
Page 1: External Dependency Risk Managementchapters.acp-international.com/images/northtexas/documents... · Dependency Concepts and Terminology External dependency risk management – aka

External Dependency Risk Management

North Texas Association of Contingency Planners

July 8, 2014 General Meeting

Presented By: Charles M. Wallen

Page 2:

External Dependencies a Key Aspect of Operational Risk Management

Page 3:

Managing External Dependency Risk

We realize new business opportunities, flexibility, and cost savings by outsourcing services . . . We utilize shared and public suppliers for a number of essential services…

. . . but how do we manage the right relationships and mitigate the resulting risks in a reliable way over time?

Page 4:

Dependency Concepts and Terminology

External dependency risk management – aka supply chain risk management, vendor management or critical infrastructure risk management.

External entity – an external supplier who has access to, control of, ownership in, possession of, responsibility for, or other defined obligations related to one or more assets or services of the organization.

[Diagram: Organization X's Critical Service 1, Critical Service 2 and Critical Service 3, each depending on external entities: data processing suppliers (1.1, 1.2, 1.3), telecommunications suppliers (2.1, 2.2), a power supplier, public services (Police, Fire, EMS), and threat intelligence, i.e., US-CERT.]

Page 5:

Growing External Dependency Risks: Role of Relationships & Partnerships

Page 6:

Intertwining of Physical and Cyber Domains

[Diagram: Physical Disruptions and Cybersecurity Disruptions overlap; the overlap covers protection of physical and cyber assets and cyber protection of physical assets.]

But also less predictable impacts . . .

New modes of attack
• Physical-enabled cyber attack
• Cyber-enabled physical attack

Evolving threat challenges
• Growing frequency and intensity of weather events
• Directed man-made attacks; terrorism
• State sponsored cyber events

Page 7:

We Depend on Evolving Cyber Ecosystems

Page 8:

Greater Dependency Every Day

CYBER

We are in a major transformation because our critical infrastructures, economy, personal lives, and even basic understanding of—and interaction with—the world are becoming more intertwined with digital technologies and the internet. In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.

—James Clapper, Director of National Intelligence, March 2013

Page 9:

Recent News

Page 10:

Partnering to Prepare and Respond

Relationships – Partnerships
• Law Enforcement and First Responder Communities
• Private Sector
• State and Local Governments
• Federal Departments and Agencies

Page 11:

Public-Private Partnership in Action

DHS, NSA, and FBI provided on-request support to organizations that were attacked.

DHS has improved its capability to aid the attacked organizations:

• Information gathering, analysis, and sharing

• Recommendations for mitigations

• Clarification of contact points

“A year ago, quite frankly, the capability was not there. We did not have the capacity to collaborate nearly as effectively as we do now. I won't say that it has become almost pro forma, but it's become a lot more routine for how we do this now than it was just a few months ago.”

—Mark Weatherford, DHS Deputy Undersecretary for Cybersecurity, January 2013


Page 12:

Cooperation (and Information Sharing)

Is it getting better?

Page 13:

A Practical Case for Situational Awareness

Page 14:

Resilience Management & External Dependency Management: Simplifying a Complex Challenge

Page 15:

What Is Resilience?

“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

– Presidential Policy Directive 21 (PPD-21), February 12, 2013

[Diagram: four quadrants – Protect (Security), Sustain (Continuity), Perform (Capability), Repeat (Maturity).]

Page 16:

Yesterday's Preparedness Planning

[Diagram: separate, partly overlapping disciplines – Emergency Management, Continuity of Operation (COOP), Business Continuity, IT Disaster Recovery, Crisis Management, Information Security.]

How can a resilience view help?

Page 17:

Today's Preparedness Planning

[Diagram: a crowded field of overlapping disciplines – IT Disaster Recovery, Continuity of Operation (COOP), Business Continuity, Emergency Management, Supply Chain Continuity, Crisis Management, Contingency Planning, Pandemic Planning, Preparedness Planning, Operational Risk Management, Enterprise Risk Management, IT Operations, Privacy, Risk Management, Workforce Continuity, Cyber Protection, Crisis Communications, Information Security.]

Page 18:

Desired Direction

[Diagram: the disciplines of the previous slide – Supply Chain Continuity, Continuity of Operation (COOP), IT Disaster Recovery, Business Continuity, Crisis Management, Emergency Management, Contingency Planning, Pandemic Planning, Preparedness Planning, Operational Risk Management, Enterprise Risk Management, IT Operations, Privacy, Risk Management, Workforce Continuity, Information Security, Cyber Protection, Crisis Communications – converge into a single Operational Resilience view that brings together IT Disaster Recovery, Business Continuity, Crisis Communications, Emergency Management, Crisis Management, Information Security, IT Operations, Supply Chain Continuity, Risk Management and Workforce Continuity.]

Page 19:

Example Resilience Framework: Cyber Resilience Review (CRR) Domains*

Key Attributes of a Resilience Program

Asset Management – Know your assets being protected & their requirements, e.g., CIA (confidentiality, integrity, availability)

Risk Management – Know your biggest risks and address them in a manner that considers cost and your risk tolerances

Configuration and Change Management – Manage asset configurations and changes

Service Continuity Management – Ensure workable plans are in place to manage disruptions

Controls Management – Manage and monitor controls to ensure they are meeting your objectives

Situational Awareness – Actively discover and analyze information related to immediate operational stability and security

External Dependencies Management – Know who your most important external entities are and manage the risks they pose to essential services

Training and Awareness – Ensure your people are trained on and aware of cybersecurity risks and practices

Incident Management – Be able to detect and respond to incidents

Vulnerability Management – Know your vulnerabilities and manage those that pose the most risk

* Based on Carnegie Mellon CERT Resilience Management Model http://www.cert.org/resilience/rmm.html

Page 20:

DHS Cyber Resilience Reviews

• DHS sponsored and coordinated with Carnegie Mellon CERT support

• Data collected from critical infrastructure and state/local government organizations in facilitated Cyber Resilience Review (CRR) assessments
  – Located in US
  – Data from CRRs conducted since 2011

• Strict non-attribution of results

• Not a scientifically rigorous study (yet) due to the limited sample size

• A snapshot of operational resilience as depicted in the ten domains of the CRR

Page 21:

[Chart: Participant Average, All Sectors – 10 CRR Domain Areas; y-axis: Maturity Indicator Level (MIL), scale 0 to 1.2.]

Page 22:

External Dependency Management – A Process Perspective

Page 23:

Managing External Dependency Risk

[Process diagram: a cycle applied to three classes of external entity – Suppliers/Vendors, Shared Infrastructure, and Public Services – with an External Dependency management information repository at its centre.]

Establish and Maintain External Dependency Management Plan
• Define and maintain supplier and contract/agreement requirements
• Categorize and analyze suppliers

Establish Relationships
• Evaluation of new suppliers and agreements/contracts
• Establishment of new suppliers and agreements/contracts

Manage Relationships
• Monitor Supplier Performance and Risk
• Supplier reports and information
• Transition, renewal or termination

Monitor and Improve External Dependency Management
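The "categorize and analyze suppliers" step above, and the Organization X dependency map on page 4, both reduce to one question: which external entities could take down which essential services, and where is there no fallback? The following Python is an added example written for this page (it is not code from the presentation, from CERT, or from DHS). It models a small service-to-entity map and reports each entity's blast radius and every sole-provider dependency. The entity names, their categories, and the service-to-supplier assignments are constructed assumptions for illustration; only the entity names echo the diagram.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalEntity:
    """An external entity in the deck's sense: a supplier or public service that
    holds, controls, or is responsible for something an essential service needs."""
    name: str
    category: str  # kind of supply provided; used to detect sole providers


# Constructed sample inventory (assumption), modelled on the Organization X diagram.
ENTITIES = {
    e.name: e
    for e in [
        ExternalEntity("1.1 Data Processing", "data_processing"),
        ExternalEntity("1.2 Data Processing", "data_processing"),
        ExternalEntity("1.3 Data Processing", "data_processing"),
        ExternalEntity("2.1 Telecommunications", "telecommunications"),
        ExternalEntity("2.2 Telecommunications", "telecommunications"),
        ExternalEntity("Power Supplier", "power"),
    ]
}

# Which external entities each critical service depends on (constructed assumption).
SERVICE_DEPENDENCIES = {
    "Critical Service 1": {"1.1 Data Processing", "2.1 Telecommunications", "Power Supplier"},
    "Critical Service 2": {"1.2 Data Processing", "1.3 Data Processing",
                           "2.1 Telecommunications", "2.2 Telecommunications", "Power Supplier"},
    "Critical Service 3": {"1.3 Data Processing", "2.2 Telecommunications", "Power Supplier"},
}


def blast_radius(deps):
    """Map each external entity to the set of critical services that would be
    disrupted if that entity failed or were compromised."""
    impact = defaultdict(set)
    for service, entity_names in deps.items():
        for name in entity_names:
            impact[name].add(service)
    return dict(impact)


def single_points_of_failure(deps, entities):
    """Return (service, category, entity) triples where a service relies on exactly
    one external entity for a category of supply, i.e. there is no alternate to
    fail over to. A service with two data processing suppliers is not flagged."""
    spofs = []
    for service, entity_names in sorted(deps.items()):
        by_category = defaultdict(list)
        for name in entity_names:
            by_category[entities[name].category].append(name)
        for category, names in sorted(by_category.items()):
            if len(names) == 1:
                spofs.append((service, category, names[0]))
    return spofs


def prioritize(deps, entities):
    """Rank external entities for review: first by how many services they are the
    sole provider for, then by total dependent services, then by name."""
    impact = blast_radius(deps)
    spof_count = defaultdict(int)
    for _service, _category, name in single_points_of_failure(deps, entities):
        spof_count[name] += 1
    return sorted(impact, key=lambda n: (-spof_count[n], -len(impact[n]), n))


if __name__ == "__main__":
    impact = blast_radius(SERVICE_DEPENDENCIES)
    for name in prioritize(SERVICE_DEPENDENCIES, ENTITIES):
        print(f"{name:24s} dependent services: {sorted(impact[name])}")
    for service, category, name in single_points_of_failure(SERVICE_DEPENDENCIES, ENTITIES):
        print(f"SPOF: {service} depends solely on {name} for {category}")
```

On the constructed data the power supplier ranks first (sole provider to all three services), the shared telecommunications and data processing suppliers follow, and "1.2 Data Processing" ranks last because Critical Service 2 can fail over to "1.3 Data Processing". Real inventories also need the public-service and threat-intelligence entities from the page 4 diagram, which have no contract to enforce; the same blast-radius view still tells you which relationships to invest in.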

Page 24:

Critical Infrastructure Cyber Community (C³)

• DHS launched the C³ Program in February 2014 to complement the launch of the NIST Cybersecurity Framework (CSF)

• The C³ Voluntary Program helps sectors and organizations that want to use the CSF by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector.

• The C³ website (http://www.us-cert.gov/ccubedvp) describes the various programs DHS offers to critical infrastructure partners, including Federal, State, local, and private sector organizations

• Many of the programs described on the following slides can also be found on the website

Website: http://www.us-cert.gov/ccubedvp

General C³ inquiries: [email protected]

Page 25:

In Closing…

• External dependency risk management is one of today's key business challenges

• Dependencies extend well beyond just your vendors

• Relationships and partnerships are key – organizations cannot effectively manage dependency risks on their own

• The complexity of today's cyber and physical disruption landscape requires new tools

• Taking a converged approach to the challenge is key

• Resilience management can help provide a roadmap to simplify the management of operational and dependency risks

Page 26:

Contact Information:

Charles M. Wallen – [email protected]