1 / 53

Risk Management: How to Comply with Everything

Risk Management: How to Comply with Everything. July 11, 2013. Introduction. Chris Cronin Principal Consultant, Halock Security Labs GCIH, ISO 27001 Auditor Recent GSNA Gold 15+ years experience IT operations, audit, consulting and incident response. What You Will Learn.

zita
Télécharger la présentation

Risk Management: How to Comply with Everything

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Risk Management:How to Comply with Everything July 11, 2013

  2. Introduction • Chris Cronin • Principal Consultant, Halock Security Labs • GCIH, ISO 27001 Auditor • Recent GSNA Gold • 15+ years experience IT operations, audit, consulting and incident response

  3. What You Will Learn Finding the Investment Sweet Spot How much security does the organization really need? On Common Ground Meeting the agendas of the Executive Suite Ease Their PainConflict-free audits Ask and You Shall Receive Bullet proof risk treatment planning & approvals How to Comply with Everything Why risk management is the compliance keystone

  4. Presentation Layout • What is risk management? Who benefits? • How to bust the myths.

  5. What is Risk Management?

  6. Asset

  7. Control

  8. Vulnerability

  9. Threat

  10. Likelihood

  11. Impact to Your Mission

  12. Risk Risk = Likelihood x Impact

  13. Risk Treatment

  14. The Risk Register

  15. The Risk Register

  16. What Risk Management Isn’t

  17. Gap Assessment

  18. What Keeps You Up At Night?

  19. Predicting the Future

  20. What Risk Management Is

  21. Risk Management in Regulations • HIPAA Security Rule • “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…” • “Security measures implemented to comply with standards and implementation specifications …mustbe reviewedandmodifiedas needed to continue provision of reasonable and appropriate protection of [EPHI]”

  22. Risk Management in Regulations • HIPAA Security Rule • “Conduct an accurate and thorough assessmentof the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...” • “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…” • “Security measures implemented to comply with standards and implementation specifications …mustbe reviewed andmodifiedas needed to continue provision of reasonable and appropriate protection of [EPHI]”

  23. Risk Management in Regulations • Massachusetts 201 CMR 17.00 • “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” • “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…” • “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

  24. Risk Management in Regulations • Massachusetts 201 CMR 17.00 • “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” • “Identifying and assessing reasonably foreseeable internal and external risksto the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…” • “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

  25. Components of Risk Management Risk Management Oversight Assessment Propose Controls Implement Controls Test Effectiveness Identity Risks Improve Ineffective Controls

  26. Information Risk Management: The Standard of Care • Required by laws and regulations • SOX (Audit Standard 5) • HIPAA Security Rule / Meaningful Use • Massachusetts 201 CMR 17.00 • Gramm Leach Bliley • FISMA • Federal Trade Commission Rulings

  27. Information Risk Management: The Standard of Care • Required by Security Standards • PCI DSS 2.0 • ISO 27001/ISO 27002 • CobiT • NIST Special Publications

  28. Who is Benefiting from Risk Management?

  29. A Real-Life Case Study • An organization that needed to improve their information compliance and security program • Multiple roles that each had something at stake • Multiple regulations apply to them

  30. Whose Jobs are Getting Easier With Risk Management? • Chief Information Security Officer • Chief Financial Officer • Auditor • General Counsel • Chief Information Officer • IT Staff

  31. Their Risk Register

  32. Their Risk Calculations • Risk = Likelihood x Impact • Likelihood values: 1-5 • Impact values: 1-5 • Risk rating range: 1-25 • Acceptable Risk = Below 8

  33. Lesson 1: Finding the Investment Sweet Spot • Risk: • Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach. • Roles: • CIO: Needs to balance business and compliance requirements • IT Staff: Need an easy way to support desktops • CISO: Needs to be sure requirements are met • General Counsel: Needs to balance business and compliance while addressing liability

  34. Lesson 1: “Pass-the-Hash” Risk

  35. Lesson 1: “Pass-the-Hash” Risk

  36. Finding the Sweet Spot

  37. Lesson 2: Finding Common Ground • Risk: • Lack of secure web application coding practices have created vulnerable applications. • Roles: • CIO: Needs to balance demands for new secure applications with many other demands • CFO: Needs controlled applications for financial reporting. Needs to control costs. • CISO: Needs to be sure requirements are met • General Counsel: Needs to balance business and compliance while addressing liability

  38. Lesson 2: Unsecured Applications Risk

  39. Lesson 2: Unsecured Applications Risk

  40. Lesson 3: Ease Their Pain • Risk: • Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication. • Roles: • Auditor: Needs to demonstrate whether controls are met (while maintaining independence) • CIO: Needs to respond truthfully to auditor (while balancing business with compliance) • CISO: Needs to ensure compliance

  41. Lesson 3: Two-Factor Token Risk

  42. Lesson 3: Two-Factor Token Risk

  43. Lesson 4: Ask and You Shall Receive If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.

  44. Lesson 5: How to Comply with Everything

  45. How to Bust Risk Assessment Myths

  46. “We need actuarial tables” Actuarial tables are not used for risk assessments! Information risk assessments are standard, straight-forward processes. They require no statistical skills.

  47. “We can’t predict the future” Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.

  48. “Risk assessments take too much time” Because risk assessments help determine reasonable control levels, less time and cost is invested to get compliant Risk management reduces liability even before full compliance is met.

  49. “Reasonable means ‘what our competitors do.’” You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis

More Related