
Security Framework for Digital Risk Management


A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed and is compatible with Agile projects. This is released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Published in: Government & Nonprofit


  1. SECURITY FRAMEWORK FOR DIGITAL RISK MANAGEMENT: Cyber Security Governance and Digital Risk Management for OFFICIAL Environments. Tony Richards.
  2. WHO WE ARE: WWW.SECURESTORM.COM, THE EXPERT SECURITY ADVISORS. CREATIVE COMMONS: This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
  3. INTRODUCTION: Securestorm, in partnership with the Youth Justice Board (YJB), has developed a robust security governance framework and information risk management approach for OFFICIAL digital services and systems. This provides a practical and proportional process with re-usable common security profiles and architectural patterns to:
     • increase efficiency
     • reduce overheads
     • effectively manage information risk
     This move comes after the Cabinet Office announcement of the retirement of mandatory accreditation from the Security Policy Framework (SPF) and CESG's move to supporting business-led information risk management.
  4. INTRODUCTION: Securestorm's Security Framework for Digital Risk Management (1) approach (2) enables organisations to utilise the latest security thought leadership from across UK government and industry, in a synchronised and logical flow that can be deployed rapidly and with agility. Notes: (1) This is available from Securestorm under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. (2) The following is not a stand-alone process or methodology, but a framework for organisations, incorporating a range of security and risk management principles from CESG and the Cabinet Office.
  5. SECURITY GOVERNANCE FRAMEWORK:
     • Secure by Design: Security Design Principles; User Security Needs; Agile Security Stories; Cloud and micro-service Architectural Patterns; Secured base images; Protecting Bulk Personal Data Principles; Security Operations.
     • Info Risk Management: Information Risk Management Principles; Digital Information Risk Management; IT and Digital Security Policy; GSCS Core Security Controls; Relevant Security Profiles.
     • Risk Managed Life-cycle: Risk Status and Management Dashboard; Audit Program; Risk Management Checkpoints and road-maps; Assure Third Parties; SIRO/AO Risk Report; Digital Risk Management Record Schema.
  6. SECURE BY DESIGN (COMMON SOLUTIONS FOR COMMON PROBLEMS): Integrate CESG's Security Design Principles for Digital Services in all new service designs (https://www.cesg.gov.uk/guidance/security-design-principles-digital-services-0). User Security Needs: a predefined library of Security Outcomes, security controls for OFFICIAL, security stories, any legal and regulatory requirements specific to the organisation, and any other relevant security controls as required by the business (https://www.gov.uk/government/publications/government-security-classifications). Develop and share reusable Architectural Patterns where relevant for services or system components.
  7. INFORMATION RISK MANAGEMENT (COMMON SOLUTIONS FOR COMMON PROBLEMS): Understand CESG's guidance on managing Information Risk (https://www.cesg.gov.uk/guidance/10-steps-information-risk-management-regime). Incorporate the "Apply Common Solutions to solve Common Problems" approach to Information Risk Management (https://www.gov.uk/guidance/managing-information-risk). Identify and apply Security Policies, Government Security Classification Core Controls and relevant Security Profiles. Use the Security Framework for Digital Risk Management approach to pragmatically categorise data and assess the impact of a breach.
  8. RISK MANAGED LIFE-CYCLE (CONTINUOUS THROUGH-LIFE PROCESS): Produce a Risk Status and Management Dashboard for weekly, monthly or real-time reporting. Develop and maintain an Audit and Assurance programme to ensure that Service Providers' and system Suppliers' security assurances are actively audited, validated and managed. Plan and schedule Risk Management Checkpoints to ensure that Risk Treatment Plans and security validations are reviewed and assured in a forecastable and pragmatic way. Use a SIRO/AO Risk Report to document business risk decisions and provide supporting risk and assurance detail with a proportional Digital Risk Management Record Schema.
  9. GOVERNANCE STRUCTURE: 'Effective leadership' is a critical component of good security and accountability. The Permanent Secretary (or equivalent) will own the organisation's approach to security and ensure that these issues receive the attention and investment required. The Security Policy Framework (SPF) states: 'Government organizations will have, an appropriate security governance structure to support the Permanent Secretary, that is properly resourced with individuals who have been appropriately trained; Board-level oversight of security compliance and auditing processes; and, arrangements to determine and satisfy themselves that Delivery Partners, service providers and third party suppliers, apply proper security controls' (https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework).
  10. GOVERNANCE STRUCTURE: The security management structure of an organisation, whatever its size, needs to be strong. Splitting operational security from information risk enables greater flexibility, ensuring that incident investigations and day-to-day operations don't impact compliance and on-going risk management activities, and vice versa. Binding the two strands together, overseeing the bigger picture and ensuring an important liaison with the business, the CISO is responsible for the entire security function while providing leadership, knowledge and experience. These roles are not necessarily full time; rather, they should be continuously adjusted to the organisation's needs.
  11. GOVERNANCE STRUCTURE: The organisational example depicts an extended governance structure.
  12. INTRODUCING INFORMATION RISK: Prior to April 2014, a security process called accreditation was mandated by the HMG Security Policy Framework (SPF) for all Government departments processing classified information. Accreditation provided for the assessment of a system against its security requirements, and approval from an accreditor was required as a prerequisite for operation. This was removed as a mandatory requirement in the April 2014 version of the SPF (https://www.gov.uk/guidance/managing-information-risk).
  13. INTRODUCING INFORMATION RISK:
     • An organisational responsibility: Risk management decisions should be objective and informed by an understanding of risk. They should not be made in isolation but on the basis of understanding how individual decisions affect the wider business and what it is trying to achieve.
     • Technology delivering the business attracts risk: Organisations should decide for themselves what risk management decisions need to be made to support the delivery and operation of a system or service.
     • Decisions need the right people, time and support: Decision makers need to be empowered by the organisation and have the right business, technology and security knowledge and skills to enable informed and objective decisions.
     (https://www.gov.uk/guidance/managing-information-risk)
  14. INFORMATION RISK MANAGEMENT:
     • BUSINESS CONTEXT: Organisations should always be aware of the risks they are taking to achieve their aims. To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment are conducted.
     • RISK MANAGEMENT APPROACH: Before taking any action, the organisation must understand and communicate what risk management approach the business is going to take, to provide confidence that the technology and information used are proportionally secured.
     • KEY COMPONENTS OF RISK: Risk assessments have inputs and outputs. Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.
  15. INFORMATION RISK MANAGEMENT:
     • UNDERSTAND WHAT RISKS EXIST: To understand what risks exist, the risk assessment should be applied in the context of what the organisation is trying to achieve. The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.
     • COMMUNICATE RISK CONSISTENTLY: Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Consistency is achieved by ensuring that the inputs to and outputs from assessments are meaningful in the context of what the business is trying to achieve.
     • MAKE INFORMED RISK MANAGEMENT DECISIONS: Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. These decisions should be informed and supported by information, subject matter expertise and evidence. After risk management action has taken place, some risks will remain; these are often referred to as residual risks.
  16. BUSINESS CONTEXT: Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims. To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment are conducted. This context can be set by answering the following questions:
     • Goal: What is the organisation trying to achieve?
     • Ethos: What does it really care about?
     • Attitude: What is its risk appetite?
  17. RISK MANAGEMENT APPROACH: Apply common solutions to solve common problems. In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution. This is particularly useful in OFFICIAL environments, where an increasing range of common solutions are being assured across government (https://www.gov.uk/guidance/managing-information-risk).
  18. RISK MANAGEMENT APPROACH
  19. THE OFFICIAL ENVIRONMENT: Identify which elements of the environment require assurance as part of the service or solution.
  20. END USER DEVICES, ASSURANCE OPTIONS:
     • Configured in line with CESG EUD Security and Configuration Guidance (https://www.gov.uk/government/collections/end-user-devices-security-guidance)
     • Assured for OFFICIAL by another government organisation
     • Legacy accreditation as part of a legacy service or system at OFFICIAL or previously "Restricted"
  21. NETWORK, ASSURANCE OPTIONS:
     • Data protected in transit in line with CESG Transport Layer Security (TLS) for external-facing services guidance (https://www.gov.uk/guidance/transport-layer-security-tls-for-external-facing-services)
     • Public Services Network (PSN) accredited by the PSNA for OFFICIAL (https://www.gov.uk/government/groups/public-services-network)
     • A VPN or other encrypted network legacy accredited for OFFICIAL (or previously "Restricted")
  22. SERVICE, ASSURANCE OPTIONS:
     • Cloud services purchased via the Digital Marketplace which meet the security requirements of the business in line with CESG Cloud Security Principles (https://www.gov.uk/government/collections/cloud-security-guidance)
     • Services legacy accredited for OFFICIAL by another government organisation, including CESG Pan Government Accreditors
     • Services can be assessed against the security requirements of the business and any deficiencies risk managed in line with the business risk appetite
  23. CLOUD SERVICES, CLOUD STRUCTURES: Cloud services purchased via the Digital Marketplace can be procured in a variety of structures:
     • Software as a Service (SaaS)
     • An application built on top of Infrastructure as a Service (IaaS)
     • Platform as a Service (PaaS)
     • Platform as a Service (PaaS) built on Infrastructure as a Service (IaaS)
     • Infrastructure as a Service (IaaS)
  24. CLOUD SERVICES, DEVELOPED APPLICATIONS: Where an application is to be developed or implemented on IaaS or PaaS, the Digital Risk Management approach is still applicable. The Combined Security Profile will help identify the relevant User Security Needs and Outcomes, which in turn drive out proportional controls, which map into Security Stories for Agile development (https://www.gov.uk/service-manual). Flow: Combined Security Profile -> User Security Needs -> Applicable Security Controls -> Security Stories.
  25. DATA TYPES:
     • Non-Sensitive Information: This information will typically be public knowledge or intended for public consumption; for example, marketing material, open consultations, information to be published under transparency/open data, or even routine communications with members of the public or third parties where there is no confidentiality requirement. There may be a requirement to protect the integrity and availability of this information.
     • Routine Public Sector Business: Information of varying sensitivity that supports the routine business, operations and services of the Public Sector. There is a requirement to protect the confidentiality, integrity and availability of this information.
     • Transactional: This includes one-off (potentially) sensitive exchanges with external partners (citizens, industry, third sector etc.), and online transactional services where the loss of a small number of instances is tolerable but systematic or large-scale compromise is unacceptable. Loss of confidentiality, integrity or availability of this data will result in disruption to HMG service delivery and may have a commercial or financial impact. Organisations may also need to comply with external compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS).
  26. DATA TYPES:
     • Legally Defined: Information which is subject to legal and/or regulatory requirements. For example, personal information that relates to an identifiable individual as defined by the Data Protection Act (DPA). Legal or regulatory requirements must be met and additional controls may be required in line with HMG risk appetite tolerances. There is a clear requirement to protect the confidentiality, availability and integrity of such information.
     • OFFICIAL-SENSITIVE: The loss, compromise or misuse of information marked with the OFFICIAL-SENSITIVE caveat has been assessed as being likely to have damaging consequences for an individual, an organisation or HMG more generally. Risk owners will typically require additional assurance that the need-to-know is strictly enforced, and there is a clear requirement to protect the confidentiality, integrity and availability of this information. However, note that this example is intended to illustrate where heightened technical protections may be appropriate; in most cases it will be more proportionate to risk manage access to limited amounts of OFFICIAL-SENSITIVE information on corporate systems using more stringent procedural controls instead.
  27. SECURITY REQUIREMENTS:
     • External Legal requirements could include: the Data Protection Act
     • External Regulatory requirements could include: PCI DSS or HMG Off-shoring Policy for OFFICIAL
  28. BUSINESS RED-LINES: Business Red-lines are controls or restrictions that are not mandated by external requirements, where the Business has assessed that additional specific security controls are required. The Business must decide if there are any business appetite red-lines that would constrain the service or solution. An example of a red-line might be: "No Off-Shoring of Sensitive Information", or "Data-in-transit must be encrypted".
  29. BUSINESS IMPACTS: The business impacts are a range of impacts that could affect the Business if a threat were realised against Confidentiality, Integrity or Availability. Each impact could arise for a number of reasons, including Financial, Personnel, Physical, Logical, etc.
  30. BUSINESS IMPACTS:
     • No Impact: No identified impact on the business, its operations, staff, management or finances
     • Business Red-line Impact: An impact that affects the Business appetite in regard to a specific risk, control or technology
     • Reputation Impact: An impact that affects the Business through a degradation of its perceived reputation
     • Business Disruption: An impact that affects the daily operations of the Business, including administration, staff and technology
     • Regulatory Impact: An impact that would lead to a breach of external regulatory requirements, resulting in fines, sanctions or agreements
     • Legal Impact: An impact that would lead to a breach of applicable law and the risk of legal prosecution
  31. ASSESS THE IMPACT: The Business must assess what the worst-case impact of a breach of C, I and A would be for the Data Types involved. (In the slide's table, text in italics gives examples.)
  32. SECURITY PROFILES: Security Profiles are based on the 14 Cloud Security Principles from CESG's published guidance on Cloud Security and the 51 G-Cloud Security Assertions (https://www.gov.uk/government/collections/cloud-security-guidance, https://digitalmarketplace.blog.gov.uk/2014/11/04/the-g-cloud-6-security-questions). A range of reusable security profiles has been developed for different external requirements, such as the PSN Service Security Standard, DPA compliance, PCI DSS compliance, NHS IG Toolkit alignment, etc. (https://www.gov.uk/guidance/apply-for-a-public-services-network-psn-service-provision-compliance-certificate). The Impact Assessment will provide guidance as to which Security Profiles are relevant. New Security Profiles can be developed at any time to meet the Business Security Needs, including organisation-specific security controls.
  33. APPLY SECURITY PROFILES: Any relevant external security requirements (DPA, PSN, NHS, PCI DSS, etc.), the business security needs (OFFICIAL) and any business red-lines (UK only, etc.) will define which security profiles are applicable. The various applicable security profiles are then combined into one Consolidated Security Profile. (Diagram: the OFFICIAL, DPA, PSN, OS and Red-line Security Profiles combine into the Consolidated profile.)
  34. COMPARE SECURITY PROFILES: The Consolidated Security Profile can be used for a range of activities:
     • As part of the selection criteria for the procurement of services from the Digital Marketplace
     • As a Supplier security assessment benchmark
     • To develop Security Requirements and Controls
     • To develop User Security Needs and User Security Stories
     • To audit Suppliers' security maturity
     (Diagram: Security Profile Comparison between the Consolidated Security Profile and the Supplier / Service Provider.)
  35. RISK MANAGE THE DELTA: Identify any areas where the solution does not meet the consolidated security profile or user security needs. Identify any external requirements or business red-lines that the solution or service does not meet. Any deficiency against the security requirements, "the Delta", must be recorded and risk managed. The outcome is to reduce, where possible, the impact on the business or the likelihood of the impact occurring.
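The apply / compare / risk-manage-the-delta steps of slides 33 to 35 are a set operation over controls, which is easy to see in code. The following is an added example, not tooling from the deck or from Securestorm: the profile names, control ids and requirement wording are constructed placeholders (the real profiles map onto the 14 Cloud Security Principles and 51 G-Cloud assertions, which are not reproduced here), and the supplier self-assessment is invented for the illustration.

```python
"""Consolidated Security Profile and "the Delta" (added illustration; profile
contents, control ids and the supplier self-assessment are constructed)."""

# Shared requirement statements, so the same control id carries the same
# wording in every profile that includes it.
_TLS = "Data in transit protected with TLS"
_IDENT = "Identity and authentication enforced for all user access"

# Constructed placeholder profiles: control id -> requirement statement.
PROFILES = {
    "OFFICIAL": {
        "SEC-01": _TLS,
        "SEC-02": _IDENT,
        "SEC-03": "Audit records made available to the customer",
    },
    "DPA": {
        "SEC-02": _IDENT,
        "DPA-01": "Personal data retained no longer than necessary",
        "DPA-02": "Subject access requests can be serviced",
    },
    "PCI-DSS": {
        "SEC-01": _TLS,
        "PCI-01": "Cardholder data encrypted at rest",
    },
    "RED-LINE": {
        "SEC-01": _TLS,
        "RL-01": "No off-shoring of sensitive information (UK only)",
    },
}


def applicable_profiles(external_requirements, has_red_lines, profiles=PROFILES):
    """Slide 33: OFFICIAL always applies; external requirements (DPA, PCI-DSS, ...)
    and any business red-lines add their own profiles."""
    names = ["OFFICIAL", *external_requirements]
    if has_red_lines:
        names.append("RED-LINE")
    unknown = [n for n in names if n not in profiles]
    if unknown:
        raise KeyError(f"no security profile defined for {unknown}")
    return names


def consolidate(names, profiles=PROFILES):
    """Merge the applicable profiles into one Consolidated Security Profile.
    A control id that two profiles word differently is a conflict a person has
    to resolve, so it is refused rather than silently overwritten."""
    merged = {}
    for name in names:
        for cid, requirement in profiles[name].items():
            if cid in merged and merged[cid] != requirement:
                raise ValueError(f"control {cid} is defined differently in profile {name}")
            merged[cid] = requirement
    return merged


def compute_delta(consolidated, supplier_assertions):
    """Slides 34-35: compare the consolidated profile with the supplier's
    self-assessment (control id -> True/False). Returns the Delta as a sorted
    list of (control id, status, requirement). 'not asserted' means the supplier
    gave no answer, which counts as a deficiency until it is evidenced."""
    delta = []
    for cid, requirement in sorted(consolidated.items()):
        if cid not in supplier_assertions:
            delta.append((cid, "not asserted", requirement))
        elif not supplier_assertions[cid]:
            delta.append((cid, "not met", requirement))
    return delta


# Constructed supplier self-assessment for a service holding personal data,
# procured with a "UK only" red-line. DPA-02 was left unanswered.
SUPPLIER_ASSERTIONS = {
    "SEC-01": True,
    "SEC-02": True,
    "SEC-03": False,  # supplier cannot provide audit records
    "DPA-01": True,
    "RL-01": True,
}

if __name__ == "__main__":
    names = applicable_profiles(["DPA"], has_red_lines=True)
    for cid, status, requirement in compute_delta(consolidate(names), SUPPLIER_ASSERTIONS):
        print(f"{cid}: {status} - {requirement}")
```

Each item the delta returns is exactly what slide 35 says must be recorded and risk managed; the "not asserted" status keeps an unanswered question from reading as a pass.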
  36. RISK DEFINITIONS:
     • Threat: Threat describes the source of a risk being realised. Where appropriate to their organisation's context, the business should apply the threat profile for OFFICIAL, supplemented if necessary with local or specific threat intelligence where it is available (https://gov.uk/government/publications/government-security-classifications).
     • Likelihood: Likelihood, also known as "probability", estimates how likely it is for a threat to occur. It can be captured by examining historical records of compromises to estimate how history will be repeated (https://www.gov.uk/guidance/managing-information-risk).
     • Impact: Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk's realisation would entail. This should include expected losses (e.g. financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact.
  37. LIKELIHOOD OF OCCURRENCE:
     • RARE: The threat may occur in exceptional circumstances
     • UNLIKELY: The threat could occur some time in the target period
     • POSSIBLE: The threat may occur within the target period
     • LIKELY: The threat is likely to occur within the target period
     • EXPECTED: The threat is expected to occur within the target period
  38. RISK INDEX: Risk Index = Impact of risk x Likelihood of occurrence, described in a 5x6 matrix: Low = 1-4, Medium = 5-12, High = 15-20, Critical = 24-30. Other risk assessment methodologies can be used.
  39. RISK TREATMENT:
     • AVOID: Identified risks can be avoided if alternative technical or business decisions are made on the service design
     • MITIGATE: Identified risks can be mitigated if a treatment or control will reduce the impact or likelihood
     • TRANSFER: Identified risks are transferred to more appropriate business areas, or responsibility is escalated
     • ACCEPT: Identified risks are accepted in the event that business needs override the impact of the risk, or the risk is within the business risk appetite
  40. DOCUMENTATION:
     • Document the risk management approach, environment elements and relevant data types
     • Document the external requirements, business red-lines and business security needs
     • Document the output of the assessment of impacts that could be realised, relevant to the data type
     • Document the relevant security profiles and business red-lines, and define the consolidated security profile
     The documented output can be in a range of formats, not necessarily a document.
  41. DOCUMENTATION:
     • Document any "Delta" against the security requirements, business red-lines and consolidated security profile
     • Document the risk management assessment outcomes, from whichever methodology is used
     • Document any controls or mitigations that can reduce the impact or likelihood of the risks occurring
     • Produce a high-level Risk Report for the SIRO / AO
  42. DOCUMENTATION - SCHEMA: As a standardised mechanism for recording, sharing and exchanging information risk management data, Securestorm developed a data schema. The Digital Services Risk Management Record provides the relevant risk and assurance information on a system or service in a concise and proportional way. The schema can be saved in a variety of formats, including CSV, JSON or Txt, enabling both human and machine readability.
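The deck does not reproduce the record schema itself, so the following added example (not Securestorm's published schema) shows the shape such a record might take, built from the items the Documentation slides say to capture, and the one design point that matters when a record must be both JSON and CSV: list-valued fields (data types, applicable profiles, the Delta) need a flattening convention for CSV and must round-trip back without loss. The field names, the ';' separator and the sample record are all assumptions for the illustration.

```python
"""Digital Risk Management Record that round-trips between JSON and CSV
(added illustration; field set and separator convention are assumed)."""
import csv
import io
from dataclasses import asdict, dataclass, fields
import json

LIST_SEP = ";"  # assumed convention: list fields become one ';'-joined CSV cell
LIST_FIELDS = {"data_types", "environment_elements", "applicable_profiles", "delta"}


@dataclass
class DigitalRiskRecord:
    service: str
    data_types: list             # slide 25/26 data types involved
    environment_elements: list   # slide 19 elements needing assurance
    applicable_profiles: list    # profiles merged into the consolidated profile
    delta: list                  # control ids the service does not meet (slide 35)
    risk_index: int              # slide 38
    risk_band: str
    treatment: str               # AVOID / MITIGATE / TRANSFER / ACCEPT (slide 39)
    risk_owner: str              # role signing off, e.g. SIRO

    def to_json(self):
        return json.dumps(asdict(self), indent=2, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        return cls(**json.loads(text))

    def to_csv(self):
        names = [f.name for f in fields(self)]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=names)
        writer.writeheader()
        writer.writerow({k: LIST_SEP.join(v) if k in LIST_FIELDS else v
                         for k, v in asdict(self).items()})
        return buf.getvalue()

    @classmethod
    def from_csv(cls, text):
        row = next(csv.DictReader(io.StringIO(text)))
        kwargs = {}
        for name, raw in row.items():
            if name in LIST_FIELDS:
                kwargs[name] = raw.split(LIST_SEP) if raw else []  # empty cell -> []
            elif name == "risk_index":
                kwargs[name] = int(raw)
            else:
                kwargs[name] = raw
        return cls(**kwargs)


def example_record():
    """Constructed record for a hypothetical citizen-facing service."""
    return DigitalRiskRecord(
        service="example-citizen-portal (constructed)",
        data_types=["Legally Defined", "Transactional"],
        environment_elements=["End User Devices", "Network", "Service"],
        applicable_profiles=["OFFICIAL", "DPA", "RED-LINE"],
        delta=["SEC-03", "DPA-02"],
        risk_index=16,
        risk_band="High",
        treatment="MITIGATE",
        risk_owner="SIRO",
    )


if __name__ == "__main__":
    record = example_record()
    print(record.to_json())
    print(record.to_csv())
```

The round-trip check is the useful part: a schema that is "both human and machine readable" only earns the claim if the CSV a dashboard exports can be read back into the same record that the JSON held.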
  43. ANY QUESTIONS? www.securestorm.com, @Securestorm, +44(0)8455196138
