Cyber Security Risk Reduction - PowerPoint PPT Presentation

cyber security risk reduction n.
Skip this Video
Loading SlideShow in 5 Seconds..
Cyber Security Risk Reduction PowerPoint Presentation
Download Presentation
Cyber Security Risk Reduction

play fullscreen
1 / 45
Cyber Security Risk Reduction
Download Presentation
Download Presentation

Cyber Security Risk Reduction

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Cyber Security Risk Reduction State of Washington And Washington Transit Insurance Pool

  2. Value for PRIMA Members • Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences • Learn how to reduce cyber liability risks in your area of responsibility • Learn about available resources you can use for your cyber risk reduction program PRIMA Seattle Chapter - V1.8

  3. Speakers • Jerry Spears – Washington Transit Insurance Pool • Deputy Director (Claims, IT and Finance) • Doug Selix – State of Washington, Office of Financial Management • IT Security and Disaster Recovery Program Manager • WSTIP Consultant PRIMA Seattle Chapter - V1.8

  4. Agenda • Cyber Liability Overview • State of Washington Cyber Risk Reduction • WSTIP Approach to Cyber Risk Reduction • WSTIP IT Security Review Project Overview • WSTIP Results from IT Security Review Project • How PRIMA Members can use this Information • Q&A PRIMA Seattle Chapter - V1.8

  5. Part 1 Cyber Liability Overview (Jerry Spears, WSTIP) PRIMA Seattle Chapter - V1.8

  6. What is a Cyber Liability? • The concept of Cyber Liability takes into account first- and third-party risks. The risk categories include: • Privacy issues • Impact from data security breach, • Infringement of intellectual property, • Malicious attacks you appear to cause or facilitate, • Any other serious trouble that may be passed from first to third parties via computing technology such as the Web. PRIMA Seattle Chapter - V1.8

  7. Organizational Impacts from Cyber Losses • Costs associated with RCW Required Notification • RCW 42.56.590 Personal information — Notice of security breaches. • Cost of recovery and mitigation • ~$200 – Estimated Private Sector cost per record in data breach (Ponemon Institute 2010 US Cost of a Data Security Breach Report) • Unplanned Cost Impact to budget planning • Loss of Reputation PRIMA Seattle Chapter - V1.8

  8. How Big Is The Problem? • Data Security Breach Information: • • Regulations Are Likely To Increase • Proposed Kerry/McCain ‘‘Commercial Privacy Bill of Rights Act of 2011’’ • Result of frequent hi-profile data breach incidents • Result of perception that IT security controls are weak. • Result of dissatisfaction with self-managed IT security • Very prescriptive – this will cost all organization • Basis for future Cyber Liability Claims PRIMA Seattle Chapter - V1.8

  9. Impacts to Citizens • What happens with Public Organizations that Manage Cyber Liability Poorly? • Citizen Identity Theft – If Personal Data exposed • Reduced Public Sector Services due to cyber liability costs • Reduced Trust in Institutions and Management Teams • Reduced support to continue funding the current organization PRIMA Seattle Chapter - V1.8

  10. How Do We Manage This Risk Area? • Reduce the Risks? • Accept the Risks? • Transfer the Risk? • The answer is “Yes”, we apply all of these strategies to Cyber Risks. PRIMA Seattle Chapter - V1.8

  11. Approach • Reduce Risk by working to identify things we can improve • Eliminate known vulnerabilities • Mitigate unacceptable risks • Accept risks based on sound risk management principles • Transfer residual risks to Cyber Liability Insurance PRIMA Seattle Chapter - V1.8

  12. Part 2 State of Washington Approach To Cyber Security Risk Reduction (Doug Selix, OFM) PRIMA Seattle Chapter - V1.8

  13. What is “Cyber Security”? • Confidentiality • Protect data defined by law as “Private” • Only allow authorized access to private data • Know the risks to this class of data - leaks bite. • Integrity • Insure data accuracy and authenticity • Availability • Ensure systems operate within expected norms PRIMA Seattle Chapter - V1.8

  14. Cyber Security Risk Basics Threats + Vulnerabilities – Mitigation = Risk • Cyber Security Threats • Attackers, Employees, Errors & Omissions • Cyber Security Vulnerabilities • People, Process, Technology • Cyber Security Mitigation • Risk Based Approach PRIMA Seattle Chapter - V1.8

  15. What is the “Problem”? • Residual Cyber Security Risk is the Problem • Although you cannot eliminate the cyber threat, you can manage Cyber Security Risk PRIMA Seattle Chapter - V1.8

  16. Managing the Risk • A strategic Cyber Security Risk Management Plan is Imperative • Take a Risk Management Approach • Identify Organizational Risk Appetite • Identify Key Information Technology Assets • Organizational Mission, Data, People, Technology, • Identify and evaluate IT Security Controls • Identify Residual Risks, make sure they are known • Document Acceptance of Residual Risks • Demand incremental and evolutionary improvements to IT Security Maturity • Establish a “Culture of Security” PRIMA Seattle Chapter - V1.8

  17. IT Security Maturity Source: Microsoft Corp. PRIMA Seattle Chapter - V1.8

  18. Business Challenge • Improving IT Security is Complex • IT Security is viewed by management as a cost, not an end customer service • Probability of IT Security event for a single organization are low (but impact is high). • Decision makers are not comfortable with this subject. • IT Security is hard to understand, is never done, and is expensive PRIMA Seattle Chapter - V1.8

  19. Organizational Change Change = Vision + Dissatisfaction + First Step Build a “Culture of Security” PRIMA Seattle Chapter - V1.8

  20. State Approach • Information Services Board (ISB) • Established by RCW • Makes State IT Policy and Sets Standards • Controls Agency Delegated Authority for IT Spend • Can withhold/withdraw for non-compliance • Concerned about Cyber Liability Risks • ISB Established Clear Policy and Standards • Establish Standards (Shall, Must, Do) • Establish Accountability (Process) • Communicate Expectations to Agencies • Establish Verification Process PRIMA Seattle Chapter - V1.8

  21. ISB IT Security Policy • Establishes Clear Expectations • Authorizes the ISB Standards • Directs Agencies on Level of Risk to Accept • Establishes that IT Security is part of Overall IT Architecture • Requires Agencies to Document How they Comply with the IT Security Standards • Makes Agency Heads Accountable • Requires Independent Compliance Audits Every 3 Years PRIMA Seattle Chapter - V1.8

  22. ISB IT Security Standards • Requires Documentation • Personnel Security • Physical and Environment Security • Data Security • Network Security • Access Security • Application Security • Operations Management • Security Monitoring & Logging • Incident Response PRIMA Seattle Chapter - V1.8

  23. Bottom Line • State approach is: • Based on Risk Assessment Approach • Demands Compliance • Verifies Compliance • Aligns with Organization Development • Vision, Dissatisfaction, First Step • Implements Incremental and Evolutionary Improvements • Establishes a “Culture of Security” PRIMA Seattle Chapter - V1.8

  24. Lesson LearnedMost Powerful Weapon • Ask an Executive to Accept the Residual Risk – They don’t like that. • Requires a good Persistent Flashlight – • Persistent Risk Assessments • Document Residual Risks • Document Risk Acceptance PRIMA Seattle Chapter - V1.8

  25. Loss Prevention Results • In the past two years: • No loss of IT Physical Assets due to preventable causes • No significant loss of data requiring agencies to comply with RCW 42.56.590 PRIMA Seattle Chapter - V1.8

  26. WSTIP Approach to Cyber Risk Reduction (Jerry Spears, WSTIP) PRIMA Seattle Chapter - V1.8

  27. General Strategy • Adopt the State Approach to fit WSTIP Needs • Use a Subject Matter Expert to Perform an Initial Risk Assessment of member IT environments Based on ISB IT Security Standards • Provide Members with tools and resources to identify, understand, and manage Cyber Risks • Wrap our hands around an emerging exposure that impacts all of us • Help members establish and appropriate “Culture of Security” within their organizations PRIMA Seattle Chapter - V1.8

  28. What Subject Matter Expert? • We contracted with Doug Selix to develop a processand perform member reviews. • OFM Knows and Approves • Supported by OFM Risk Management as a good thing. • Member’s thought he was a terrific resource – the “Escalade” of IT Security SME’s • Takes a coaching approach to help member staff understand risks he identifies – not an audit • We are not selling anything except best practice PRIMA Seattle Chapter - V1.8

  29. WSTIP Board View • They like this approach to Cyber Loss Prevention • Initial Board Approval in 2007 • Initial Scope Limited to Small Members • Found Lots of Risks • Expanded to Include Medium Size Members • Found More Risk • Provided Aggregate Cyber Risk Data to the Board • Funded line item in the budget from 2008 forward • We have spent $88K to date PRIMA Seattle Chapter - V1.8

  30. WSTIP Member View • Process is credible • No direct cost to the member • Results have value internally and with the WSTIP relationship • Independent 3rd party is offering thoughtful suggestions about their IT infrastructure • Facilitates IT security maturity. PRIMA Seattle Chapter - V1.8

  31. WSTIP IT Security Review Project Overview (Doug Selix, OFM) PRIMA Seattle Chapter - V1.8

  32. Member Profile • Member IT Environment is: • Small IT staff • Most are technically competent with the hardware • Limited IT management and IT Security Skills • Focused on operational needs, not security. • Underfunded • The result of years of small unfinished IT projects • Many vendor supplied applications PRIMA Seattle Chapter - V1.8

  33. Step 1Assessment Process • WSTIP establishes engagement and non-disclosure • Approached as a partnership with the member • This is not an “Audit”, It is a “Review” • Review member IT Security policy and current IT configuration and designs • Conduct a Site Visit and Interviews • Document what is found • physical security status • Level of compliance with ISB IT Security Standards • Top risks that should be addressed PRIMA Seattle Chapter - V1.8

  34. Step 2Risk Reduction Strategy • Both WSTIP and Member get Assessment Results • Provides a basis for a discussion about Cyber Risks • Provides a bases for an Action Plan to reduce Cyber Risks • Provides a baseline for a follow-up review to measure progress towards reducing Cyber Risks PRIMA Seattle Chapter - V1.8

  35. Step 3Follow Up • Opportunity to provide other value added services to members: • IT Governance Coaching • Opportunity to further assist member is doing the right thing • Independent Cyber Risk Management Review PRIMA Seattle Chapter - V1.8

  36. Review Project Deliverables • Photo Analysis Report • Photo’s taken during the site visit • Comments on risk observations • Suggestions for risk reduction where appropriate • IT Security Review • Comparison to the ISB IT Security Standards • Comments on risk observations • Suggestions for risk reduction where appropriate • Risk, Threats, and Vulnerabilities – Top 10 Risks • Management Presentation When Requested PRIMA Seattle Chapter - V1.8

  37. How Has This Helped WSTIP? (Jerry Spears, WSTIP) PRIMA Seattle Chapter - V1.8

  38. Organizational Change Change = Vision + Dissatisfaction + First Step Vision Supplied by ISB and WSTIP Dissatisfaction Supplied by WSTIP Board, Confirmed by Results First Step WSTIP Supplied IT Security Reviews Change Incremental maturity towards a “Culture of Security” Better IT management in member organization Reduced Cyber Liability Risk PRIMA Seattle Chapter - V1.8

  39. What Was Learned • Large members are managed pretty well • Most risk exposure comes from small and medium sized members • Lack of IT Security Skills at management and staff levels • They don’t see the problem • They don’t know how to fix it • Underfunded for mature IT management • IT environments are a collection of small incomplete projects that leave risks PRIMA Seattle Chapter - V1.8

  40. Was it Worth the Cost? • Yes • Provided WSTIP with documentation of risks • Provided a gentle push in the right direction by exposing residual cyber risks to a trusted audience • Provided members with a valuable service they may not have been able to afford on their own. PRIMA Seattle Chapter - V1.8

  41. What is the ROI? • Hard to Measure • Improvements to the WSTIP/Member Relationship – Significant • We feel the investment has been worth the cost PRIMA Seattle Chapter - V1.8

  42. Impact to PRIMA • Local government organizations you represent are like Transit Systems • Come in many sizes • May not have the ability to manage Cyber Risks • Risk exposure WSTIP found, most likely the same for others • Risk exposure can be reduced using an approach similar to WSTIP’s PRIMA Seattle Chapter - V1.8

  43. References • Cost of a Data Security Breach • Cyber Liability Explained • Dept. of Homeland Security Advice • Information Service Board • Microsoft Cyber Security Resources • Open Security Foundation – Data Loss Database PRIMA Seattle Chapter - V1.8

  44. Questions PRIMA Seattle Chapter - V1.8

  45. Speaker Contact Info • Jerry Spears – Washington Transit Insurance Pool Phone: 360-586-1800 Email: • Doug Selix – State of Washington, Office of Financial Management Phone: 360-664-7670 (OFM), 253-951-4825 (Cell) email:, PRIMA Seattle Chapter - V1.8