Effectively Managing Information Risk
Doug Copley
CISO – Beaumont Health
Chairman Emeritus – Michigan Healthcare Cybersecurity Council
Audience Take-Aways
» How to identify the information that needs to be protected
» Leveraging dependencies in managing information risk
» Pragmatic steps to demonstrate progress in managing information risk
2 17-Sep-2015
Information? Not IT?
C – I – S – O: Chief Information (not IT) Security Officer
Why Protect Information?
» Ponemon 2015 Cost of a Data Breach Study:
  – Average cost per record in US: $217
  – Average cost of a data breach: $6.53M
[Chart: average cost per record by industry. Source: Ponemon Institute]
Breach Costs
[Chart: breach costs. Source: Ponemon Institute]
Why Protect Information?
[Chart. Source: Ponemon Institute]
Barriers to Managing Information Risk
» Lack of leadership (concern) from CEO or Board
» Lack of vision on how future business needs will impact information security
» Failure by businesses to articulate the value of information to the business
Barriers to Managing Information Risk
» Too much focus on IT systems, and not the information, which is the real asset
» Board/CEO viewpoint that CIO focus is technology, not information
» Culture lacks accountability for information
WHAT INFORMATION DO I NEED TO PROTECT?
What Information Needs Protection?
» Identification – who can tell you what must be protected:
  – Corporate Compliance
  – Enterprise Risk
  – Internal Audit
  – Legal Affairs
  – Regulatory guidance
  – Senior organizational leaders
What Information Needs Protection?
» What makes it critical to the organization?
  – Confidentiality (PII, PHI)
  – Integrity (financials, business intelligence)
  – Availability (hourly/daily/weekly processing)
Where is the Information?
» Internal
  – Servers?
  – PCs?
  – File cabinets?
  – Email?
  – Databases and data warehouses?
  – Backup media (tape/disk)?
  – File servers?
  – SharePoint sites?
  – Executive reports and archives of them?
Where is the Information?
» External
  – Supply chain?
  – Hosted services?
  – Email?
  – Applications?
  – Cloud collaboration tools (Box, OneDrive)?
  – Backup media stored off site (e.g. Iron Mountain)?
  – Data clearinghouses?
  – Information exchanges?
  – Consortiums, research, public health entities?
  – Any stored/processed outside the US?
Let’s Hope it’s not Here
[Image slide; the only legible label is “John Doe’s”]
WHO CAN HELP ME MANAGE INFORMATION RISK?
Natural Partners in Managing Risk
» Corporate Compliance
  – Applicable regulations
  – Risk of non-compliance
» Enterprise Risk Management
  – Manages all risk across the company
  – Will measure information risk the same way as other risks
» Internal Audit
  – Can help raise risk awareness with the Board
  – Can report on control effectiveness
Natural Partners in Managing Risk
» Legal Affairs – advice
  – Retention, litigation, legal precedents
» Human Resources
  – Job descriptions
  – Training
» Information Technology
  – Will implement technical controls
» Finance
  – Will help quantify risk into currency
WHERE CAN I START?
1. Leverage a Consistent Process
[Diagram: example risk management process]
2. Identify Sensitive Information
» Document what information needs protection
» Identify accountable owners
» Capture meta-data:
  – Location or transfer, #records, classification, #users with access, internally or externally accessible
  – What makes the information critical (C, I, A)
» Document in a repository that can be shared with business partners
3. Document It
» Information Asset Inventory
» Config Mgmt DB (CMDB) is a great place
  – Location or transfer, #records, classification, #users with access, internally or externally accessible, what makes the information critical (C, I, A)
» SharePoint list (records by location/transfer)
» Organization-wide risk register
» Business Continuity Plans
» Don’t forget to include routine data transfers
4. Classify the Information
» Make it simple for users
  – Ask yourself what requirements would be different between classifications
  – Default classification should require no action
  – Is there a way to automate the classification?
» Data Labeling
» Data Handling Policy (information asset management)
Educate, Educate, Educate some more
5. Identify the Threats
» What are the relevant threat vectors?
  – Cyber attack
  – Social engineering & malware
  – Physical modification (e.g. POS terminals)
  – Web: false sites, man-in-the-middle, drive-by downloads
  – Mobile devices: iOS, Android, BlackBerry, etc.
  – Removable media: USB, DVD, backup drives, etc.
  – Email: phishing, malicious URLs and attachments
  – Natural disaster: failure to continue/recover
6. Identify Your Vulnerabilities
» Bugs – how’s your patching?
» Misconfigurations?
» Rapid changes in business or IT systems
» Would users recognize a malicious email or web site if they saw one?
» Failure to apply due care/diligence in managing IT systems
» Internal malicious or accidental use
6. Identify Your Vulnerabilities
» Too many systems that don’t integrate
» Poorly authenticated remote access
» Do your systems filter or flag suspicious emails, URLs or file attachments?
» What devices can attach to your network?
» Do you permit use of removable media?
7. Information Access Administration
» Who’s responsible for the information?
  – Do they understand their role?
» Who has access?
» Is the access appropriate? Are roles used?
» Who is approving access?
» Who is administering the access?
» What permission reviews are taking place?
» Is activity also reviewed?
8. Evaluate the Risks
» Determine which threats and vulnerabilities apply to each set of information
» Ask yourself what the worst-case scenario is
» Assess likelihood and impact
» Do you have controls that already mitigate some of the risk?
» Use Finance to help measure risk in $$
» Rank risks – is there a documented risk tolerance?
» Evaluate cost and effort of additional mitigating controls
» Let the governance committee decide actions
[Image slide]
or
[Image slide: “Danger, Will Robinson!”]
Example: SharePoint Library
Business unit exchanges PII data with outside companies or individuals
» External collaborators access SharePoint
» 450 people have access to the data
» Worst case: all data is made public/breached
» Access is authenticated, but each external company uses a single generic (shared) credential
» 50,000 records in the site
Example: SharePoint Library
Evaluation Data
» 50,000 records × $200/record = $10M exposure
» Existing controls mitigate 80% → $2M residual
» Organization accepts anything $1M or less, so action is required
  – Control: could issue credentials to every user
  – Control: could perform periodic activity reviews
  – Control: could force 2-factor authentication
  – Control: could alert on access by users not in the ACL
» Selected controls – $180,000; residual reduced to 5% ($500k)
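The SharePoint evaluation above, carried through in code as an added example (it is not from the deck and not Beaumont Health's tooling): worst-case exposure, residual after existing controls, comparison with the documented tolerance, and cost versus residual for the candidate controls. The deck gives only the totals (50,000 records, $200 per record, 80% existing mitigation, a $1M tolerance, and $180,000 of selected controls taking residual risk to 5%); the `Control`/`InformationAsset` model, the per-control costs and mitigation percentages, which two controls make up the $180,000, and the multiplicative way controls are combined are all assumptions made here for illustration.

```python
"""Quantified information-risk evaluation (added example, not part of the deck).

Carries the step-8 / SharePoint arithmetic through end to end: worst-case
exposure, residual after existing controls, comparison against a documented
tolerance, and cost versus residual for candidate controls.
Only the totals come from the slides; the per-control costs and mitigation
percentages below are assumed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # cost to implement, USD (assumed figures below)
    mitigation: float  # fraction of the remaining exposure this control removes, 0..1


@dataclass(frozen=True)
class InformationAsset:
    name: str
    records: int
    cost_per_record: float
    existing_mitigation: float = 0.0  # combined effect of controls already in place


def inherent_exposure(asset: InformationAsset) -> float:
    """Worst case from the slide: every record is breached."""
    return asset.records * asset.cost_per_record


def residual_fraction(mitigations: Iterable[float]) -> float:
    """Share of exposure left after the given mitigations.

    Assumption: controls act independently, so each removes its share of what
    the others left (multiplicative). Adding percentages instead would let two
    50% controls claim 100% coverage.
    """
    remaining = 1.0
    for m in mitigations:
        if not 0.0 <= m <= 1.0:
            raise ValueError(f"mitigation must be within [0, 1], got {m}")
        remaining *= 1.0 - m
    return remaining


def residual_risk(asset: InformationAsset, controls: Sequence[Control] = ()) -> float:
    """Dollar exposure after existing controls plus the candidate controls, to the cent."""
    fraction = residual_fraction(
        [asset.existing_mitigation, *(c.mitigation for c in controls)]
    )
    return round(inherent_exposure(asset) * fraction, 2)


def cheapest_acceptable(
    asset: InformationAsset, candidates: Sequence[Control], tolerance: float
) -> Optional[Tuple[float, float, Tuple[str, ...]]]:
    """Lowest-cost subset of candidates whose residual risk is within tolerance.

    Returns (total_cost, residual_risk, control_names), or None if no subset
    is enough. Exhaustive over subsets, which is fine for a handful of controls.
    """
    best = None
    for k in range(len(candidates) + 1):
        for combo in combinations(candidates, k):
            risk = residual_risk(asset, combo)
            if risk > tolerance:
                continue
            cost = sum(c.cost for c in combo)
            if best is None or cost < best[0]:
                best = (cost, risk, tuple(c.name for c in combo))
    return best


# Figures quoted on the slide.
SHAREPOINT = InformationAsset(
    "External PII SharePoint library", records=50_000,
    cost_per_record=200.0, existing_mitigation=0.80,
)
TOLERANCE = 1_000_000.0  # "accepts anything $1M or less"

# The four candidate controls from the slide; cost and mitigation are assumed.
CANDIDATES = (
    Control("Issue credentials to every external user", cost=60_000, mitigation=0.50),
    Control("Periodic activity reviews", cost=40_000, mitigation=0.20),
    Control("Two-factor authentication", cost=120_000, mitigation=0.50),
    Control("Alert on access by users not in the ACL", cost=20_000, mitigation=0.25),
)
SELECTED = (CANDIDATES[0], CANDIDATES[2])  # assumed make-up of the slide's $180,000 selection


def sharepoint_summary() -> dict:
    """The slide's example worked end to end."""
    after_existing = residual_risk(SHAREPOINT)
    return {
        "inherent": inherent_exposure(SHAREPOINT),                 # 10,000,000
        "after_existing": after_existing,                           # 2,000,000
        "action_required": after_existing > TOLERANCE,              # True
        "selected_cost": sum(c.cost for c in SELECTED),             # 180,000
        "selected_residual": residual_risk(SHAREPOINT, SELECTED),   # 500,000 (5%)
        "cheapest": cheapest_acceptable(SHAREPOINT, CANDIDATES, TOLERANCE),
    }


if __name__ == "__main__":
    for key, value in sharepoint_summary().items():
        print(f"{key:>18}: {value}")
```

Two things worth noticing when you run it. Mitigations multiply rather than add, so two 50% controls leave 25% of the exposure, not 0%; an additive model overstates the benefit of stacking controls. And the cheapest subset that meets tolerance (with these assumed figures, unique credentials alone, landing exactly on the $1M line) is not the set the slide's committee chose: the $180,000 selection buys margin below tolerance, which is a governance decision the calculation informs but does not make.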
9. What Tools Can Help?
» Information classification
  – Titus has a mature product for classification & retention
» Information location
  – Data Loss Prevention tools can scan repositories and PCs looking for sensitive data
» Information movement
  – Data Loss Prevention tools can detect/prevent the movement of sensitive data
» Good security awareness campaigns
» Lots of GRC tools to help manage your risks
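A toy version of the "information location" scan the slide attributes to DLP tools, added here as an example (not the deck's code and not any vendor's product): pattern-match for US Social Security numbers and payment card numbers, reject look-alikes that fail the structural rules (SSN area/group/serial restrictions, Luhn check digit for cards), and report per location in the shape of the inventory metadata from steps 2 and 3 (location, classification, #records). The sample files, the regular expressions and the two-level classification labels are constructed assumptions for illustration.

```python
"""Locate sensitive data in a set of documents (added example, not from the deck).

Pattern matching with validity checks, so that look-alike numbers do not
inflate the record count, then a per-location summary in the shape of the
inventory metadata from steps 2-3 (location, classification, #records).
Sample files are constructed inline; patterns and labels are illustrative.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# US SSN structure: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test; separators are ignored."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_identifiers(text: str) -> Counter:
    """Count validated identifiers by kind in one document."""
    counts: Counter = Counter()
    counts["ssn"] += len(SSN_RE.findall(text))
    for match in CARD_RE.finditer(text):
        if luhn_ok(match.group()):
            counts["card"] += 1
    return +counts  # drop kinds with a zero count


@dataclass(frozen=True)
class InventoryRow:
    location: str
    classification: str
    records: int
    kinds: Tuple[str, ...]


def classify(counts: Counter) -> str:
    """Illustrative two-level scheme: anything holding PII is Confidential."""
    return "Confidential - PII" if counts else "Internal"


def scan_repository(files: Dict[str, str]) -> List[InventoryRow]:
    """Produce one inventory row per file (mapping of path -> contents)."""
    rows = []
    for path, text in sorted(files.items()):
        counts = count_identifiers(text)
        rows.append(InventoryRow(path, classify(counts), sum(counts.values()),
                                 tuple(sorted(counts))))
    return rows


# Constructed sample repository (not real data).
SAMPLE_FILES = {
    "hr/payroll_export.csv": (
        "name,ssn\nA. Smith,123-45-6789\nB. Jones,078-05-1120\n"
        "TEST ROW,666-12-3456\n"        # area 666 is never issued: not counted
    ),
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 approved. "
        "Order ref 1234567890123456."   # 16 digits but fails Luhn: not counted
    ),
    "it/readme.txt": "Call x4431 for access; change window 2015-09-17.",
}


if __name__ == "__main__":
    for row in scan_repository(SAMPLE_FILES):
        print(f"{row.location:<24} {row.classification:<18} "
              f"records={row.records} kinds={row.kinds}")
```

The validity checks matter because the record count feeds straight into the exposure figure of step 8: a 16-digit order reference or an unissued SSN area would otherwise be counted as a breached record and inflate the dollar number you take to the governance committee. Commercial DLP products add fingerprinting and context around matches, and still need a tuning pass against your own repositories before their counts are trusted.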
10. Monitor Your Information Risks
» Is information being exposed?
» Is information being used inappropriately?
» Is sensitive data being exfiltrated?
» Are outages causing unavailability?
» Periodically re-assess your threats and assumptions to make sure they’re still valid
Summary
1. Leverage a consistent risk process
2. Identify your sensitive information
3. Document what, where, how much, etc.
4. Classify the information
5. Identify relevant threats
6. Identify your vulnerabilities
7. Identify existing controls that mitigate risk
8. Calculate the residual risk
9. Determine whether action is required
10. Monitor your risks and always look for new ones
Questions?
Thank You!

VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 

Managing Information Risk (slide transcript)

• 1. Effectively Managing Information Risk
Doug Copley
CISO – Beaumont Health
Chairman Emeritus – Michigan Healthcare Cybersecurity Council

• 2. Audience Take-Aways
» How to identify the information that needs to be protected
» Leveraging dependencies in managing information risk
» Pragmatic steps to demonstrate progress in managing information risk

• 3. Information? Not IT?
C – I – S – O: Chief Information (not IT) Security Officer

• 4. Why Protect Information?
» Ponemon 2015 Cost of a Data Breach Study:
 Average cost per record in US: $217
 Average cost of data breach: $6.53M
(Chart: average cost per record by industry. Source: Ponemon Institute©)

• 5. Breach Costs
(Chart. Source: Ponemon Institute©)

• 6. Why Protect Information?
(Chart. Source: Ponemon Institute©)

• 7. Barriers to Managing Information Risk
» Lack of leadership (concern) from CEO or Board
» Lack of vision on how future business needs will impact information security
» Failure by businesses to articulate the value of information to the business

• 8. Barriers to Managing Information Risk
» Too much focus on IT systems, and not the information, which is the real asset
» Board/CEO viewpoint that CIO focus is technology, not information
» Culture lacks accountability for information

• 9. WHAT INFORMATION DO I NEED TO PROTECT?

• 10. What Information Needs Protection?
» Identification – who can help identify it:
 Corporate Compliance
 Enterprise Risk
 Internal Audit
 Legal Affairs
 Regulatory Guidance
 Senior organizational leaders

• 11. What Information Needs Protection?
» What makes it critical to the organization?
 Confidentiality (PII, PHI)
 Integrity (financials, business intelligence)
 Availability (hourly/daily/weekly processing)

• 12. Where is the Information?
» Internal
 Servers?
 PCs?
 File cabinets?
 Email?
 Databases and Data Warehouses?
 Backup media (tape/disk)?
 File Servers?
 SharePoint sites?
 Executive reports and archives of them?

• 13. Where is the Information?
» External
 Supply Chain?
 Hosted Services
 Email?
 Applications?
 Cloud collaboration tools (Box, OneDrive)?
 Backup media stored off site (e.g. Iron Mountain)?
 Data Clearinghouses?
 Information Exchanges?
 Consortiums, Research, Public Health entities?
 Any stored/processed outside the US?

• 14. Let's Hope it's not Here
(Slide image; caption text: "John Doe's")

• 15. WHO CAN HELP ME MANAGE INFORMATION RISK?

• 16. Natural Partners in Managing Risk
» Corporate Compliance
 Applicable regulations
 Risk of non-compliance
» Enterprise Risk Management
 Manages all risk across the company
 Will measure information risk the same as other risks
» Internal Audit
 Can help raise risk awareness to the Board
 Can report on control effectiveness

• 17. Natural Partners in Managing Risk
» Legal Affairs – advice
 Retention, litigation, legal precedents
» Human Resources
 Job descriptions
 Training
» Information Technology
 Will implement technical controls
» Finance
 Will help quantify risk in currency

• 18. WHERE CAN I START?

• 19. 1. Leverage a Consistent Process
(Slide image: example risk management process)

• 20. 2. Identify Sensitive Information
» Document what information needs protection
» Identify accountable owners
» Capture metadata:
 Location or transfer, #records, classification, #users with access, internally or externally accessible
 What makes the information critical (C, I, A)
» Document in a repository that can be shared with business partners

• 21. 3. Document It
» Information Asset Inventory
» Configuration Management DB (CMDB) is a great place
 Location or transfer, #records, classification, #users with access, internally or externally accessible, what makes the information critical (C, I, A)
» SharePoint list (records by location/transfer)
» Organization-wide risk register
» Business Continuity Plans
» Don't forget to include routine data transfers

• 22. 4. Classify the Information
» Make it simple for users
 Ask yourself what requirements would differ between classifications
 Default classification should require no action
 Is there a way to automate the classification?
» Data labeling
» Data handling policy (information asset management)
Educate, educate, educate some more

• 23. 5. Identify the Threats
» What are the relevant threat vectors?
 Cyber attack
 Social engineering & malware
 Physical modification (e.g. POS terminals)
 Web – false sites, man-in-the-middle, drive-by downloads
 Mobile devices – iOS, Android, BlackBerry, etc.
 Removable media – USB, DVD, backup drives, etc.
 Email – phishing, malicious URLs and attachments
 Natural disaster – failure to continue/recover

• 24. 6. Identify Your Vulnerabilities
» Bugs – how's your patching?
» Misconfigurations?
» Rapid changes in business or IT systems
» Would users recognize a malicious email or web site if they saw one?
» Failure to apply due care/diligence in managing IT systems
» Internal malicious or accidental use

• 25. 6. Identify Your Vulnerabilities
» Too many systems that don't integrate
» Poorly authenticated remote access
» Do your systems filter or flag suspicious emails, URLs or file attachments?
» What devices can attach to your network?
» Do you permit use of removable media?

• 26. 7. Information Access Administration
» Who's responsible for the information?
 Do they understand their role?
» Who has access?
» Is the access appropriate? Are roles used?
» Who is approving access?
» Who is administering the access?
» What permission reviews are taking place?
» Is activity also reviewed?

• 27. 8. Evaluate the Risks
» Determine which threats and vulnerabilities apply to each set of information
» Ask yourself what the worst-case scenario is
» Assess likelihood and impact
» Do you have controls that mitigate some risk?
» Use Finance to help measure risk in $$
» Rank risks – is there a documented tolerance?
» Evaluate cost and effort of additional mitigating controls
» Let the governance committee decide actions

• 30. Example: SharePoint Library
Business unit exchanges PII data with outside companies or individuals
» External collaborators access SharePoint
» 450 people have access to the data
» Worst case: all data is made public/breached
» Access is authenticated, but each external company uses a generic credential
» 50,000 records in the site
• 31. Example: SharePoint Library Evaluation Data
» 50,000 records * $200/record = $10M exposure
» Existing controls mitigate 80%  $2M residual
» Organization accepts anything $1M or less
 Control: Could issue credentials to every user
 Control: Could perform periodic activity reviews
 Control: Could force two-factor authentication
 Control: Could alert on access by users not in the ACL
» Selected controls – $180,000; residual reduced to 5% ($500k)
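The arithmetic in slides 30–31 (worst-case exposure, residual after existing controls, comparison against the documented tolerance, and the cost of the selected controls) carried out in code, as an added example that is not part of the original deck. The asset fields follow the slide-20 inventory metadata; the `InformationAsset`, `RiskDecision` and `evaluate` names and the $200/record planning figure are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InformationAsset:
    """One row of the information asset inventory (slide-20 metadata)."""
    name: str
    records: int
    cost_per_record: float    # USD per breached record (deck uses $200)
    users_with_access: int
    externally_accessible: bool


@dataclass(frozen=True)
class RiskDecision:
    exposure: float           # worst case: every record breached
    current_residual: float   # exposure left after controls already in place
    proposed_residual: float  # exposure left after the selected extra controls
    control_cost: float       # one-off cost of the selected controls
    action_required: bool     # current residual exceeds the risk tolerance
    within_tolerance: bool    # proposed residual is at or under the tolerance
    net_benefit: float        # risk reduction bought minus what it costs


def worst_case_exposure(asset: InformationAsset) -> float:
    return asset.records * asset.cost_per_record


def residual_risk(exposure: float, mitigation: float) -> float:
    """Exposure remaining when controls mitigate `mitigation` (0..1) of it."""
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return exposure * (1.0 - mitigation)


def evaluate(asset: InformationAsset, current_mitigation: float,
             proposed_mitigation: float, control_cost: float,
             tolerance: float) -> RiskDecision:
    """Apply the slide-27 steps: exposure, residual, rank against tolerance."""
    exposure = worst_case_exposure(asset)
    current = residual_risk(exposure, current_mitigation)
    proposed = residual_risk(exposure, proposed_mitigation)
    return RiskDecision(exposure, current, proposed, control_cost,
                        action_required=current > tolerance,
                        within_tolerance=proposed <= tolerance,
                        net_benefit=(current - proposed) - control_cost)


# Constructed input reproducing the deck's SharePoint library example.
SHAREPOINT_LIBRARY = InformationAsset("PII SharePoint library", 50_000, 200.0, 450, True)


def sharepoint_example() -> RiskDecision:
    # Existing controls mitigate 80%; selected controls ($180k) leave 5% residual;
    # the organization's documented tolerance is $1M.
    return evaluate(SHAREPOINT_LIBRARY, 0.80, 0.95, 180_000.0, tolerance=1_000_000.0)
```

Running `sharepoint_example()` shows the two decisions the governance committee needs: the $2M current residual is above the $1M tolerance (action required), and $180k of controls brings it to $500k, inside tolerance.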
• 32. 9. What Tools Can Help?
» Information classification
 Titus has a mature product for classification & retention
» Information location
 Data Loss Prevention tools can scan repositories and PCs looking for sensitive data
» Information movement
 Data Loss Prevention tools can detect/prevent the movement of sensitive data
» Good security awareness campaigns
» Lots of GRC tools to help manage your risks

• 33. 10. Monitor Your Information Risks
» Is information being exposed?
» Is information being used inappropriately?
» Is sensitive data being exfiltrated?
» Are outages causing unavailability?
» Periodically re-assess your threats and assumptions to make sure they're still valid

• 34. Summary
1. Leverage a consistent risk process
2. Identify your sensitive information
3. Document what, where, how much, etc.
4. Classify the information
5. Identify relevant threats
6. Identify your vulnerabilities
7. Identify existing controls that mitigate risk
8. Calculate the residual risk
9. Determine whether action is required
10. Monitor your risks and always look for new ones