© HIMSS 2015

Data Security Officers: Addressing Risks and

Avoiding Crisis from the Trenches

April 13, 2015

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Conflicts of Interest

Gerry Hinkley, Jody Westby and Jim Wieland have no real or apparent conflicts of interest to report.

2 | Data Security Officers: Addressing Risks and Avoiding Crisis from the Trenches

Learning Objectives

• Understand how to identify and manage cyber risks

• Appreciate the nuances of open source software and issues that arise in open source licensing

• Understand why outsourcing security makes sense for organizations

Panelists

Jim Wieland, Jody Westby, Gerry Hinkley

Identifying, Quantifying, and Managing Cyber Risks

Approaching Cyber Risk Management

• Know your assets – have inventories with ownership and risk categorization
• Keep up with the rapid pace of technological change and the threat environment
• Understand operational use of IT and data
• Take into consideration supply chain linkages and relationships with business partners and vendors
• Factor in legal requirements across multiple jurisdictions
• Create secure system architecture and deploy technical tools & services
• Implement a security program based on best practices and standards
• Conduct an assessment to establish a baseline for cyber risk management
• Identify threats material to operations and the bottom line

Critical Questions for Cyber Risk Management

• Does your organization have an enterprise security program that meets best practices and standards?

• Do you know where there are gaps & deficiencies and the priority that should be assigned to remediation measures?

• What would be the financial consequences of a significant breach or cyber event?

• Are you prepared to manage a major event?

• What types of insurance does the organization need, what limits, and at what price?

Combining Cyber Assessments & Risk Valuations

[Diagram: IT Environment → IT Risks → Business Impact → Risk Management]

= Identified Cyber Risks + Financial Impact

Quantifying Cyber Risks

• First Party Losses:
  • Forensic/investigative costs
  • Legal and PR fees
  • Theft of money/property
  • Business interruption
  • Extra operating expenses
  • Loss of goodwill/reputation/market cap

• Most critical risks are those that affect customers and shareholders
• Lost revenue/profit are precursors of reputational damage and market cap loss
• Trick is to identify revenue streams that are heavily reliant on data and information flow

Exposure Valuation

• Assume a cessation of revenue for a reasonably long period of time, e.g., days or weeks, not hours

• Can any operational costs be saved in the event of disruption?

• Are mitigation strategies in effect, and to what extent can the disruption period be reduced?

• What is the cost of mitigation in relation to the potential exposure?

Insurance Considerations

• Cyber exposures to business interruption loss may not be insured under current first-party property and crime policies

• Data losses may not be a property loss

• Some cyber policies limit “business interruption” recovery to mitigation expenses, i.e., do not include lost profits

• SEC Disclosure Guidance requires a “description of relevant insurance coverage”

Other Compensating Controls

• Third party services to help detect and prevent sophisticated attacks
• Technical tools
• Policies and procedures
• Cross-organizational security team
• Governance by board and senior management
• Training: awareness, threat-specific, job-specific
• Software code reviews, static and dynamic analysis of web applications
• Continuous vulnerability monitoring
• Involvement in outside organizations, threat feeds

Evaluating Open Source Software Licenses

The Open Source License Basics

• Open source software is provided under a license agreement that makes the source code available and that allows the licensee to modify and distribute the software.

• Open source software source code is subject to copyright and the license agreement is a legally enforceable contract:
  • Depending on the licensor, copyright restrictions are generally loosened or eliminated;
  • Failure to comply with the license agreement can result in loss of the right to use the software.

• Open source compared to other types of software licenses:
  • May have common elements with proprietary software licenses;
  • Distinction from Free Software a/k/a Free and Open Source Software (“FOSS”) is subject to debate among advocates, but “free” refers to the level of restrictions in the license agreement, not to the cost. It is as much a philosophy as a legal distinction;
  • Software in the public domain is not subject to any restrictions or reservations of rights in the source; there is no license agreement.

Open Source License Terms

• There are significant variations among open source software licenses; there are two general categories with important differences.

• “Copyleft” licenses (e.g., the GPL) require that any modified version of the source code, when it is distributed, be licensed under the same terms as the original license.
  • In other words, the author keeps copyright in modifications or improvements but cannot distribute them under more restrictive (e.g., proprietary) terms: the source of the modifications must be made available to recipients under the original license.

• “Permissive” or “Non-Copyleft” licenses (e.g., MIT, BSD, Apache) permit distribution under different licensing terms.
  • In other words, intellectual property rights in modifications or improvements may be retained, even in proprietary form.

• If software that incorporates open source components will be distributed, it is vital that the intellectual property terms of the components and of the intended downstream license be identified early on, before the development process is undertaken.

Open Source Software Issues

• Open source software is typically licensed “as is”, without warranties, licensor support or maintenance programs.

• Support services are available through separate agreements:
  • You get what you pay for; generally a suite of services like those available from the licensor of proprietary software;
  • For open source software in wide use, companies that market the software, i.e., that are involved in its ongoing development and distribution, may be in the best position to support it;
  • Consider lag time: new versions of open source software may be released before support for them is available;
  • Warranties and liability protection may be available.

• Security issues:
  • Does access to the source code provide an opportunity for attackers? It gives attackers and defenders the same view; the question is who reads it first.
  • Does the vigilance of a community of users ensure that back doors or other security flaws will be detected and fixed? Only if someone is actually reviewing the code; Heartbleed, on the next slide, is the counterexample.

Open Source Software Issues (Cont’d)

• Heartbleed: a painful open source software security lesson:
  • A missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension (CVE-2014-0160, disclosed April 2014) let a remote peer read up to 64 KB of the process’s memory per request, exposing private keys, session cookies, credentials and whatever else the application held in memory, potentially including social security numbers and credit card data;
  • Affected a large share of TLS-protected websites and services (OpenSSL 1.0.1 through 1.0.1f) and, indirectly, their users, until patched;
  • A basic error that went undetected in development and by the user community for roughly two years, despite the source being public.

• Open Source Software as a Service:
  • Lack of access to the source code vs. pay for what you use;
  • Developer commitment to the open source product.

• Open Source Software in the health care context:
  • Is development consistent with evolving regulatory security requirements?
  • Open source encryption.
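The Heartbleed bullet describes the defect only as “a programming error”. The following is an added example written for this page, not code from the presentation or from OpenSSL: a cut-down model of a TLS heartbeat responder showing the actual mistake (trusting the payload length declared inside the message instead of the length of the record that was received) beside a hardened form carrying the same bounds check the OpenSSL fix added. The record layout follows the heartbeat format (type, two-byte length, payload, at least 16 bytes of padding); the 64-byte arena, the planted string PRIVATE-KEY-MATERIAL standing in for adjacent heap contents, and the helper names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the presentation or OpenSSL): model of the
 * Heartbleed defect. Heartbeat message: 1 byte type, 2 byte big-endian
 * payload length, payload, then >= 16 bytes of padding; the peer echoes
 * the payload back. */
#define HB_REQUEST  ((uint8_t)1)
#define HB_RESPONSE ((uint8_t)2)
#define HB_HDR      ((size_t)3)    /* type + 2-byte payload length */
#define HB_PADDING  ((size_t)16)   /* minimum padding after the payload */
#define SECRET      "PRIVATE-KEY-MATERIAL"  /* constructed stand-in, 20 bytes */

typedef int (*heartbeat_fn)(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap);

static size_t declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable form: rec_len is never consulted, so a 21-byte record that
 * claims a 40-byte payload makes memcpy read 40 bytes starting inside the
 * record and continuing into whatever lies beyond it. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    (void)rec_len;                               /* the bug: ignored */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = declared_len(rec);
    size_t resp = HB_HDR + payload + HB_PADDING;
    if (resp > out_cap) return -1;               /* bounds the write only */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload); /* over-read happens here */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)resp;
}

/* Hardened form: the declared length must fit inside the received record
 * (the comparison the OpenSSL fix added), and a record too short to carry
 * the mandatory padding is dropped. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = declared_len(rec);
    if (HB_HDR + payload + HB_PADDING > rec_len) return -1; /* missing check */
    size_t resp = HB_HDR + payload + HB_PADDING;
    if (resp > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)resp;
}

/* Constructed scenario: one 64-byte arena holds a 21-byte heartbeat record
 * (payload "hi" plus 16 padding bytes) followed by a fake secret standing
 * in for adjacent heap data. `claimed` is the payload length the attacker
 * writes into the header. Keeping everything in one array keeps the
 * over-read inside a single object, so the demo is well-defined C. */
int run_heartbeat(heartbeat_fn fn, size_t claimed, uint8_t *out, size_t out_cap)
{
    uint8_t arena[64] = {0};
    const size_t rec_len = HB_HDR + 2 + HB_PADDING;          /* 21 bytes */
    if (claimed > sizeof arena - HB_HDR) return -1;          /* stay in arena */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HDR, "hi", 2);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);      /* "adjacent" */
    return fn(arena, rec_len, out, out_cap);
}

/* True if needle occurs anywhere in buf[0..len). */
int contains_bytes(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* -1 if fn rejects the request, 1 if its response carries the planted
 * secret, 0 if it answers without leaking. */
int leaks_secret(heartbeat_fn fn, size_t claimed)
{
    uint8_t out[128];
    int n = run_heartbeat(fn, claimed, out, sizeof out);
    if (n < 0) return -1;
    return contains_bytes(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable, claimed 40: %d  (1 = secret leaked)\n",
           leaks_secret(heartbeat_vulnerable, 40));
    printf("fixed,      claimed 40: %d  (-1 = request rejected)\n",
           leaks_secret(heartbeat_fixed, 40));
    return 0;
}
```

Compiles with any C99 compiler. The point for a security officer: the whole defect is one missing comparison of a length the remote party controls against the length actually received, which is exactly what the code reviews, static analysis and memory-sanitized dynamic testing listed among the compensating controls earlier in this deck are meant to catch, and what “many eyes” did not catch for two years.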

The Business Case for Outsourcing Security

What is Cybersecurity?

• “Cybersecurity is technology, processes and practices employed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”
  - SEC Cybersecurity Disclosure Guidance

• “Cybersecurity is not all about technology, it's much bigger than that; it's a business challenge…the impact on their bottom line isn't virtual; it's real, so companies [had] better start thinking about it as a real, honest-to-goodness business problem.”
  - Former Secretary of Homeland Security Tom Ridge, September 2013

• Cyber attacks include:
  • hacking to steal data or assets or to corrupt data
  • causing operational disruptions
  • causing a website to fail (e.g., DNS attacks)

What is a Managed Security Service?

• A Managed Security Service is an IT security service outsourced to and delivered by a service provider. It comprises overarching business processes that go beyond the individual configuration item (asset) focused security hygiene processes performed by IT operations or an IT infrastructure service provider.

Security Hygiene Processes:
• Security Implementation
• Security Administration
• Security Enforcement
• Credentials Management

Managed Security Processes:
• Security Solution Development
• Security Operations
• Security Analysis
• Security Incident Response
• Vulnerability Assessment

Benefits of using a Managed Security Service

• Level the playing field vs. the black hats

• Deployment of best practices supported by mature business processes and complemented by architected, integrated, operational and automated tooling

• Centers of Excellence consolidating and leveraging threat intelligence and deep, competitively capable subject matter expertise

• Sustainability over the long term, both “same stuff, different day” and adaptability to a changing threat landscape

• Benefit from lessons learned without having to actually experience them

• Allocation of risk:
  • Reputational and other risks shared with the service provider

• Cyberattacks will be very difficult to counteract without skilled allies

Who needs a Managed Security Service?

• It is likely that every enterprise will need some form of Managed Security Services, but those who need an overarching independent service are likely to have:

  • A complex IT infrastructure — especially one whose delivery fabric spans multiple actors (in-house IT, outsourcers, colocation and cloud providers)

  • An emerging collection of disparate cloud and SaaS solutions — especially those creating an internetwork of these disparate services

  • A large number of endpoints (100k+) — especially those that are physically exposed, e.g., SCADA, POS, etc.

  • Personal information about individuals — especially health and financial information

  • A regulatory need

  • A brand built on (and dependent on) reputation

Why is MSS hard to procure?

• An IT services deal has several basic components:
  • MSA - the basic legal terms and conditions governing the relationship
  • Scope - describes what needs to be done
  • Service Levels - how well the provider commits to perform
  • Price - the charges for the various services
  • Solution - how the supplier will provide the services

Why is MSS hard to procure? (Cont’d)

• The main buyer difficulties are:
  • Establishing an acceptable risk allocation in the legal terms
  • Describing the scope of what is to be done — the suppliers propose the how
  • Allocating the processes between actors (Client, ITO, MSS, Colo, Cloud, etc.)
  • Describing the service performance regime
  • Determining the right things to pay for — obtaining a good fixed/variable cost ratio
  • Gathering the right information for the go-to-market cycle and minimizing due diligence effort and pricing risk

It’s About More than Just Buying the Service!

• Assess corporate cyberinsurance policies in conjunction with procuring Managed Security Services:
  • Negotiate for lower premiums following a successful implementation
  • Having the appropriate policy may reduce some contracting pressures around risk allocation/limitations of liability
  • Be wary of policy terms that could eviscerate your coverage

• Robust contract management over the lifecycle of the Agreement:
  • It will not be good enough to buy the Service and have a sound contract; companies will need to manage to it and monitor compliance to truly mature their security capabilities

• Governance and Audit:
  • Managing and auditing service provider performance is crucial

Five Parting Points on Managed Security Services

• The current regulatory / political environment is ripe for legislative action and continued government involvement

• Corporations should look to “Centers of Excellence” / Third Party Providers to mature corporate cybersecurity capabilities

• It is likely that every enterprise will need some form of Managed Security Services

• Choose an advisor that can navigate you through a comprehensive cybersecurity program inclusive of prevention, management, response and recovery

• Using Managed Security Services is more than just signing a contract – cyberinsurance, robust governance and audit models, and contract management are also crucial

Jim Wieland, Principal, Ober | Kaler, 410.347.7397, [email protected]

Jody Westby, Chief Executive Officer, Global Cyber Risk LLC, 202.337.0097, [email protected]

Gerry Hinkley, Partner, Pillsbury Law, 213.488.7188, [email protected]
