Wayne Tufek, University of Melbourne: Cyber Security as Business Risk
DESCRIPTION
Wayne Tufek, IT Security and Risk Manager, University of Melbourne, delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia's private sector and focussed on solutions and countering cyber-attacks. For more information about the event, please visit the conference website: http://www.informa.com.au/cybersecurityconference
TRANSCRIPT
[Slide 1]
Corporate Cyber Security Summit
Wayne Tufek
November 13th
Grand Hyatt, Melbourne
Cyber Security Risk as Business Risk
[Slide 2]
AGENDA
• Security Framework Example
• Designing and Implementing an Information Security program
• Information Security Risk as Business Risk
• The Security Processes You Must Get Right
• Questions
[Slide 3]
A Security Framework
Governance
Operational
[Slide 4]
Designing and Implementing an Information Security Program
Governance
Operational
1. Designing and implementing an information security program
[Slide 5]
Does Information Security Risk exist?
• Common definition of security
  – Confidentiality
  – Integrity
  – Availability
[Slide 6]
Information Security is a Property of Something Else
• Reputation
• Regulation
• Revenue
• Resilience
• For security to be relevant, it must solve business problems
[Slide 7]
Linking Security to Business Drivers
• Sherwood Applied Business Security Architecture (SABSA)
• http://www.sabsa.org/
• http://www.sabsa-institute.com/members/sites/default/inline-files/SABSA_White_Paper.pdf
• Business driven architecture
  – Goals
  – Objectives
  – Success factors
  – The security program demonstrably supports, enhances and protects
[Slide 8]
SABSA
[Slide 9]
SABSA
• Contextual – Business Strategy: Goals, Relationships, Market, Regulation, People, Materials, Finance, Production
• Conceptual – Security Strategy: Attribute Profile, Risk Model, Trust Model, Process Design, Policy & Legal Framework, Technical Design
• Logical – Logical Security Services: Identification, Registration, Certification, Directories, Authentication, Authorisation, Access Control, Audit Trail
• Physical – Physical Security Mechanisms: Names, Procedures, Encryption, Databases, Passwords, Access Control Lists, Firewalls, Logs
• Component – Components: Products, Tools
• Operational – Trusted Business Operations
[Slide 10]
Business Driven Security Program
• Business requirements – Business goals and objectives, e.g. "Sell more widgets", "Be the best X"
• Business Drivers for Security – Business requirements abstracted into one or more statements of security relevance
• Attributes – Standardised and reusable specification of the business requirement
[Slide 11]
Attributes
• Business attributes
  – Accessible – Information to which the user is entitled to gain access should be easily found and accessed by that user
  – Access controlled – Access to information and functions within the system should be controlled in accordance with the authorised privileges of the party requesting access. Unauthorised access should be prevented
[Slide 12]
Attributes
[Slide 13]
Example
• Identity Management Project
  – Business requirements
  – Business drivers for security
  – Business attributes
• Project Scope
  – Banking organisation
  – Automated user provisioning/de-provisioning
  – Single sign on
  – High availability platform
[Slide 14]
Example
Business requirements:
• Be the best bank in the world
• Be the most trusted brand
• To provide great customer service
Business Drivers for Security:
• Protect the reputation of the organisation
• Ensure compliance with regulations
• Maintain the accuracy of information
[Slide 15]
Example
Business driver: Protect the reputation of the organisation
Attributes:
• Access controlled
• Accessible
• Available
• Brand enhancing
• Reputable
• Efficient
[Slide 16]
Example
Business driver: Ensure compliance with regulations
Attributes:
• Auditable
• Compliant
Business driver: Maintain the accuracy of information
Attributes:
• Accurate
• Duty Segregated
• Protected
[Slide 17]
Example
Business requirements
Business Drivers for Security
Attributes
[Slide 18]
Corporate Cyber Security Summit
Information Security Risk as Business Risk
[Slide 19]
A Security Framework
Governance
Operational
2. Cyber Security Risk as Business Risk
[Slide 20]
Overview of IT Risk
• Risk
• IT Risk
• IT Governance
• Risk management
[Slide 21]
What Causes IT Risk?
• George Westerman from MIT Sloan
• http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
  – Failure of oversight and governance processes (ineffective IT governance)
    • Series of poor decisions and badly structured IT assets
    • Locally optimised decisions
    • Lack of business involvement
  – Uncontrolled complexity
  – Inattention to risk
• IT risk results from decision-making processes that ignore the full range of business needs that arise from using IT
[Slide 22]
The Business Consequences of IT Risk
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
Availability
Access
Accuracy
Agility
[Slide 23]
The Business Consequences of IT Risk (cont)
Enterprise IT Risks
• Availability – Business continuity; DRP
• Access – Information protection; Knowledge sharing; Preventing attacks
• Accuracy – Data integrity; Regulatory compliance
• Agility – Ability to implement major strategic change
IT Risk Factors (grouped on the slide under Technology & Infrastructure, Applications & Information, People & Skills, Vendors & Other Partners, Policy & Process, and Organisational)
• Configuration management
• Degree of standardisation
• Age of technology
• Architecture complexity
• Redundancy
• Data integrity
• Degree of customisation
• Turnover
• Skills planning
• Recruiting/training
• IT/Business relationship
• SLAs
• Use of firm's standards
• Sole source risk
• Controls
• Degree of standardisation
• Accountability
• Cost cutting
• Complexity
• Funding
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
[Slide 24]
Example Risk Factors
• Availability
  – Alternative site
  – Excessive time to restore (RTO, RPO, MTO)
  – Special hardware or equipment or a unique environment
  – Network links
[Slide 25]
Example Risk Factors
• Access
  – Financial impact of unauthorised modification of data
  – Impact of unauthorised disclosure
  – Are duties segregated?
  – Is access based on the user's role?
  – Can the system track user actions and provide reports?
  – How effective is the access provisioning/de-provisioning process?
[Slide 26]
Example Risk Factors
• Accuracy
  – What is the financial impact of incorrect applications?
  – How will inaccuracy impact customers and the organisation's reputation?
  – What regulatory and government compliance is required?
  – Is there a high level of customisation?
  – Are calculations performed by any third parties?
[Slide 27]
Example Risk Factors
• Agility
  – Is the system hard coded with custom features that are difficult to modify?
  – Is the system supported by the vendor?
  – Does the system require hard-to-obtain technical resources to maintain support?
  – Can the system be scaled in terms of volume?
  – Is the documentation adequate?
  – Does the system run on out-of-date software?
[Slide 28]
Example
• Single Sign-On implementation
Availability
Access
Accuracy
Agility
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
[Slide 29]
Example
• Moving corporate data to the cloud
Source: George Westerman
http://cisr.mit.edu/research/research-overview/classic-topics/it-related-risk/
Availability
Access
Accuracy
Agility
[Slide 30]
Corporate Cyber Security Summit
The Security Processes You Must Get Right
[Slide 31]
A Security Framework
Governance
Operational
3. The Security Processes You Must Get Right
[Slide 32]
The Processes
• Vulnerability management
• Incident response
• Security awareness
These are the processes that should be considered the foundation of your security operations function. Certain operational security processes are critical in ensuring that information security is managed effectively.
[Slide 33]
Is that it?
• Some key security processes exist in the governance layers
• Other processes to consider
[Slide 34]
Getting it Right?
• Documentation
  – Purpose
  – Process description
  – Process flow chart
  – Responsibility matrix (RACI)
  – Metrics
[Slide 35]
Vulnerability Management
• Phases
  – Policy
  – Discovery
  – Reporting
  – Prioritisation
  – Response
  – Eliminate root cause
  – Monitor
[Slide 36]
Incident Response
• Phases
  – Preparation
  – Identification
  – Containment
  – Eradication
  – Review
[Slide 37]
Security Awareness
• C-level support
• Understand your organisation's culture
• Partner with other business areas
• Metrics
• Change in behaviour is the goal
  – Define the behaviours (in plain English)
  – Engage through social media
  – Use entertainment as a teaching tool
[Slide 38]
Questions