What we’ll talk about today
Elon Ginzburg, Operational Risk Manager, Wells Fargo Bank
Mario Paez, National Practice Advisor, Wells Fargo Insurance
Taiye Lambo, Chief Information Security Officer, City of Atlanta
Rob Callahan, Host and Moderator, Wells Fargo Bank
Today’s cybersecurity landscape
City of Atlanta’s bold vision for cyber security
By the numbers (Verizon 2015 Data Breach Investigations Report, based on 50 contributing global organizations)
28.5% POS intrusions
18.8% crimeware
18% cyber espionage
10.6% insider misuse
2,122 confirmed data breaches (up from 1,367 in 2014)
79,790 reported security incidents (up from 63,437 in 2014)
61 countries represented (down from 95 in 2015)
Data
Sample size: 160 insured claims
Company size
Nano-cap (under $50M revenue): 28% of incidents
Micro-cap ($50M-$300M revenue): 18% of incidents
Small-revenue ($300M-$2B revenue): 25% of incidents
Large-revenue ($10-$100 billion): lost the most records (60%)
Additional notes
The average cost of a claim was $673,767
Third parties accounted for 25% of the claims submitted
Findings
Data type: PII 45%; PCI 27%; PHI 14%
Cause of loss: Hackers 31%; Malware/virus 14%; Staff mistakes 11%; Rogue employees 11%; Lost/stolen laptop/device 10%; Paper records 5%; System glitch 5% (*in 2013, stolen laptops were #1)
Business sectors: Healthcare 21%; Financial services 17%; Retail 13%; Technology 9%; Professional services 8%; Hospitality 4%; Restaurants 4%
Source: NetDiligence 2015 claims study
Percentage of breaches by cause of loss (chart)
Percentage of breaches by business sector (chart)
Source: Cyber Risk Claims: A Review of Industry Losses Paid Out, NetDiligence 2015 Study (sample size = 160 insured claims)
Key types of fraud attacks
Imposter fraud / social engineering / social media
– Low tech
– Operational gaps
– Awareness
Cyber security
– Coding vulnerabilities
– Misconfigured equipment
– Holistic cyber security
Breaches that originate through 3rd party service providers
– Weakest link
– Challenges with outsourcing (cloud, 4th party outsourcing, others)
– Importance of a third party service provider management program
Vision: A trusted steward of information technology and catalyst for innovation.
Mission: Enabling city operations by consistently delivering reliable and secure services, innovative solutions, and best-in-class customer service.
AIM Future Service Delivery Model
Mayor’s Office
Department of Finance/Risk
Department of Procurement
Department of HR
Department of Law
Department of Audit
Department of Ethics
City Council
Department of Public Works
Department of Planning & Com Dev.
Department of Parks & Recreation
Office of Ent. Assets Mgmt.
Department of Entertainment
Department of Sustainability
Atlanta Workforce Dev. Agency
Atlanta 311
Invest Atlanta
Department of Aviation – Hartsfield-Jackson International Airport
Department of Watershed Management
Atlanta Police Department
Atlanta Fire/Rescue Department
Department of Corrections
Judicial Agencies
Public Defenders Office
Solicitors Office
Strategic Plan: Objectives & Goals
AIM Objective: Achieve IT Operational Excellence. Run IT like a service business providing reliable, scalable, and secure technology solutions aligned with “best-in-class” customer service.
Enterprise AIM Goals: Ensure IT Infrastructure Reliability & Security; Enhance IT Customer Service Quality & Delivery; Improve IT Operational Efficiency.
Information Security Goals: Ensure Data Confidentiality; Ensure Data Integrity; Ensure Data Availability.
Compliance ≠ Security – Example
A safety engineer approves the appropriate number of lifeboats on a new capacity line of cruise ships.
Regulatory compliance requirement: passenger and crew capacity 3,600; lifeboats 16; occupancy 1,100.
Actual (RMS Titanic, maiden voyage, April 15, 1912): passengers and crew 2,224; lifeboats 20; occupancy 1,178.
Determination: “Compliant”. Passengers and crew lost: 1,514.
*Compliance + Continual Improvement Process through ongoing Risk Assessments would have identified the need for protection against physical factors such as weather and icebergs!
The need for frameworks
A framework is an extensible structure for documenting and implementing a set of concepts, processes, methods, technologies, procedures and cultural changes necessary for a complete product.
By aligning the framework controls to business goals and objectives, the framework helps focus on achieving the goals of the business.
The need for frameworks (cont.)
Frameworks direct your focus on the four basic elements of good governance:
Participation: Aligning IT with the strategic business goals and providing a common frame of reference and vocabulary;
Accountability: Meeting compliance requirements;
Predictability: Efficiently managing IT resources and risks. The common frame of reference produces predictability;
Transparency: Implementing consistent tools and processes throughout the organization.
Criteria common to frameworks
Effectiveness: Information being relevant and pertinent to the business process and delivered in a timely, correct, consistent, and usable manner.
Efficiency: Providing information through the optimal (most productive and economical) use of resources.
Confidentiality: The protection of sensitive information from unauthorized disclosure.
Integrity: The accuracy and completeness of information as well as its validity in accordance with business values and expectations.
Availability: Information being available when required by the business process, present and future, and safeguarding necessary resources and associated capabilities.
Compliance: Achieving externally imposed business criteria (laws, regulations, and contractual obligations) to which the business process is subject, and internal policies.
Reliability: Providing appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
5 characteristics of a control framework
– Provides sharper business focus
– Defines a common language
– Helps meet regulatory requirements
– General acceptability among organizations
– Ensures process orientation
A holistic integrated control framework
Corporate Governance (COSO): Aligns governing body to selection of legally required business and entity controls. Framework is adopted by the main governing body, such as SEC / PCAOB in the US, or OGC in the UK.
IT & Service Management Governance (CobiT, ITIL): Guides implementation and recommendation of control programs and establishes independent criteria for assessment, goals and performance.
Security Governance / Information Security Management System (ISMS) (ISO/IEC 27001, NIST/FISMA, FedRAMP): Establishes specific measures and methods for implementing security programs, risk assessment, conformity and allowable business policy.
Security Guidance, Emerging Requirements, Key Risks and Risk Assessment (Privacy Laws US, CA, EU; GLBA, HIPAA, PCI, SOX, Basel III, Breach Laws, Trade Agreements): Industry, region, country and trade requirements for business and systems.
Critical success factors
– Visible support & commitment from top management; a top down approach
– Information security policies, objectives & activities that reflect business objectives
– An approach to implementing information security that is consistent with organizational culture
– A good understanding of the security requirements, risk assessment & risk management
– Effective marketing of security to all managers and employees
– Distribution of guidance on information security policy & standards to all employees and contractors
– Provide appropriate training & education
– A comprehensive & balanced system of measurement which is used to evaluate performance in information security management & feedback suggestions for improvement
Continual improvement process (Plan, Do, Check, Act)
Plan: Perform risk assessment and gap assessment of current environment against legal, contractual and regulatory requirements.
Do: Implement a remediation plan / roadmap for fixing gaps identified.
Check: Perform risk based audits such as HISPI ISO 27001 Top 20 critical controls.
Act: Fix gaps identified from risk based audits.
High level strategic roadmap (timeline chart, FY2015 Q3 through FY2017 Q4)
Develop CISO’s 90-day Strategic Plan for Information Security
Perform risk & gap assessment of current environment against legal, contractual, regulatory requirements.
Information Security Policies and Organization of Information Security: Establish a management framework to initiate and control the implementation and operation of information security within the organization.
Information Security Training & Awareness: Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Asset Management and Supplier Relationships: Identify organizational assets and define appropriate protection responsibilities. Maintain an agreed level of information security and service delivery in line with supplier agreements.
Access Control and Cryptography: Limit access to information and information processing facilities. Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
Physical and Environmental Security: Prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
Operations Security and Communications Security: Ensure correct and secure operations of information processing facilities. Maintain the security of information transferred within an organization and with any external entity.
Systems Acquisition, Development and Maintenance: Ensure that information security is an integral part of information systems across the entire lifecycle, including the requirements for systems which provide services over public networks.
Information Security Incident Management: Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Information Security Compliance + Continual Improvement: Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
Ensure IT Infrastructure Reliability & Security: Ensure the Reliability, Security, and Scalability of COA Systems & Infrastructure