Top Ten Trends in TRM

Date post: 07-Aug-2015
Upload: north-texas-chapter-of-the-issa

Transcript
Page 1: Top Ten Trends in TRM

@NTXISSA

Top 10 Trends in TRM

Jon Murphy, CISSP, CBCP, NSA-IAM/IEM, ITILv3, CHS-V, MBA

National Practice Lead, TRM Consulting & ServicesAlexander Open Systems (AOS)

April 24, 2015

Page 2: Top Ten Trends in TRM


Disclaimer

All thoughts and opinions expressed in this presentation, or by Jon Murphy directly, are his own and should NOT be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.

Some material contained herein was obtained and is used with the express written permission of AOS, and other organizations and MAY NOT be used or reproduced in any way without each of these parties’ express written consent in advance.

Page 3: Top Ten Trends in TRM


Overview

• What is TRM
• The Top Ten Trends
• Why You Need IT
• Where Are You
• Conceptual Solutions
• What The Future May Hold
• More Resources
• Q & A

Page 4: Top Ten Trends in TRM


Why Technology Risk Management (TRM)

• TRM includes:
  • IT Sec
  • BC/DR
  • Governance & Compliance

• Exponential Growth of Threats
  • D&D Insiders
  • Outside Hackers (Commercial, Organized Crime, State Sponsored)
  • Competitor Espionage

• Continuously Growing Regulations & Requirements
  • Increases are a mandatory cost of doing business
  • FFIEC, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc…
  • Volume reduction, Fines, and jail time for failure to comply
  • Cost of data breach up 23% - as much as $20,000 a day

• Ever increasing expectations for “adequate” safeguards by consumers and courts

Page 5: Top Ten Trends in TRM

NTX ISSA Cyber Security Conference – April 24-25, 2015

What’s Your Biggest Exposure?

# 1 Employee Negligence

# 2 Hacking

# 3 Paper

Page 6: Top Ten Trends in TRM


Top Ten Trends

1. Hacks may become data destruction attacks

2. Threat actors are becoming more sophisticated

3. Attacks and resultant legislation will push industry standards around cyber risks and improve threat intelligence information sharing

Page 7: Top Ten Trends in TRM


Top Ten Trends - cntd

4. Predictive threat intelligence analytics are critical

5. Third Party Service Provider Risk Management is becoming an increasingly important concern among firms

6. TRM must become a board-level issue

7. Embracing and adapting to the new “boundless network” is inevitable, and we must also invest in training the workforce to properly access and protect corporate data

Page 8: Top Ten Trends in TRM


Top Ten Trends - cmpltd

8. Identity and Access Management are ever increasingly a key security control area

9. Cyber benchmarking is imperative

10. TRM is not MERELY a Technology Issue

Page 9: Top Ten Trends in TRM


Why?

• There are at least 5 reasons

Page 11: Top Ten Trends in TRM


We Help Clients Progress Their Maturity Level

Technology Risk Management Maturity Model

Level 1: Threat Defense

• Security is “necessary evil”

• Reactive and de-centralized monitoring

• Tactical point products

Level 2: Checkboxes and Defense-in-Depth

• Check-box mentality

• Collect data needed primarily for compliance

• Tactical threat defenses enhanced with layered security controls

Level 3: Risk-Based Security

• Proactive and assessment based

• Collect data needed to assess risk and detect advanced threats

• Security tools integrated with common data and management platform

Level 4: Business-Oriented

• Security fully embedded in enterprise processes

• Data fully integrated with business context; drives decision-making

• Security tools integrated with business tools

[Figure: the four levels are arranged along an Approach axis running from TACTICAL to STRATEGIC, with Scope and Technology as the other dimensions of the model]

Page 12: Top Ten Trends in TRM


Where are we now? Some might say, somewhere in here . . .

Where we want (need?) to be . . .

Page 13: Top Ten Trends in TRM


What concrete steps can you undertake?

Seven action items to start:

1. Get and stay informed
2. Learn the cultural risk appetite
3. Create a risk register and matrix
4. Perform a self assessment
5. Create an incident response plan
6. Add layers to defense in depth
7. Get help

Page 14: Top Ten Trends in TRM


Get & Stay Informed

1. Associations – e.g., ISSA, InfoSec Community on LinkedIn

2. Blogs – e.g., http://www.vogelitlawblog.com/

3. Newsletters – e.g., Info Risk Today

Page 15: Top Ten Trends in TRM


Learn The Cultural Risk Appetite

• The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.

• Both formally and informally set and driven by leadership, SO?

1. Has leadership experienced cyber crime personally?

2. Is there an enterprise risk management office?

3. Is security the realm of some lowly network admin in the bowels of the M.I.S. department?

Page 16: Top Ten Trends in TRM


Create a Risk Register & Matrix

1. List all the realistic bad things that could happen

2. Rank them by likelihood (1-Least to 5-most) and

3. Impact (1-Least to 5-most)

4. Plot them in a matrix

5. Concentrate on the 5/5s
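The five steps above are a complete procedure, so here is one way to carry them out in code. This is an added example and not part of the slide deck; the `Risk` class, the `REGISTER` entries and their scores are constructed sample data for a hypothetical organization, and the 1-to-5 scale for likelihood and impact follows the slide.

```python
"""Risk register with a 5x5 likelihood/impact matrix.

Added example, not from the slide deck. The scale (1 = least, 5 = most)
follows the slides; the risk entries below are constructed sample data
for a hypothetical organization.
"""
from dataclasses import dataclass

LEAST, MOST = 1, 5


@dataclass(frozen=True)
class Risk:
    """One row of the register: a realistic bad thing, scored on two 1-5 scales."""
    name: str
    likelihood: int  # 1 (least likely) .. 5 (most likely)
    impact: int      # 1 (least severe) .. 5 (most severe)

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 scale so the matrix stays 5x5.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not LEAST <= value <= MOST:
                raise ValueError(f"{label} must be in {LEAST}..{MOST}, got {value}")

    @property
    def score(self) -> int:
        """Likelihood x impact; 25 is the 5/5 cell the slide says to concentrate on."""
        return self.likelihood * self.impact


# Constructed sample register (hypothetical scores, not survey data).
REGISTER = [
    Risk("Employee mishandles customer data (negligence)", 5, 5),
    Risk("Phishing leads to credential theft", 5, 4),
    Risk("Ransomware destroys file servers", 3, 5),
    Risk("Third-party provider breach exposes shared data", 3, 4),
    Risk("Paper records left in an unsecured area", 4, 3),
    Risk("Datacenter power loss beyond UPS capacity", 2, 5),
    Risk("Unpatched web server exploited", 4, 5),
    Risk("Laptop lost without disk encryption", 3, 3),
]


def build_matrix(register):
    """Plot the register: grid[impact-1][likelihood-1] holds the names in that cell."""
    grid = [[[] for _ in range(MOST)] for _ in range(MOST)]
    for risk in register:
        grid[risk.impact - 1][risk.likelihood - 1].append(risk.name)
    return grid


def ranked(register):
    """Highest score first; ties go to the higher impact, then higher likelihood, then name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, -r.likelihood, r.name))


def top_cell(register):
    """The 5/5s: most likely and most impactful, where effort goes first."""
    return [r for r in register if r.likelihood == MOST and r.impact == MOST]


def render(grid):
    """Text view of the matrix: impact rows from 5 (top) to 1, likelihood columns 1..5."""
    header = "impact\\likelihood " + " ".join(f"L{l}" for l in range(LEAST, MOST + 1))
    rows = [header]
    for impact in range(MOST, LEAST - 1, -1):
        counts = " ".join(f"{len(grid[impact - 1][l - 1]):>2}" for l in range(LEAST, MOST + 1))
        rows.append(f"I{impact}{' ' * 16}{counts}")
    return "\n".join(rows)


if __name__ == "__main__":
    matrix = build_matrix(REGISTER)
    print(render(matrix))
    print("\nRanked register:")
    for risk in ranked(REGISTER):
        print(f"{risk.score:>3}  L{risk.likelihood}/I{risk.impact}  {risk.name}")
    print("\n5/5s to concentrate on:", [r.name for r in top_cell(REGISTER)])
```

The ranking deliberately breaks score ties in favour of the higher impact, so a 4/5 sorts ahead of a 5/4 even though both multiply to 20; a register that only sorts by the product hides that difference, and impact is usually the harder of the two to reduce.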

Page 17: Top Ten Trends in TRM


Perform A RVA Self Assessment

• Have the business do it first

• Then involve an IT Pro

• Better yet, involve a risk management Pro

• Use a recognized methodology & tool, e.g., Shared Assessments

Page 18: Top Ten Trends in TRM


Create an Incident Response Plan

1. Use the list from action item 3

2. Either create an overarching plan as a guide to everything on the list, or a plan for each

3. The plan should contain:
   1. Who can invoke the plan
   2. When to invoke the plan
   3. Who does what
   4. Alternate roles & responsibilities
   5. How to do what
   6. What is BAU

4. Don’t forget the post mortem for lessons learned

You can’t run . . . or do this!

Page 19: Top Ten Trends in TRM


The education you’ve undertaken will quickly tell you:

1. Bad guys and insiders are getting more savvy by the day

2. One – three layers of tech defense is the norm (NOT ENOUGH)

3. Technology, process, and people must interact optimally

4. Prepare for the worst and hope for better

5. You need professional expertise

Page 20: Top Ten Trends in TRM


Reasonable Security HW/Systems to Deploy:

• Next Generation Firewalls
• Encryption
• Updated Software Patches
• Complex Passwords
• Multi-factor Authentication
• Device/Appliance Inventory
• Intrusion Prevention/Detection
• Anti-malware

Page 21: Top Ten Trends in TRM


What The Future Holds

Page 22: Top Ten Trends in TRM


Additional Resources

Ponemon Institute – http://www.ponemon.org/

Shared Assessments™ – http://sharedassessments.org/about/

ISO 31000 – http://www.iso.org/iso/catalogue_detail?csnumber=43170

AOS Security Consulting – http://www.aos5.com/security/

Page 23: Top Ten Trends in TRM


Questions?

http://www.aos5.com/security/consulting

Page 24: Top Ten Trends in TRM


The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

Thank you
