
Cyber Security Risk Reduction

Cyber Security Risk Reduction. State of Washington And Washington Transit Insurance Pool. Value for PRIMA Members. Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences Learn how to reduce cyber liability risks in your area of responsibility





Presentation Transcript


  1. Cyber Security Risk Reduction State of Washington And Washington Transit Insurance Pool

  2. Value for PRIMA Members • Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences • Learn how to reduce cyber liability risks in your area of responsibility • Learn about available resources you can use for your cyber risk reduction program PRIMA Seattle Chapter - V1.8

  3. Speakers • Jerry Spears – Washington Transit Insurance Pool • Deputy Director (Claims, IT and Finance) • Doug Selix – State of Washington, Office of Financial Management • IT Security and Disaster Recovery Program Manager • WSTIP Consultant

  4. Agenda • Cyber Liability Overview • State of Washington Cyber Risk Reduction • WSTIP Approach to Cyber Risk Reduction • WSTIP IT Security Review Project Overview • WSTIP Results from IT Security Review Project • How PRIMA Members can use this Information • Q&A

  5. Part 1 Cyber Liability Overview (Jerry Spears, WSTIP)

  6. What is a Cyber Liability? • The concept of Cyber Liability takes into account first- and third-party risks. The risk categories include: • Privacy issues • Impact from a data security breach • Infringement of intellectual property • Malicious attacks you appear to cause or facilitate • Any other serious trouble that may be passed from first to third parties via computing technology such as the Web

  7. Organizational Impacts from Cyber Losses • Costs associated with RCW Required Notification • RCW 42.56.590 Personal information — Notice of security breaches • Cost of recovery and mitigation • ~$200 – Estimated Private Sector cost per record in a data breach (Ponemon Institute 2010 US Cost of a Data Security Breach Report) • Unplanned Cost Impact to budget planning • Loss of Reputation

  8. How Big Is The Problem? • Data Security Breach Information: • www.datalossdb.org • Regulations Are Likely To Increase • Proposed Kerry/McCain ‘‘Commercial Privacy Bill of Rights Act of 2011’’ • Result of frequent high-profile data breach incidents • Result of the perception that IT security controls are weak • Result of dissatisfaction with self-managed IT security • Very prescriptive – this will cost all organizations • Basis for future Cyber Liability Claims

  9. Impacts to Citizens • What happens with Public Organizations that Manage Cyber Liability Poorly? • Citizen Identity Theft – if Personal Data is exposed • Reduced Public Sector Services due to cyber liability costs • Reduced Trust in Institutions and Management Teams • Reduced support to continue funding the current organization

  10. How Do We Manage This Risk Area? • Reduce the Risks? • Accept the Risks? • Transfer the Risk? • The answer is “Yes”, we apply all of these strategies to Cyber Risks.

  11. Approach • Reduce Risk by working to identify things we can improve • Eliminate known vulnerabilities • Mitigate unacceptable risks • Accept risks based on sound risk management principles • Transfer residual risks to Cyber Liability Insurance

  12. Part 2 State of Washington Approach To Cyber Security Risk Reduction (Doug Selix, OFM)

  13. What is “Cyber Security”? • Confidentiality • Protect data defined by law as “Private” • Only allow authorized access to private data • Know the risks to this class of data – leaks bite • Integrity • Ensure data accuracy and authenticity • Availability • Ensure systems operate within expected norms

  14. Cyber Security Risk Basics Threats + Vulnerabilities – Mitigation = Risk • Cyber Security Threats • Attackers, Employees, Errors & Omissions • Cyber Security Vulnerabilities • People, Process, Technology • Cyber Security Mitigation • Risk Based Approach

  15. What is the “Problem”? • Residual Cyber Security Risk is the Problem • Although you cannot eliminate the cyber threat, you can manage Cyber Security Risk

  16. Managing the Risk • A strategic Cyber Security Risk Management Plan is Imperative • Take a Risk Management Approach • Identify Organizational Risk Appetite • Identify Key Information Technology Assets • Organizational Mission, Data, People, Technology • Identify and evaluate IT Security Controls • Identify Residual Risks, make sure they are known • Document Acceptance of Residual Risks • Demand incremental and evolutionary improvements to IT Security Maturity • Establish a “Culture of Security”

  17. IT Security Maturity (figure; source: Microsoft Corp.)

  18. Business Challenge • Improving IT Security is Complex • IT Security is viewed by management as a cost, not an end customer service • The probability of an IT Security event for a single organization is low (but the impact is high) • Decision makers are not comfortable with this subject • IT Security is hard to understand, is never done, and is expensive

  19. Organizational Change Change = Vision + Dissatisfaction + First Step Build a “Culture of Security”

  20. State Approach • Information Services Board (ISB) • Established by RCW • Makes State IT Policy and Sets Standards • Controls Agency Delegated Authority for IT Spend • Can withhold/withdraw for non-compliance • Concerned about Cyber Liability Risks • ISB Established Clear Policy and Standards • Establish Standards (Shall, Must, Do) • Establish Accountability (Process) • Communicate Expectations to Agencies • Establish Verification Process

  21. ISB IT Security Policy • Establishes Clear Expectations • Authorizes the ISB Standards • Directs Agencies on Level of Risk to Accept • Establishes that IT Security is part of Overall IT Architecture • Requires Agencies to Document How they Comply with the IT Security Standards • Makes Agency Heads Accountable • Requires Independent Compliance Audits Every 3 Years

  22. ISB IT Security Standards • Requires Documentation • Personnel Security • Physical and Environment Security • Data Security • Network Security • Access Security • Application Security • Operations Management • Security Monitoring & Logging • Incident Response

  23. Bottom Line • State approach is: • Based on Risk Assessment Approach • Demands Compliance • Verifies Compliance • Aligns with Organization Development • Vision, Dissatisfaction, First Step • Implements Incremental and Evolutionary Improvements • Establishes a “Culture of Security”

  24. Lesson Learned: Most Powerful Weapon • Ask an Executive to Accept the Residual Risk – they don’t like that. • Requires a good Persistent Flashlight: • Persistent Risk Assessments • Document Residual Risks • Document Risk Acceptance

  25. Loss Prevention Results • In the past two years: • No loss of IT Physical Assets due to preventable causes • No significant loss of data requiring agencies to comply with RCW 42.56.590

  26. WSTIP Approach to Cyber Risk Reduction (Jerry Spears, WSTIP)

  27. General Strategy • Adopt the State Approach to fit WSTIP Needs • Use a Subject Matter Expert to Perform an Initial Risk Assessment of member IT environments Based on ISB IT Security Standards • Provide Members with tools and resources to identify, understand, and manage Cyber Risks • Wrap our hands around an emerging exposure that impacts all of us • Help members establish an appropriate “Culture of Security” within their organizations

  28. What Subject Matter Expert? • We contracted with Doug Selix to develop a process and perform member reviews. • OFM Knows and Approves • Supported by OFM Risk Management as a good thing. • Members thought he was a terrific resource – the “Escalade” of IT Security SMEs • Takes a coaching approach to help member staff understand risks he identifies – not an audit • We are not selling anything except best practice

  29. WSTIP Board View • They like this approach to Cyber Loss Prevention • Initial Board Approval in 2007 • Initial Scope Limited to Small Members • Found Lots of Risks • Expanded to Include Medium Size Members • Found More Risk • Provided Aggregate Cyber Risk Data to the Board • Funded line item in the budget from 2008 forward • We have spent $88K to date

  30. WSTIP Member View • Process is credible • No direct cost to the member • Results have value internally and with the WSTIP relationship • Independent 3rd party is offering thoughtful suggestions about their IT infrastructure • Facilitates IT security maturity.

  31. WSTIP IT Security Review Project Overview (Doug Selix, OFM)

  32. Member Profile • Member IT Environment is: • Small IT staff • Most are technically competent with the hardware • Limited IT management and IT Security Skills • Focused on operational needs, not security • Underfunded • The result of years of small unfinished IT projects • Many vendor supplied applications

  33. Step 1: Assessment Process • WSTIP establishes engagement and non-disclosure • Approached as a partnership with the member • This is not an “Audit”, it is a “Review” • Review member IT Security policy and current IT configuration and designs • Conduct a Site Visit and Interviews • Document what is found • Physical security status • Level of compliance with ISB IT Security Standards • Top risks that should be addressed

  34. Step 2: Risk Reduction Strategy • Both WSTIP and Member get Assessment Results • Provides a basis for a discussion about Cyber Risks • Provides a basis for an Action Plan to reduce Cyber Risks • Provides a baseline for a follow-up review to measure progress towards reducing Cyber Risks

  35. Step 3: Follow Up • Opportunity to provide other value added services to members: • IT Governance Coaching • Opportunity to further assist members in doing the right thing • Independent Cyber Risk Management Review

  36. Review Project Deliverables • Photo Analysis Report • Photos taken during the site visit • Comments on risk observations • Suggestions for risk reduction where appropriate • IT Security Review • Comparison to the ISB IT Security Standards • Comments on risk observations • Suggestions for risk reduction where appropriate • Risks, Threats, and Vulnerabilities – Top 10 Risks • Management Presentation When Requested

  37. How Has This Helped WSTIP? (Jerry Spears, WSTIP)

  38. Organizational Change Change = Vision + Dissatisfaction + First Step • Vision: Supplied by ISB and WSTIP • Dissatisfaction: Supplied by WSTIP Board, Confirmed by Results • First Step: WSTIP Supplied IT Security Reviews • Change: Incremental maturity towards a “Culture of Security”; Better IT management in member organizations; Reduced Cyber Liability Risk

  39. What Was Learned • Large members are managed pretty well • Most risk exposure comes from small and medium sized members • Lack of IT Security Skills at management and staff levels • They don’t see the problem • They don’t know how to fix it • Underfunded for mature IT management • IT environments are a collection of small incomplete projects that leave risks

  40. Was it Worth the Cost? • Yes • Provided WSTIP with documentation of risks • Provided a gentle push in the right direction by exposing residual cyber risks to a trusted audience • Provided members with a valuable service they may not have been able to afford on their own.

  41. What is the ROI? • Hard to Measure • Improvements to the WSTIP/Member Relationship – Significant • We feel the investment has been worth the cost

  42. Impact to PRIMA • Local government organizations you represent are like Transit Systems • Come in many sizes • May not have the ability to manage Cyber Risks • The risk exposure WSTIP found is most likely the same for others • Risk exposure can be reduced using an approach similar to WSTIP’s

  43. References • Cost of a Data Security Breach • Cyber Liability Explained • Dept. of Homeland Security Advice • Information Services Board • Microsoft Cyber Security Resources • Open Security Foundation – Data Loss Database

  44. Questions

  45. Speaker Contact Info • Jerry Spears – Washington Transit Insurance Pool Phone: 360-586-1800 Email: jerry@wstip.org • Doug Selix – State of Washington, Office of Financial Management Phone: 360-664-7670 (OFM), 253-951-4825 (Cell) Email: doug.selix@ofm.wa.gov, dselix@comcast.net
