Risk Management: How to Comply with Everything
July 11, 2013

Introduction
• Chris Cronin
– Principal Consultant, Halock Security Labs
– GCIH, ISO 27001 Auditor
– Recent GSNA Gold
– 15+ years experience in IT operations, audit, consulting and incident response

What You Will Learn
• Finding the Investment Sweet Spot – How much security does the organization really need?
• On Common Ground – Meeting the agendas of the Executive Suite
• Ease Their Pain – Conflict-free audits
• Ask and You Shall Receive – Bullet-proof risk treatment planning & approvals
• How to Comply with Everything – Why risk management is the compliance keystone

Presentation Layout
• What is risk management?
• Who benefits?
• How to bust the myths.

What is Risk Management?
• Asset
• Control
• Vulnerability
• Threat
• Likelihood
• Impact to Your Mission
• Risk – Risk = Likelihood x Impact

Risk Treatment

The Risk Register

What Risk Management Isn’t
• Gap Assessment
• What Keeps You Up At Night?
• Predicting the Future

What Risk Management Is

Risk Management in Regulations
• HIPAA Security Rule
– “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...”
– “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
– “Security measures implemented to comply with standards and implementation specifications …must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI]”

Risk Management in Regulations
• Massachusetts 201 CMR 17.00
– “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program”
– “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…”
– “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

Components of Risk Management
• Assessment
• Oversight
• Identify Risks
• Propose Controls
• Implement Controls
• Test Effectiveness
• Improve Ineffective Controls

Information Risk Management: The Standard of Care
• Required by laws and regulations
– SOX (Audit Standard 5)
– HIPAA Security Rule / Meaningful Use
– Massachusetts 201 CMR 17.00
– Gramm-Leach-Bliley
– FISMA
– Federal Trade Commission Rulings

Information Risk Management: The Standard of Care
• Required by security standards
– PCI DSS 2.0
– ISO 27001 / ISO 27002
– CobiT
– NIST Special Publications

Who is Benefiting from Risk Management?

A Real-Life Case Study
• An organization that needed to improve their information compliance and security program
• Multiple roles that each had something at stake
• Multiple regulations apply to them

Whose Jobs are Getting Easier With Risk Management?
• Chief Financial Officer
• Auditor
• Chief Information Security Officer
• General Counsel
• Chief Information Officer
• IT Staff

Their Risk Register
Their Risk Calculations
• Risk = Likelihood x Impact
• Likelihood values: 1-5
• Impact values: 1-5
• Risk rating range: 1-25
• Acceptable Risk = Below 8
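As an added worked example (not from the deck), the 5x5 scoring model above applied to a small risk register built from the three lesson scenarios that follow: the likelihood, impact, proposed controls and residual scores are constructed assumptions, and any entry rated 8 or above is flagged for treatment.

```python
from dataclasses import dataclass
from typing import List, Optional

# Deck's model: Risk = Likelihood x Impact, each scored 1-5 (rating 1-25);
# a rating below 8 is acceptable, so 8 or more needs treatment.
ACCEPTABLE_BELOW = 8
SCALE = range(1, 6)

def score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact; rejects values off the 1-5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must both be 1-5")
    return likelihood * impact

@dataclass
class RiskEntry:
    asset: str
    threat: str                          # what could go wrong
    likelihood: int
    impact: int
    control: str = ""                    # proposed risk treatment
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def risk(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual_risk(self) -> int:
        """Rating expected once the proposed control is in place."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return score(lk, im)

def needs_treatment(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries at or above the threshold, highest risk first."""
    return sorted((e for e in register if e.risk >= ACCEPTABLE_BELOW),
                  key=lambda e: e.risk, reverse=True)

def still_open(register: List[RiskEntry]) -> List[str]:
    """Assets whose residual risk is still unacceptable after treatment."""
    return [e.asset for e in register if e.residual_risk >= ACCEPTABLE_BELOW]

# Constructed register from the deck's three lesson scenarios; scores and controls are illustrative.
REGISTER = [
    RiskEntry("End-user workstations", "identical local admin passwords allow pass-the-hash",
              4, 4, "unique local admin password per machine", 1, 4),
    RiskEntry("Web applications", "insecure coding practices leave applications vulnerable",
              3, 4, "secure coding standard plus code review", 2, 3),
    RiskEntry("Remote access", "soft tokens used for two-factor instead of hard tokens", 2, 3),
]
```

With these constructed scores the token entry already sits below the threshold, which is the kind of evidence a risk register gives a CIO when an auditor asks for a stronger control than the risk warrants.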

Lesson 1: Finding the Investment Sweet Spot
• Risk:
– Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach.
• Roles:
– CIO: Needs to balance business and compliance requirements
– IT Staff: Need an easy way to support desktops
– CISO: Needs to be sure requirements are met
– General Counsel: Needs to balance business and compliance while addressing liability

Lesson 1: “Pass-the-Hash” Risk

Finding the Sweet Spot
37 37
Lesson 2: Finding Common Ground
• Risk:– Lack of secure web application coding practices have
created vulnerable applications.
• Roles:– CIO: Needs to balance demands for new secure
applications with many other demands– CFO: Needs controlled applications for financial
reporting. Needs to control costs.– CISO: Needs to be sure requirements are met– General Counsel: Needs to balance business and
compliance while addressing liability

Lesson 2: Unsecured Applications Risk

Lesson 3: Ease Their Pain
• Risk:
– Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication.
• Roles:
– Auditor: Needs to demonstrate whether controls are met (while maintaining independence)
– CIO: Needs to respond truthfully to auditor (while balancing business with compliance)
– CISO: Needs to ensure compliance

Lesson 3: Two-Factor Token Risk

Lesson 4: Ask and You Shall Receive
If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.

Lesson 5: How to Comply with Everything

How to Bust Risk Assessment Myths

“We need actuarial tables”
Actuarial tables are not used for risk assessments! Information risk assessments are standard, straightforward processes. They require no statistical skills.

“We can’t predict the future”
Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.

“Risk assessments take too much time”
Because risk assessments help determine reasonable control levels, less time and cost are invested to get compliant.
Risk management reduces liability even before full compliance is met.

“Reasonable means ‘what our competitors do.’”
You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis.

“We can never agree on asset values”
Risk assessment methodologies often state the need to assess the asset value. That is often more difficult than what you need. Try assessing the impact instead.

“We did a gap assessment. That’s good enough”
Your first gap will be “We didn’t conduct a risk assessment.” Risk assessments are the standard of care for laws, regulations and information security standards.