Cyber security risk reduction
Cyber Security Risk Reduction

State of Washington and Washington Transit Insurance Pool


Value for PRIMA Members

  • Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences

  • Learn how to reduce cyber liability risks in your area of responsibility

  • Learn about available resources you can use for your cyber risk reduction program

PRIMA Seattle Chapter - V1.8


Speakers

  • Jerry Spears – Washington Transit Insurance Pool

    • Deputy Director (Claims, IT and Finance)

  • Doug Selix – State of Washington, Office of Financial Management

    • IT Security and Disaster Recovery Program Manager

    • WSTIP Consultant

Agenda

  • Cyber Liability Overview

  • State of Washington Cyber Risk Reduction

  • WSTIP Approach to Cyber Risk Reduction

  • WSTIP IT Security Review Project Overview

  • WSTIP Results from IT Security Review Project

  • How PRIMA Members can use this Information

  • Q&A

Part 1

Cyber Liability Overview

(Jerry Spears, WSTIP)

What is a Cyber Liability?

  • The concept of Cyber Liability takes into account first- and third-party risks. The risk categories include:

    • Privacy issues

    • Impact from data security breach

    • Infringement of intellectual property

    • Malicious attacks you appear to cause or facilitate

    • Any other serious trouble that may be passed from first to third parties via computing technology such as the Web

Organizational Impacts from Cyber Losses

  • Costs associated with RCW Required Notification

    • RCW 42.56.590 Personal information — Notice of security breaches.

  • Cost of recovery and mitigation

    • ~$200 – Estimated Private Sector cost per record in data breach (Ponemon Institute 2010 US Cost of a Data Security Breach Report)

  • Unplanned Cost Impact to budget planning

  • Loss of Reputation

How Big Is The Problem?

  • Data Security Breach Information:

    • www.datalossdb.org

  • Regulations Are Likely To Increase

    • Proposed Kerry/McCain “Commercial Privacy Bill of Rights Act of 2011”

      • Result of frequent high-profile data breach incidents

      • Result of perception that IT security controls are weak

      • Result of dissatisfaction with self-managed IT security

      • Very prescriptive – this will cost all organizations

      • Basis for future Cyber Liability Claims

Impacts to Citizens

  • What happens with Public Organizations that Manage Cyber Liability Poorly?

    • Citizen Identity Theft – If Personal Data exposed

    • Reduced Public Sector Services due to cyber liability costs

    • Reduced Trust in Institutions and Management Teams

    • Reduced support to continue funding the current organization

How Do We Manage This Risk Area?

  • Reduce the Risks?

  • Accept the Risks?

  • Transfer the Risk?

  • The answer is “Yes”, we apply all of these strategies to Cyber Risks.

Approach

  • Reduce Risk by working to identify things we can improve

    • Eliminate known vulnerabilities

    • Mitigate unacceptable risks

  • Accept risks based on sound risk management principles

  • Transfer residual risks to Cyber Liability Insurance

Part 2

State of Washington Approach To Cyber Security Risk Reduction

(Doug Selix, OFM)

What is “Cyber Security”?

  • Confidentiality

    • Protect data defined by law as “Private”

    • Only allow authorized access to private data

    • Know the risks to this class of data - leaks bite.

  • Integrity

    • Ensure data accuracy and authenticity

  • Availability

    • Ensure systems operate within expected norms

Cyber Security Risk Basics

Threats + Vulnerabilities – Mitigation = Risk

  • Cyber Security Threats

    • Attackers, Employees, Errors & Omissions

  • Cyber Security Vulnerabilities

    • People, Process, Technology

  • Cyber Security Mitigation

    • Risk Based Approach

What is the “Problem”?

  • Residual Cyber Security Risk is the Problem

  • Although you cannot eliminate the cyber threat, you can manage Cyber Security Risk

Managing the Risk

  • A strategic Cyber Security Risk Management Plan is Imperative

    • Take a Risk Management Approach

    • Identify Organizational Risk Appetite

    • Identify Key Information Technology Assets

      • Organizational Mission, Data, People, Technology

    • Identify and evaluate IT Security Controls

    • Identify Residual Risks, make sure they are known

    • Document Acceptance of Residual Risks

  • Demand incremental and evolutionary improvements to IT Security Maturity

  • Establish a “Culture of Security”

IT Security Maturity

Source: Microsoft Corp.

Business Challenge

  • Improving IT Security is Complex

    • IT Security is viewed by management as a cost, not an end customer service

    • Probability of an IT Security event for a single organization is low (but impact is high).

    • Decision makers are not comfortable with this subject.

    • IT Security is hard to understand, is never done, and is expensive

Organizational Change

Change = Vision + Dissatisfaction + First Step

Build a “Culture of Security”

State Approach

  • Information Services Board (ISB)

    • Established by RCW

    • Makes State IT Policy and Sets Standards

    • Controls Agency Delegated Authority for IT Spend

      • Can withhold/withdraw for non-compliance

    • Concerned about Cyber Liability Risks

  • ISB Established Clear Policy and Standards

    • Establish Standards (Shall, Must, Do)

    • Establish Accountability (Process)

    • Communicate Expectations to Agencies

    • Establish Verification Process

ISB IT Security Policy

  • Establishes Clear Expectations

  • Authorizes the ISB Standards

  • Directs Agencies on Level of Risk to Accept

  • Establishes that IT Security is part of Overall IT Architecture

  • Requires Agencies to Document How they Comply with the IT Security Standards

  • Makes Agency Heads Accountable

  • Requires Independent Compliance Audits Every 3 Years

ISB IT Security Standards

  • Requires Documentation

    • Personnel Security

    • Physical and Environment Security

    • Data Security

    • Network Security

    • Access Security

    • Application Security

    • Operations Management

    • Security Monitoring & Logging

    • Incident Response

Bottom Line

  • State approach is:

    • Based on Risk Assessment Approach

    • Demands Compliance

    • Verifies Compliance

    • Aligns with Organization Development

      • Vision, Dissatisfaction, First Step

      • Implements Incremental and Evolutionary Improvements

      • Establishes a “Culture of Security”

Lesson Learned: Most Powerful Weapon

  • Ask an Executive to Accept the Residual Risk – They don’t like that.

    • Requires a good Persistent Flashlight:

    • Persistent Risk Assessments

    • Document Residual Risks

    • Document Risk Acceptance

Loss Prevention Results

  • In the past two years:

    • No loss of IT Physical Assets due to preventable causes

    • No significant loss of data requiring agencies to comply with RCW 42.56.590

WSTIP Approach to Cyber Risk Reduction

(Jerry Spears, WSTIP)

General Strategy

  • Adopt the State Approach to fit WSTIP Needs

  • Use a Subject Matter Expert to Perform an Initial Risk Assessment of member IT environments Based on ISB IT Security Standards

  • Provide Members with tools and resources to identify, understand, and manage Cyber Risks

  • Wrap our hands around an emerging exposure that impacts all of us

  • Help members establish an appropriate “Culture of Security” within their organizations

What Subject Matter Expert?

  • We contracted with Doug Selix to develop a process and perform member reviews.

    • OFM Knows and Approves

    • Supported by OFM Risk Management as a good thing.

  • Members thought he was a terrific resource – the “Escalade” of IT Security SMEs

    • Takes a coaching approach to help member staff understand risks he identifies – not an audit

    • We are not selling anything except best practice

WSTIP Board View

  • They like this approach to Cyber Loss Prevention

    • Initial Board Approval in 2007

    • Initial Scope Limited to Small Members

    • Found Lots of Risks

    • Expanded to Include Medium Size Members

    • Found More Risk

    • Provided Aggregate Cyber Risk Data to the Board

    • Funded line item in the budget from 2008 forward

    • We have spent $88K to date

WSTIP Member View

  • Process is credible

  • No direct cost to the member

  • Results have value internally and with the WSTIP relationship

  • Independent 3rd party is offering thoughtful suggestions about their IT infrastructure

  • Facilitates IT security maturity.

WSTIP IT Security Review Project Overview

(Doug Selix, OFM)

Member Profile

  • Member IT Environment is:

    • Small IT staff

      • Most are technically competent with the hardware

      • Limited IT management and IT Security Skills

      • Focused on operational needs, not security.

    • Underfunded

    • The result of years of small unfinished IT projects

    • Many vendor supplied applications

Step 1: Assessment Process

  • WSTIP establishes engagement and non-disclosure

  • Approached as a partnership with the member

    • This is not an “Audit”, it is a “Review”

  • Review member IT Security policy and current IT configuration and designs

  • Conduct a Site Visit and Interviews

  • Document what is found

    • Physical security status

    • Level of compliance with ISB IT Security Standards

    • Top risks that should be addressed

Step 2: Risk Reduction Strategy

  • Both WSTIP and Member get Assessment Results

    • Provides a basis for a discussion about Cyber Risks

    • Provides a basis for an Action Plan to reduce Cyber Risks

    • Provides a baseline for a follow-up review to measure progress towards reducing Cyber Risks

Step 3: Follow Up

  • Opportunity to provide other value added services to members:

    • IT Governance Coaching

    • Opportunity to further assist members in doing the right thing

    • Independent Cyber Risk Management Review

Review Project Deliverables

  • Photo Analysis Report

    • Photos taken during the site visit

    • Comments on risk observations

    • Suggestions for risk reduction where appropriate

  • IT Security Review

    • Comparison to the ISB IT Security Standards

    • Comments on risk observations

    • Suggestions for risk reduction where appropriate

  • Risk, Threats, and Vulnerabilities – Top 10 Risks

  • Management Presentation When Requested

How Has This Helped WSTIP?

(Jerry Spears, WSTIP)

Organizational Change

Change = Vision + Dissatisfaction + First Step

Vision: Supplied by ISB and WSTIP

Dissatisfaction: Supplied by WSTIP Board, Confirmed by Results

First Step: WSTIP Supplied IT Security Reviews

Change: Incremental maturity towards a “Culture of Security”

  • Better IT management in member organizations

  • Reduced Cyber Liability Risk

What Was Learned

  • Large members are managed pretty well

  • Most risk exposure comes from small and medium sized members

    • Lack of IT Security Skills at management and staff levels

      • They don’t see the problem

      • They don’t know how to fix it

    • Underfunded for mature IT management

    • IT environments are a collection of small incomplete projects that leave risks

Was it Worth the Cost?

  • Yes

    • Provided WSTIP with documentation of risks

    • Provided a gentle push in the right direction by exposing residual cyber risks to a trusted audience

    • Provided members with a valuable service they may not have been able to afford on their own.

What is the ROI?

  • Hard to Measure

  • Improvements to the WSTIP/Member Relationship – Significant

  • We feel the investment has been worth the cost

Impact to PRIMA

  • Local government organizations you represent are like Transit Systems

    • Come in many sizes

    • May not have the ability to manage Cyber Risks

    • The risk exposure WSTIP found is most likely the same for others

    • Risk exposure can be reduced using an approach similar to WSTIP’s

References

  • Cost of a Data Security Breach

  • Cyber Liability Explained

  • Dept. of Homeland Security Advice

  • Information Service Board

  • Microsoft Cyber Security Resources

  • Open Security Foundation – Data Loss Database

Questions

Speaker Contact Info

  • Jerry Spears – Washington Transit Insurance Pool

    Phone: 360-586-1800

    Email: [email protected]

  • Doug Selix – State of Washington, Office of Financial Management

    Phone: 360-664-7670 (OFM), 253-951-4825 (Cell)

    Email: [email protected], [email protected]
