Top Ten Trends in TRM
Transcript of Top Ten Trends in TRM
@NTXISSA
Top 10 Trends in TRM
Jon Murphy, CISSP, CBCP, NSA-IAM/IEM, ITILv3, CHS-V, MBA
National Practice Lead, TRM Consulting & Services, Alexander Open Systems (AOS)
April 24, 2015
Disclaimer
All thoughts and opinions expressed in this presentation, or by Jon Murphy directly, are his own and should NOT be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.
Some material contained herein was obtained and is used with the express written permission of AOS, and other organizations and MAY NOT be used or reproduced in any way without each of these parties’ express written consent in advance.
Overview
• What is TRM
• The Top Ten Trends
• Why You Need IT
• Where Are You
• Conceptual Solutions
• What The Future May Hold
• More Resources
• Q & A
Why Technology Risk Management (TRM)
• TRM includes:
  • IT Sec
  • BC/DR
  • Governance & Compliance
• Exponential Growth of Threats
  • D&D Insiders
  • Outside Hackers (Commercial, Organized Crime, State Sponsored)
  • Competitor Espionage
• Continuously Growing Regulations & Requirements
  • Increases are a mandatory cost of doing business
  • FFIEC, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc.
  • Volume reduction, fines, and jail time for failure to comply
  • Cost of a data breach up 23% - as much as $20,000 a day
• Ever increasing expectations for “adequate” safeguards by consumers and courts
NTX ISSA Cyber Security Conference – April 24-25, 2015
What’s Your Biggest Exposure?
# 1 Employee Negligence
# 2 Hacking
# 3 Paper
Top Ten Trends
1. Hacks may become data destruction attacks
2. Threat actors are becoming more sophisticated
3. Attacks and resultant legislation will push industry standards around cyber risks and improve threat intelligence information sharing
Top Ten Trends (continued)
4. Predictive threat intelligence analytics are critical
5. Third Party Service Provider Risk Management is becoming an increasingly important concern among firms
6. TRM must become a board-level issue
7. Embracing and adapting to the new “boundless network” is inevitable, and organizations must also invest in training their workforce to properly access and protect corporate data
Top Ten Trends (completed)
8. Identity and Access Management is increasingly a key security control area
9. Cyber benchmarking is imperative
10. TRM is not MERELY a Technology Issue
Why?
• There are at least 5 reasons
Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage the reputation of a competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime – It’s An Epidemic; The Nation’s Top Cop Says So
We Help Clients Progress Their Maturity Level
Technology Risk Management Maturity Model
(Approach runs from TACTICAL at Level 1 to STRATEGIC at Level 4; each level is characterized by its Approach, Scope, and Technology)
Level 1: Threat Defense
• Approach: Security is a “necessary evil”
• Scope: Reactive and de-centralized monitoring
• Technology: Tactical point products
Level 2: Checkboxes and Defense-in-Depth
• Approach: Check-box mentality
• Scope: Collect data needed primarily for compliance
• Technology: Tactical threat defenses enhanced with layered security controls
Level 3: Risk-Based Security
• Approach: Proactive and assessment based
• Scope: Collect data needed to assess risk and detect advanced threats
• Technology: Security tools integrated with a common data and management platform
Level 4: Business-Oriented
• Approach: Security fully embedded in enterprise processes
• Scope: Data fully integrated with business context; drives decision-making
• Technology: Security tools integrated with business tools
Where are we now? Some might say, somewhere in here . . .
Where we want (need?) to be . . .
What concrete steps can you undertake?
Seven action items to start:
1. Get and stay informed
2. Learn the cultural risk appetite
3. Create a risk register and matrix
4. Perform a self assessment
5. Create an incident response plan
6. Add layers to defense in depth
7. Get help
Get & Stay Informed
1. Associations – e.g., ISSA, InfoSec Community on LinkedIn
2. Blogs – e.g., http://www.vogelitlawblog.com/
3. Newsletters – e.g., Info Risk Today
Learn The Cultural Risk Appetite
• The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.
• Set and driven by leadership, both formally and informally. So ask:
1. Has leadership experienced cyber crime personally?
2. Is there an enterprise risk management office?
3. Is security the realm of some lowly network admin in the bowels of the M.I.S. department?
Create a Risk Register & Matrix
1. List all the realistic bad things that could happen
2. Rank them by likelihood (1-Least to 5-Most)
3. Rank them by impact (1-Least to 5-Most)
4. Plot them in a matrix
5. Concentrate on the 5/5s
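As an added example that is not part of the original deck, the five steps above implemented as a small Python risk register: each entry is scored on likelihood and impact (1-5), plotted into a 5x5 matrix, ranked, and the 5/5s pulled out first. The entries in SAMPLE_REGISTER are constructed sample risks, not the speaker's data; the threshold parameters on concentrate_on go slightly beyond the slide by letting you lower the cut-off (say 4/4) when a register has no 5/5s.

```python
"""Risk register and 5x5 likelihood/impact matrix (added example).

Not from the NTX ISSA deck: scores each entry on likelihood (1-5) and
impact (1-5), builds the matrix, ranks the register, and returns the
entries to concentrate on first (the 5/5s).  Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # 1 = least, 5 = most, as on the slide


@dataclass(frozen=True)
class Risk:
    name: str        # the "realistic bad thing"
    likelihood: int  # 1-5
    impact: int      # 1-5

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 scale so the matrix stays well-formed.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{field} must be 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Plot the register: cell (likelihood, impact) -> names of risks in that cell."""
    matrix: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        matrix[(r.likelihood, r.impact)].append(r.name)
    return matrix


def ranked(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then name, so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def concentrate_on(risks: List[Risk], likelihood: int = 5, impact: int = 5) -> List[str]:
    """Names at or above the cut-off cell; the default is the slide's 5/5s."""
    return sorted(r.name for r in risks if r.likelihood >= likelihood and r.impact >= impact)


def render(matrix: Dict[Tuple[int, int], List[str]]) -> str:
    """Text heat map: rows = likelihood 5..1, columns = impact 1..5, cell = count."""
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in SCALE)]
    for l in reversed(SCALE):
        lines.append(f"{l:>3} " + " ".join(f"{len(matrix[(l, i)]):>3}" for i in SCALE))
    return "\n".join(lines)


# Constructed sample register (illustrative only, not from the talk).
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", 5, 5),
    Risk("Unpatched internet-facing server exploited", 4, 5),
    Risk("Laptop with unencrypted data lost", 3, 4),
    Risk("Third-party provider breach exposes our data", 3, 5),
    Risk("Printed records left in shared area", 2, 2),
    Risk("Insider exfiltrates customer list", 2, 5),
    Risk("Ransomware destroys file server", 5, 5),
]

if __name__ == "__main__":
    m = build_matrix(SAMPLE_REGISTER)
    print(render(m))
    print("Concentrate on:", concentrate_on(SAMPLE_REGISTER))
    for r in ranked(SAMPLE_REGISTER):
        print(f"{r.score:>2}  L{r.likelihood}/I{r.impact}  {r.name}")
```

Keep the register itself in version control and re-score it after every self assessment or incident: the matrix is only as good as the last time likelihood and impact were revisited.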
Perform A RVA Self Assessment
• Have the business do it first
• Then involve an IT Pro
• Better yet, involve a risk management Pro
• Use a recognized methodology & tool, e.g., Shared Assessments
Create An Incident Response Plan
1. Use the list from action item 3
2. Either create an overarching plan as a guide to everything on the list, or a plan for each
3. The plan should contain:
  1. Who can invoke the plan
  2. When to invoke the plan
  3. Who does what
  4. Alternate roles & responsibilities
  5. How to do what
  6. What is BAU
4. Don’t forget the post mortem for lessons learned
You can’t run . . . or do this !
The education you’ve undertaken will quickly tell you:
1. Bad guys and insiders are getting more savvy by the day
2. One to three layers of tech defense is the norm (NOT ENOUGH)
3. Technology, process, and people must interact optimally
4. Prepare for the worst and hope for better
5. You need professional expertise
Reasonable Security HW/Systems to Deploy:
• Next Generation Firewalls
• Encryption
• Updated Software Patches
• Complex Passwords
• Multi-factor Authentication
• Device/Appliance Inventory
• Intrusion Prevention/Detection
• Anti-malware
What The Future Holds
Additional Resources
Ponemon Institute – http://www.ponemon.org/
Shared Assessments™ – http://sharedassessments.org/about/
ISO 31000 – http://www.iso.org/iso/catalogue_detail?csnumber=43170
AOS Security Consulting – http://www.aos5.com/security/
Questions?
http://www.aos5.com/security/consulting
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you