chain
9 Business Continuity Management
10 Threat Intelligence
11 Information Sharing and Communications
12 Incident Response
Technology
13 Monitoring
14 Network Security
15 Compute Security
16 Vulnerability & Patch Management
17 Asset and Configuration Management
18 Identity and Access Management
19 Data Protection
20 Secure System Development

Customized taxonomy used to categorize our controls, from high level to specific:
Control Family: high level grouping/program of security controls
Control Objectives: purpose/aim of controls being implemented across the organization
Control Requirements: specific requirements that must be met in order to achieve higher level control objectives
Control Solutions: specific technologies, processes, and tools that are implemented in order to support security objectives and requirements
(1) The Security Control Framework has been developed using a number of industry standards and references for security controls, including NIST, COBIT, ISO, and CIS/SANS.
Enterprise Risk Assessment
1. Captured department risks with Security SMEs.
2. Conducted Risk Workshops with DH.
Key to Success
• Get buy-in from the business
• Keep it simple and interactive
• Establish clear rules of the road
• Cut off debate
Benefit to the Organization
1. Risk framework is now the foundation of our enterprise security strategy.
2. The Risk Dashboard is the core of our security reporting and presentations to the CEOs and Board.
3. Interactive dashboards are also available to departments.
4. Security has become a “center of excellence.”