Wayne Tufek, University of Melbourne: Cyber security as business risk
Wayne Tufek, IT Security and Risk Manager, University of Melbourne delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
    Presentation Transcript

    • Corporate Cyber Security Summit: Cyber Security Risk as Business Risk
      Wayne Tufek, Corporate Cyber Security Summit, November 13th, Grand Hyatt, Melbourne
    • AGENDA
      • Security Framework Example
      • Designing and Implementing an Information Security program
      • Information Security Risk as Business Risk
      • The Security Processes You Must Get Right
      • Questions
    • A Security Framework (diagram: Governance and Operational layers)
    • 1. Designing and Implementing an Information Security Program (security framework diagram: Governance, Operational)
    • Does Information Security Risk exist?
      • Common definition of security
        – Confidentiality
        – Integrity
        – Availability
    • Information Security is a Property of Something Else
      • Reputation
      • Regulation
      • Revenue
      • Resilience
      • For security to be relevant, it must solve business problems
    • Linking Security to Business Drivers
      • Sherwood Applied Business Security Architecture (SABSA)
        • http://www.sabsa.org/
        • http://www.sabsa-institute.com/members/sites/default/inlinefiles/SABSA_White_Paper.pdf
      • Business driven architecture
        – Goals
        – Objectives
        – Success factors
        – The security program demonstrably supports, enhances and protects
    • SABSA
    • SABSA (model layers, from the SABSA diagram)
      – Contextual: Business Strategy (Goals, Relationships, Market, Regulation, People, Materials, Finance, Production)
      – Conceptual: Security Strategy (Attribute Profile, Risk Model, Trust Model, Process Design, Policy & Legal Framework, Technical Design)
      – Logical: Logical Security Services (Identification, Registration, Certification, Directories, Authentication, Authorisation, Access Control, Audit Trail)
      – Physical: Physical Security Mechanisms (Access Control Lists, Firewalls, Logs, Names, Procedures, Encryption, Databases, Passwords)
      – Component: Component Products, Tools
      – Operational: Trusted Business Operations
    • Business Driven Security Program (flow diagram)
      – Business requirements: business goals and objectives
        • Sell more widgets
        • Be the best X
      – Business Drivers for Security: business requirements abstracted into one or more statements of security relevance
      – Attributes: standardised and reusable specification of the business requirement
    • Attributes
      • Business attributes
        • Accessible – Information to which the user is entitled to gain access should be easily found and accessed by that user
        • Access controlled – Access to information and functions within the system should be controlled in accordance with the authorised privileges of the party requesting access. Unauthorised access should be prevented
    • Attributes (diagram)
    • Example
      • Identity Management Project
        – Business requirements
        – Business drivers for security
        – Business attributes
      • Project Scope
        – Banking organisation
        – Automated user provisioning/de-provisioning
        – Single sign on
        – High availability platform
    • Example
      – Business requirements
        • Be the best bank in the world
        • Be the most trusted brand
        • To provide great customer service
      – Business Drivers for Security
        • Protect the reputation of the organisation
        • Ensure compliance with regulations
        • Maintain the accuracy of information
    • Example
      – Protect the reputation of the organisation. Attributes:
        • Access controlled
        • Accessible
        • Available
        • Brand enhancing
        • Reputable
        • Efficient
    • Example
      – Ensure compliance with regulations. Attributes:
        • Auditable
        • Compliant
      – Maintain the accuracy of information. Attributes:
        • Accurate
        • Duty Segregated
        • Protected
    • Example (diagram: Business requirements → Business Drivers for Security → Attributes)
    • Corporate Cyber Security Summit: Information Security Risk as Business Risk
    • A Security Framework: 2. Cyber Security Risk as Business Risk (diagram: Governance, Operational)
    • Overview of IT Risk
      • Risk
      • IT Risk
      • IT Governance
      • Risk management
    • What Causes IT Risk?
      • George Westerman from MIT Sloan
      • http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
        – Failure of oversight and governance processes (ineffective IT governance)
          • Series of poor decisions and badly structured IT assets
          • Locally optimised decisions
          • Lack of business involvement
        – Uncontrolled complexity
        – Inattention to risk
      • IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT
    • The Business Consequences of IT Risk (diagram: Agility, Accuracy, Access, Availability)
      Source: George Westerman http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
    • The Business Consequences of IT Risk (cont)
      – Enterprise IT Risks
        • Availability: Business continuity, DRP
        • Access: Information protection, Knowledge sharing, Preventing attacks
        • Accuracy: Data Integrity, Regulatory compliance
        • Agility: Ability to implement major strategic change
      – IT Risk Factors
        • Technology & Infrastructure / Applications & Information: Configuration management, Architecture complexity, Degree of standardisation, Redundancy, Age of technology, Data integrity, Degree of customisation
        • People & Skills / Vendors & Other Partners / Policy & Process / Organisational: Turnover, SLAs, Controls, Skills planning, Use of firm's standards, Degree of standardisation, Recruiting/training, Sole source risk, Accountability, IT/Business relationship, Cost cutting, Complexity, Funding
      Source: George Westerman http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
    • Example Risk Factors
      • Availability
        – Alternative site
        – Excessive time to restore (RTO, RPO, MTO)
        – Special hardware or equipment or a unique environment
        – Network links
    • Example Risk Factors
      • Access
        – Financial impact of unauthorised modification of data
        – Impact of unauthorised disclosure
        – Are duties segregated?
        – Is access based on the user's role?
        – Can the system track user actions and provide reports?
        – How effective is the access provisioning/deprovisioning process?
    • Example Risk Factors
      • Accuracy
        – What is the financial impact of incorrect applications?
        – How will inaccuracy impact customers and the organisation's reputation?
        – What regulatory and government compliance is required?
        – Is there a high level of customisation?
        – Are calculations performed by any third parties?
    • Example Risk Factors
      • Agility
        – Is the system hard coded with custom features that are difficult to modify?
        – Is the system supported by the vendor?
        – Does the system require hard to obtain technical resources to maintain support?
        – Can the system be scaled in terms of volume?
        – Is the documentation adequate?
        – Does the system run on out of date software?
    • Example: Single Sign-On implementation (diagram: Agility, Accuracy, Access, Availability)
      Source: George Westerman http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
    • Example: Moving corporate data to the cloud (diagram: Agility, Accuracy, Access, Availability)
      Source: George Westerman http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
    • Corporate Cyber Security Summit: The Security Processes You Must Get Right
    • A Security Framework: 3. The Security Processes You Must Get Right (diagram: Governance, Operational)
    • The Processes
      • Vulnerability management
      • Incident response
      • Security awareness
      These are the processes that should be considered the foundation of your security operations function. Certain operational security processes are critical in ensuring that information security is managed effectively.
    • Is that it?
      • Some key security processes exist in the governance layers
      • Other processes to consider
    • Getting it Right?
      • Documentation
        – Purpose
        – Process description
        – Process flow chart
        – Responsibility matrix (RACI)
        – Metrics
    • Vulnerability Management
      • Phases
        – Policy
        – Discovery
        – Reporting
        – Prioritisation
        – Response
        – Eliminate root cause
        – Monitor
    • Incident Response
      • Phases
        – Preparation
        – Identification
        – Containment
        – Eradication
        – Review
    • Security Awareness
      • C-level support
      • Understand your organisation's culture
      • Partner with other business areas
      • Metrics
      • Change in behaviour is the goal
        – Define the behaviours (in English)
        – Engage through social media
        – Use entertainment as a teaching tool
    • Questions
    • Contact
      • wtufek@unimelb.edu.au
      • LinkedIn – http://www.linkedin.com/pub/wayne-tufek/0/338/312