Risky Business

1. Michael Scheidell, CISSP, CCISO, SMIEEE RISKY BUSINESSPrepare and Defend. InfraGard slidesha.re/1H0uVSL

2. © 2014-2015 All Rights Reserved Security Priva(eers Sub headline AGENDAMichael Scheidell, CISSP, CCISO, SMIEEE Risky Business @scheidell 561-948-1305 / michael@securityprivateers.com http://www.securityprivateers.com • CISSP, Certified CISO • SE Regional Rep, Infragard National • Board Member, InfraGard, South Florida Members Alliance • Delegate to NIST CSF workshop • Retained CISO • Member ISSA, IAPP, ISACA, PMI, SFTA, CSA, FISA, IEEE • Patents in Network Security • Founded 3 technology companies

3. Sub headline AGENDAAGENDA © 2014 All Rights Reserved Security Priva(eers • Evolution, Revolution or Anarchy • Who is Responsible for IT Security? • Please Stop calling it InfoSec • IT Risk Management • Risk Officer / Risk Committee • Types of Risk Management • Risk of Too Much Management • Risk Management Frameworks • Do or Not Do. There is no Try

4. Restricted Access Evolution, Revolution or Anarchy

5. Restricted Access Evolution, Revolution or Anarchy Secrets

6. Restricted Access Evolution, Revolution or Anarchy Secrets Protection

7. Sub headline AGENDAWho is Responsible for IT Security Not My Job CFO IT Security Network Manager CIO Dir IT CEO

8. Please Stop Calling it Information Security Information Security Usually in the IT department, no visability into business practices. Revolves around the Information Security Policy and one of several InfoSec Frameworks. 1 IT Risk Management Without direct involvement with all stakeholders you can’t allocate resources or determine what to protect and why. 2

9. Executive Operations Information Technology Legal Finance CRO IT Retail Add in LOSS PREVENTION 1 Marketing PR for when things go wrong 2 Risk Management It’s Everyone’s Job Chief Risk Officer

10. From here to there and back again Risk Management Steps 1 Business Impact Analysis What will it cost us. Needed for DRP and BCP also. 2 Identify Risks Governance, Risk, Compliance 3 Priorize Mitigation Budget, Business Impact, Legal 4 Fund Failure It will happen. Decide what to do before it happens.

11. LIKELIHOOD CONSEQUENCES How likely is the event to occur ? What is the Severity of Injuries/potential damages/financial ? Almost certain - MODERATE RISK HIGH RISK HIGH RISK CRITICAL RISK CRITICAL RISK Expected in normal circumstances: 100% Likely - MODERATE RISK MODERATE RISK HIGH RISK HIGH RISK CRITICAL RISK Probably occur in most circumstances: 10% Possible - LOW RISK MODERATE RISK HIGH RISK HIGH RISK CRITICAL RISK Might occur at some time: 1% Unlikely - LOW RISK MODERATE RISK MODERATE RISK HIGH RISK HIGH RISK Could occur at some future time: 0.1% Rare - LOW RISK LOW RISK MODERATE RISK HIGH RISK HIGH RISK Only in exceptional circumstances: 0.01% Insignificant Minor Moderate Major Catastrophic No Injuries No Envir Impact < $1,000 Damage Some First Aid Low Envir Impact < $10K Damage External Medical Medium Impact < $100K Damage Extensive injuries High Envir Impact < $1MM Damage Death/Major injury Toxic Envir Impact > $1MM Damage

12. Enterprise Risk1 © Copyright 2014 security Priva(eers Sub headline AGENDATypes of Risk Management There is more than one way to go bankrupt Operational Risk2 Regulatory and Legal Risk3 Financial Risk4 Unknown Risk5 Where does Information Risk Management Fit?

13. Operational Risk Operational risks exist in every organization, regardless of its size, in any number of forms including hurricanes, blackouts, computer hacking, and organized fraud. Types of Risk Management Regulatory and Legal Risk International, Federal, State, Local, Legal and Industry Specific: Safe Harbor, GLBA, SOX, Sarbanes-Oxley, HIPAA, PCI Financial Risk The loss of key resources like funding through Credit Risk, Investment Risk, Liquidity Risk and Market Risk Enterprise Risk Enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and strong risk culture, supported by sound risk management capabilities. Unknown Risk “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know” Donald Rumsfeld

14. © Copyright 2014 Security Priva(eers Harvard Business Review, June 2012 Preventable Risks • Risks that can be controlled • Employee misconduct • Unauthorized, illegal • No strategic benefit • Manage pro-actively • Monitoring processes • Guiding behaviors • Rules-based compliance 1 Strategy Risks • Must Accept Some Risks • Lender Accepts Risk • R & D Spending • Not inherently undesirable • Higher Reward-Higher Risk • Rules-based won’t work Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain risk events should they occur. 2 External Risks • Beyond Company Control • Natural Disasters • Political Disasters • Economic Disasters • Can’t prevent them • Can’t predict them • Focus on identification • Plan: • Business Impact Analysis • Disaster Recovery Plan • Business Continuity Plan • Insurance 3

15. Working With Risks Enterprise Operational Regulatory Financial Strategic Risks Preventable Risks External Risks Acceptable Risks

16. IT-related Risk Enterprise Risk Strategic Risk Environmental Risk Market Risk Credit Risk Operational Risk Sub headline AGENDAIT Risk in the Risk Hierarchy Where IT fits in IT Benefit/Value Enablement Risk IT Program and Project Delivery Risk IT Operations and Service Delivery Risk IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g., in the financial industry in the Basel II. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives. The same applies for credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but perhaps as shown in the example given.

17. Sub headline AGENDAWorking with Risks COBIT 5 for Risk

18. Sub headline AGENDAIT Risk Frameworks NIST 800-37

19. Connect to Business Objectives Align IT Risk Management With ERM Balance Cost/Benefit of IT Risk Promote Fair and Open Discourse Establish Tone and Accountability at the Top Function as Part of Daily Activities Sub headline AGENDAIT Risk Frameworks ISACA’s RISK IT Framework Risk IT Principles

20. Sub headline AGENDAIT-related Risk Management Risk IT is not limited to information security. It covers all IT- related risks, including: • Late project delivery • Not achieving enough value from IT • Compliance • Misalignment • Obsolete or inflexible IT architecture • IT service delivery problems

21. You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill, … you stay in Wonderland, and I show you, how deep the rabbit-hole goes. Sub headline AGENDATwo choices This is your last chance ... After this, there is no turning back.

22. © Copyright 2014 Security Priva(eers Harvard Business Review, June 2012 Preventable Risks • Risks that can be controlled • Employee misconduct • Unauthorized, illegal • No strategic benefit • Manage pro-actively • Monitoring processes • Guiding behaviors • Rules-based compliance 1 Strategy Risks • Must Accept Some Risks • Lender Accepts Risk • R & D Spending • Not inherently undesirable • Higher Reward-Higher Risk • Rules-based won’t work Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain risk events should they occur. 2 External Risks • Beyond Company Control • Natural Disasters • Political Disasters • Economic Disasters • Can’t prevent them • Can’t predict them • Focus on identification • Plan: • Business Impact Analysis • Disaster Recovery Plan • Business Continuity Plan • Insurance 3

23. Running with Scissors Why RISK is Good

24. Sub headline AGENDARisk of Too Much Management • What major systemic failure can you think of in Security and Privacy? • Where has too much Security eliminated Privacy and did nothing for Security? • Have you experienced too much security?

25. Sub headline AGENDA$93 Billion Dollars spent since 2001

26. Sub headline AGENDAWhere to put priorities • Identify • Risk Assessment • Likelihood • Logs • Security Alerts • Consequences • Business Impact Analysis • Data Valuation • Unavailable • Modified • Exfiltrated • Data Classification • Public • Private • Classified • THEN AUDIT

27. Sub headline AGENDAWhere to put priorities • Exfiltrated Public Data • State Code DB • DoS Ketchup Formula • Corrupt ICBM Codes • 40MM Dumps with PIN

28. Sub headline AGENDABusiness Impact Analysis Data Valuation / Data Classification Data Breach Profitibility BCP/DRP/RISK IT BIA Missing Backup Internet Outage Power Outage

29. Responsibility Executive Management (go to www.hotjobs.com) 1 Start to work Partner with other departments 2 Without a destination, any path will do. 3

30. © 2014 All Rights Reserved • Join InfraGard http://www.infragard.org/ • Join ISACA http://www.isaca.org • Join ISSA http://www.issa.org • Presentation: http://slidesha.re/1H0uVSL • Learn about RISK IT and COBIT • Training / Certifications: CISSP, CCISO, CRISC Sub headline AGENDANew Platform, Old Mistakes Keep doing the same thing hoping for different results

31. © 2014-2015 All Rights Reserved Risk Management Programs • Build your IT Risk Management Team • Help Management Implement RISK IT • Training • Web App Assessment • SDLC Review • IT Risk Assessments • Retained CISO Sub headline AGENDARisky Business Where to get Help @scheidell 561-948-1305 / michael@securityprivateers.com http://www.securityprivateers.com Call to set up an appointment for initial review