Tag Archives: information security

How to Stir Dialogue on Cyber Security

While I continue another implementation of my Security Enterprise Risk Management Program (SERMP), I am also continuing to explore the program’s flexibility, to help my colleagues in the information technology security field explain to others in the organization the level of risk they face and the progress being made in managing it. The SERMP tool and process can adapt to multiple frameworks, so I asked my colleague Steve Zalewski, a chief security architect, if he would share his thoughts on alternative frameworks that he might “drop” into the SERMP.

Steve:

The concept of SERMP is well grounded in practical experience, as you outlined in your previous article. It creates a great tool to start the dialogue between the two risk management functions: the established business risk team and the nascent IT cyber security risk function. You have accurately represented ISO 27000 with the 12 security domains outlined as a starting point to bring the teams to the table, providing a meaningful set of definitions to the IT security domains.

As these SERMP teams gain momentum and maturity, there are alternative security frameworks available that can provide additional perspectives for the business discussion. This will improve our outcomes against the ultimate goal of a balanced analysis of total risk based on the key business processes and business continuity plans.

Let me explain what I mean by this. Based on the “technical” security controls of ISO 27000 being populated into the SERMP tool, you have established a productive dialogue based on security capabilities, which is a bottom-up approach.

Grace:

Using a crowdsourcing approach, we have a diverse team that is gathering information and populating the SERMP tool, which is a “bottom-up approach,” though I would liken it more to a “hunting gathering” approach, as we are collecting data and documentation related to governance, which is “top down.” And, because we are seeking dialogue and information from various groups on the information that is readily available at the time, we are approaching the issue “sideways” too.

This might seem chaotic, but because of the SERMP tool and the disciplined procedure, we are able to make that tradeoff.

The ISO 27000 has been used for both of my implementations thus far, as this framework was chosen by the organization as the standard, but I’m eager to integrate other frameworks into the process.

Figure 1: Standard Technical Security Controls ISO 27000

Steve:

Compare this with the cyber security framework that was released based on security risk:

Figure 2: Cybersecurity Risk Function and Category Unique Identifiers. Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

As you can see, this aligns to the notional information and decision flows as represented in the diagram below.

Figure 3: Notional Information and Decision Flows Within an Organization. Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

Grace:

I can see incorporating the NIST framework by layering in additional categories with the current domains and functions. I would continue to document the strategies for each.

Note: The reporting houses the above information for each domain, plus how the organization is managing the program: establish, assess, treat, monitor and review activities, and metric tracking for the risk statement, risk impact, key risk indicators (KRIs), risk remediation initiatives, current state (KPI), target state (KRI) and projects.

Steve:

Information security risk frameworks are still maturing as the practice begins to mature. No single security framework is correct, so be flexible based on the maturity of your SERMP implementation, and don’t be afraid to experiment with the newer risk-based frameworks as the team gains confidence in the information security arena.

Grace:

Steve, can you outline for me how you see the difference between a security risk assessment (SERMP) and an IT security assessment?

Steve:

A security risk assessment methodology is based on the guidelines found in:

  • ISO/IEC 27001:2005, information technology – security techniques – information security management systems – requirements
  • NIST SP 800-30, risk management guide for information technology systems
  • BS 7799-3:2006, guidelines for information security risk assessment

A risk assessment scope is defined based on the most “critical” or “valuable” business information assets, identified in regard to the potential impact to the business if the asset’s confidentiality, integrity or availability were breached. Through data gathering and analysis, including business continuity plans, critical business process analysis and critical business impact analysis, the assessment questionnaires, interviews and tests are determined. The observed organizational vulnerabilities to the threats, based on existing security controls, are assessed, and a risk analysis is performed.

A security risk gap analysis is completed to determine the organization’s compliance with the appropriate regulations, laws and security standards. In addition, a security improvement plan is defined for each risk and “gap” identified, and the implementation of the risk treatment plan is prioritized according to the highest risk scores. The result is to reduce the organization’s business risks to an “acceptable” level.

A security assessment methodology is based on the guidelines found in:

  • NIST SP 800-53, security and privacy controls for federal information systems and organizations

The goal of an IT security assessment (also known as a security audit, security review or network assessment) is to ensure that necessary security controls are integrated into the design and implementation of a project.

A properly completed security assessment should provide documentation outlining any security gaps between a project design and approved corporate security policies.

Management can address identified security gaps in three ways:

  • Management can decide to cancel the project
  • Management can allocate the necessary resources to correct the security gaps
  • Management can accept the risk based on an informed risk/reward analysis

In summary, the characteristics are:

IT Security Assessment

  • Narrower scope and current state focus
  • Start and end date, with a final report
  • Conducted by IT security experts
  • Is a “point in time” assessment

SERMP

  • Broader scope and continuous improvement focus
  • Continuous review
  • Has a periodic re-evaluation date with a “living document” report
  • Conducted by a mixture of personnel with varied backgrounds
  • Focus on reducing business process security risk by analyzing the associated security risks

Grace:

Steve, that was very helpful in distinguishing between these two very important, but distinct assessments. For SERMP, we use the high-level findings of the IT security assessment as one of the sources of content, so the IT security assessment is critical to the SERMP process. The SERMP provides a high-level report of the current risk levels and the maturity of the mitigations in place that will drive improvement in the IT security assessment.

As always, it is great to collaborate with you, and I encourage other risk professionals to work closely with their information technology colleagues.

About Steve:

Steve Zalewski has spent 10-plus years in the cybersecurity field and is currently the chief security architect at Levi Strauss, responsible for the company’s enterprise security strategy. Before this, Steve was the enterprise security architect at Pacific Gas & Electric, leading the security architecture team responsible for the company’s cybersecurity technical strategy and architecture. Other positions have included security manager at Kaiser Permanente and senior engineering/management positions developing storage networking, data protection solutions and operating systems. He has five patents in data protection and multi-processor operating system design and holds CISSP, CISM and CRISC security certifications.

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.

12 Questions for Managing Cyber Risk

Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list:

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.