The lunch keynote presentation I delivered at SecureWorld Detroit September 17, 2015. The material presents practical steps to managing information risk.
2. Audience Take-Aways
» How to identify the information that needs to be protected
» Leveraging dependencies in managing information risk
» Pragmatic steps to demonstrate progress in managing information risk
2 17-Sep-2015
3. Information? Not IT?
C – I – S – O
Chief Information (not IT) Security Officer
7. Barriers to Managing Information Risk
» Lack of leadership (concern) from CEO or Board
» Lack of vision on how future business needs will impact information security
» Failure by businesses to articulate the value of information to the business
8. Barriers to Managing Information Risk
» Too much focus on IT systems, and not the information, which is the real asset
» Board/CEO viewpoint that CIO focus is technology, not information
» Culture lacks accountability for information
11. What Information Needs Protection?
» What makes it critical to the organization?
  Confidentiality (PII, PHI)
  Integrity (financials, business intelligence)
  Availability (hourly/daily/weekly processing)
12. Where is the Information?
» Internal
  Servers?
  PCs?
  File cabinets?
  Email?
  Databases and Data Warehouses?
  Backup media (tape/disk)?
  File Servers?
  SharePoint sites?
  Executive reports and archives of them?
13. Where is the Information?
» External
  Supply Chain?
  Hosted Services
  Email?
  Applications?
  Cloud collaboration tools (Box, OneDrive)?
  Backup media stored off site (e.g. Iron Mountain)?
  Data Clearinghouses?
  Information Exchanges?
  Consortiums, Research, Public Health entities?
  Any stored/processed outside the US?
15. Who Can Help Me Manage Information Risk?
16. Natural Partners in Managing Risk
» Corporate Compliance
  Applicable regulations
  Risk of non-compliance
» Enterprise Risk Management
  Manages all risk across the company
  Will measure information risk the same as other risks
» Internal Audit
  Can help raise risk awareness to the Board
  Can report on control effectiveness
17. Natural Partners in Managing Risk
» Legal Affairs – advice
  Retention, litigation, legal precedents
» Human Resources
  Job descriptions
  Training
» Information Technology
  Will implement technical controls
» Finance
  Will help quantify risk into currency
19. 1. Leverage a Consistent Process
Figure: example risk management process
20. 2. Identify Sensitive Information
» Document what information needs protection
» Identify accountable owners
» Capture meta-data:
  Location or transfer, #records, classification, #users with access, internally or externally accessible
  What makes the information critical (C, I, A)
» Document in a repository that can be shared with business partners
21. 3. Document It
» Information Asset Inventory
» Config Mgmt DB (CMDB) is a great place
  Location or transfer, #records, classification, #users with access, internally or externally accessible, what makes the information critical (C, I, A)
» SharePoint list (records by location/transfer)
» Organization-wide risk register
» Business Continuity Plans
» Don’t forget to include routine data transfers
22. 4. Classify the Information
» Make it simple for users
  Ask yourself what requirements would be different between classifications
  Default classification should require no action
  Is there a way to automate the classification?
» Data Labeling
» Data Handling Policy (information asset management)
Educate, Educate, Educate some more
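One way to act on "is there a way to automate the classification?" and "default classification should require no action", as an added example that is not part of the talk: a small classifier that looks for the C and I drivers named on slide 11 (PII such as SSNs, card numbers checked with Luhn, email addresses; financial figures) and falls through to a default tier that needs no user action. The tier names, the regular expressions, the finance keyword list and the sample records are all constructed assumptions; a real deployment would take its rules from the data handling policy.

```python
import re

# Data elements that drive a Confidential (C) classification (assumed patterns).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Integrity-critical (I) content: an assumed keyword heuristic for financials.
FINANCE_RE = re.compile(r"\b(revenue|forecast|quarterly results)\b", re.IGNORECASE)

# Tier names are assumptions; "Internal" is the default and needs no user action.
DEFAULT_TIER = "Internal"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters card-like digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Classify one record or document; reasons name the C/I driver found."""
    reasons = []
    if SSN_RE.search(text):
        reasons.append("C: SSN-like identifier (PII)")
    if find_card_numbers(text):
        reasons.append("C: card number passing Luhn")
    if EMAIL_RE.search(text):
        reasons.append("C: email address (PII)")
    if FINANCE_RE.search(text):
        reasons.append("I: financial figures (business intelligence)")

    if any(r.startswith("C:") for r in reasons):
        tier = "Confidential"
    elif reasons:
        tier = "Internal-Restricted"
    else:
        tier = DEFAULT_TIER
    return {"tier": tier, "reasons": reasons, "action_required": tier != DEFAULT_TIER}


if __name__ == "__main__":
    # Constructed sample records; none of these values are real.
    for sample in [
        "Employee SSN 123-45-6789 on file",
        "Card 4111 1111 1111 1111 charged",
        "Card 4111 1111 1111 1112 charged",
        "Q3 revenue forecast attached",
        "Cafeteria menu for next week",
    ]:
        print(classify(sample))
```

The Luhn check is what keeps a 16-digit order number from being labelled as card data; that kind of false positive is what makes users distrust an automated label, so the default tier only gets overridden when a driver from the C/I/A list actually matches.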
23. 5. Identify the Threats
» What are the relevant threat vectors?
  Cyber attack
  Social engineering & malware
  Physical modification (e.g. POS terminals)
  Web – false sites, man-in-the-middle, drive-by downloads
  Mobile devices – iOS, Android, BlackBerry, etc.
  Removable media – USB, DVD, backup drives, etc.
  Email – phishing, malicious URLs and attachments
  Natural disaster – failure to continue/recover
24. 6. Identify Your Vulnerabilities
» Bugs – how’s your patching?
» Misconfigurations?
» Rapid changes in business or IT systems
» Would users know a malicious email or web site if they saw one?
» Failure to apply due care/diligence in managing IT systems
» Internal malicious or accidental use
25. 6. Identify Your Vulnerabilities
» Too many systems that don’t integrate
» Poorly authenticated remote access
» Do your systems filter or flag suspicious emails, URLs or file attachments?
» What devices can attach to your network?
» Do you permit use of removable media?
26. 7. Information Access Administration
» Who’s responsible for the information?
  Do they understand their role?
» Who has access?
» Is the access appropriate? Are roles used?
» Who is approving access?
» Who is administering the access?
» What permission reviews are taking place?
» Is activity also reviewed?
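The permission review and activity review questions above, carried through on constructed data as an added example (not code from the talk): the approved ACL, the role-to-action map and the log lines are all made up, and the log format is an assumption rather than any real product's. The review compares observed activity against what the owner approved and flags three things a reviewer would want: activity by users who are not in the ACL at all, actions outside the user's role, and ACL entries that show no activity in the window (candidates for removal).

```python
import re

# Approved access list as the information owner signed it off (constructed):
# user -> role. "partner-acme" is a shared credential used by one partner company.
APPROVED_ACL = {
    "alice": "analyst",
    "bob": "analyst",
    "dave": "analyst",
    "partner-acme": "external-reader",
}

# Actions each role is permitted (constructed assumption).
ROLE_ACTIONS = {
    "analyst": {"read", "download"},
    "external-reader": {"read"},
}

# Constructed access log; the format is an assumption, not a real product's.
SAMPLE_LOG = """\
2015-09-17T09:01:00 user=alice action=read object=/pii/export.csv
2015-09-17T09:05:10 user=carol action=read object=/pii/export.csv
2015-09-17T09:07:42 user=partner-acme action=download object=/pii/export.csv
2015-09-17T10:12:03 user=partner-acme action=download object=/pii/export.csv
2015-09-17T11:30:00 user=bob action=delete object=/pii/export.csv
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def review_activity(events, acl=APPROVED_ACL, role_actions=ROLE_ACTIONS) -> list:
    """Activity review: flag users not in the ACL and actions outside their role."""
    findings = []
    for e in events:
        role = acl.get(e["user"])
        if role is None:
            findings.append(("NOT_IN_ACL", e["user"], e["action"], e["obj"]))
        elif e["action"] not in role_actions.get(role, set()):
            findings.append(("ACTION_OUTSIDE_ROLE", e["user"], e["action"], e["obj"]))
    return findings


def idle_entitlements(events, acl=APPROVED_ACL) -> set:
    """Permission review: ACL entries with no activity in the window (removal candidates)."""
    active = {e["user"] for e in events}
    return set(acl) - active


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in review_activity(evts):
        print("FINDING", *f)
    print("idle entitlements:", sorted(idle_entitlements(evts)))
```

Note what the shared partner credential does to the review: two downloads by "partner-acme" are flagged, but nothing in the log says which person at the partner company performed them, which is the accountability gap that the per-user credential control in the SharePoint example closes.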
27. 8. Evaluate the Risks
» Determine which threats and vulnerabilities apply to each set of information
» Ask yourself the worst-case scenario.
» Assess likelihood and impact
» Do you have controls that mitigate some risk?
» Use Finance to help measure risk in $$
» Rank risks – is there a documented tolerance?
» Evaluate cost and effort of additional mitigating controls
» Let the governance committee decide actions
30. Example: SharePoint Library
Business unit exchanges PII data with outside companies or individuals
» External collaborators access SharePoint
» 450 people have access to the data
» Worst case: all data is made public/breached
» Access is authenticated, but each external company uses a generic credential
» 50,000 records in the site
31. Example: SharePoint Library
Evaluation data
» 50,000 records * $200/record = $10M exposure
» Existing controls mitigate 80%, leaving $2M
» Organization accepts anything $1M or less
  Control: could issue credentials to every user
  Control: could perform periodic activity reviews
  Control: could force 2-factor authentication
  Control: could alert on access by users not in ACL
» Selected controls – $180,000; reduction to 5% ($500k)
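The SharePoint library numbers above, carried through as a residual-risk calculation in the shape of steps 7 to 9 of the summary (existing controls, residual risk, is action required). This is an added example, not code from the talk; the function and field names are assumptions, and because the slides give cost and effect only for the selected package as a whole, the four candidate controls are carried as names rather than given invented individual figures.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    name: str
    records: int
    cost_per_record: float
    existing_mitigation: float   # fraction of exposure existing controls remove
    tolerance: float             # largest residual loss the organisation accepts


@dataclass
class ControlPackage:
    controls: list               # names of the selected controls
    cost: float                  # cost of the whole package
    residual_fraction: float     # fraction of exposure left once all are in place


def inherent_exposure(s: RiskScenario) -> float:
    """Worst case from the slide: every record is made public/breached."""
    return s.records * s.cost_per_record


def residual_risk(exposure: float, residual_fraction: float) -> float:
    """Rounded to cents so the figures compare cleanly against the tolerance."""
    return round(exposure * residual_fraction, 2)


def evaluate(s: RiskScenario, package: ControlPackage) -> dict:
    """Compare current residual risk and post-control residual risk with tolerance."""
    exposure = inherent_exposure(s)
    current = residual_risk(exposure, 1 - s.existing_mitigation)
    after = residual_risk(exposure, package.residual_fraction)
    return {
        "scenario": s.name,
        "inherent_exposure": exposure,
        "current_residual": current,
        "action_required": current > s.tolerance,      # step 9: above tolerance?
        "selected_controls": list(package.controls),
        "selection_cost": package.cost,
        "residual_after_selection": after,
        "within_tolerance_after": after <= s.tolerance,
        # Dollars of risk removed per dollar spent: a figure Finance can argue with.
        "risk_reduction_per_dollar": round((current - after) / package.cost, 2),
    }


# Figures from the slides; the scenario name is an assumption.
SHAREPOINT_LIBRARY = RiskScenario(
    name="SharePoint library exchanging PII with external collaborators",
    records=50_000,
    cost_per_record=200.0,
    existing_mitigation=0.80,
    tolerance=1_000_000,
)

SELECTED = ControlPackage(
    controls=[
        "issue credentials to every user",
        "periodic activity reviews",
        "2-factor authentication",
        "alert on access by users not in ACL",
    ],
    cost=180_000,
    residual_fraction=0.05,
)


def evaluate_sharepoint_library() -> dict:
    return evaluate(SHAREPOINT_LIBRARY, SELECTED)


if __name__ == "__main__":
    for key, value in evaluate_sharepoint_library().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the $10M exposure, the $2M current residual that sits above the $1M tolerance (so action is required), and the $500k residual after the $180,000 package; the same structure works for any row of the risk register once Finance has supplied a per-record cost.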
32. 9. What Tools Can Help?
» Information classification
  Titus has a mature product for classification & retention
» Information location
  Data Loss Prevention tools can scan repositories and PCs looking for sensitive data
» Information movement
  Data Loss Prevention tools can detect/prevent the movement of sensitive data
» Good security awareness campaigns
» Lots of GRC tools to help manage your risks
33. 10. Monitor Your Information Risks
» Is information being exposed?
» Is information being used inappropriately?
» Is sensitive data being exfiltrated?
» Are outages causing unavailability?
» Periodically re-assess your threats and assumptions to make sure they’re still valid
34. Summary
1. Leverage a consistent risk process
2. Identify your sensitive information
3. Document what, where, how much, etc.
4. Classify the information
5. Identify relevant threats
6. Identify your vulnerabilities
7. Identify existing controls that mitigate risk
8. Calculate the residual risk
9. Determine whether action is required
10. Monitor your risks and always look for new ones