Professional Documents
Culture Documents
Cyber Risk Resources For Practitioners
Cyber Risk Resources For Practitioners
Cyber Risk
Resources for Practitioners
Cyber Risk Resources for Practitioners
The Institute of Risk Management (IRM) is the world’s leading enterprise-wide risk
management education Institute. We are independent, well-respected advocates of
the risk profession, owned by our members who are practising risk professionals.
IRM passionately believes in the importance of risk management and that investment
in education and continuing professional development leads to more effective risk
management.
We provide qualifications, short courses and events at a range of levels from
introductory to expert. IRM supports its members and the wider risk community
by providing the skills and tools needed to put theory into practice in order to deal
with the demands of a constantly changing, sophisticated and challenging business
environment.
We operate internationally with members and students in over 100 countries, drawn
from all risk-related disciplines and a wide range of industries in the private, third and
public sectors.
A not-for profit organisation, IRM reinvests any surplus from its activities in the
development of international qualifications, short courses and events.
Founded in 1976, CGI is a global IT and business process services provider delivering
high-quality business consulting, systems integration and outsourcing services.
With 68,000 professionals in 40 countries, CGI has an industry-leading track record of
on-time, on-budget projects, whilst aligning our teams with clients’ business strategies
to achieve top-to-bottom line results. We have over 1,200 Cyber Security experts
across the world who work closely with international security associations and standards
bodies. We are one of a few providers worldwide with three accredited security certification
facilities in the UK, the U.S. and Canada. Our nine Security Operations Centres continuously
identify and deploy the best solutions to maintain a state-of-the-art infrastructure, handling
over 70 million cyber events every day.
Our supporters
Foreword
I frequently say that the role of risk with BAE Systems Applied Intelligence.
management is to be the disruptive It is relevant for all professionals, particularly
intelligence that pierces the ‘perfect for those working at board level. It is not
place arrogance’ so often encountered in a technical document about computers
organisations of all types. Our professional and networks (there are plenty of those
inclination to be upbeat and optimistic, elsewhere). It is a document about risk
together with significant personal and management in the context of cyber
organisational investment in how things risk, which we think is breaking new
are, can lead to us being slow to react, or ground. There is also a shorter document
even wilfully blind, to major shifts in the risk summarising the key messages, particularly
landscape and our capabilities for dealing those of relevance at board level, which
with them. At the same time, corporate is available for free download from the
governance developments around the IRM website.
world are placing explicit responsibilities
As with all our thought leadership work,
on boards to ensure that they understand
we are gathering together risk experts to
and manage their risk exposures.
look at fast-moving areas where practice is
Cyber risk is one such development. Over still being developed. We don’t therefore
the past twenty years our working and think that what we have written here will
personal lives have been transformed by be the last word on the subject – we expect
these of technology. We can do things now to see new ideas and practices emerging
to access and organise information, and and welcome comments. I am grateful to
to communicate with each other, that we the RISE SIG, and particularly to its leaders
could not conceive of in the last century. Alastair Allison, David Canham, Matt
The pace of these developments shows no Hillyer and Dan Roberts, for the enormous
sign of abating. Technology has brought amount of work they have done to bring
us huge benefits, but it also poses risks these documents together. I would also
that need to be understood and managed. like to thank the wider international group
But while the risks might seem new, of practitioners, experts and associations
the ways of dealing with them are now that the SIG has brought together to
well established. The IRM has worked to produce, contribute to and comment
develop the profession of risk management, upon this work. Thanks are also due to
providing education, training and practical our sponsors CGI who have made possible
guidance to help organisations approach the design and print of these documents
their risks in a systematic and effective way, as well as contributing to the content. As
from the board down to the shop floor. a not-for-profit organisation such support
is invaluable in helping us maximise our
This document presents the work
investment in the development and delivery
undertaken by IRM’s Risk in Information
of world class risk management education
Systems and E-business (RISE) special
and professional development.
interest group (SIG). It also incorporates
ideas discussed at a series of round table Richard Anderson, Chairman,
events organised by IRM in partnership Institute of Risk Management
Foreword
Loss of Every day the media report another organisation which has been the
victim of a cyber-attack. Usually it’s the loss of corporate data, intellectual
corporate data, property or customers’ financial details – or at worst sometimes all three.
The consequences have varied from regulatory fines and reputational
intellectual loss, through to the complete failure of a business and we know that
property or cyber criminals can infiltrate an organisation’s systems for days, or even
years, without being detected. So businesses and government need to
customers’ understand where the key cyber risks exist within their organisation, how
financial details to detect them and how to protect themselves from this rising threat,
at the right level of cost. CGI is delighted to support this IRM Cyber Risk
– or at worst document of new approaches and best practice, and we look forward to
engaging with their members to help them become confident that they
sometimes are successfully managing their cyber security risk.
all three. Tim Gregory, UK President, CGI
GCHQ
Wendy Holt, CGI
Paul Hopkins, CGI
Tim Stapleton, Zurich North America
CPNI
Roger Garrini, Selex ES
Andy Coombs, HMRC
Jennifer Wood, HMRC
Julian Phillips, JP Risk
Dorothy Maseke, UAP Kenya
Jeff Miller, Zurich Insurance Group
‘‘ Digital technologies,
devices and media have
brought us great benefits
and offer enormous
opportunities but their
use also exposes us to
significant risks.”
Contents
Forewords 03
Our project team 05
Chapter 1: Executive summary – cyber risk and risk management 09
Chapter 2: Introduction 17
Chapter 3: The threat landscape 23
Chapter 4: The iceberg impact of a cyber loss 29
Chapter 5: Governance of cyber threat 41
Chapter 6: Managing business opportunities and information risks 59
Chapter 7: Cyber risk and the supply chain 73
Chapter 8: Cloud: Cyber risk and reality 101
Chapter 9: Mobile devices 121
Chapter 10: Social media – managing risks and seizing opportunities 141
Chapter 11: Building a secure system 161
Chapter 12: Incident management 177
Chapter 13: From learning to behaviour change 195
Chapter 14: Information security and privacy risk transfer –
insurance solutions 207
Chapter 15: Investing in cyber-security 223
Chapter 16: Cyber risk management –
how do I know I have the right people? 233
Chapter 17: Cyber auditing 239
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
Those
that responsible for risk
inadequate
attention
managementto the within an
risks may have
organisation need to have
contributed
tounderstanding
potential of the nature
of the risks
breaches being and of the
overlooked.
practical tools and
techniques that are
available to address them.”
Chapter 01:
C hapter 0 1
Executive summary
Cyber risk and risk
management
Chapter 1: Executive
Summary – cyber risk
and risk management
Carolyn Williams
Those responsible Digital technologies, devices and media We are aiming to offer some independent
Chapter 01
have brought us great benefits and offer and practical guidance for fellow risk
for risk management
enormous opportunities but their use professionals. Other professionals outside the
within an also exposes us to significant risks. The IT field may also find it useful. Some of the
organisation need media regularly present us with examples group’s findings and recommendations are
to have a full of organisations that have suffered based on research amongst IRM members
financial loss and reputational damage around the world. The document is intended
understanding primarily for risk professionals, from all types
as a result of problems arising from their
of the nature of information technology systems, whether of organisation and in all locations, who
the risks and also this is as a result of human error, deliberate are charged with ensuring that their own
wrongdoing or some other form of organisations are equipped to manage these
of the practical
technology systems failure. Governments risks, but there are also some important
tools and techniques messages for the boards of organisations,
and regulators are getting interested and
that are available are increasingly calling on businesses to where ultimate responsibility will lie. Effective
to address them. take action to protect both their own assets governance arrangements for cyber risk
and also the national infrastructure. issues are needed and some further ideas
on this are set out in chapter 5.
Those responsible for risk management
within an organisation need to have a
full understanding of the nature of the What do we mean
risks and also of the practical tools and
techniques that are available to address by cyber risk?
them. Increasingly regulators and investors By ‘cyber risk’ we mean any risk of financial
will expect organisations to provide loss, disruption or damage to the reputation
information on their cyber exposures, which of an organisation from some sort of failure
should be integrated with the organisation’s of its information technology systems.
overall consideration of risk exposure and Such a risk could materialise in the
appetite. Cyber risk is never a matter purely following ways:
for the IT team (although they have an vital
•d
eliberate and unauthorised breaches
role) as human and organisational factors
of security to gain access to information
are just as important as having the right
systems for the purposes of espionage,
hardware and software.
extortion or embarrassment.
This guidance document from the IRM’s •u
nintentional or accidental breaches of
RISE (Risk in Information Systems and security, which nevertheless may still
E-Business) Special Interest Group attempts constitute an exposure that needs to
to de-mystify the subject of cyber risk. be addressed
•o
perational IT risks due to poor systems
integrity or other factors
More about the nature of the threat can be Social media has brought vast changes
C h a p t er 0 1
found in chapters 2 and 3. to our personal, social and business lives
and has the potential to offer enormous
Organisations should not only be concerned
opportunities or do great damage to
with these things happening to them
organisations. An effective response plan to
directly, but should also consider the effects
address this new environment will include
should key companies in their supply chain
the development of a social media policy,
or other parts of their extended enterprise
deployment of a multi-disciplinary team,
be affected. (See chapter 7 for more about
effective training, careful handling of
supply chain considerations).
customer complaints and active monitoring
Increasingly organisations will have of the organisation’s own presence on the
suppliers in the new world of outsourced web. (For more about social media risk see
services and infrastructure that has been chapter 10).
termed “the cloud”. Use of the cloud
Mobile devices have become part of our
in itself neither increases nor decreases
everyday life and the lines between business
the risk profile; an effectively controlled
and personal use have become blurred, with
environment migrated to the cloud will,
implications for organisational security. The
if the controls remain in place, continue
RISE group’s research found that over 90%
to be effectively controlled, while a poorly
of respondents said that their organisations
controlled environment will be fraught
allowed the use of personal mobile devices
with risk and threat regardless of the IT
for business use, but only 37% exercised
infrastructure choice. (For more information
any controls in relation to the configuration
see chapter 8).
and security of these devices. Risk managers
will need to be creative to find a balance
Cyber = Opportunity between what the user wants and what the
organisation needs. (For more about mobile
New ways of working bring risks as well as devices see chapter 9).
opportunities. The business benefits offered
to organisations by cloud computing,
BYOD1, social media and the ‘internet of
things’ introduce a range of new risks as
well as causing existing risks to evolve.
Keeping track of this rapidly changing
world while maintaining the flexibility to
react to opportunities will be a challenge
to organisations. (For more on information
security risk and business opportunity
management see chapter 6).
C h a p t er 0 1
data breach, investment are vital Some form of data breach, deliberate or
accidental, is now considered inevitable
deliberate or People – what Verizon calls ‘the carbon
3
for all organisations at some point. It will
layer – can be a weak point but are also
accidental, is the organisation’s main asset and defence.
happen, so a robust incident response
procedure needs to be in place to minimise
Investment in training programmes and
now considered communications campaigns can be very
financial and reputational damage when
a breach occurs. Risk professionals need
inevitable for effective, particularly where account is
to make sure that their processes can
taken of the organisation’s risk culture
all organisations and how this influences the transfer of
respond to a breach in a timely manner
to protect the organisation’s reputation
at some point. what is learned into everyday activity in
as well as minimise any harm to clients
the workplace. (For more information see
and customers. (For more information
chapter 15 on investment and chapter 13
see chapter 12).
on learning and behaviour).
Questions the
organisation should ask
itself about cyber risk
Does our •D
o we have an effective enterprise •W
hat is the value of the information we
risk management process in place hold (e.g. intellectual property, financial,
cyber-risk and are cyber risks fully integrated strategic plans and other business critical
strategy into this process? information, customer/personal data)?
•A What are our ‘crown jewels’ that need
support our re we clear who is responsible for
the most protection?
managing risks, can we identify who
wider on the board is responsible, who •W
hat is the potential impact if this
explains the risks to them and on what information is stolen or corrupted
strategic information will decisions be made? (e.g. reputational damage; damage to
priorities? •H
ave we considered our risk appetite market value and share price; loss of
in relation to cyber risks, have we competitive advantage and market share,
communicated this to all functions and direct liabilities to third parties affected,
do we know if our resources being regulatory censure)?
deployed effectively? How would we •H
ow much would it cost a third party to
know if inappropriate risk taking was obtain this information and what could
taking place? it be worth to them?
•A
re we fully aware of the regulatory •W
hat are our customers/clients’
and legal exposure? What privacy and expectations of our cyber security?
data security laws and regulations might •H
ow many of our critical business
the organisation be subject to? What functions are outsourced to third parties?
are the implications for our investment Have we conducted due diligence on the
decisions? cyber security risks across our extended
•D
oes our cyber-risk strategy support our enterprise and supply chain, including the
wider strategic priorities? Does our risk use of cloud based services? How much
mitigation facilitate and enable growth? private and sensitive information is shared
Are our controls delaying or blocking with these third parties? What provisions
progress and are we agile enough to are there in the contracts to deal with
exploit market opportunities? cyber risk?
•D
o we invest sufficiently in cyber risk •A
re our systems engineered to the
mitigation, including training, incident best levels of security? What could
preparedness and assurance? How do be improved?
we prioritise our investment?
•D
oes our culture support the necessary
activities to manage this risk?
•D
oes our internal audit programme give
us sufficient assurance in respect of our
cyber risk management?
Do our business •D
o we have an effective mobile device Training
C h a p t er 0 1
strategy? How do we control the use
continuity plans of personal devices for organisational •D
o we have an effective cyber
business? risk training programme in place
include cyber including reporting of breaches and
•A
re we using social media in our
risk scenarios? organisation? How do we know what
subsequent actions?
our employees, customers and the public •A
re there initiatives in place to
are saying about us on social media? support learners after the training
Do we have a social media strategy and has taken place?
could we manage a social media crisis? •D
oes our cyber risk training focus on
the technology, the organisation or
the individual?
Incident response
•H
ow will we know if we are being or
have been attacked?
•D
o we have an incident response plan
and have we tested it? Do we have
arrangements to obtain specialist advice
and services post-breach (e.g. customer
help lines)?
•W
ho has the responsibility to declare a
cyber risk incident?
•D
o our business continuity plans include
cyber risk scenarios?
•M
ight we have cover under our existing
insurance policies for financial losses
caused by cyber-risks? Are there any
other risk transfer possibilities?
•A
re we prepared to do a root cause
analysis following a breach, particularly
to identify human factors, and are we
prepared to act on the findings?
•C
ould we defend our level of preparation
in the aftermath of an attack?
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
The
that threats are pervasive
inadequate
attention to the
and agile, of national and
risks may have
international concern
contributed
toand consequently, all
potential
breaches being
organisations need to
overlooked.
accurately assess their
cyber risk exposure.”
Chapter 02:
C hapter 0 2
Introduction
Chapter 2: Introduction
Alastair Allison CISM SIRM
The earliest “pyrates” recorded were the Sea Cyber crime is the use of computer
Chapter 02
Peoples in the 14th century BC who patrolled technologies to commit a crime. Cyberspace
Cyber crime the lucrative trade routes around the Aegean is defined as “the independent network of
and Mediterranean seas. Some historians information technology infrastructures. It
challenges have seen them as displaced Minoans includes the internet, telecommunication
many of our following the destruction of their civilisation networks, computer systems and embedded
with the eruption of Thera (now Santorini), processors and controllers in various
traditional and the subsequent displacement of people industries”4.
throughout the Mediterranean. Nevertheless,
governance the “pyrates” intercepted the trade for their
Criminality will always follow the money. In
the 19th Century in the UK, highwayman
models. own benefit. Roll forward to the modern,
Dick Turpin was after the riches of the few.
digital, trade routes where the majority of
In the 20th Century criminals Jesse James
today’s business is conducted.
and Ronnie Biggs blew up the money vaults
Modern day predators now prowl these and took stacks of cash. This digital age of
digital trade routes for their own benefit. the 21st Century is no different: Bobnev
Russian Alexandr Sergeyevich Bobnev, busted the digital vault for virtual cash. In all
one of the top cyber criminals on the FBI’s these cases, wealth was taken away from the
wanted list, was indicted in 2007 for his rightful owner. But is this the only motivation
alleged participation in a money laundering of cyber criminals? According to the 2013
scheme involving unauthorised access to the Verizon report, Cyber criminals fall into three
accounts of a major provider of investment distinct threat types: activists, criminals and
services. He accessed compromised spies. We add two further distinctive threat
accounts and transferred funds to money types; your own staff and your own systems.
mules in the United States – a cyber pirate
•A
ctivists are opportunistic in their
perhaps. Where the Sea Peoples may have
approach and often use only basic methods
been “pyrates” simply to survive, their
but, unlike the criminals who may be
activities were geographically limited. Cyber
financially motivated, their key aim may be
pirates have no geographical borders and
to cause embarrassment or, in the case of
international law enforcement is simply
“script kiddies”5 they may simply want to
not agile enough to keep up with them.
see what they are capable of doing.
Indeed, cyber crime challenges many of our
traditional governance models. But what do
we actually mean by “cyber crime”?
5 In hacker culture a script kiddie or skiddie is an unskilled individual who uses scripts or programs
developed by others to attack computer systems and networks and deface websites. It is
generally assumed that script kiddies are juveniles who lack the ability to write sophisticated
hacking programs or exploits on their own, and that their objective is to try to impress their
friends or gain credit in computer-enthusiast communities. Wikipedia – accessed 7 Oct 13.
Cyber risk is •C
riminals are motivated by financial and have an agile patching cycle, the
Chapter 02
gain and use increasingly high levels of weakest link will always be the person
pervasive and is sophistication during their attacks including behind a keyboard!
blackmailing vulnerable staff members
not just about to steal data from their employer’s
•O
wn systems, often built over a
number of years or grown in line
crime and organisation. There is a whole underground with the business and mergers and
criminal marketplace of capabilities to acquisitions, these pose a significant
stealing money, perpetrate cyber crime including help threat type in their own right. Poorly
or assets to desks, marketing services and trade fairs supported and insecure operating
where anyone can buy anything from systems, poor patching controls and a
exchange for hacked passwords to virus scripts. lack of investment in security all add up
money. •S
pies are state controlled and employ to making it easier for the active threat
the most sophisticated techniques. They actors such as those shown above.
can target everything, from intellectual
Whilst it is tempting to look at these threats
property for increased competitive
in terms of our own organisations we must
advantage to nation state infrastructure
also review the impact across our extended
in order to cause damage for political or
enterprise, looking at our exposure
warfare purposes.
should a supplier, partner or customers be
•O
wn staff represent the insider threat compromised. Consequently, we must not
– the hard to detect shadow operating lose sight of the fact that the cyber risk is
within the secured perimeter. The macro pervasive and is not just about crime and
and micro economic situation has stealing money, or assets to exchange for
threatened the livelihoods of many and money, but also encompasses risks arising
there is increasing evidence that criminal from other factors such as government
gangs are targeting vulnerable staff espionage, hacktivism, script kiddies, system
in organisations to help steal valuable integrity etc. Further, we must bear in mind
information. With insider assistance, these that it is not just the bigger businesses that
criminals are able to plant technologies are targets.
within the organisation which enable
them to carry out attacks on systems. We Experts have noted that companies may at
should also not forget the humble human times forgo investment in security since they
error which, when compounded by poorly have not been attacked before or because
controlled and secured systems, has the they mistakenly believe that they have
capability of opening up opportunities nothing a cyber adversary would want”6.
for others to exploit. Even if you keep Smaller businesses also have an unsupported
all your systems up to date with patches, belief that they are immune from the
threat. Small businesses are actually easier
6 Bucci, SP, Rosenweig, P and Inserra D, 2013, A Congressional Guide: Seven Steps to U.S.
Security, Prosperity, and Freedom in Cyberspace accessed on line at http://www.heritage.org/
research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-
freedom-in-cyberspace on 8 April 2013
It is absolutely
63% f small businesses were attacked by an unauthorised outsider in the last year
o
Chapter 02
know what 15% of small businesses detected that outsiders had successfully penetrated their
network in the last year (up from 7% a year ago)
constitutes the
data “crown
9% of small businesses know that outsiders have stolen their intellectual property
or confidential data in the last year (up from 4% a year ago)
targets and there is growing evidence Having identified the key data,
of criminals going for the less protected organisations need to review the risks,
organisations, exploiting multiple failures in based on the threat vectors described
technology, processes and people; indeed above to determine potential motivations
staff related incidents have risen sharply for an attack and how intent someone
in small businesses. According to Verizon’s might be in obtaining the data. This may
2013 Data Breach Investigations Report lead to withdrawing the use of computers
(DBIR), 99 percent of breaches involved if the information is so sensitive and facing
techniques that were not considered highly a real threat of discovery. However, for
difficult. Most data breaches are successful most commercial organisations, examining
because the criminals found an easy entry their operating environment across
point and not because they employed the extended enterprise is the next key
some level of sophisticated attack. The BIS stage to seeing what vulnerabilities exist.
2013 Information Security Breaches report Whilst this research looks at some robust
highlights some very specific statistics for solutions that could help overcome some
small businesses as shown above. At the key risks, organisations have to consider
end of the day no organisation is safe their proportionality i.e. if the solutions
or immune. are proportionate to both the risk they
face and the size of the organisation.
But is it really all doom and gloom? Should
we simply switch off the computers and 100% security is expensive, intrusive and
go back to paper and typewriters like the rarely achievable in this fast paced world
Russian Government proposed to do in that we live in. Consequently, organisations
2013? Not necessarily. must be able to respond to incidents in an
effective manner that protects the potential
It is absolutely crucial that organisations
victims as much as possible. We are not
know what constitutes the data “crown
suggesting surrender to the inevitable at the
jewels” be it customer data, credit card
expense of preventing breaches in the first
data, intellectual property or knowledge.
place. However, there needs to be a balance
These organisations need to have a clear
between risk efficient prevention and being
understanding of what value these
ready to react when the need arises.
“crown jewels” bring to the organisation.
Each organisation Today we live in an interconnected world facing organisations and put together this
Chapter 02
with so much data that it is critical to document that aims to help risk managers
must identify the exercise oversight of the information assess the risk by de-mystifying it. Stripping
being transferred and shared between it of the techie speak, we also aim to bring
risks appropriate organisations in our complex supply about a sense of perspective that will allow
for them and chains. That level of interconnectedness for an informed debate, free from the
was debated at the G20 Summit in Davos scaremongering. With the right approaches,
prioritise them which drew attention to the reliance on organisations can face up to the risks and
according to their web-based technologies and cyberspace with simple controls, eradicate 85% of all
to control our national infrastructure. threats. With the right approaches, we can
established risk Governments have realised the threat look to seize the opportunities that cloud,
of cyber risk and it has appeared on social media and mobile devices can bring.
frameworks. They some national strategic risk registers.
It is not appropriate for this document
will also need to Consequently, there are growing
to provide all the scenarios, risk lists or
regulatory and legal demands being
determine the made on businesses to not only protect
a risk profile. It also does not aim to
dive into the technical detail for the IT
appropriateness data but also the national infrastructure.
practitioners. This is because our own
The EU, UK, USA, Israel, China, Iran and
survey highlighted a gap in the risk
of the material to Syria have all announced significant cyber
manager’s understanding of the cyber risk
capabilities being put in place with not
their organisation. all of them being for defence purposes.
landscape and its borderless characteristic.
Additionally, we specifically did not want
The EU has a proposed Cyber Security
to replicate the fact that there is a wealth
Directive on its books with an aim of
of good material on technical controls
increasing international law enforcement
and the lower level detail. Consequently,
and data sharing in a bid to tackle these
this research aims to de-mystify the cyber
growing threats.
risk landscape and provide risk managers
So, the threats are pervasive and agile, with the guidance to take an informed
of national and international concern and approach, for example when facilitating
consequently, all organisations need to cyber risk workshops. Each organisation
accurately assess their cyber risk exposure. must identify the risks appropriate for
This is where the IRM Cyber Research them and prioritise them according to their
comes in. In the first half of 2013 the IRM established risk frameworks. They will also
RISE SIG undertook a survey of several need to determine the appropriateness of
hundred IRM members and contacts around the material to their organisation but this
the world to assess their perceptions of document covers the key themes and whilst
cyber risk and their organisation’s response not all the approaches are suitable for the
to it. Based on the results of this work, small business, they are at least scaleable.
we have looked at some of the key risks
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
The
that threat to national
inadequate
attention to the
security from cyber
risks may have
attacks is real and
contributed
togrowing,
potential whether from
breaches being terrorists,
hacktivists,
overlooked.
cyber criminals, or
hostile foreign states.“
Chapter 03:
C hapter 0 3
The threat landscape
Chapter 3:
The threat landscape
Centre for the Protection of
National Infrastructure (CPNI)
One major Cyberspace and the internet have How big an impact are
Chapter 03
Threats, extortion and denial “It was a drama and it was interesting
C h a pt e r 0 3
of service attacks – albeit portraying the worst of a worst-
93% of large Apart from the theft of sensitive business case scenario. However, if it served to
corporations information, there is also the threat that help raise awareness and if businesses
cyber-based systems can be disrupted to are now taking things more seriously as
and 87% prevent normal service. A Denial of Service a result of what was portrayed on screen,
then it was useful.”
of small (DoS) attack could prevent customers from
accessing key websites, such as those for
businesses had online banking. There is also the threat
What is Government
of disruption to critical industrial control
experienced a systems such as supervisory control and doing?
cyber breach data acquisition (SCADA). Almost all key National policy is led by the Office of
industrial infrastructures and processes Cyber Security & Information Assurance
in the are managed using computers and (OCSIA), which supports the Minister for
past year. communications networks. This includes the Cabinet Office and the National Security
the flow of gas and oil through pipes, Council in determining priorities in relation
the processing and distribution of water, to securing cyberspace. The unit provides
the management of the electricity grid, strategic direction and coordinates the
the operation of chemical plants, and the National Cyber Security Programme (now
signalling network for railways. This is why £860 million over 5 years) which is delivered
CPNI is helping operators to understand by lead government departments and
and mitigate vulnerabilities in these systems agencies such as the Home Office, Ministry
by funding research and working with of Defence, Government Communications
international partners. Headquarters (GCHQ), the Security Service
In 2013 the Channel 4 television drama, MI5, CPNI, the Foreign & Commonwealth
Blackout, illustrated a possible worst-case Office (FCO) and the Department for
scenario of a cyber attack on the UK’s Business, Innovation & Skills (BIS).
National Grid system. Showing scenes
of lawlessness and chaos within a few
days of the power going down – with
gridlocked traffic, looting, communications
breakdowns and the government
implementing its emergency response
plan – Blackout received mixed reactions
from viewers and opened an animated
debate about whether such a scenario
was possible. One cyber analyst said:
•D
oes the organisation understand the What support is available?
C h a pt e r 0 3
value of the information it holds – its
‘data crown jewels’ (e.g. intellectual Plenty of advice and guidance is available,
property, financial, strategic plans and for example on risk management,
other business critical information, technical security measures and incident
customer/personal data)? response services. Organisations also
need to be prepared to address the
•W
hat is the board’s understanding of
overarching questions, and articulate
the potential impact if this information
their own understanding of the value and
is stolen or corrupted (e.g. reputational
vulnerabilities of their business information.
damage; damage to market value
and share price; loss of competitive The delivery of protective security advice to
advantage and market share)? the national infrastructure and companies
Companies benefit from managing risks of national economic importance is
across their organisations (and also into undertaken by CPNI, who recommend that
their wider ‘extended enterprises’ of managing new and emerging threats such
suppliers, partners etc;) drawing effectively as those posed by cyberspace, should be at
on senior management support, risk the heart of any organisation’s corporate
management policies and processes, risk management strategy. For these
a risk aware culture and the assessment companies CPNI (see www.cpni.gov.uk)
of risks against objectives. provides a range of support, training, and
guidance documents to assist them to:
Information on both the potential threats
and implementing risk management •u
nderstand security threats (terrorism,
through corporate governance is explored espionage and sabotage),
in the ‘Executive Companion’ of Cyber • determine their exposure (risk), and
Security Guidance for Business (referred •m
anage risks in line with their
to above). In addition, detailed guidance corporate appetite.
sheets are provided outlining the measures
that can be taken to reduce information
risk in ten key areas. The contents of
both the ‘Executive Companion’ and the
detailed guidance sheets can be used to
support a board-level comprehensive risk
management regime which can be effective
in managing the organisation’s information
risks. https://www.gov.uk/government/
publications/cyber-risk-management-a-
board-level-responsibility
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This chapter will
that inadequate
attention to the
focus on the wider
risks may have
business impact
contributed
to potential
already being felt
breaches being
by organisations
overlooked.
Chapter 04:
C hapter 0 4
The iceberg impact
of a cyber loss
C h a pt e r 0 4
• Supply Non-Insurable Insurable
• Chain • Fines • Crisis Management
• Cloud • Reputational Damage • Forensics
• Mobile • Loss of Customers • Investigation
• Social • Loss of Employees • Customer Notification
• Media • Stock Devaluation • Business Interruption
It is often difficult to quantify the impact of publicity which is associated with the
intellectual damage to your organisation’s reputation breach. In conducting this research it has
following a breach. It is an area where been difficult to find evidence of long term
property some insurance can provide an element of share price damage associated purely with
can have a restorative cover – see the cyber insurance a cyber loss. Indeed some research has
chapter – but generally organisations will suggested that the impact on share price is
devastating have to monitor and assess the ongoing reducing as perhaps shareholders become
impact. impact to their brand and reputation. less sensitive to breaches. A report published
in the Journal of Computer Security in
Loss of customers 2011 suggested that “with increased media
The loss of customers is a likely consequence reporting of information security breaches
from a significant cyber loss. This may be without apparent devastating effects on
due to the termination of a contract through targeted corporations, investors lowered their
breach of a service level agreement related assessment of the costs of such breaches”.
to the loss or through negative publicity It is safe to assume however that where the
created from the incident. The longer term cyber loss has other significant impact in terms
impact of a loss can also have a major effect of major customer losses or highly punitive
on new customer acquisition. Indeed within regulatory fines then the organisation’s share
certain sectors, including the public sector, price would suffer some negative effect.
financial services or healthcare, a significant
loss may prevent your organisation from
tendering for future opportunities Case Study – Sony
Corporation
Loss of employees
As well as customers being lost by the Following the theft of details for 77
negative publicity of a cyber loss, it is equally million of its PlayStation Network
possible for your own employees to be customers in April 2011, Sony saw a
affected. For employees within a highly continuing decline in its share price
professional environment, the association of around 24% in the months after
with an organisation which has suffered the incident. However, despite the
a significant breach may be viewed as reported $150m cost of the incident
damaging to long term career prospects. to Sony, over the longer term their
Indeed following the high profile information share price has recovered. In addition
security breach at HBGary, which highlighted there is no doubt that the incident
significant issues in employee controls, certainly created some brand damage
employee turnover increased as individuals although the impact of this may have
sought to protect their professional profiles. been lessened by the loyalty of Sony’s
customer base.
Stock devaluation
Share price is certainly impacted in the
immediate aftermath of a disclosure of
C h a pt e r 0 4
Increasingly the regulatory authorities, on and in most cases good practice to provide
top of the fines imposed, will also require adequate assurance against a cyber loss,
organisations to undertake corrective action when the investments are driven by a loss
which will be monitored and audited by event the time and scale of the spending
the same authorities. These corrective may fall badly with business planning or at
programmes are designed by the authorities a time of poor business performance. It is
and therefore the scope is often broader and therefore the sudden requirement to invest
the implementation timescales much shorter capital in improved IT infrastructure which is
than would have been the case under an the major impact.
internally developed programme.
This is also the most common area in which
Devaluation of intellectual
organisations are affected with over 60% property
of IRM’s cyber risk survey respondents The loss of intellectual property can have
highlighting the increased costs of correction a devastating impact on an organisation
action programmes following a breach. with many not being aware of a theft until
This was 24% higher than the next most a competitor launches a similar or identical
common, fraud. product. Indeed a case study described in
the supply chain risk chapter (Chapter 7) in
These programmes are therefore extremely this document details similarities between
costly to the organisation with a particular the American F-35 fight jets and the Chinese
demand on employees through increased J-31 fighter jets, with the Chinese designs
overtime or specialist skills brought in on getting to market first. In the IRM Cyber
a temporary basis. Indeed the costs of the Risk Survey, almost 20% of organisations
programmes alone are often many times suffering a cyber breach were the victims of
higher than the original penalty imposed a loss of intellectual property, the 4th most
by the regulatory authority. common business impact of a loss.
It has also been observed that small
IT network upgrade costs
businesses are particularly vulnerable to this
Often cyber losses will highlight weaknesses
particular loss. Typically small businesses have
within IT network infrastructure which have
the weakest cyber security controls, yet they
been exploited by the cyber threat. For some
are often disproportionately reliant on their
organisations these weaknesses may have
intellectual property. For these organisations
been known and a prior risk assessment
a cyber loss may not just be a failed
determined it was a tolerable risk against
customer tender or being second to market
the likelihood of the threat. Unfortunately
for a new product – it can result in the
now that this weakness is externally known
loss of all income streams and the ultimate
the likelihood of repetition is certain and
closure of the business.
therefore the previously costly network
enhancements must now take place.
C h a pt e r 0 4
is also a fundamental requirement of • eview all the risks identified in the
R
getting investment for an information above processes within a workshop of
security programme to address cyber all key stakeholders. This brainstorming
risk – See Investment chapter 15. approach will draw out new risks which
have been missed.
Tools to assist with risk
identification Quantifying the impact
This section provides risk professionals As we saw from the IRM Risk Survey
with some simple tools to assist in the described earlier, many organisations
identification of risk impact areas which struggle to quantify the impact of a cyber
may affect the organisation in the event of loss after it has happened, so making an
a cyber loss. This information can then be assessment of the potential impact can
used to aid the development of a business be very difficult for risk professionals. This
estimate of the financial impact of an event. approach can help to provide an estimate of
the possible exposure the business may face
Although cyber risk can appear daunting
from a significant cyber loss – thresholds are
for non-specialist risk managers, the actual
only suggestions and should be adapted for
identification of risks should follow the same
your business.
process as you currently utilise. This chapter
proposes the following basic techniques, All thresholds should be tested by your IT
although there should be no reason to colleagues to ensure that the appropriate
divert from your current processes: numbers are applied for your own
organisation.
• Questionnaires
• Focus on the key information within
the business and the stakeholders
who access and use this information.
• Lessons learned review
• E stablish if and how information
security breaches within your company
or industry have happened and capture
the relevant risks for your organisation.
• Stakeholder interviews
• onduct one-to-one sessions with key
C
business stakeholders focussing on
critical business information and how
it could be accessed.
C h a pt e r 0 4
Enforcement Bulletins (March 2012,
August 2012, October 2012, June 2013)
1. Which of your company assets are
7. Verizon, 2013, 2013 Data Breach
at risk?
Investigation Report, http://www.
verizonenterprise.com/DBIR/2013/ 2. Which areas of non-insurable risk
could affect the business?
8. Zurich, 2013 “Meeting the Cyber Risk
Challenge” Harvard Business Review 3. What would the impact profile be
for a typical cyber loss?
9. Lawrence A. Gordon, Martin P. Loeb
and Lei Zhou, 2011, “The impact of 4. How effective are your existing
information security breaches: Has there controls in managing this impact
been a downward shift in costs?” profile?
Appendix 4.1 –
Data protection fines
by country
Chapter 04
Data from DLA Piper, March 2013, Data Protection Laws of the World – data accurate
at time of writing, but no responsibility is taken for the accuracy of the data.
C h a pt e r 0 4
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
Corporate
that inadequategovernance
attention to the
is a scheme for ensuring
risks may have
that the executive
contributed
tomanagers,
potential who have been
breaches
placedbeingin charge
overlooked.
of the company, fulfil
their duties.”
Chapter 05:
C hapter 0 5
Governance of
cyber threat
Chapter 5: Governance
of cyber threat
David Canham
….this chapter Governance of the cyber threat is complex This chapter will also consider the importance
Chapter 05
and has many layers. Organisations are of accountability in relation to managing the
will examine increasingly exposed to the outside world cyber threat and how that influences the
through digital offerings and access to development of international standards and
whether the internet both for business purposes setting security expectations to provide an
traditional and personally by staff. Organisations are effective framework for managing the
increasingly interlinked and cooperation cyber-risk landscape.
governance between public, private and the state is
When thinking about cyber governance it
is adequate paramount in understanding the range of
is clear that the challenges are many and
threats and sharing “best practice”. With
varied with an increasingly faceless threat,
and question such a wide ranging and multi-faceted threat
immediacy and speed of attack as well as
landscape this chapter will examine whether
whether traditional governance is adequate and
complex motivations. Organisations need to
be clear on their responsibilities, preventive
organisations question whether organisations give sufficient
measures and their ability to react to
time and thought at their key committees and
give sufficient boards to the cyber threat that in some cases
incidents. Indeed, with intelligence agencies
providing advice and governmental concerns
time and they cannot clearly see or articulate.
over protection of the critical national
This chapter will examine the current capacity infrastructure, there is a degree of the cyber
thought at their and mandate of oversight structures within threat that is outside of the organisation’s
key committees organisations. Further, it will examine direct control. The next sections will examine
the pace of technological change when the traditional approach to Governance and
and boards considered alongside the pace of regulatory will then go on to explore what differences
to the cyber change and consider if the existing may need to be recognised or built into
regulatory frameworks enhance or constrain governance frameworks in order to deal
threat… organisations attempting to govern the with the cyber challenges.
cyber landscape.
Strategic
Planning
Stakeholder
Expectations
Systems
Change and Management
attitudes,
continuous Board processes &
improve Responsibility resources
Measure
Stakeholder
& analyse
Impact
Chapter 05
models to governance
Before we start on the challenges that There is much written about governance
cyber risk presents to governance models, codes and the way in which organisations
let us briefly discuss what we mean when respect or abuse their own governance
we talk about governance. There are a systems and controls. Notable examples
number of models available to define of poor practice include Enron, Polly Peck
governance. However, we have adapted the and Hollinger International. However,
model taken from the Institute of Directors’ when talking about cyber governance a
“Director’s Handbook” as shown opposite. different landscape applies. The traditional
This shows that it is the management internal bad practice, financial irregularity
board’s responsibility to direct and control or director fraud is not the key risk focus.
the company so that the right systems, A new breed of threat exists that is
attitudes, processes and resources are characterised by being faceless, borderless
in place to implement the strategy that and can be perpetrated inside or outside of
will meet the stakeholder expectations. the organisation by factions, organisations
These are then measured and analysed or territories unknown. It can infiltrate
over time to identify areas for continuous organisations and remain dormant for some
improvement and change that will sustain time before becoming active and detectable
the longevity of the organisation, thereby but at that point, it is almost too late. The
meeting the stakeholder expectations. Or, damage could already be done.
as the Corporate Governance Committee
Cyberspace is a concept that has grown
of Japan states,
at a phenomenal rate and organisations
“Corporate governance is a scheme for have not necessarily been able to keep
ensuring that the executive managers, pace with it or gain a full understanding
who have been placed in charge of the of the context to be able to respond to
company, fulfil their duties.” the opportunities and challenges it brings.
Traditional governance measures are
The UK Corporate Governance Code
challenged by a cyber environment that
(formerly the Combined Code) sets out
presents a dynamic risk to the fitness of
standards of good practice in relation
such traditional governance measures.
to board leadership and effectiveness,
These measures could currently involve:
remuneration, accountability and relations
with shareholders. • reactive committee structures,
• static policies,
• partially educated staff and
• r easonably static risk management
based on quarterly reporting cycles
Chapter 05
Where responsibility for information security resides
10%
19%
● COO
● CEO
● CIO
23%
48% ● Other
In terms of committee oversight, the IRM survey found that of the 171 respondents,
only half had a designated committee to oversee information security risk despite
the plethora of media stories on the subject and the increasing levels of fines being
levied around the globe on organisations that have a breach.
11%
● Yes
● No
48%
36% ● Don’t know
Chapter 05
Modification or manipulation of data or
Propaganda/ introduction of contradictory data to influence
disinformation a political or business outcome or destabilise a
Integrity
foreign regime.
Cyber-attacks may
use hacking techniques Attacks on websites to coerce their owners (both
to modify, destroy or Intimidation public and private) into removing or modifying
otherwise compromise content, or pursuing some other course.
the integrity of data.
Permanent destruction of data to hurt competitors
Destruction or attack foreign governments. This may, for
example, form a part of wider conflict.
Attitudes, It is also important to note that the consideration which we discuss further
Chapter 05
attitudes, values and behaviours that flow below and these are:
values and through the culture of the organisation are
•D
oes the delegated authority take into
crucial to the effectiveness of governance
behaviours that and the ability to meet the modern cyber
account the “cyber” environment?
•W
hat is the accountability for prevention
flow through threats. Bureaucratic organisations with
and response?
tight traditional governance structures may
the culture of find that governance is slow moving and •W
hat is the Governance for delegated
authority in the extended enterprise?
the organisation committee based, organisations that are
younger with more free flowing attitudes
a re crucial to Does the delegated authority take into
are likely to be able to move quickly to
account the “cyber” environment?
address cyber challenges. Further, the
the effectiveness different value systems in organisations
For instance, is there a need for a more
dynamic sign-off process? Traditionally, larger
of governance will potentially impact the effectiveness of
organisations have strict protocols from the
governance and potentially the attitude to
and the ability cyber risk. For instance the organisation
shop floor level to board level to sign-off
and commit the enterprise to a course of
to meet the targeted on aggressive growth is potentially
action. In some cases this involves a number
less likely to be willing to invest in underlying
modern cyber security controls than one that’s more
of sign-off loops and paper production. In a
world where cyber opportunities and threats
prudent and balanced in their strategic
threats. aims on protecting the existing operation.
evolve in real time, traditional authority routes
may not be fit for purpose and may need to
Regardless of the value system of the be more agile. Decisions such as who holds
organisation it is important that throughout the authority to use the corporate twitter
the governance structures employed, account or who has the authority to invoke
lessons are learnt and messages permeate emergency crisis measures in the event of
the organisation to allow the response to a cyber-attack need to be clear. Roles and
the cyber threats faced evolve appropriately responsibilities need to be defined because
and intelligence is shared. So taken each from a practical view point, in this particularly
element in turn in terms of practical advice media centric world of instantaneous global
and assessment the following sections will communications, inaction due to lack of clear
give some insight. authorities can be equally damaging as the
event itself.
Delegated Authorities
The delegated authorities to commit the What is the accountability for
organisation to spend, enter a partnership, prevention and response?
outsource or external relationships, etc. For those organisations operating in the
will vary depending on the size and shape real-time cyber-world, which is probably
of the organisation and the nature of the vast majority of businesses, clear
operations. However, from a practical accountability is paramount. When
view point there are some key points for an incident occurs the leadership and
accountability has to be clear and has
Chapter 05
Incident Management chapter later in this responsibility of the CEO and a business
research. Also, when an opportunity can problem, the challenge is to move oversight
be seen in the market place, organisations away from solely technical governance
need to be clear on who owns the response committees into the strategy and business
and be clear on the roles of, for example, management processes. As mentioned
marketing and communications or security. earlier in the RISE survey only 53% of
Practically, from what is witnessed through respondents had a specialist information
the IRM RISE SIG perspective, organisations security committee. So in considering this
struggle with who leads on cyber issues from a practical viewpoint, the following
such as social media, cyber response, points should be considered:
strategy etc.
• T he structure, capability and seniority
of committees
What is the governance for delegated
authority in the extended enterprise? • T he use of management information
Increasingly, organisations are networks of to inform debate
interconnected organisations ranging from
the small enterprise to the multinational Structure, capability and seniority
with a network of suppliers, distributors, Does the committee structure your
regulators and customers all of whom organisation adopts consider the authority
have an interest in the organisation. Some required to drive the appropriate culture
of these groups will have delegation and and make informed investment choices to
authority to act on behalf of the extended respond to the cyber threat? Further, does
enterprise. Governance of these delegations the committee understand the nature of the
is equally as important for the prime risk? The results of our survey highlighted
organisation to understand and exercise. that most organisations do not have in-
house specialists with 49% relying instead
on external advice. To make matters worse,
Committees
our research found that the translation of
Traditional committee structures provided
technical cyber security risks into a language
oversight on a periodic basis with usually
that the boards and senior leaders could
lag Management Information7 making
understand was a significant challenge. This
decisions and documenting these on an
is particularly important where budgetary
informed risk basis. However, with so
decisions are required. If the importance is
much in an organisational agenda the
not recognised, investment and momentum
management and oversight of information
behind mitigating and addressing cyber
security risk is often the preserve of
risks is lost over the growth imperatives of
committees in the CIO / CISO directorate
the organisation.
structure or the technology department.
to inform debate
Designing Management Information (MI) is used to
and using drive business decisions. MI can take the Hackers stole information from at least
form of lag or lead indicators 8. It is always 45.7 million payment cards used by
lead a challenge in organisations of all sizes customers of US retailer TJX. The firm
said it did not know the full extent of
indicators to find adequate lead indicators. Most
the theft and its effect on customers.
governance committees will look at lag
requires a measures and base oversight decisions TJX stated the security breach may also
on these. Consequently, traditional lag have involved TK Maxx customers in
collaborative measures are reactive in nature and in the UK and Ireland but felt that at least
approach terms of the emerging and fast-paced cyber three-quarters of the affected cards had
threat, may not be sufficient to inform the expired or data had been masked. The
across the cyber risk management debate. External data was accessed on TJX’s systems in
Watford UK and Massachusetts USA
business. case studies are useful, TK Maxx and Sony
over a 16-month period from July 2005
for instance, but practically applying lead
indicators in your organisation to spot and covered transactions made by credit
trends and potential incidents is difficult. and debit card dating as far back as
When considering governance committees December 2002.
and the MI they will need, particularly if Taken from BBC Website March 2007
they look at vulnerabilities or incidents, a
more real time approach has to be adopted.
Designing and using lead indicators
requires a collaborative approach across
Organisational Polices / Standards
the business. Nevertheless, spending time
Key to the management of risks and the
reviewing and creating clear and concise
governance framework of an organisation are
MI is usually time well spent.
its policies and standards. These should set
out minimum controls, culture and approach
to how an organisation should behave. In
information security risk these are equally
important and crucial in managing the control
environment. There are a number of practical
considerations including:
• P olicies and standards tailored to the
audience
• Education and awareness is a key component
• Considering the extended enterprise
Chapter 05
to the audience regular targeted awareness bulletins using
Ensuring policies and standards are tailored multiple communication channels. One
to fit the intended audience is key. For example is to post bulletins about a breach
example, most organisations will have or incident that has appeared in the media
technical standards that are designed for and extract one or two key messages that
the IT community to mandate activities all staff should note as applying to the
such as secure email, secure applications organisation. Quick and dirty messages
development etc. These will be written that react to other people’s misfortunes
in a clear way and set out a technical but help to keep the message alive within
standard of control, potentially in line with the business are effective.
International Standards. Other policies, such
as use of communication systems, social Considering the extended
media etc. will be aimed more at all the enterprise
staff in an organisation and as such, they As an organisation sets its own policies
need to take into account the culture of and standards it also needs to consider the
the organisation and the knowledge and extended enterprise and how it will gain
competencies of the audience. Differences assurance that the same principles are being
in these groups must be understood and applied. There are a number of ways to do
policies and standards written that are fit this, including:
for purpose.
•p
lacing stipulations in contracts to
act in accordance with the parent
Education and awareness policies/standards
are key components
• c arrying out a standard audit through
Organisations can have the best policies
an accredited supplier aligned to an
and standards in place but without an
international standard
appropriate education and continuous
awareness programme they become • carrying out your own audit programme.
shelf-ware. Many organisations will rely However an organisations looks to control
on annual computer based training this, the underlying principle should be that
(CBT) but with an ever-changing threat the parent organisation needs to protect its
landscape it is recommended that there reputation and its data across the extended
is an increased level of awareness. enterprise.
To support CBT, organisations should
‘‘
C hapter 0 5
Risk management is a
key process that informs
the other elements of the
governance framework
and provides the insight
into the health of that
framework.”
Chapter 05
Risk management is a key process a crowded organisational agenda where
that informs the other elements of the pressures to grow or deliver service compete
governance framework and provides the with those of security.
insight into the health of that framework.
Through understanding the risk profile,
delegated authorities can be reviewed and RISK APPETITE –
the polices and standards can be amended. “Do you really mean that?”
In addition the external insight that risk
management brings can help to bridge “We have no appetite for a data loss or
the translation issue between technical security breach” could be translated into
staff and business leaders providing they “I am going to throw as much money
all understand the key components involved. as it takes to build my cyber fortress”.
In terms of practical considerations, these In other words, the IT department and
include: the information governance efforts have
• T he role of risk appetite, tolerance and a blank cheque. Do we really mean that
categorisation or are we going to accept that a breach/
incident is inevitable and we really want
• Key risk indicators
to prevent the preventable?
• Risk identification and assessment
• External intelligence
The practical • L ead – forward looking indicators can be brought to the decision makers.
Chapter 05
used to predict and shape changes However, despite a push by the British
challenge for in a risk’s profile Government to be open about breaches to
improve external intelligence and knowledge
the risk • L ag – after event indicators used to
sharing, there remains a reluctance to share
adjust or measure the assessment
manager is of a risk information on breaches. Our survey found
that while 61 out of 232 respondents
provoking •C
ountermeasure – measurement of
indicated that data breaches had impacted
current control action effectiveness
this debate in terms of an assessed risk
their business, only a small handful were
then prepared to share any detail.
in a crowded In an ideal world a mixture of the three types
We have considered a simplified governance
would be ideal but it is not always possible
organisational to identify these. External benchmarking, model and given some practical thoughts
your own organisation’s management some of the issues facing organisations. We
agenda. reporting or risk event analysis is a good will now consider how the challenges may
place to start to build these metrics. be different in a cyberspace environment.
Chapter 05
corporate agenda education or both
Advocacy is crucial to any topic. Risks or The threats posed by cyberspace means that
issues gaining airtime and staying on the organisations must develop clear policies and
organisational agenda is no different. As standards. However with organisations using
the ISF suggests, ensuring clear roles and cyber space to market their wares, increase
responsibility in relation to cyber risk in the sales or even profile prospective clients or
boardroom is key, not only to set direction recruits, the applicability of these policies to
and policy, but to secure any necessary an individual’s personal life and corporate
funding. Organisations, by their nature life becomes blurred. Take for instance
will not always see information security the CEO using their own personal Twitter
as the top of their investment list. At account to talk about company business.
worse they may see it as an overhead or What happens when they move on? Or the
expense to achieving the strategic aims. claims handler befriended over LinkedIn by
Executive sponsor nomination and clear a broker or IFA for preferential treatment,
accountability is essential if organisations or in extreme cases the staff member
are to ensure commitment to security threatened or manipulated over social media
investment, whether that is financial or to carry out malicious activity? Organisations
time investment. It is also important for have a practical duty to raise awareness of
good governance. organisational policy but they may also need
to consider the typical usage scenarios and
Further it is vital that the issue of cyber
consider education of staff in a way that
and information security is not buried in
handles those blurred boundaries.
IT or CISO governance structures as the
impacts and controls reach much wider
as we will demonstrate throughout this Compliance, regulation
guidance document. Technical protection and the law
is important, but in an increasingly Many organisations are operating within
digital world the social engineering and a regulatory or compliance regime. In
cultural challenges are equally, if not more addition, there are local and international
important as people need to understand legal stipulations of which organisations
why they are doing things and what to need to be aware. However simply
watch out for. As the IoD governance complying with the basic stipulations is
model alludes to, tone from the top is vital not necessarily demonstrating compliance.
to set the right attitudes and behaviours Under the “comply or explain” principle
and business ownership on the corporate of corporate governance, as stipulated
agenda sends a clear message that the by the UK Corporate Governance Code,
executive level take the subject seriously with similar requirements in many other
and everyone else should do so too. All territories, those organisations putting
staff are responsible for security. growth over protecting the security interests
and doing the “minimum” to get by, run an
It is vital that increased reputational and regulatory risk. threat could be when intelligence agencies
Chapter 05
C hapter 0 5
governance incorporates cyberspace across Information and External Intelligence
the extended enterprise, is sponsored at the to monitor your threat exposure?
executive level and has sufficient space on
the corporate agenda and key governance
forums. The Information Security Forum Reading list and websites
recommends the CISO has a direct line to 17. Information Security Forum, The Standard
the governing body of the organisation or of Good Practice Governance – June
via a senior member of an independent 2013
risk function to enable this to happen. It is
18. CESG/BIS/CPNI/Cabinet Office 10 steps to
strongly recommend that this is a minimum
Cyber Security accessed via http://www.
and that the cyber and information security
bis.gov.uk/assets/biscore/business-
is embedded, understood and clearly
sectors/docs/0-9/12-1120-10-steps-to-
articulated throughout the organisation
cyber-security-executive)
using risk management principles to
provide informed direction and effective 19. BIS, Cyber Risk Management – A Board
governance with increasing agility. Level Responsibility, July2013 accessed
via https://www.gov.uk/government/
Questions for the board uploads/system/uploads/attachment_
1. Is “cyber” on the board agenda? data/file/34593/12-1119-cyber-risk-
management-board-responsibility.pdf
2. Is your governance structure dynamic
enough to react to “real time” threats? 20. ISACA – The Computer Forensics and
Cybersecurity Governance Model
3. Do you have dynamic risk assessment http://www.isaca.org/Journal/Past-
processes to assess, manage and react Issues/2003/Volume-2/Documents/
to cyber threats? jpdf032-ComputerForensicsandCyber
4. Are the lines of delegation and response security.pdf
clear in your organisation to allow speed 21. DCAF – Democratic Governance
of decision making in reacting to a cyber Challenges of Cyber Security – 2009 -
incident? http://www.dcaf.ch/Publications/
5. Are your security policies, processes Democratic-Governance-Challenges-
and procedures clear and understood of-Cyber-Security
throughout your organisation? 22. FCA – RBS Ruling – July 2013 accessed
6. How comprehensive is your education via http://fca.org.uk/rbs-fined
and awareness programmes in security 23. BBC – Hackers Target TK Maxx Customers
and do they consider personal and – March 2007 accessed via http://news.
professional accountability? bbc.co.uk/1/hi/business/6508983.stm
7. Does your enterprise work across
multiple territories with different
legislative and regulatory regimes?
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This
that chapter is intended
inadequate
attention to the
to demystify some of the
risks may have
opportunities cyber and
contributed
tothe digital age offers. And
potential
breaches being how enterprises
it suggests
overlooked.
can better exploit these
in a secure manner.”
Chapter 06:
C hapter 0 6
Managing Business
Opportunities and
Information Risks
Chapter 6: Managing
Business Opportunities
and Information Risks
BAE Systems Applied Intelligence
These scenarios are based on our Within the information security domain,
Chapter 06
experience of helping organisations both risk and opportunity management
understand the importance of their critical as well as the interaction between them
information assets and the level of risk is gaining increasing focus. For example
posed to those information assets; and Chief Information Officers have
in implementing an appropriate and responsibility for safeguarding their
commensurate set of controls that protects organisations data with appropriate cost
these information assets in line with their effective controls, whilst also enabling
risk appetite and in supporting the business business activities to fully realise the
in the pursuit of its strategy. opportunities this information offers.
Technological innovation continues to Most mature organisations will have
radically impact and change the way processes in place to manage risks and
society and business interacts and operates. to identify and track opportunities.
Indeed, in the Harvey Nash CIO Survey But how many ensure that the two
2013 71 per cent of respondents believed processes are aligned and that appropriate
that their organisation had to embrace new engagement between risk and opportunity
technology or risk losing market share 9. management exists?
It is only right that this book contains a
Too little alignment between risk and
chapter on how risk officers can support
opportunity management can impact on
their organisations benefit from the
business performance if each function pulls
opportunities these innovations present,
the organisation in an opposite direction.
but in a secure manner.
Too much focus on business opportunity
can expose the organisation to levels of risk
Balancing opportunity far in excess of stated tolerances. Too much
focus on downside risk on the other hand
and risk management can create stagnation.
We now all live and work in a ‘connected’
The ideal situation is where cyber risks are
world. Our business and personal domains
considered properly and as an integral part
are blurring and this has helped to create
of the opportunity management process.
a bewildering growth in the potential
The components of this balance between
opportunities available to organisations. But it
opportunity and risk management are
has also significantly increased the risks they
illustrated in Figure 6.1 which considers:
face. Reduced ‘barriers to entry’ have swelled
the number of threat actors seeking to exploit • T ime: what is the urgency of exploiting
this connected world to their own benefit, the opportunity and if so what is the risk
be it fraudulent activity for financial gain, appetite in this situation? If timescales are
cyber espionage or the promotion of activist short, does this increase the security risk
movements. to the organisation?
RISK
PROJECT
COST TIME
•C
ost: what is the cost of implementing •R
isk: what is the risk that the information
controls for a certain security risk? Does to be used as part of an opportunity can
this cost still make the opportunity be compromised? Can the integrity of
financially viable? Is this cost considered this information be ensured as part of
acceptable in order to meet business the opportunity?
strategy?
Expenditure
A B C D E F G A B C D E F G
Risk Risk
It is also worth noting that once the The left-hand chart shows restrictions of a
Chapter 06
opportunity has become ‘business as compliance-led approach with the straight
usual’, it is important that risk management line expenditure response, regardless of the
remains involved to ensure that the risk. Areas above the red line are indicative
opportunity remains viable and that the of being over-managed and correspondingly
security risk remains within the corporate those below are undermanaged. It is
risk appetite. important to use an approach that ensures
controls are appropriate and commensurate
A common issue we see is that
to the level of risk, as illustrated in the
organisations base their risk management
right-hand diagram. This approach can
plan on a compliance-driven approach. This
also ensure the response is supportive of
can be driven by operating in a regulated
the organisations strategy and objectives
industry that blinkers risk management
and allows for a more flexible risk tolerant
to other models, or which focuses too
approach to larger opportunities over
heavily on impact over likelihood. Adopting
smaller ones.
this approach can impact opportunity
management by creating areas of over- A second key issue we commonly see is
control while also exposing the organisation that enterprises are not extracting the
to additional exposure by under-controlling greatest value from existing spend. Risk
other areas. This is illustrated in the two officers increasingly demand not only a
graphs below left. better return on their investment but also
to ensure that risk management decisions
are aligned with corporate strategy. This is
illustrated in the diagram below.
Save cost
2 1
need to ensure both a
Reduce
better return on investment
3 risk
and that risk management
4 decisions are aligned with
Unachievable corporate strategy.
Spend
Risk Cost
Information security often Weak costing of
identifies risk late and in information assets and
isolation from business risks means they are ignored
•A
n ability to react in an agile and In reality managing the opportunities and
Chapter 06
confident manner to new opportunities risks of personal mobile devices is far more
A key
that arise as a result of technological complex. Typically it is rare that the business
foundation is innovation and new business models case for staff to bring their own mobile
ensuring that that will arise as a result. The enterprise devices or technology into the enterprise has
an appropriate will be able to thrive in uncertain and been fully considered, let alone documented.
increasingly competitive times because Correspondingly there are usually no
risk governance
it has the appropriate flexible risk performance or risk indicators assigned to
structure is mitigation in place commensurate to measure whether implementation delivers
in place that the level of risks and opportunities the predicted benefits of increased efficiency
recognises the faced; and and productivity.
•A
more resilient enterprise that is better
relationships
prepared to react in the event of a Delta airlines recently announced they
and inter- cyber incident. Demonstrating robust would be supplying tablets to all of their
dependencies risk management processes protects pilots. They will replace paper copies
between risk reputation and allows organisations of flight manuals and maps with an
to build confidence and trust in estimated saving of $13 million per year.
and opportunity
relationships with partners, customers, They will also replace a wide variety
and the suppliers and in new markets. of personal devices that its pilots have
associated In the following section we outline four already been using.
costs of each. scenarios illustrating some of the risks and
opportunities associated with emerging
Similarly we rarely find comprehensive risk
technologies being adopted in the
assessments conducted for how the use of
enterprise.
personal mobile devices might affect the
overall risk profile of the enterprise. This is
Scenario 1: Mobile devices (Bring
because the two primary drivers for their
Your Own Device & Bring Your implementation commonly by-pass formal
Own Technology) change management or assurance processes
On the face of it there should be a clear cut in place.
case for enhancing operational productivity
by introducing personal mobile devices into The first driver is from the bottom up. Staff
the enterprise. Models for how this might will adopt practices and processes utilising the
work already exist – for example those in increased functionality offered in advance of
place for company cars – that would only corporate policy. This exposes the enterprise to
need some adaption for mobile devices. increased information security risk without the
ability to leverage the opportunities offered.
Driven from the top down it may have
approval from the board but will only deliver
benefit to a small group within the enterprise.
A plethora Most commonly we see top down initiatives Enterprises are increasingly seeking to
Chapter 06
Chapter 06
correctly configured the sheer volume of business information that can be collected
security alerts generated, including false from these systems. Efficiencies are realised
positives as well as low priority alerts can through greater automation, centralisation
overwhelm analysts. Furthermore, unless and reduced associated overhead. From
there is an aggregation tool in place, an enterprise perspective these make a
capable of drawing together the various compelling reason to pursue the opportunity.
feeds, analysts will spend most of their The opportunity crosses into two other
time trying to connect the dots across scenarios: remote diagnostics conducted
different monitoring tools. centrally can then be transmitted to mobile
devices held by field staff; and big data
In order for risk officers to be able to truly
collected from the engineering network can
embrace big data to help secure their
be used to better calibrate and understand
enterprise it has to be in a way which
the performance of the system.
overcomes the risks highlighted. When they
find themselves hampered by an inability Engineering systems have traditionally not
to efficiently process and analyse security been built with cyber security in mind. This
alert data; with a corresponding impact was not an oversight or intentional omission,
that decisions are delayed or made on the there was simply no need. The system was
basis of limited insight, it would indicate going to stand alone, use separate protocols
the enterprise is missing the significant risk and be operated by specialist staff. Security
management opportunities available to by obscurity was enough.
improve security.
Connecting these systems to corporate
networks that are connected to the internet
Scenario 3: Connecting engineering has radically changed the risk profile that
and corporate networks requires more effective risk management
The practice of connecting previously and mitigation measures.
disparate networks and systems together
is becoming increasingly common in the
In December 2012 Saudi Aramco,
enterprise. At a personal level there are
the national oil producer of Saudi
apps available to enable smartphones to
Arabia was the victim of a targeted
operate domestic lighting and audio systems
cyber attack. The attack successfully
as well as unlock and switch on vehicles.
compromised the corporate network
This scenario explores the opportunities and
with the intention of traversing to the
risks associated with connecting enterprise
engineering production network and
engineering and corporate networks, for
disrupting oil and gas production. While
example industrial controls systems.
unsuccessful in preventing production
Control networks and corporate IT networks it did wipe the hard drives of 30,000
are connected to improve efficiency, in computers on the corporate network.
controlling industrial control systems,
Scenario 4: What the future might In the meantime risk officers have to
Chapter 06
10 http://blogs.hbr.org/2013/06/rethinking-security-for-the-in/
11 http://www.darkreading.com/vulnerability/tackling-enterprise-threats-from-the-int/240161055
Conclusions and •W
here imbalances between risk and
Chapter 06
opportunities are detected, prompt
recommendations remediation to address this will help
Organisations need to bring business ensure opportunities can still be pursued
opportunity management and information but in a secure manner.
risk management together into the same • T his normally entails recognising
room. But balancing both is difficult. information risk management is not
It requires three different skillsets: an IT concern to be addressed through
understanding of business strategy; technical controls. Rather, it is a business
knowledge of the technologies involved; function that must be informed by the
and an understanding of the current enterprise strategy, priorities and risk
threats. But the impacts of getting it right appetite. It also has to be flexible enough
are significant and having an imbalance to recognise that risk appetite may vary
between the two can create significant with each opportunity identified.
damage. Too much focus on opportunity
The pace of technological innovation and
and the enterprise will be exposed to a
the rapid evolution of industrialised cyber
level of risk in excess of tolerances; applying
threats makes it all the more important
information risk management controls too
to ensure an appropriate mechanism for
tightly restricts the ability to successfully
recognising and responding to opportunity
pursue opportunities. In summary:
and risk is put in place. Paralysis in decision
• E nsure there is ownership and making can be the result or worse still the
responsibility for risk governance enterprise can expose itself to far greater
and its interaction with opportunity risk while missing the opportunity to
management at Board level. This should properly exploit the new industrial digital
then flow down the enterprise through economy.
management to the operational level
We have no shortage of examples where
allowing lines of communication both
we have seen this situation develop,
up and down the enterprise.
especially around the use of BYOD within
•A
way to ensure an effective balance is the enterprise. Enterprises unable or
to conduct regular risk assessments and unwilling to recognise and respond to new
receive regular key performance and technologies can frequently find their staff
risk indicators between these. These adopting and integrating these into their
allow the board and senior managers to working practices anyway. Adoption can
understand how the risk profile of the increase the level of exposure of critical
enterprise changes over time. It would information assets to associated threats.
also ensure the tolerance levels remain It also means the enterprise has to try to
appropriate and that the corresponding retro controls, possibly harming their ability
control sets are commensurate to the to pursue the opportunities these new
level of risk faced. technologies offer.
•R
ecognising the opportunities and risks The digital
Chapter 06
Appendix 6.1
Key questions for the enterprise to ask in balancing risk with opportunity management.
Chapter 06
Is the enterprise able to show they…
And common answers that indicate risk and opportunity is not in balance.
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This
that chapter aims to
inadequate
attention to the
provide guidance on the
risks may have
principles of assessing
contributed
toparties
potentialwithin the
breaches being
organisational supply
overlooked.
chain that handle
critical data.“
Chapter 07:
C hapter 0 7
Cyber risk and the
supply chain
12 Critical data is any data that is essential to the operation of the business and provides
it with a competitive advantage or is core to its operational role. It could be Intellectual
property of designs or personal data of customers for the placing of insurance.
Chapter 07
Case Study: Supply Chain Attacks
In February 2011, it was reported in the In February 2013, the first photos
media that a cyber attack had occurred of the Chinese Shenyang stealth
on the RSA Security division of the EMC fighter aircraft, designated as the J-31,
Corporation where SecureID tokens were emerged on Chinese internet forums.
potentially compromised.
While there is no proof that China’s
In May 2011, computerweekly.com latest stealth fighter stole design
reported that US-based global defence specifications from American stealth
firm Lockheed Martin said it had beefed fighter projects, the Chinese jet appears
up security around remote access to its IT to share many design characteristics of
network after a “significant and tenacious the American F-22 and F-35 jets.
attack” on 21 May, which could be linked
IMPACT: Reputational damage and
to the breach at RSA. Lockheed Martin
erosion of trust in partner organisations;
were building the stealth Jet fighters –
potential loss of competitive advantage
designated F22 and F35.
in certain markets due to exploitation
In March 2012, British aircraft of intellectual property; national security
manufacturer BAE Systems confirmed vulnerability.
that its systems had been hacked
3 years previously (2009) whilst
they were working on the designs
of the American F-35.
“Data security and other cyber exposures believe that they have nothing a cyber
“Monitoring
Chapter 07
Chapter 07
• L oss of intellectual property including
designs or strategies for market
A global company reported that they
penetration resulting in loss of
were contacted by an individual claiming
competitive advantage.
to have over 10,000 of their customer
• L oss of customer data, or access to and records and offering to sell it back
disclosure of, customer data outside of to them before it went on the open
business policy. market. The company were able to
• Instances of losses of customer data, or verify the data was theirs and that it had
access to, and disclosure of customer originated from one of their suppliers.
data outside of policy which are not
The company immediately set up an
identified and addressed appropriately.
incident response team and found that
• Inadvertent use of personally identifiable a rogue employee within a supplier
data to support big data analytics had stolen the data (due to weak
leading to a regulatory breach or harm controls) and had passed the data on
to individuals. for re-sale. The data, including customer
• Industrial espionage to undermine data from nine other companies in the
business critical operations, investments same sector, had passed through hands
or mergers and acquisitions. in three countries. At least six other
• Regulatory non-compliance marketing companies had bought the
data believing it to be legally obtained.
• Distress to customers and individuals
• Damage of organisational reputation Within the first week the global
company took out three injunctions in
• A loss of market share
three different jurisdictions and ensured
•A
dverse share price fluctuations its supplier took every measure to limit
including deliberate short-selling after the spread of the data to the market
manipulation of company reputation. and seek full recovery. In its subsequent
follow up work, the Global company
belatedly found over 23 weak security
practices in its third party’s operations.
Earlier due diligence and better
governance would have exposed
these weaknesses.
The regulators were informed early in
the process and it was only the swift
and extensive action taken to recover
the data that prevented a fine being
levied. The company did not pay for
the recovery of the data.
Chapter 07
today are more likely to use cloud
The supply chain can become large for computing technology (Zurich/Advisen).
many organisations. One company reported The IRM survey showed that over 90% of
they had over 6000 suppliers and they had respondents permitted the use of mobile
assessed the information security risk each devices such as smartphones and tablets
presented to its business and that they yet 53% of respondents failed to use
would apply differing levels of supplier security applications to control data security
management and oversight according on such devices. With this in mind, it is
to that risk. They also expected their essential for organisations to ensure that
third parties to do the same and exercise such technology within their supply chain
sufficient oversight and management of does not inadvertently leak sensitive data to
their third parties. the public cloud or allow it to be extracted
though a third party application.
THE IRM RISE Special Interest Group
cyber risk survey noted that over 45% of The agility of smaller suppliers will increase
respondents did not review information the risk of data leakage if they do not
security practices of a potential supplier have robust risk management practices
prior to contract award, thus leaving in place. A state of “data anarchy” may
a significant gap in the governance of well be present whereby data is not
the supply chain. Furthermore, business classified and flows freely around the
units within organisations may have internet and cloud solutions (such as Drop
procured services outside the normal Box) without any controls in place. Data
procurement process and these suppliers will be beyond effective control of the
may go undetected from a cyber-risk review organisation and could result in serious
perspective. Nevertheless, it is essential to financial consequences. Data anarchy could
assess whether these organisations have well exist within third parties unless there
recognised that they remain accountable is sufficient oversight from the contracting
for their information exchange operations party. Consequently, if an organisation has
even when they have outsourced the not conducted reasonable due diligence
function. The size of the supply chain to take adequate technical and procedural
is clearly a key challenge for many measures for the protection of the data it
organisations but the need to develop transfers, it may be in breach of regulatory
effective governance and oversight requirements that could result in fines at a
controls is essential. Additionally, time when the power to hand out greater
organisations must also challenge fines is growing.
the need to send critical data in the first
place and remove any data not actually
required by the recipient (see box opposite).
Framework
There are certain key steps to ensuring It is essential to determine how cyber risk in
supply chain cyber security practices are the supply chain is to be governed so that
effective and these are outlined below. all subsequent processes are measurable
•D
evise a risk and cyber supply chain and justifiable and to prevent over-
governance framework including risk committing resources. As far as possible
tolerance this should fit into existing processes. It
• Identify critical data being shared across could involve simply verifying the state of
the supply chain and its value to the the supplier’s cyber environment annually
organisation through a self-assessment questionnaire
such as the one at Appendix 7.1 or it could
• Educate (internal and external)
become part of the wider organisational
• Review contract wording due diligence processes.
• Undertake due diligence activities
In essence, a governance framework
• Monitor performance during the contract is required to provide oversight of the
• Implement an escalation process supply chain risk, determine the
• Ensure effective evidence gathering policies and procedures and ensure the
risks are being managed to within the
• E nsure effective incident reporting
organisational tolerance limits. Clear roles
processes.
and responsibilities need to be defined
However, even if all these steps are taken, including who has ultimate responsibility
they can provide no guarantee against the for each supplier (Contract Owner) and
activities of individuals or staff at suppliers who manages the supplier relationship
who might commit malicious activities or on a day-to-day basis (Contract Manager).
are prone to human error.
The governance process should consider The governance process surrounding the
Chapter 07
the business impact of a data loss against supply chain risk posed from cyber threats
its risk appetite and set the risk parameters should cover the normal governance areas
as shown in the example at Figure 7.1. In including the determination of values and
terms of certain data types, such as medical behaviours, measurement and effective
data or personal sensitive data, the risk oversight so that timely intervention can
appetite will be shaped by the regulatory be made to prevent an issue becoming
environment which may also prove useful in a crisis. Such a review can be aligned to
determining quantitative thresholds for the particular standards or guidelines that the
number of records involved or the sliding organisation is using such as ISO27001,
scale of financial penalties in the event of as listed below.
a breach. Again, this should fit into the
organisational risk process and allow for
effective reporting of risks that are
above threshold.
1. Security policy
3. Asset management
5. Secure areas
7. Access control
With the governance framework in place from publicly available data. It is good
Chapter 07
to allow effective and risk based oversight practice when an organisation can identify
of the supply chain, it is essential to map data according to the criticality of it to the
the key governance requirements to the business. For example, an organisation
risk threshold diagrams so that the contract may classify any data that could affect its
owners/managers can clearly see the share price, such as unpublished financial
relationship between what they are doing results, as TOP SECRET. If that organisation
with the risks to the organisation. For has outsourced its printing operations
example, Figure has been used to drive to a third party, those results will leave
the high level due diligence reviews that the organisation to be printed and
will be required. subsequently returned to head office for
release and distribution. The classification
Identify that Critical Data level can be used to determine the level
There are two steps to identifying data of protection during transit and handling
critical to a business. The first is to identify and also any contractual requirements such
the types of data that are critical to the as confidentiality clauses. Consequently,
business and the second is to identify data classification permits the control
where it goes outside the organisation. environment to be designed according
to the risk to the organisation rather
Such data could be designs, floor plans than taking a one-size-fits all approach.
or requirements for bespoke systems that It also then allows suppliers to be ranked
give competitive advantage or it may be according to the classification of data they
customer records. process and, when combined with an
What will help the identification is a understanding of the volume or frequency
data classification system so that the of data exchange, can be used to tier
most sensitive data is identified separately the suppliers.
Risk
Filtering can then be applied to the list product and get to market. For personal
Chapter 07
of suppliers to identify the key suppliers data, it is widely accepted that only five
Data so that those that process no data can key pieces of information are required
components be filtered out. The criterion for filtering for identity theft. Consequently, any data
suppliers could be based on: exchange involving five or more pieces
will depend of such data poses a greater risk than
• the volume of data,
anonymised data particularly if that data
upon the • sensitivity of the data and is unencrypted.
data being • t he number of data components
As no organisation has the resources to
(name, address etc.).
protected. conduct on-site reviews of all its suppliers,
With data components, the actual number filtering is an attempt to create a risk
that are shared compared to the whole based approach to supply chain oversight.
picture will give a measure of the risk that It also aims to shape a governance model
a competitor could gain advantage from IP by understanding the scale of the task
theft or a data loss. Data can be assessed involved. Using Figure as our example, the
by being put through a filter so that, for filtering for the current supply chain could
example, only those with high sensitivity be extended as shown opposite to create
(medical records or high net worth IP) are three tiers of suppliers. However, other
classified as high risk. companies may be further filtered out if
Data components will depend upon the an independent cyber-review had already
data being protected. For system design taken place in the last 12 months and there
for example, the more complete the design were no additional services added since the
specifications are to the end product the last cyber-review. Thus, it would be easy
easier it is for others to assemble that new to create a tiered view of the supply chain
Volumn of Data
data over Sensitivity
time
Number
of data
components
Critical suppliers
Education is a that allows resources to be directed at the As Bayuk outlines in his ISACA article,
Chapter 07
highest risk areas. This might look like the the use of scenarios as an approach to
critical part of following: vendor due diligence is a useful tool.
He outlines the following five scenarios
supply chain • T ier 3 – Low risk organisations that share
for organisations to consider:
data but with a narrow number of data
management. components that of themselves, do not A. T he firm compiles a list of questions
constitute a threat to customers if the intended to identify control activity that
data was lost. Self-assessment surveys would support business requirements.
issued every three years. The vendor fills out the questionnaire.
• T ier 2 – Medium risk organisations that Where vendor answers do not match
directly support core business but with requirements, this is reported.
smaller volumes of data exchange and B. Same as scenario A, but in addition,
lower sensitivity of data. These require the vendor is interviewed via telephone
less oversight and on-site visits required or e-mail to explain questionnaire
every second year only. answers and provide evidence of
• T ier 1 – High risk organisations that alternative controls.
directly support core business and require
C. S ame as scenario A, but in addition,
annual oversight with on-site visits and
where vendors are considered high risk,
quarterly performance reviews.
the firm visits the vendor site to verify
answers and clarify responses.
No evidence of
Due diligence
cyber assurance
Critical suppliers
D. The firm reviews the vendor data should first train internal staff to be
Chapter 07
processing environment by charting the competent in conducting such evaluations
path taken by data in scope. The vendor so they can ask the fundamental questions
is requested to provide documented and understand the implications behind
evidence of controls. The firm confirms the responses.
its understanding of the vendor
Light touch approaches that rely on
environment via phone interviews.
suppliers responding to critical questions
E. Same as scenario D, but in addition, or to provide evidence of accreditation to a
where vendors are considered high specific standard still requires someone to
risk, the firm performs or requires assess the responses and make a judgement
independent verification of controls, on behalf of the business. On-site reviews
to include Internet scans, onsite audits require a different level of competency
and/or reports of independent auditors. and a certain amount of legal awareness
if liabilities are not to be inadvertently
Regardless of the methodology chosen, it
transferred between parties. Each role
is clear that all organisations have limited
involved in the evaluation process needs
resources for assessing the adequacy of
to be examined and training performed
the supply chain. Furthermore, the need
where appropriate.
to classify data and assess the exchange of
such data not only applies to the existing A contributor to this research stated that
supply chain but also to new contracts. they provided a one day training course
Such an exercise can be used to determine to over 70 of their contract managers
the level of controls that should be on how to plan, conduct and assess the
implemented as part of contract award. outcomes of on-site reviews including
For example, if the contracting parties what constituted good evidence, and what
are to exchange personal or personal typically to watch for when conducting
sensitive data on a daily basis then it may a cyber-review. The training allowed
be necessary to put secure email solutions the contract managers to dig deeper,
in place. If the parties will be exchanging assess the evidence and to challenge the
intellectual property involving design responses so that they were able to make
specifications then a secure operating a firm recommendation to the business
environment in a private cloud solution on whether or not to trade with that
may be required. supplier. As non-specialist staff, they were
not only provided with the training and
Education appropriate toolkits but they also had
Education is a critical part of supply support from subject matter experts to deal
chain management. Indeed, the act of with the more challenging technical and
conducting due diligence and working with procedural aspects of cyber security that
the supply chain to resolve the issues is part only experience and specialist knowledge
of that education process. An organisation can provide.
embarking on supply chain evaluations
13 Table and contents are kindly provided with permission from Zurich Insurance Group (UK General Insurance)
and KPMG.
Chapter 07
global bank global financial institution payment global financial
institution organisation institution
Number of high 800 (‘08/’09) 100-250 250+ 300 50-100
risk third party
suppliers
No of third party 800 (‘08/’09) 100-250 100-250 300 50-100
security reviews
planned for 2009
Number of third Unknown 50-100 250+ 300 50-100
party security
reviews planned
for 2010
Self-assessment No Yes Yes Yes Yes
Telephone Yes Yes No No No
interview
On site Yes Yes Yes Yes Yes
assessment
Base Bespoke by Bespoke based ISF Bespoke Bespoke
questionnaire client on ISF aligned to aligned to BITS
PCI DSS
No of days 1 1-5 & 5-10 1-4 4 2
on site
It is clear that there is no “one-size fits risk presented as described above although
all” approach and each organisation will agreeing a remediation plan may require
need to determine what is appropriate for further negotiation or possibly renewal of
it to do given the risk and the resources the contract depending upon the severity
available. It will also be necessary to of the findings.
determine the level of training required
Due diligence is normally associated with
to support the process. However, the
new contracts so it is essential that business
conduct of due diligence prior to contract
as usual processes are devised to keep
award is the right thing to do. Of course,
abreast of the changing landscape and that
many organisations also have a large
the supply base responds to the changing
supply base already in existence so taking
risk context. This is best achieved through
the above for guidance, due diligence on
the performance monitoring processes.
information security capability should be
conducted retrospectively according to the
Due diligence for information security and oversight of all the companies and the
cyber risks is likely to be a one-off exercise total plans outstanding whilst the risk and
at the beginning of a contract or at contract compliance team may just need to know
renewal but continued compliance with the that annual inspection plan is on target
contract terms, service level agreements and that actions are being appropriately
and performance metrics will need to be managed and escalated. Appendix 7.2
monitored in a business as usual approach. provides some examples that could be
For this to occur, performance management used to achieve performance reviews
needs to be embedded into other due dedicated to information security.
diligence or contractual review processes
so that the data security risk remains in Escalation process
context with the other business activities Of course, not all suppliers in the chain will
being performed. wish to accommodate remediation actions
as it will no doubt add costs to the service
The following need to be in place:
they provide. Even with increased regulatory
•U
pdating of the risk assessment of pressure to safeguard personal and personal
the cyber environment sensitive data, some organisations will resist
•R
egular risk reporting against other any action that adds costs to their business.
suppliers It is essential, therefore for organisations to
• E vidence of proportional oversight have clearly defined escalation procedures
activities according to the risk that can lead to the appropriate decisions
being made to manage the risks as they
• E scalation of any data security breaches
present themselves.
to the appropriate internal team charged
with managing such issues. Figure 7.5 – Escalation Process highlights
•R
egular relationship meetings with any four potential scenarios and what escalation
actions recorded, agreed and resolved. processes may need to happen, including the
option of terminating a contract. This is not
•A
ssessment/monitoring of emerging,
always possible as a supplier may be the only
new and existing risks
source of a product or service or the industry
•R
eview of the progress against standard is such that the proposed changes
remediation plans from audits/due will put them at a commercial disadvantage
diligence work. within their sector. In such cases it may be
Tracking of remediation work is essential necessary to accept the risk. If this is the
if gaps and vulnerabilities are to be closed case, full documentation should be kept
down in a timely manner. As with all of the decision and the rationale for it in
reporting, it needs to be tailored to the case it is required for internal review and
organisation and the detail tailored to the potentially for regulatory purposes in the
audience. For example, details on each future. Notwithstanding this, if organisations
remediation action for a single company are to take cyber security seriously and
is appropriate only to that company or enforce the same approach in the supply
the team charged with ensuring actions chain, they must be prepared to make hard
commercial decisions even if there has essential to also compare one year with
Chapter 07
been a long term relationship. Data the next and spot trends.
security is no longer a risk than can be
readily accepted or ignored. It has to be Ensure effective incident reporting
proactively managed across the extended Devising an incident reporting process
enterprise and for some, it may mean that that is risk based with pre-defined severity
the cultural fit now has to be challenged. levels and takes into account the regulatory
reporting requirements is essential. In
Evidence some jurisdictions and/or industries there
Supply chain governance requires accurate is a mandatory requirement to report
and up to date business evidence to be information security breaches and it is
maintained of all phases of the process important therefore that processes and
(including post-contract). These documents contracts are in place with third parties
provide a complete audit trail of decision to ensure this occurs. It is also important
making, data evidence, signature, risk that proportional responses are made in
assessments etc. in the event that a data respect of any breach to prevent undue
breach does occur and the oversight of the escalation and setting off time consuming
supplier is called into question. This does and costly activities that are not required.
carry its own risks and organisations will If the incident can be handled appropriately
have a duty to ensure that all evidence is at a local or junior management level then
securely stored, classified and retained for it should be.
the correct retention periods. Evidence is
If no progress Yes
No
Consider termination Risk acceptance –
sign off by Exec owner
Chapter 07
1. Bayuk, J, 2009 Vendor Due Diligence website http://www.thebci.org/
ISACA Journal Volume 3 10. Verizon, 2013, 2013 Data Breach
2. Bucci, SP, Rosenweig, P and Inserra D, Investigation Report, accessed via
2013, A Congressional Guide: Seven http://www.verizonbusiness.com/
Steps to U.S. Security, Prosperity, and resources/reports/rp_data-breach-
Freedom in Cyberspace accessed investigations-report-2013_en_
on line at http://www.heritage. xg.pdf
org/research/reports/2013/04/a- 11. Zarella, E, 2008, You Can’t Outsource
congressional-guide-seven-steps-to- Control ISACA Journal Volume 6
us-security-prosperity-and-freedom-
in-cyberspace on 8 April 2013 12. Zurich/Advisen, 2013, 2nd Information
Security & Cyber Liability Risk
Case Study of the Chinese
3. Management Survey,
Fighter jet accessed via http://
killerapps.foreignpolicy.com/ 13. Zurich, 2013 “Meeting the Cyber Risk
posts/2012/10/31/chinas_newest_ Challenge” Harvard Business Review
stealth_flighter_flies on 22 Mar 13
4. Experian/Ponemon Institute, 2013,
Securing Outsourced Consumer
Data, accessed via Experian Website,
http://www.Experian.com/
ConsumerDataStudy on
4 April 2013
5. IRM, May 2013, Cyber Risk
Management Survey
6. ISACA, 2002, Effect of 3rd Parties on
an Organisation’s IT Controls ISACA
Journal Volume 4
7. ISO 31000:2009 – Risk Management
Principles and Guidelines
8. ISO/IEC 27001:2005 – Information
Technology – Security Techniques –
Information security Management –
Requirements
Appendix 7.1 –
Due diligence questions –
an example
The following table aims to be a compromise between a superficial review and the more
Chapter 07
detailed question sets used by some contributors to this research paper involving in excess
of 150 questions. It provides a list of questions that might typically be used to assess the
effectiveness of a third party cyber environment. Organisations wishing to use this list
should integrate it into a risk assessment based on the level of good practice observed
and an assessment of the vulnerabilities and threats resulting from any gaps as described
further below. An alternate approach is to have closed questions only where by the “No”
responses are all highlighting the gaps but the responses, whilst easier to provide and total
up, can mask a multitude of sins unless all ambiguity is removed.
1. Who is responsible for the day to day security within your organisation?
4. How are risk assessments communicated and how is sign off obtained from the key
stakeholders within the organisation?
8. Do you test staff understanding of data security policies on induction and once a year
after that?
9. Does your policy include any specific notification requirements if there are incidents in relation
to organisational information?
10. Is there an emergency response process for dealing with serious security incidents and attacks?
13. Do you know where all information is stored within your organisation? How?
14. What policies, procedures and practices do you have in place for secure transfer of customer
and sensitive data?
15. How do you keep track of all your IT hardware and removable media?
16. What is your destruction policy for hardware, removable media and paper documents?
19. Who is responsible for informing IT about leavers and joiners? Can you talk me through your
process?
20. What checks apply prior to the appointment of temporary staff and contractors?
21. How are all new joiners including temporary staff and contractors made aware of your security
policies?
Chapter 07
22. Are there any additional measures taken to vet those staff with access to customer data either
on appointment or on promotion/change of role?
23. How do you inform staff of changes or updates to the security policy?
24. How are temporary members of staff made aware of your security policies?
28. How do you protect your back-up tapes and who is responsible?
29. Can you describe the process around transportation of data for backup / destruction –
is the data encrypted?
30. Can you describe the process for the destruction of hardware, removable media and paper
documents?
31. How do you protect your sensitive areas or key services from fire or flood?
32. Do any of your suppliers or their suppliers manage or have access to organisational data/
systems?
36. How do you ensure that this software is always containing the most up to date protection?
38. What processes are in place to make backups of your systems holding and processing
organisational information?
39. Where are back-up media stored on-site? What is the retention period on-site?
44. What exceptions to information security policies and procedures are in place and what controls
are in place addressing any additional risk?
45. If anyone is responsible for storing back-up media at their home, do you provide a safe?
46. Can staff access social media, Facebook etc.? Can staff access their email via web applications?
47. Are there controls in place that monitor the appropriateness of data leaving the network?
Chapter 07
50. If yes – what security mechanisms are in place to prevent unauthorised access to organisational
information over wireless (e.g. authentication mechanism, encryption, firewall segregation
from main network)?
52. Do you have a formal IT asset register, or if not, as an alternative do you have a formal list of
your critical assets which hold organisational information?
53. How often do you carry out independent testing of your internet facing applications?
54. If you develop your own bespoke applications how do you test them before going live? What
data do you use?
56. How would an individual member of staff report a security incident or event?
59. Is any organisational data stored or replicated for BC & DR purposes? Describe the security
controls around this data?
60. How often does your internal audit check the organisation compliance with information
security policies?
61. What independent assessments are you subject to SAS70, PCI, ISO27001 etc.?
62. What training takes place with regard to information security and how many staff have
received this in the last 12 months?
63. Do you have agreed procedures in place with your third party suppliers in regards to reporting
data security breaches within an agreed timeframe?
Each response to the above could be rated according to a predefined scale which in turn
could be used to drive an objective risk rating to compare one party to another. One scale
might include; Best Practice, Good Practice, Adequate, Needs Improvement, Ineffective.
Thus, a completed assessment would look as indicated in the diagram below:
Chapter 07
2. Who do they report to? Best Practice
4. How are risk assessments communicated and how is sign off obtained
Ineffective
from the key stakeholders within the organisation?
7. How do you know people have read the policy? Best Practice
8. Do you test staff understanding of data security policies on induction and
Ineffective
once a year after that?
9. Does your policy include any specific notification requirements if there are
Needs Improvement
incidents in relation to organisational information?
10. Is there an emergency response process for dealing with serious security
incidents and attacks?
13. Do you know where all information is stored within your organisation?
How?
14. What policies, procedures and practices do you have in place for secure
transfer of customer and sensitive data?
15. How do you keep track of all your IT hardware and removable media?
25
Score
23
20
Best practise 4 6.3% 49.2%
17
15
Good practise 10 15.9%
10 Adequate 17 27.0%
10
9
5
Best practise 23 36.5% 50.8%
4
Ineffective 9 14.3%
0
Best Good Adequate Needs Ineffective
practice practice improvement TOTAL 63 Overall risk High
assessment risk
Effective rating
Adequate 17 27.0%
Ineffective 9 14.3%
Appendix 2 – Tracking
the remediation plans –
an example
Chapter 07
and oversight
by company Tracking the remediation of a number of
It is recommended that a template is companies will require a mechanism that
prepared that allows consistent reporting of allows for the risk to be assessed as well
information security capabilities in the third as manage the closure of the risks. One
parties that cross refers to the question set method is a simple spreadsheet list with a
issued so that cross referencing can occur. number of actions noted against a closure
The report should cover the following date as shown in the diagram below. This
headings/fields and is probably easiest shows the severity of the risk attached to
to manage within a spreadsheet: each remediation action and which month
they are due to be completed. “Time Now”
•R
eference Number (i.e. question number
is annotated with the blue vertical line
from the issued due diligence questions)
whilst the yellow and red areas show those
• Review finding actions that are greater than 30 or 60 days
•R
ecommended action by the contracting overdue respectively. At the base of the
organisation table is the total number of actions due per
risk rating which in this case is four levels of
• Agreed action(s) between the parties severity. There are software tools available
• Status (i.e. red, amber or green) that help with this process as well as
manage the evidence gathered in support
• Start date of the remediation process.
• Due date
• Actual delivery date
• Issues raised (for use at intervening
periods prior to delivery date)
• Issue resolution
• ISO 27001 or other such standard
mapping (i.e. refer to a control
reference number)
• Supervisor’s comments.
Chapter 07
3rd Party Oversight Plan 2013
100
Number of tasks
80
60
40
20
0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Debs, the table is in the InDesign file with the same name
Progress of 3rd party reviews
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
No. of reviews planned 20 4 4 3 7 9 7 7 4 6 8 10
No. of reviews completed 20 4 8 2 2
Shortfall 0 0 4 3 -2 -11 -18 -25 -29 -35 -43 -53
Remediation planning actions
No. of parties to remediate 0 4 4 4
New 173 31 0 12
Total closed 8 15 37 46
Total open 165 165 165 110 110 110 110 110 110 110 110 110
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
Rarely
that does a day go
inadequate
attention to the
by without a significant
risks may have
software or service
contributed
toprovider
potential announcing that
breaches being
their product or service
overlooked.
will be migrating to
“the cloud”.
Chapter 08:
C hapter 0 8
Cloud: Cyber risk
and reality
Chapter 8: Cloud:
Cyber risk and reality
Dan Roberts
Can companies move to the cloud with migrate any of a range of IT infrastructure
Chapter 08
confidence, knowing that risk is managed, into a management environment, while
and that data, including confidential and leaving other elements of infrastructure
personally identifiable data, is protected? under the direct management of the
Can companies be confident that levels of company itself leads to the idea that
service will remain the same or be better? there may not be many type of “cloud”
Can companies be confident that capacity implementations.
will be there when and as required?
So instead of talking about “outsourced
While we cannot answer those questions providers” we now speak generically
without doubt, it is possible to consider about something called the cloud. And
the threats posed by the cloud against while we may talk about the cloud, it is
traditional IT infrastructure threats. That important to keep in mind that this in
comparison, depending on each company’s actuality represents one or many different
risk appetite and tolerance, should provide providers of systems and infrastructure to
insight into the real risks associated with one or more companies or divisions within
cloud in context of the existing risk IT a company.
related risk environment that companies
The different types of cloud can be
currently live with.
thought of along two dimensions – the
coverage of systems and infrastructure
Defining “Cloud” within the company, and the depth of
services provided.
As with so many trends, cloud has grown
to become an all-encompassing term, in
Coverage of Systems and
this case for the outsourcing of information
systems infrastructure in various forms.
Infrastructure:
Companies need a wide range of systems
But what is “the cloud”, who owns it,
to operate effectively, from general ledger
where is it, and is it safe? While there are
and financial reporting, logistics, HR systems
multiple types of cloud (discussed below)
and others specific to the business of the
conceptually cloud is the migration of
company. We can think of cloud coverage
capability from within the control of the
in terms of the range of systems that are
company to an outsource provider or
outsourced. This leads to a hybrid cloud
manager of systems and infrastructure.
environment in which a subset of systems
Yet even within that definition there are migrate to the cloud, while other systems
many potential subsets. Are we outsourcing remain under the operational control
the management of the application, the and management of individuals within
systems and platforms, or only a subset of the company.
the systems and platforms? The potential to
Chapter 08
Companies The threat profile of information system is critical for most businesses today to
need a goes far beyond cyber threat alone, and simply “open their doors” to do business.
while that is a topic of this paper, we also Threats to the availability of systems can
wide range originate from malicious external attacks,
are looking at the range of threats to the
of systems IT and information infrastructure. The or simply from poor management practices.
to operate majority of threats, cyber or otherwise, What is important to stress is that threats
effectively, from fall into the following categories: to IT Infrastructure are not dependent upon
general ledger •D
ata theft or loss covering the potential an internal or external threat environment,
loss of data for gain of individuals or or dependent on “cyber” as the vector for
and financial introduction of exploitation of weaknesses.
competitors, damage to the brand, or
reporting, loss of data resulting in the inability to These threats are not new. Our question
logistics, run the business. Note that the loss of is: are these threats different in a cloud
data and the resulting impact on the environment, and if so, is the threat profile
HR systems
business is not “cyber” per se, and that greater, the same (but different) or even less
and others the penetration of systems via cyberspace than in the traditional corporate owned and
specific to the is not the only threat to data. managed IT Infrastructure?
business of •U
nauthorised access to or use of
the company. systems and data or information is a
threat to any business, and across the
business. For example, inadequate
management of user rights could
result in the creation of fake vendors,
unauthorised payments, leaking of
corporate plans to competitors, or simply
a loss of control over who does have
access, and to what information.
•P
rivate information exposure can
occur through malicious intent (such as
from the theft of credit card or banking
information, or medical information), or
through poorly functioning systems that
allow for data leakage. Again, these are
threats to the business that may or may
not have a “Cyber” component.
Chapter 08
the information has value and therefore and classification
should be protected. Companies therefore Closely related to the issue of logical
should define the sensitivity (legal or access to data is the establishment of
commercial) of information and implement levels of security classification of data.
security commensurate with their assessed The classification and segmentation of
level of sensitivity. data allows for different levels of security
and access. Some information should
Ownership of infrastructure be available publicly (published price
Historically companies have ‘owned’ lists, train schedules, etc.) while other
(even though the equipment may in information is of a far more confidential
fact be leased for accounting purposes) nature (blueprints, network diagrams,
their own IT infrastructure, and been pricing models, budget, etc.).
responsible for day to day management.
This includes asset recording to systems
patches and applications, to user access
and capacity planning and management.
This ownership model has required a
significant investment in operational
management of the infrastructure. Such
management has come at a price, and
from an IT Audit perspective, it has been
common to see inadequacies in control
environments in which effective control
would result in increased operational
expenditure.
1980s
Chapter 08
Mini-computers Personal computer
From mainframes there is an End User Computing came into its
evolution to the mini-computer, best own with the advent of the Personal
exemplified by the Dec and the word Computer. By 1985 we begin to see
processing computers produced the first portable personal computers
by Wang. These mini-computers – twenty pound metal cases with
provided the first active peer to peer floppy disk drives, and the earliest
network environments, in which the hard disk drives. The day of personal
monolithic central network was not data had arrived, and the assumption
longer the single source or controller was that data and processing would
of all data. The move to “End User continue to push further out from
Computing” had begun. the datacentre, and that one day,
corporate IT would be replaced by
user developed applications.
1980s
Present/Future
Chapter 08
of threats and consider them from the
When determining the threat profile of a traditional IT or cloud perspective. In doing
traditional IT versus cloud implementation so, we can also consider the mitigation or
alternative, it is important to consider the controls aspects of each, and in so doing,
specific threats associated with each of develop a set of questions or tests that we
the two option. We argue that the range can apply to each option.
of threats is the same regardless of the
selection of traditional IT or cloud. Our list The threats: traditional vs. cloud
includes: In considering threats to traditional IT
• Access control environments, it is worth providing a
• Segregation of duties quick definition. By traditional we mean
those IT environments that are hosted
• Information Security
within the physical premises of the
• Classification and access authorisation organisation, be those premises owned
• External penetration or malware or leased, and for which the organisation
controls both logical and physical access.
• BCP/DRP Traditional IT environments also include the
• Availability software, both application and systems/
• Operations network, development or managed by
• Backups the IT department of specialists of the
organisation. By “cloud” we mean the
• Load balancing range of cloud options defined above.
• Capacity planning It is probably worth noting that today there
• Project management are very few businesses that are completely
“traditional IT environments” as almost all
• Ownership
exploit to some degree, cloud type services
• Monitoring or applications.
• Commercial agreements
• Service Level Agreements
• Safe harbour
system or data.
With most cloud based infrastructure, determination
This function frequently is assigned to an individual or and administration of access remains with the service
team within IT, and can be a boring and time consuming user. Where provision moves to the cloud provider, it is
activity. As such it is not unusual to find that the processes important to put in place review processed to ensure that
function adequately at best. Coordination with other parts revocation of access is being performed when requested.
of the organisation are required, such as HR to confirm
Assessment: No change to risk profile.
new starters, terminations or departures, and changes
in role function that require changes in system access.
Segregation of duties
Segregation of duties is a fundamental control, and is Migration to a cloud environment does not alter the
applicable across applications and operational functions fundamental importance of segregation of duties.
within IT departments and across the business more In addition, it does not change responsibility for
generally. The establishment of systems based segregations implementation and management of system level access,
of duties and the management of those segregations is or application level controls and their implementation.
an important discipline in the traditional IT infrastructure
Assessment: No change to risk profile.
environment. Some examples of segregation of duties
include multiple signoffs for payments, isolation of
developers from production environments, and not
allowing individuals that set up vendors to issue
payments to vendors.
Information security
Information classification and access authorisation: Movement of corporate information to a cloud
infrastructure environment does not change the nature
Access to the right information is critical to effective
of the sensitivity of information. Nor does it alter the
accomplishment of role responsibilities. This must be
threat profile associated with any piece of information.
balanced the danger of inadvertent or intentional release,
Classification of information remains an important
theft, or loss of information, depending on the criticality
aspect of information security, as is determination of the
of that information.
appropriate logical (and physical) infrastructure. Sharing
Information security, through technical access controls, of critical information on common logical drives in a cloud
Chapter 08
network and application security, and the application of environment is as dangerous as sharing that information
controls over information is critical. To enable this to be on common drives in a traditional IT environment.
accomplished in a meaningful and cost effective manner,
Assessment: No fundamental change to risk profile.
the classification of each piece or type of information is
needed. Information that is of the highest commercial
sensitivity needs to be protected. Likewise, access to client
or customer information, in particular personally sensitive
or identifiable information, must also be protected.
Traditional IT infrastructure has provided frameworks and
systems to control access, and to classify information.
Separation of servers, disk “farms”, encryption and
additional monitoring have provided comfort that such
information is being protected.
Effective levels of information security and protection via
segregation, monitoring and security can be expensive and
time consuming, and is a classic area starved of resources.
The risks can be high, as can remediation costs.
Availability
Uptime availability relies on a number of potential points The only significant change in a cloud infrastructure
of failure throughout the infrastructure, from the environment is outsourced management of availability
“terminal” (be it a PC, laptop or mobile device) through of the “host” systems, data and physical support
local routers, network connections, and “host” systems environment. Associated with that change is the ability
and the physical infrastructure required to house and to include service level and uptime requirements that
maintain each element. can be linked to penalties for failure to achieve such
availability targets.
Assessment: Potential reduction in the risk profile.
Operations
Backups: Confirmation of backup and recovery capability remains
the responsibility of the client, even when the function
Backups of data are taken at regular intervals for two
is performed by or through the cloud infrastructure.
primary reasons: to ensure the ability to recreate a
Contractual agreements remain only as good as the
situation at a certain historical date/time, and the free
client’s ability to confirm to their own satisfaction that
online storage, saving space and cost of equipment.
such operational activities are being performed on their
Management of backups is a core activity of IT Operations, behalf. This means that it remains important to periodically
and backups should always be removed to off-site perform recovery tests to confirm that backed-up data can
locations to reduce the risk of a loss of data, and the ability be restored as and when required.
to recover to the most recently saved position. This requires
Equally, the cloud is as fraught with risk as any platform,
Chapter 08
a set of operational disciplines be put in place, including
and the commercial health of any cloud provider should be
the regular cycling of backups to/from off-site locations,
carefully considered before using such providers for critical
regular recovery tests, and periodic auditing of the off-site
functions such as backup and recovery capabilities. For
registers to confirm that all backup data is accounted for.
example, on 9 August 2012, The Register (online) reported
“Blue Solutions have now received emailed confirmation
that Doyenz will no longer be providing or supporting the
rcloud backup and recovery service in the UK by the end of
this week, 10 August 2012. We understand that Doyenz
has emailed UK resellers and MSPs directly to notify them
of the change. Doyenz’s removal of the rcloud service is
surprising and disappointing. We understand that Doyenz
will retain client data on its systems until only 31 August
2012. We believe [but this is unconfirmed to us] that
Doyenz will offer our UK resellers using the rcloud service
the option to back up data to its US cloud servers.”
Assessment: The risk profile is not higher or lower,
but certainly changes.
Project management
Change to implemented systems, technologies and Cloud is the delivery channel for information supporting
processes should be managed through formal Life Cycles processes. Project Management therefore should view the
and project management professionals. The PMBOK cloud simply as an alternative delivery platform.
(Project Management Body of Knowledge) provides
Assessment: The quality of project management
one commonly accepted set of guidance for delivering
processes and individuals remains the same in the
projects. In our traditional IT environments, effective
cloud environment.
project management is fundamental to achievement of
cost effective, timely delivery of functionality and process
change across the business.
Ownership
Actual balance-sheet ownership of IT resources has been Cloud, depending on the type (IAAS, PAAS, SAAS, NAAS)
both an accounting and cash flow issue, not a technical provides the ability to smooth IT expenditure, yet also
issue. Decisions to capitalise certain IT spend (hardware removes or alters the ability to capitalise IT costs.
naturally, software, and development activity) has gone
Assessment: The risk / reward structure is altered,
hand in hand with the desire to smooth total IT spend,
and FDs wishing to continue to capitalise IT costs
and to control such spend from unexpected changes
may need to consider how this can be accomplished
(as discussing capacity planning above). Fundamentally
in a cloud environment.
however, there are few compelling reasons (provided
data retention and destruction policies are in place) for a
company to actually own (or lease) a particular piece of
equipment or software.
Commercial agreements
IT Infrastructure requires a range of commercial Commercial agreements do not disappear by moving the
agreements, frequently with a large number of providers of cloud, they simply change to reflect the nature and range
materials, consumables and services. Because of the wide of services that will be included in a single contract with
range of services, it is important that a vendor database the cloud service provider. While this can reduce the total
and set of procurement standards are in place and number of contractual relationships, it does not abrogate
monitored for compliance. the need to negotiate appropriate contracts, or to ensure
that the contracts meet the full range of needs of the user
A core element of many contracts includes the “Right
Chapter 08
of the service.
to Audit”. The clauses can be limited in some cases to
auditing against the contract itself, while other clauses can Further, as cloud providers grow in size and aggregate
be wider, allowing auditing of wider performance issues. delivery platforms into consolidated data centres, the Right
to Audit, while important, may result in a reduced ability
Fraud can become ‘easier’ where the number of suppliers
to actually perform an audit of the “datacentre” or other
increases, the controls over vendor acceptance are weak,
physical infrastructure. Operational support activities could
or where there are few people who understand the nature
still be audited.
or uniqueness of a service being provided. For example,
where maintenance services are required but not fully Assessment: Little change to risk profile, no increase
understood in terms of market costs for such services, in risk.
it is possible to fraudulently exaggerate the cost of such
services, and skimming the extra fees for personal gain
(example witnessed by the author, with jail time for the
Chapter 08
Finally, IT infrastructure, traditional or cloud,
must be monitored constantly to ensure
The larger the
that service levels are being met, that cloud provider,
potential service issues are being identified
early, and to ensure that changes needed generally the
are being planned for implementation prior less negotiating
to actualisation of the issue. Of course, the
exact date or time of the actualisation of power or leeway
any issue or event can rarely be predicted.
What is important is to ensure that both (or
exists in the
all) parties are monitoring such information contract.
as is available to ensure that there is as
much notice of the event as possible, or to
ensure that responses to the event(s) are
effective and rapid.
References
(1) (http://www.accountingweb.co.uk/
article/sage-moves-mid-market-erp-
suite-cloud/543954)
(2) (http://www.informationweek.
co.uk/security/management/5-
dropbox-security-warnings-for-
business/240005413 and http://www.
techrepublic.com/blog/security/
dropsmack-using-dropbox-to-steal-
files-and-deliver-malware/9332)
(3) http://www.coso.org/documents/
Cloud%20Computing%20
Thought%20Paper.pdf
(4) http://en.wikipedia.org/wiki/Thin_
client (as accessed on 12/10/2013)
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This
that chapter will
inadequate
attention to the
examine the business
risks may have
benefits of mobile device
contributed
touse and also look at the
potential
breaches
threat being
vectors.”
overlooked.
Chapter 09:
C hapter 0 9
Mobile Devices
14 Wikipedia defines Mobile Devices as a small, handheld computing device, typically having
a display screen with touch input and/or a miniature keyboard and weighing less than 2
pounds. It therefore excludes the traditional laptop from the scope of mobile devices.
Chapter 09
are not just the introduction of the
technology but also the right behaviours There are a range of options available to
if critical data assets are to be protected. organisations when considering the use
With the right risk assessment and testing of mobile devices depending upon the
and the right level of staff behaviour, mobile value of the data within an organisation
devices can be secured to meet business and the level of controls that need to
needs and allow faster adoption of new be put in place. This is everything from
technologies and working practices. the “do nothing” option where BYOD is
permitted with no organisational controls
or interference, to the prohibition of
Definitions devices as they pose unacceptable risk
BYOD – Bring your own Device: Employee to the organisation. This is represented
is permitted to bring their own device and schematically opposite. Other options
use it for work-related purposes may also be available to organisations
depending upon their existing or planned
BYODT – Bring your own Device & infrastructure. For example, using 3G or
Technology: BYOD plus the employee’s 4G mobile devices securely connected
choice of applications, software and to the organisational network and using
open-source IT tools such as the cloud collaborative tools such as Sharepoint rather
and software development kits. than having any organisational data on
the device.
The relative merits of these options are devices involving the sharing or storing
Chapter 09
discussed in Appendix 9.2 to this chapter. of such data that are highlighted in this
However, we do explore the “do nothing” chapter break down to five primary risks
option further within the chapter because as follows:
it poses some significant challenges if the
•M
alware propagation leading to data
organisation wishes to reverse that decision
leakage, data corruption and physical
at a future point in time. Nevertheless, the
theft
idea of this diagram is to show that, with
a full and proper risk assessment and clear •C
riminal acts including identity theft,
understanding of the value of the data, fraud or account takeover including
a solution that permits the use of mobile unauthorised access to the network
devices is probably available. •A
ccidental or intentional data breach
leading to harm to customers,
reputational damage and possible fines
The risks •H
igh net worth individuals could be
The UK Information Commissioner’s Office blackmailed or kidnapped
states that mobile devices, particularly • Interception leading to breach, reputation
under a BYOD policy, “must not introduce damage and possible fine
vulnerabilities into existing secure
environments” (ICO March 2013, p5) and The most likely risk scenario is considered
“must not put personal data processes on more fully on the following page:
these devices at risk” (ICO March 2013, p9).
However, personal data is not the only type
of information that can cause damage to an
organisation if there was a loss. Intellectual
property or commercially sensitive data such
as client lists or the annual results before
formal announcement, are all data types
that pose a risk to the organisation if lost or
stolen. The vulnerabilities of using mobile
Chapter 09
Preconditions Event(s) Risk(s)
Notwithstanding
Personal data is edited on
the risks, there the device. This data may be
staff objectives or possibly
are many and customer data. 1. Device is lost or stolen
varied reasons Sensitive corporate data
or…
“mobile services True, writing reports, designing and collaboration and responsiveness and all
Chapter 09
CHAPTER 09
of emerging patterns is the blurring of
Push back against the use of mobile boundaries between personal and business
devices has come from IT Security and the activity”. The “always-on” expectation
business on the basis of data leakage risks might increase work pressure and decrease
from capabilities such as Apple’s Siri and staff morale. This will need to be closely
cloud solutions like DropBox. Regulated monitored by organisation to prevent
industries are nervous that they will open burnout and mental stresses and strains.
a new avenue for data loss breaches that However, if we were to adopt these new
could affect their reputation or regulator technologies and address such concerns,
censure. However, if organisations are to how might we go about implementing a
prevent the underground use of mobile successful mobile device strategy?
devices, they need to assess the risks to
their critical data. A blanket ban on mobile
devices is not a viable strategy and above all, The key steps
it will prevent organisations optimising the There are three key steps associated with
opportunities such devices can bring to lower implementing a successful mobile device
cost, increase innovation and efficiency. strategy. These are:
Anecdotally, a common response, when
asking organisations why they wanted to • Devise the operational framework
use mobile devices, was a nod and a wink, • Configuration management
“… because the Execs want it”. “Business • Data segregation
lounge envy” of the latest gadgets, while
understandable, is not by itself a robust
business case to drive a procurement strategy
or to change a business operating model.
Devise the operational framework cover the lifecycle of the device including
Chapter 09
Chapter 09
Network MDM Device MDM Application Based MDM
Which devices are permitted Authorised and Determine which operating
on the network unauthorised device systems & versions are
inventory permitted on the network
Determine access levels Authorised and Determine which
(i.e. (Guest, limited or full) unauthorised user inventory applications are permitted
on the network
Define the who, what, Continual vulnerability Control enterprise
where and when of assessment and remediation application access on
network access of connected devices a need to know basis
Which groups of employees Create mandatory and Educate employees about
are permitted to use the acceptable endpoint security MDM policy
devices components to be present
on the device
a more complex one that automatically device is also used by other family members
Chapter 09
enables encryption of all the data on the using a shared iCloud account, there is a
device. Users should have access to material risk of accidental data breach if business
and guidance notes on how to configure data is accessed by another family member.
their devices to remain compliant with the For other risk considerations on using the
business policies. It is useful if this is done cloud, refer to Chapter 8.
on four levels as shown opposite.
Assistance is available in this area as Data Segregation
many of the device providers have the Identifying the critical data to the
information to hand for organisations. For organisation and classifying it according to
example, organisations can freely download its value will enable organisations to take a
the Security Overview for Deploying iPhone tiered approach to its control environment
and iPad for iOSx from the Apple website. that is proportional to the risk. This
extends to how the data may need to be
segregated. At the one level, it may be as
Integration with Cloud Technology
simple as adopting BYOD and separating
One key area for the risk manager to
the personal and corporate data and not
consider is the acceptable use of the cloud
allowing the two to become co-mingled on
in conjunction with the mobile devices.
the device. If data classifications are used,
For example, Apple users can configure
the use of Data Leakage Prevention tools
their device to allow documents, contacts,
and tools to label emails in a consistent way
emails etc. to be sent to and stored in the
could prevent certain data classifications
iCloud. If a BYOD policy is being adopted
from being sent out without being
as opposed to corporate devices, this poses
encrypted, thus segregating data types.
a significant risk as corporate data and
It is also possible to sandbox applications
personal data may leak to the cloud. If that
User guidance
so that corporate data is contained in a The use of modern technology is a key part
Chapter 09
separate virtual world that can be password of modernisation and in many ways, mobile
protected and encrypted without denying devices offer organisations opportunities for
the personal use of the device. Should the innovation and value creation but if they
device then get lost or stolen, the corporate wish to capitalise on that opportunity they
data can be remotely wiped without must do so in a conscious way. Nevertheless,
compromising the personal data. the use of new technology should be
accompanied with a risk assessment fully
cognisant of the criticality of the data being
The “do nothing” option shared and stored on the device. It may
In researching this topic we came across well be that the assessment concludes there
organisations that made no attempt to is no risk or that the organisation wishes
control the use of mobile devices and had to take the risk but at least that is making
not considered the risk. There is no doubt an informed decision. The table below
that businesses wish to remain competitive highlights two risks that could arise from
as well as attractive to new talent. taking the “do nothing” approach.
Risk managers Organisations that do not have a sound Reading list and websites
Chapter 09
business case for the adoption of mobile Aerohive Networks White Paper, 2012,
will need to devices will not be able to articulate clearly “BYOD & Beyond: How to Turn BYOD in
for what purposes such devices may or to Productivity”
find a balance may not be used. This is likely to lead to a
Information Commissioner’s Office (ICO),
between what proliferation of mobile device use and will
March 2013, Bring Your Own Device,
ultimately increase the risk of data leakage
the user wants that for some will be incompatible with the ISACA, 2012, Securing Mobile Devices
and what the regulatory environment within which they Using COBIT® 5 for Information Security
operate and for most could undermine the
ISACA Journal Vol 1, 2013 – “BYOD
organisation protection of the organisational interests.
Security considerations of Full Mobility
needs. and Third Party Cloud Computing”
Conclusion ISACA Journal Vol 4, 2013 – “Leveraging
Mobile devices are the way ahead for & Securing the Bring Your Own Device
many organisations and offer plenty of and Technology Approach”
opportunities. Risk managers will need MaaS360, 2012, “The 10 Commandments
to find a balance between what the user of BYOD”, accessed via http://www.
wants and what the organisation needs. maas360.com/products/mobile-device-
It will be necessary to protect the secrets management in Jan2013
that give competitive advantage or data
under regulatory protection and look to
be less restrictive over the rest. Over-the-
air configuration will help organisations
achieve operational flexibility within an
appropriate control framework but other
potential risk issues around ownership
and access need to be resolved before
implementation begins so that the design
can be influenced with the outcome.
Nevertheless, the paradigm shift to mobile
devices by users is a reality that businesses
need to address and those that fail to do
so will either miss out on opportunities in
the evolving market or face data incidents
as employees find ways of using their
own devices.
Chapter 09
Agreement (EUA) could be used as a
template by organisations to ensure that
the key risks are addressed and users are
fully aware of their responsibilities. This
EUA was devised after an organisational
risk assessment on the data permitted to
be shared in comparison to the data used
within the company. It then mirrored its risk
adverse culture. Consequently, it is provided
only as an illustration and all organisations
will need to consider whether its own EUA
is fit for the intended use of the mobile
devices being employed.
Reference xxxxxxxxxxxxxxxxxxxx
Owner
Enforcement Date dd-mm-yyyy
Issue Date dd-mm-yyyy
Purpose
The purpose of this policy is to establish the rules and conditions every
user must accept in order to use a privately-owned device for accessing
[Company]’s network either locally or remotely, and accessing [Company]’s
information by whichever means through these devices. These rules and
conditions have been put in place in order to ensure that appropriate
protection is given to [Company]’s information which is stored on the private
device or accessible through the device. In signing this agreement, the user
acknowledges that there is a risk of their personal data being erased by
[Company] in the event of a security breach and this data, if not recently
backed up, will be permanently lost. Further, the user consents to [Company]
implementing the necessary physical controls and technical enhancements to
guarantee the protection of [Company]’s information.
In alignment with the [Company] Risk Policy, this policy applies to information
in all forms used within [Company], regardless of the format or location in
which it is kept
For the purposes of this policy information includes (but is not limited to):
• Correspondence (including e-mail, instant messages)
• Reports
• Documents
• Manuals
• Customer policies
• Electronic or printed information
• Voice (including conversations, phone calls, recordings)
All [Company] employees (including fixed term employees) who are authorised
Chapter 09
to use a privately-owned device to access [Company]’s network either locally or
remotely are required to sign and abide by the End User Agreement.
15. If found to be essential, automatic wipe and MDM Erase will also affect
Chapter 09
my private information and configuration on the device. I agree that it
is my responsibility to make regular back-ups of my private information
on the device, so that my private information can be restored to a
replacement handset if necessary.
16. [Company] has the right to suspend all information transmission
between the mobile device and the [Company] environment and
[Company] information or complete a remote wipe in the event that:
a. the mobile device is not password-enabled
b. the mobile device has an Operating System that is compromised or
that does not meet [Company] IT security standards
c. a breach of any [Company] Policy is suspected or detected.
d. I am absent from work for a prolonged period in which case the
standard policy for restricting access will apply.
17. I will immediately report any lost, stolen, deposed or transferred
privately-owned device under MDM to the IT Helpdesk. If I dispose,
sell or transfer ownership of this device, or cease to be entitled to
access [Company]’s network, I will remove all [Company] applications
and data.
18. I agree to allow [Company] to remotely access my device to remove
all [Company] data and [Company] applications should I no longer be
authorised as an MDM user.
19. [Company] has the right to audit [Company] data held on the device.
Date:
Users Signature:
Name:
Appendix 9.2 –
Mobile Device Options
Chapter 09
Containerised and A risk to personal identifiable As per above with Increased costs and
Chapter 09
secure Cloud. data, intellectual property additional strengths: All management overhead
or sensitive organisational valuable data is protected compared to earlier options.
data exists and needs to be and retained by the
mitigated through heightened organisation separate from
control environment. the personal data with full
remote wipe capability in
the event that the device is
lost or the individual leaves
the organisation.
Multiple personas Users only need to carry Personas are completely Integration of calendars
on device. one device. isolated from the others; and email accounts
difficult for any malware to between work and personal
infiltrate from one persona personas may prove
to another. difficult; currently limited
to Android devices only.
Management of personas
can be a software as a
service and can reduce
costs; high satisfaction
rate for users who can still
play games and use their
personal apps without IT
policy restrictions.
Corporate devices only. Companies who prefer to Consistent configuration May not reduce number
control their IT assets, the management; enforcement of user devices held
baseline configuration and of standard security per person; potentially
the deployed policies. baselines; increased business increased costs.
agility and innovation;
data security assurance,
retained accountability
and responsibility within
the organisation.
Devices prohibited. Not applicable. Absolute security of data Unlikely to be popular
with all data being kept with staff; may lead to
within the confines of the unauthorised use or people
established IT infrastructure. finding ways around
the prohibition; reduces
innovation and potentially
the business agility.
***of were
avoidable and
it is suggested
Two
that thirds of world
inadequate
attention to the
leaders are engaged
risks may have
in diplomatic relations
contributed
toon Twitter.“
potential
breaches being
overlooked.
Chapter 10:
C hapter 1 0
Social media –
managing risks and
seizing opportunities
Chapter 10
render social media both a valuable tool social media has to be taken seriously
and a catastrophic threat to the ones into account by senior management,
that are affected by their use in various audit committees and boards of directors.
different ways. These actors must ensure that they not
only identify the risks and opportunities
On one hand, social media is considered
that social media engenders but also have
increasingly a vehicle for organisations
the right risk management mechanisms in
to interact with internal and external
place in order to manage them as effectively
stakeholders: organisations are using social
as possible.
media tools and ‘big data’ platforms to
build brands and communities which can Finally, this chapter does not seek to provide
engage customers in regular feedback an unequivocal definition or a list of what
dialogues; HR managers look for job social media is and includes. As a rapidly
candidates on LinkedIn and XING; R&D evolving reality and uncharted territory,
teams publish their development guides rather than a static list of platforms, social
on corporate Wikis; and technical support media is not a term that could (or should)
personnel use instant messengers to discuss be strictly defined. However, in the context
in real time critical issues with the product. of this chapter, social media can be seen
as the means of technology-supported and
On the other hand, the extensive use of
internet-based interactions through which
social media renders organisations subject
users can create, share and/or exchange
to numerous risks that can cause serious
information and ideas for numerous and
damage to them if not managed properly.
diverse purposes, such as entertainment,
The fact that in the UK more than 51 per
business, communication, recovery after
cent of organisations do not address social
disasters and education.
media risk as part of their risk assessment
process, with 45 percent indicating that
they have no plans to do so in the coming
year’s audit plan, reveals the perfunctory
management that those risks receive.
Additionally, of those that do address
social media risk, 84 per cent rated their
organisation’s social media risk-assessment
capability as “not effective” or just
“moderately effective.”
Chapter 10
had a 17 per cent chance of guessing Unprofessional Employee Behaviour:
the correct answer to a secret question One of the most revealing examples of
after accessing their social media this risk is the case of Domino’s Pizza.
profile4. As it becomes evident, the fairly The company had a shocking experience
basic methods and simple password in April 2009, when two employees
controls that social networking sites posted on YouTube a video that showed
use in order to verify a users’ identity them contaminating sandwiches and
render quite easy the creation of a ‘fake’ pizza with body fluid. The video was
organisational account; or give the ability spread through YouTube and other social
to an individual to pretend to be another media all over the Internet, bringing
individual; or to take control of an very quickly the company in front of
organisation’s page in social media. a significant public relations problem.
This tactic is commonly known as As Domino’s spokesman Tim McIntyre
account or identity hi-jacking and its noted, “Even people who’ve been with
consequences can be severe for the us as loyal customers for 10, 15, 20 years
subject of the hi-jacking. are second-guessing their relationship
with Domino’s, and that’s not fair.”6
Last February, Burger King faced a
relevant social media problem. The Apart from that example, oversharing
company’s Twitter account had been of corporate information by employees
hacked — its name had been changed to can also happen unwittingly. It is true
McDonalds and its background replaced that a large number of social media users
with an image of Fish McBites. In the post information about their work. A
hour it took for officials to regain control, recent study of Twitter users found that
hackers proceeded to send 53 tweets 62 per cent of them tweet about their
to the burger chain’s more than 80,000 work, with more than one in 10 doing
followers, ranging from the mildly funny it daily 7. Additional leakages can come
(“if I catch you at a Wendy’s, we’re from contractors, vendors, partners, and
fightin!”) to the patently offensive affiliates. As it will be explained further
(“We caught one of our employees in below, such behaviours can expose the
the bathroom doing this...,” with an organisation to data breaches and loss of
image of a drug user shooting up) 5. confidential information, the implications
of which that can be staggering for the
organisation.
•C
andidate screening: social media sites misconduct 8. Clearly, then, a determining
Chapter 10
•P
roductivity and Professional • P hysical Safety: Online activity can lead
Chapter 10
Standards: According to a study to actual physical attacks if users of social
conducted by uSamp in March 2011, media reveal personal details such as their
social media is listed as one of the causes address, family details or location (either
for approximately 60 per cent of work directly or indirectly). The likelihood of
interruptions10. Such statistics increase this risk materialising increases when it
even more organisations’ concerns comes to people that have significant
regarding the impact of social media on roles or key positions in society, politics
their employees’ productivity and nurture and the business world.
the impression that social media captures •G
overnance: The option of personal
their attention and leads to the waste and direct internal communication that
of valuable time. Undoubtedly, loss of social media provides to the employees
productivity will occur if social media is of a company can undermine the norms
mismanaged by the organisation and and lines of authority that exist among
its people. different levels of the hierarchy and, thus,
affect negatively the effectiveness of the
Also, inadequate use can undermine organisational structure and the quality
professional standards, because social of administration. Of course, such a risk is
networking at work can blur the lines more likely to occur when social media is
between personal and professional life. used by a critical mass of employees that
Finally, there is also the possibility that as communicate through it with each other.
employees connect with one another on
social media hostile work relationships
may be created. This can happen if some
employees get offended by information
they find on their colleagues’ profiles.
•T
echnical fault: The vulnerability of 3. Risks associated with
Chapter 10
some social media sites to technical information
faults can result in a failure to implement
•R
eputation: Perhaps the most damaging
the user’s privacy settings. In this
potential impact of social media is the
case, information that is confidential,
one it can have on the reputation of an
personal or sensitive in other ways
organisation or an individual. Employees,
may be released.
customers, suppliers and vendors not
•B
andwidth: Ponemon Institute recently only can be an organisation’s greatest
surveyed over 4,000 IT security leaders ambassadors, but also can undermine
in 12 countries and, according to their its brand and public image. At the
answers, one of the top two negative same time, social media users can post
consequences of widespread social media defamatory comments about a business
use is reduced IT bandwidth (77 percent) and its products – or services – and then
– a fact which increases costs. In the share it with each other. After all, no
context of an organisation, if there is lack one can control or change what is
of proactive management and adequate posted online.
planning, insufficient bandwidth will
• L egal and regulatory risks: The
cause problems to all the services that
fact that content is posted, accessed
rely on the bandwidth12.
or distributed by users or employees
through the organisation’s social
media pages renders the organisation
subject to certain obligations regarding
compliance with regulation and certain
legal frameworks. Failure to comply
with such schemes can create financial
and legal liabilities to the organisation.
Exposures to legal liability can derive
from, inter alia: slanderous, libellous,
or defamatory comments; leakage of
sensitive information; online bullying;
and breach of intellectual property rights.
•C
risis Management: Cases such as that From many perspectives, the consequences
Chapter 10
of the Arab Spring have demonstrated for the organisation can be disastrous.
how extremely powerful social media If the company’s competitive advantage
can be in serving as a vehicle through is based on the information leaked, a
which pressure groups form and gain data breach could damage irreversibly
voice. In a crisis situation, virtual pressure the company’s strategy and, as a
groups can be created so fast that the consequence, its financial performance.
organisation will be unable to respond Moreover, a disclosure of client
promptly, whereas an inappropriate information can lead to loss of trust
management can aggravate both the and confidence towards the organisation
crisis and its consequences. from the clients’ side or cancellation of
•D
ata Leakage: In the era of big data, cooperation between the two parties.
organisations receive, produce, edit, Finally, other potential implications of
share and store a massive amount of inadvertent information leakage are
information on a daily basis. According the detriment of its reputation or the
to the 2013 Information Security failure of the organisation to comply
Breaches Survey in the UK, 14% of large with information security laws and
organisations had a security or data regulations.
breach in the last year relating to social
networking sites13. From confidential HMV, the international media retailer,
documents and internal communication has experienced a relevant traumatic
to trade secrets and intellectual property, data breach incident in the past. In
data can be leaked and even become January 2013, a disgruntled social media
publicly available via social media manager hijacked one of the company’s
websites. Once this happens, it will social media accounts and made available
not be possible to fix the damage by to the public details about recent layoffs
completely deleting what has already and mismanagement14.
been posted online. Data breaches take
place when employees accidentally or
deliberately send valuable corporate
data to destinations outside of the
organisation’s network borders.
Chapter 10
risk management, public relations,
None of the myriad risks associated compliance, audit, and any other
with social media use can be eliminated affected function. The team should
completely. However, taking a thoughtful be formally chartered so that each
approach and structured approach to person understands his or her role and
understanding and assessing the risks responsibilities. A project or programme
and then developing and implementing a manager should help the team track
comprehensive plan will reduce significantly and maintain progress.
an organisation’s susceptibility.
Training: All levels of hierarchy must
3.
1. D
evelopment of a social media receive proper and regular training
policy: Companies need to have on how to implement, monitor and
policies that set guidelines regarding enforce the guidelines that the policy
what acceptable use of social media has set out. However, top management,
means to them and their employees. brand managers and social media
These policies should address areas page administrators have to receive
such as employee use of social media at tailored training, as they have key roles
work, social media use during employee as ambassadors of the organisations
hiring or termination, and vendor at an external level and as leaders
management policies. In addition, that define the tone-from-the-top at
policies must include all the types of an internal level. The content of the
sites and channels that the term ‘social training sessions must include security
media’ refers to, such as YouTube, and compliance issues, as well as more
Pinterest, Google+ and micro-blogging advanced themes, such as using social
sites, instead of focusing only on the media for sales and improvement of
most obvious media, such as Facebook internal workflows. In addition to
and Twitter. this training, companies can also take
Engage a multidisciplinary team:
2. advantage of the online courses and
Many organisations mistakenly think webinars for users that some of the
of social media as an IT or marketing best social media tools now come
problem. Because social media activity equipped with.
can affect a wide range of departments
and functions, representatives from all
the affected groups must participate
in order to address the issues related
to social media. An effective strategy
brings together senior members of
4. C
areful handling of customer Monitoring of the company’s own
6.
Chapter 10
Chapter 10
to submit their ideas for a better logo,
The most The advantages of social media when Gap decided to revert back to the logo
used in the right way are multiple:
common they had had for more than forty years.
•C
ommunication with a massive In this way, Gap established a new sense
password in audience and a global market: of trust with their community, which feels
as though it is now part of the logo and
2012 was still According to a recent study by Burson
the brand. In addition, by introducing the
– Marsteller, 80 per cent of social media
“password”. users prefer to connect with brands new logo online before it went out, Gap
through Facebook16. This fact gives an saved the high expenses associated with
idea of the potential that businesses rebranding their stores and advertising.
can unlock if they utilise social media •D
igital Word-of-Mouth: When existing
effectively in order to advertise and customers share positive comments
promote their brands. More specifically, or experiences regarding products or
social media can serve as a vehicle for services, they can inspire the confidence
them to reach a massive global audience of new customers and be an important
in a direct, interactive and – usually – deciding factor for choosing a company
free way. over its competitors.
•C
ontinuous improvement and •E
nhanced relationship with clients
Innovation: The feedback and criticism and consumers: The information
that a business receives through these gathered through social media enhances
channels nurtures and orientates efforts businesses’ market intelligence and
towards progress and continuous enables them to understand profoundly
improvement. In this way, the business their relationship with consumers, while
understands its customers’ needs, the digital intelligence acquired informs
attitudes and experiences and provides the marketing, sales and media relations
new or improved products and services activities. Retailers, for instance, are
accordingly. collecting data from multiple social
media sources in an effort to offer their
When Gap used Facebook to announce consumers products that meet more
their plans for a new logo a few years closely their personal goals, such as a
ago, it was hit with a massive amount healthier lifestyle. Furthermore, insurance
of negative comments. However, Gap companies are combining customer
managed to turn the situation around and information gathered through social
make the most out of it. More specifically, media with real driving data collected
not only did the company listen to the from car censors so as to tailor their
negative comments regarding their new policies and premiums in ways that reflect
logo, but it also did something essential real risk and are not based only on the
about it. After trying to alleviate the criteria of age, gender and geography.
•T
alent: Acceptance of social media in Besides, the more active a company is
Chapter 10
the workplace could serve as a criterion in social media, the more “friends” and
for talented candidates to pick a specific “fans” it will have. As Erik Deckers, author
organisation for employment instead of of the books Branding Yourself and No
other employers who are not embracing Bullshit Social Media, notes, “these people
this access. At the same time, human may be able to help a company through
resources departments take advantage a crisis. Instead of relying only on internal
of social media as a tool for recruiting staff to help mitigate the damage, the
new talent. company will have a group of consumers
•C
risis management: social media can that may do some work for them.”
be used by governments, organisations, •C
oordination in the context of the
mainstream media, and the public to extended enterprise: Initiators and
make the flow of information instant intrapreneurs are not just using social
(and instantly helpful) when help is media to make their efforts more
needed most. For example, one Facebook transparent and accessible; they are using
user created a Hurricane Sandy news these platforms to improvise and organise
page that received 191,000 likes and that new ways to get the job done. They are
dispensed loads of information critical for using these tools and technologies to add
those wanting to know which areas were value to existing processes or to create new
safe, to identify the where their friends “just-in-time” processes (and programmes)
and family are, and to stay aware of the that the C-suite and other senior managers
progress of relief efforts. had never envisioned. Social Media inside
and out of the enterprise lowers the costs
In the case of organisations, social media and increases the power of individuals to
can help them prevent a flow of false, productively coalesce and coordinate on
misleading or negative information by their own initiative.
replying timely and effectively to certain
events and crises. “If someone searches For example, implementing a multi-media
your brand, you want them to see the proposal developed by MIT students, a
following results page: your paid ad, your company’s supply chain and procurement
corporate website, your blog, Facebook teams utilized LinkedIn, private Tweets
page, YouTube channel, LinkedIn, your and cut-and-paste Sharepoints to quickly
tweets and Twitter account, says Lindsay coordinate go-to-market product changes
Durfee of PR/PR. “Because now you with key vendors. By overcoming diverse
have taken up almost all 10 spots on issues, such as incompatibility among
the search results pages of Google, communications networks and the lack of a
Yahoo! and Bing. Customers searching proactive IT department, the ad hoc network
for you will see everything you have to enabled suppliers to transparently coordinate
offer instead of websites trashing your and collaborate with each other as well as
organisation.” respond to their customers’ requests.
Chapter 10
organisation: As Kelda Wallis of
As every industry, brand and organisation Tempero Social Media Management
is characterised by specific needs and highlights, “the key in determining your
attributes, best practices regarding social social media strategy is to understand
media cannot be generalised. Rather your social purpose. In other words,
than being a panacea to heal the gaps find what you can give to your audience
and possible mistakes that companies’ and how you want to connect with
conduct in the context of their marketing it”. In doing so, the organisation has
and corporate strategy, social media to create strategy that is based on the
should be seen as a tool that facilitates the value it can deliver to its customers
communication of an organisation with its and fully considers the appropriate
stakeholders and empowers it to seize the use of social media channels in order
wide range of opportunities that the digital to match its unique attributes. Finally,
era has to offer. In order to achieve that the social media strategy must not be
though, there are several parameters that isolated from the corporate one. On the
organisations should have in mind. These contrary, is should embrace and support
are the following ones: all the components and functions of the
1. L istening is essential: Before, while organisations in the best possible way.
and after an organisation builds its Communicate your social media
4.
social media strategy, it is essential that strategy adequately: All levels and
it listens to what is being said on social employees of the organisation must
media. Listening must not be limited to be aware of how social media are
the competitors and the target audience utilised by the organisation. However,
of an organisation, but it should rather it is equally important that they are
include all the wider conversations that communicated what they are allowed
take place on social platforms. and not allowed to post about the
Analyse what you “hear”: By
2. brand, the works place or their
listening to its current or potential colleagues online. Also, it is essential
audience, the organisation collects for that top management gives the right
free data that can be distributed to tone-from-the-top by embracing the
utilised by its various divisions: from social media strategy and policy and by
sales and marketing to production and being the ambassadors of the brand on
finance. In addition, it enhances its the different platforms.
database in a way that renders much
easier the conduction of benchmarking
analysis as well as the comprehension
of what the current trends and the main
influencers are.
According to the analysis realised in this Have you trained your employees so as
Chapter 10
paper, the answer to the cyber threats to increase their awareness of risks and
the organisations are exposed to due to opportunities associated with social
the use of social media is not to ignore media use?
social platforms or ban their use within
What is the structure of roles and
the organisational premises. Organisations
responsibilities regarding social media
must rather realise the uniqueness of the
in the context of your organisation?
advantages that this tool can offer them
and make sure that they allocate the right How has your organisation made sure that
resources through an adequate strategy it is able to manage a crisis related to a
so as to turn social media into a vehicle social media incident (e.g. an employee
through which they deliver value to dismissal gone public via Twitter)?
their audience.
Bibliography
Chapter 10
1
McLuhan, Marshall. Understanding 8
http://www.acas.org.uk/media/
Media: The Extensions of Man. New York: pdf/f/q/1111_Workplaces_and_
McGraw Hill, 1964.Federman, M. (2004, Social_Networking-accessible-version-
July 23). What is the Meaning of the Apr-2012.pdf
Medium is the Message? Retrieved 9
http://www.huffingtonpost.com/
09-08-2013 from
alexandra-samuel/when-hr-decisions-
http://individual.utoronto. become-_b_2664001.html
ca/markfederman/article_
http://harmon.ie/Company/
10
mediumisthemessage.htm
PressReleases/press-release-
2
Burson – Marsteller Twiplomacy Study may-18-2011
2013: http://twiplomacy.com/
http://www.websense.com/content/
11
twiplomacy-study-2013/
ponemon-institute-research-
3
http://www.consumerreports.org/ report-2011.aspx?cmpid=prnr11.10.06
cro/news/2010/05/consumer-reports-
http://www.websense.com/content/
12
survey-social-network-users-post-
ponemon-institute-research-
risky-information/index.htm
report-2011.aspx?cmpid=prnr11.10.06
4
Robert Lemos, “Are Your ‘Secret
https://www.gov.uk/government/
13
Questions’ Too Easily Answered?,”
uploads/system/uploads/attachment_
Technology Review, May 18, 2009,
data/file/200455/bis-13-p184-2013-
http://www.technologyreview.com/
information-security-breaches-survey-
web/22662/?a=f
technical-report.pdf
5
http://www.bbc.co.uk/news/world-
http://www.huffingtonpost.com/
14
us-canada-21500175
alexandra-samuel/when-hr-decisions-
http://www.nytimes.com/2009/04/16/
6
become-_b_2664001.html
business/media/16dominos.html?_r=0
http://gizmodo.com/5954372/the-25-
15
Chapter 10
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
You
that only have to read
inadequate
attention to the
about the increasing
risks may have
number of publicly
contributed
toquoted
potential data breaches
breaches
to seebeing
that an insecure
overlooked.
system is not good
for business.“
Chapter 11:
C hapter 1 1
Building a secure
system: Why do
we need to do it?
How do we get it?
And where should
we start?
Chapter 11:
Building a secure system: Why do we
need to do it? How do we get it?
And where should we start?
Paul Hopkins, CGI
secured system will ultimately have a However, at the end of the day, the systems
significant impact on the business. Secure were compromised and exploited due to
systems engineering, is not something weaknesses in the overall system design
that usually gets prioritised against the that were not adequately assessed at the
need to get to market quickly or reduce outset by the system designers.
costs, unless of course the business truly
understands the risks. It is possible you may be fortunate enough
not to have your business put at risk as a
This chapter covers the risks arising from consequence of a security breach. However,
poor security engineering. We look at the it is likely that the cost and difficulty of
potential impact on the business, what fixing the issues once discovered are
steps can be taken to mitigate these and substantially more than identifying and
therefore what questions all risk managers mitigating the issues earlier in the system
should be asking their internal and external development process. For a start, the
architects and developers, highlighting the problem may be within a third party
potential impact of software development component and it might not be possible
methods such as AGILE on secure to fix it directly yourself without their
development methodologies. help. Alternatively the flaw may be in your
software or technology so you might have
the ability to directly address the problem.
Insecure Systems – However, the problem may not be as simple
Bad for business? as re-coding a file, e.g. it may be that the
You only have to read about the increasing database you originally selected for its
number of publicly quoted data breaches fast handling of queries has no way to
to see that an insecure system is not adequately separate user data and therefore
good for business. If you fail to keep your requires a new database technology! So,
customers’, or your organisation’s, data the scale and variation of the problem to
confidential and available then potentially be addressed once discovered can vary
the consequences could be serious. The from quite minor to very significant, and
organisation could face a huge fine that’s without considering the additional
(e.g. TJ Maxx [8]), it could lose customers, operational impacts while you fix the
it could get swallowed up by the competition problem (such as increased monitoring).
(e.g. HBGary [7]) or it could contribute
to the Company going out of business
(e.g. Nortel [9]).
Chapter 11
and enterprise software annually. There
Why it’s hard are also fewer but substantially higher
Securing systems is not trivial. An operating impact year on year increases affecting
system has tens of millions of lines of code, software within technologies such as
2
a database server or a web server can mobile platforms or Industrial Controller
contain several millions of lines of code. Equipment (SCADA). Of particular interest
The software is resident on a complex are reports which correlate vulnerabilities
mesh of servers, network infrastructure from internet facing web applications across
and multiple protocols on top of which the a variety of industry sectors. In these we
actual application is built that delivers the find common serious security issues, with
services which differentiate the organisation one study [1] citing that 53% of all systems
and provides value to your customers. scanned contained a vulnerability that was
So it’s not surprising that, given this rich potentially exploitable. Whereas a separate
stack of technology, some ‘issues’ might study of different applications [5] showed
arise either through the complexity of the that 86% of the websites contained at
application being assembled or through least one serious flaw. So, if you take into
delivery pressures. account that such scans often check only
for the ‘known’ bugs and flaws, then the
Unfortunately, such issues can quickly
question remains how many more latent
become security vulnerabilities. You only
security bugs and flaws that are not yet
have to examine a number of prolific
known are within such applications?
security industry reports [1], [4] to see
that there are substantial numbers of
How can it be
Chapter 11
Chapter 11
a pure specification document; indeed in
previous projects CGI has found potential
Plotting the journey
use cases or more precisely misuse/abuse
Clearly articulated security requirements
cases have been helpful in communicating
are the starting point for any secure system
2
with system architects and developers the
development. These security requirements
threats and risks to the system. The benefit
have to be related back to the actual system
is that the architects and designers clearly
required by the business and its risk profile,
understand why they are implementing
and so are dependent upon the initial risk
security controls and their relationship to
assessment for a system (or application),
the threats to the system rather than see
the threats, the potential vulnerabilities
them as annoyances that get in the way
and the true impact to the business of the
of implementing the business solution.
failure. This enables the subsequent secure
Communication and collaboration
development process to be tailored relative
between the business users, developers
to the risk profile for the system, with the
and security experts is essential to get the
appropriate steps, quality and review gates.
requirements understood and implemented
If security requirements are going to be as they are intended, rather than wait for
useful for subsequent development, then disappointment at the end of the project.
they need to be specific and not general
With the requirements documented and
statements such as “the application must
an understanding of the application risk,
authorise all users”. It is far better to help
the processes to be applied to the system
the developers and designers with “the
development including the quality/security
application must authorise users using the
review gates can be defined and the next
username, Memorable Word and PIN code”.
stage can be entered, which is to review
The requirement can then be further refined
the initial design.
to constrain the subsequent functionality
so that “each (web) page must check that
a user’s session is valid” and the “default
behaviour is to deny access to all (web)
pages without a valid session”. Typically,
this is not a quick exercise but elements
can be re-used and their relationship to
the business risks justifies their inclusion.
16 In reality such an attack also requires the subversion of some of the components of the network infrastructure
between the user and the application (such as on a wireless network), but then the server certificates were used
as a secondary protection mechanism to ensure only the authentic application is being communicated with.
Chapter 11
number and frequency of vulnerabilities 1. Independently analyse the system
disconcerting that may be latent within the libraries and design against specific threat or attack
frameworks that you use as part of your patterns. Microsoft’s STRIDE is one
was that system. For example, a recent study by an such generic pattern frequently used
26% of all
2
application security company [3] found that to stimulate that process, but it’s also
37% of the most popular frameworks and important to look at the specific threat
(29.8 million) libraries (used primarily for building web patterns within your industry, e.g. for
library based applications) contained at least one banking and retail applications the ‘man
vulnerability. Possibly more disconcerting in the browser attacks’.
downloads was that 26% of all (29.8 million) library
2. Look at the technologies used and
downloads contained those vulnerabilities.
contained This problem is increasingly likely in mobile
understand where there may be
incompatibilities, particularly with
vulnerabilities. devices where libraries, such as Webkit,
security controls such as cryptographic
have been shown to contain serious flaws
libraries/APIs and access control.
affecting the integrity of a number of
Alternatively, as is the case for mobile
mobile (browsers) and subsequently the
development, the design may be
devices themselves.
considering using common functionality
A third security issue is the introduction of to develop applications (HTML5/
malicious code into the system or where Javascript) that may undermine the
perhaps that application becomes malicious security on specific platforms. Or it may
(i.e. once deployed). Mobile applications use the specific mobile platform toolkit
often have integrated (via a Software that may initially make the design
Development Kit) connection to advertising, stronger, but will need any operational
in order to generate revenue. Unfortunately, platform patching to be carefully
some such benign apps have also been considered to avoid applications on one
discovered to connect back into a malicious platform being patched while there is
ad network (such as BadNews [13], [10]) lag in fixing the other platforms.
that will serve up malware potentially
3. Understand and capture how the
compromising the customer’s device.
architecture is built up. How and
Fortunately, there are a number of steps where the important data flows and is
that the system designers should be going stored? Where the security controls are
through at this stage to avoid such failures. placed? What assumptions are being
made at the network, in the operating
system, in the application (and its
software stack of libraries/frameworks)
and what assumptions are we making
about the user and their environment.
one potential development issue, there 3. Train and give the developers access to
Chapter 11
are also many other types associated with both security testing tools (e.g. those
web applications (Cross Site Scripting used to test and manipulate protocols
(XSS), broken authentication mechanisms, and application input) as well source
forced browsing etc), with databases (SQL code analysis tools for potential security
2
injection), within the code in operating flaws. Some of the analysis tools can be
systems (such a buffer overflow, race run outside of working hours to reduce
conditions). the downtime for development.
However, unlike the earlier design flaws, 4. Ensure that the team has a security
these programming errors can be more champion within it, someone who is
readily addressed during the development prepared to mentor (and train) other
process by the programmer, as long as they team members, help resolve security
are provided with the right tools, process, questions and share best practice/
standards and training. lessons learned.
5. Use the output of automated tools (or
Development Checklist: third party services – including those
1. Coding standards have been defined embedded within mobile app stores)
and the code is checked to ensure such as source code analysis to look
it adheres to those standards and for common recurring problems that
is understandable for maintenance might indicate that developers don’t
purposes. Automated tools can be fully understand certain issues and use
used to check code against the defined this to focus the ongoing training and
standard (e.g. checkstyle). sharing of best practice.
2. Train the developers to write secure
code, by understanding common
attack patterns, such that they validate
and sanitize input or use trusted
security APIs from organisations such
as OWASP. For instance there are
increasingly good guidelines for mobile
application development from both
the manufacturer (e.g. Apple) and
governments (CESG [12]).
Developing Security Culture & Skills: Creating a security culture is not an easy
Chapter 11
thing to achieve, especially if you have a
the skills and diverse or large geographically distributed
Setting the tone
organisation. However, CGI has found the
security culture Developing the skills and security culture is focusing on the following steps helps:
one of the most important activities needed
is one of the
2
to develop a secure system. All of the 1. Getting buy in from senior stakeholders
most important people involved in building the system must early and clearly articulating the benefits
believe that a secure system is worthwhile, to them.
activities and not only will it protect the business 2. A clear message from the senior
needed to and the customers, but also they must have stakeholders disseminated to the rest
the right skills and training to achieve it. of the organisation.
develop a It is also something that must be right at
3. Focused training for developers (on
secure system. the inception, throughout the project and
long after it is completed and embedded security vulnerabilities/common patterns
into the team. and security test tools).
So far in this chapter the focus has been 4. Giving frequent feedback to the
on designers and developers, yet in reality, developers and using it to refine the
when it comes to constructing a system, training of the existing development
we need to know that many of the roles or next generation team so that the
involved (e.g. project managers, contracts, lessons learnt are not lost. Be careful to
business managers) all believe in the value capture and manage this knowledge
of the steps outlined. Otherwise they with incoming or new suppliers and
may be tempted to trade-off without teams otherwise you may find yourself
understanding the implications – “early starting from scratch all over again.
delivery rather than compete security 5. Giving frequent feedback and
testing” or “choose not to check third communicating with the rest of the
party secure development practices before ‘development’ team on the security
purchasing for cost reasons” or “perhaps progress. The benefits and successes,
not check the identity of all users in the such as the number of bugs and
interests of usability”. flaws avoided through design and
development reviews and testing.
6. Include security in reporting
mechanisms. Staff and managers
will always respond to what they
are measured on.
Chapter 11
is ensuring that you have established the support from the management and
secure development practices as being organisation (based on improved security
relevant and ‘alive’ within the organisation: results! – remember to measure).
•Y
ou have established and defined •Y
ou have focused on your organisation’s
2
the development process so that it is needs (the technologies used, the supply
repeatable, constantly improving and chain/partners, the agility needed)
adapting to the business. and most importantly the risk the
organisation is prepared to accept.
1 Do you follow a defined process to build secure systems? Have you defined the
appropriate review/quality gates?
2 Do you have the support of senior management, Project Managers, Contracts
and Developer teams for a secure development process?
3 Do your suppliers understand and support this process?
4 Do you regularly and clearly identify the realistic threats and risk to system data
and functionality?
5 Have you provided clear security requirements that can be tested against?
6 Have you independently reviewed the architecture? What threats have been
modelled? Do you understand how the system protection works across all
technology? What assumptions have been made about the environment and
ongoing operations/maintenance/customer interaction with the system?
7 How have you developed the code? Have you defined secure coding standards?
Have you trained your development teams to understand the key risks and threats
and how to protect against them? Have you given them security testing tools and
source code analysis tools to check for problems?
8 Do you conduct independent testing that simulates real-world attacks?
9 Do you measure and feedback regularly the results and lessons learnt from testing
and source code analysis into developer training?
10 Are you developing the right skills and culture to consistently build secure systems?
Do you have the right security champions in place?
References
2013 Internet Security Threat Report,
1. Anonymous speaks: the inside story
7.
Chapter 11
of-the-hbgary-hack/
2. T he Most Dangerous Code in the
World: Validating SSL Certificates in 8. T JX, Visa Agree to $40.9 Million Payout
Non-Browser Software; M. Georgiev for Data Breach; BankInfoSecurity;
et al; 2012; http://www.cs.utexas. http://www.bankinfosecurity.
edu/~shmat/shmat_ccs12.pdf co.uk/tjx-visa-agree-to-409-million-
payout-for-data-breach-a-648
3. The Unfortunate Reality of Insecure
Libraries; Aspect Security; March 9. C
hinese Hackers Suspected In Long-
2012 http://cdn1.hubspot.com/ Term Nortel Breach; Wall Street Journal;
hub/203759/docs/Aspect-Security- February 2012; http://online.wsj.
The-Unfortunate-Reality-of- com/news/articles/SB100014240529
Insecure-Libraries.pdf 70203363504577187502201577054
HP 2012 Cyber Security Risk
4. 10. Bad News for Android as Fake Ads
Report; 2012; http://www. Target Google play; Mobile World
hpenterprisesecurity.com/ Live; April 2013; http://www.
collateral/whitepaper/ mobileworldlive.com/badnews-
HP2012CyberRiskReport_0213.pdf for-android-as-fake-ad-network-
targets-google-play
https://info.whitehatsec.com/
5.
2013-website-security-report.html 11. Attackers can slip malicious code
into many Android apps via open
Scammers bug retail registers
6.
Wi-Fi; ArsTechnica; Sept 2013;
with $40 keylogger devices; SC
http://arstechnica.com/
Magazine; October 2013;
security/2013/09/attackers-can-slip-
http://www.scmagazine.com/
malicious-code-into-many-android-
scammers-bug-nordstrom-registers-
apps-via-open-wi-fi/
with-40-devices-to-skim-card-data/
article/316001/
Chapter 11
Guidance for iOS; CESG, November
2013; https://www.gov.uk/
Do you measure
government/publications/end- and feedback
user-devices-security-guidance-
regularly the
2
apple-ios-application-development/
end-user-devices-security-guidance- results and lessons
apple-ios-application-security-
guidance learnt from testing
13. “Mobile Devices = New Malware and and source code
New Vectors”; Palo Alto Networks;
August 2013; http://researchcenter.
analysis into
paloaltonetworks.com/2013/08/ developer training?
mobile-devices-new-malware-and-
new-vectors/
14. Cisco Secure Development Lifecycle;
Cisco; Retrieved November 2013;
http://www.cisco.com/web/about/
security/cspo/csdl/index.html
15. Oracle Software Security Assurance;
Oracle; Retrieved November 2013;
http://www.oracle.com/us/support/
assurance/overview/index.html
16. Microsoft Security Development
Lifecycle; Microsoft; Retrieved
November 2013; https://www.
microsoft.com/security/sdl/
default.aspx
17. The Trustworthy Computing Security
Development Lifecycle. The Benefits;
Microsoft; March 2005; http://
msdn.microsoft.com/en-us/library/
ms995349.aspx#sdl2_topic4
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This
that chapter aims
inadequate
attention to the
to provide guidance
risks may have
on effective incident
contributed
tomanagement
potential in
breaches
response beingto cyber
overlooked.
related events.”
Chapter 12:
C hapter 1 2
Incident
management
Chapter 12:
Incident management
Alastair Allison CISM SIRM and Jeff Miller
Chapter 12
of Information security and incident
The major risk arising from not having management are considered below.
incident management procedures in
place is one of reputational damage.
“Organisations should develop a taxonomy
of risks and potential failure modes and
develop easily accessible quick response
guides for the likely scenarios” (Bailey
and Brandley).
Respond
Recover
& contain
Chapter 12
NIST also highlight how there should be
Who Literature used in this research suggests guidance on prioritising incidents according
that there are between four and six phases to the risk severity. Incident levels could be
has the of the incident life-cycle. However, they all tiered such that:
tend to agree on the key components and
responsibility/ we represent these in our five phases on • T ier 1 – Localised/internal breaches or
authority to incident management shown in Figure 12.1. attempted external attacks that can be
The most crucial of which is probably the easily isolated and contained through
declare an “Prepare” phase. local management actions. Such breaches
may also affect a single customer and are
incident? Incidents, by their very nature tend to
unlikely to warrant regulator attention.
be fast paced. An airline pilot is trained
to handle an aircraft in crash-landing • T ier 2 – Unusual and immediate threat
scenarios yet hopes to never use that such as a deliberate/persistent attack or
training. Nevertheless, such training has breach that could harm large numbers
saved countless lives as the training allows of customers and the reputation of the
the pilot to respond with some familiarity organisation and requires key decisions to
to procedures rather than having to think be made by senior executives or managers
on their feet in a crisis. In very much the to contain and bring under control.
same way, examining potential crisis
scenarios involving data losses will help Accountability and Responsibility
organisations prepare response plans which A key component of the preparatory phase
can be rehearsed so that the chances of is to identify who has the responsibility/
a successful outcome are maximised. authority to declare an incident and the
The next few paragraphs describes each team members that would respond to
of these five phases in a little more detail. it. The team should be a small group
committed to solving the problem and
mitigating any damage that it may cause.
Preparation Phase
Consequently it will need to have people
Documentation with certain skill sets, experience and
Appendix 12.1 – Incident Management authority “to respond to incidents, perform
Checklist looks at the key steps required analysis tasks and communicate effectively”
to define the preparatory work that has to (ISACA, p260) to make a rounded response
be completed to cover the before, during and it may also include external parties such
and after incident contexts such that the as public relations or legal expertise. Usually
processes can be put in place. NIST (2012, there will be a core team that is augmented
p11) highlights that not only should these by specialists according to the specific
preparatory actions be documented but context of the incident. Such a team may
that there should also be documented be a centralised team or distributed such
guidelines for interactions with other that virtual working mechanisms have to be
organisations regarding incidents including put in place including conference facilities.
all the contact details and the facilities to
be put in place such as phones (NIST p31).
Any good business continuity practitioner Likewise, those organisations that have cyber
thread through- will tell you that incident plans are not insurance may have a requirement capture
out all phases worth the paper they are written on if certain information such as costs or response
they are untested. Cyber incident scenarios logs and times and to notify the potential
is the need to should be built in to the BCM testing losses within a determined timeframe. The
regime and rehearsed. Lessons will be learnt person who should have responsibility for
communicate in about the best way to handle situations or this needs to be identified in advance and
a manner that about the composition of the incident team templates to track costs and mitigating
and these should be smoothed out before activities need to be prepared in advance.
protects the an organisation needs to do it for real.
interests of the Detect and assess
Immediate actions The following section is a case study from
organisational Upon forming in response to any incident, a global insurer who, whilst they do not
aims and, where the immediate actions of the team would exactly fit the 5 phase model described in
be expected to be to: this chapter, do have all the key components
appropriate, in place.
• Conduct a risk assessment
the victims of • Contain the breach
Technical logs and detections
the incident. • Recover the data Key to timely detection at the technical
•C
ommunicate and notify appropriate level is the ability to aggregate log events
stakeholders and raise specific events to the attention of
• Investigate the incident handlers. The primary drawback to this is
the sheer volume of events generated within
• Identify improvement mechanisms
a large enterprise and the maintenance
including addressing the root cause.
and updates required to specific “events
Communication of interest” which will be escalated.
A recurring thread through-out all phases is A two pronged approach is recommended
the need to communicate in a manner that with critical devices, such as perimeter
protects the interests of the organisational firewalls, IDS/IPS devices, logged to an active
aims and, where appropriate, the victims security event monitoring platform and
of the incident. Law Enforcement agencies secondary, or contextual device logs (routers,
and the media should be “contacted switches, domain controllers, application
through designated individuals” (NIST, logs), being aggregated to a central logging
p20) and for regulated industries there warehouse for future reference and/or
are usually Approved Persons that notify analysis. This approach reduces the amount
breaches and incidents to the regulator. of data that must be sifted for primary alert
These need to be identified and staff need triggers yet provides a means to research the
to be aware of the contact procedures context around these events.
involved if the incident is to be effectively
controlled.
Chapter 12
an automated fashion using basic string determination of lessons learned
searches across the active log streams. through the creation of an After Action
Log rates and volumes are also monitored Report if necessary. Modifications to
by the automated system and are used the monitoring, detection, or response
for system diagnostics as well as security processes or capabilities are identified
alerts. A device changing logging rates may and implemented if required.
indicate an event of interest.
Once an event is identified as “interesting”
it is escalated to a trained “event handler” Actions and escalations
to confirm or collect ancillary information The specific actions and escalations taken
to determine the type and severity of the during each of these phases is dependent
event (or series of events). on the type of incident as well as the
criticality of the systems impacted:
Once it has been determined a security
incident has occurred, response activities • Incident category examples:
typically fall into the phases of Analysis, • Commodity malware
Containment, Remediation, and Post-
Incident. • Hacking /exploit tools
•A
nalysis – Steps taken to better • Privilege escalations
understand the incident and its impact to • Reconnaissance
systems or information. This determines
• System exploits
the scale of the incident as well as the
categorisation and criticality. • Characteristics affecting criticality:
•C
ontainment – Engagement of the • Criticality of the systems
proper teams to prevent further spread
• Data staging /exfiltration
of the incident. The closure of the initial
attack vectors, identification of necessary • Impacts to system availability
remediation actions, and gathering • Fraud
of evidence for forensic purposes as
necessary.
•R
emediation – The actions taken to
prevent a recurrence of the incident
on the target system and other similar
systems within the environment. This
includes the cleanup of any remnants of
malicious activity which occurred during
the incident.
Chapter 12
“Containment is important before Recovery occurs after the incident and
an incident overwhelms resources or Appendix 12.1 – Incident Management
increases damage. Most incidents require Checklist discusses some of the detailed
containment, so that is an important components to consider. Recovery involves
consideration early in the course of restoring systems and processes to normal
handling each incident” (NIST p35). operations including the implementation
Containment will also be a management of any remediation actions to prevent a
judgement as to what reasonable steps re-occurrence. NIST (2012, p37) term the
have to be taken. In the Supply Chain phrase “Eradication and Recovery” for
chapter, there is a case study that involved this phase pointing out the need to also
an organisation taking legal proceedings eradicate things like malware and breached
out in three jurisdictions simply to contain user accounts which is useful to consider
the spread of a data theft being sold in the but in essence, that could have either been
market. They also felt it was reasonable achieved during the “containment” exercise
to employ a private investigator. Each or is central to recovery with such activities as
organisation will assess the risk according applying patches, changing passwords etc.
to the data but the involvement of external
Organisations need to consider that a
stakeholders during a breach such as law
successful attack may be followed by a
enforcement should not be overlooked in
subsequent attack on the same resource
the preparation phase so that reporting
or system or that the same attack method
requirements can be duly met. Bailey
may be used on other systems so part
and Brandley suggests that this means
of the recovery is to put all remediation
maintaining “service level agreements
in place and to increase detection and
and relationships with breach remediation
monitoring. However, remediation can be
provider and experts” or at the very least,
both large and expensive and it will be
identifying who needs to be contacted
necessary to take a risk based approach to
and how. Response teams should become
any remediation plan with the intent “to
acquainted with the conditions under which
increase the overall security with relatively
law enforcement should be contacted
quick (days to weeks) high value changes”
and incidents are reported to them. NIST
(NIST, p37).
(2012, p11) point out that poor conviction
rates for cyber-security incidents is down to
organisations that “do not properly contact
law enforcement” agencies.
Containment also includes co-ordinated
messages to victims, the media and other
customers/clients and these should also be
rehearsed before they are used for real.
Processes also need to be reviewed and at a much earlier stage. By doing so, the
Chapter 12
changed but our research suggests that organisation might be able to identify ways
organisations are not always good at of reducing future costs. The level of analysis
applying the fixes or to validating that they will depend upon the severity of an incident
are still working sometime after the event. and how widespread it was felt across the
As with any risk and control activity, the organisation and supply chain. However,
controls need to be assured for design and the key components of a closure report are
operating effectiveness according to the suggested at Appendix 3 – Post Incident
criticality of the process not just at the point Closure Report.
of implementation. We would contend that
if an incident has warranted the instigation
of a response team, new controls should be Knowledge share
reviewed within the first 12 months to give The EU, UK and US are leading calls for
assurance that the incident has a reduced increased co-operation mechanisms to share
likelihood of re-occurring. early warnings on cyber risks and incidents.
Finally, as is discussed in the Insurance Businesses are being encouraged to share
Chapter, certain costs can be recovered incident data so that they can learn from
through cyber insurance and the recovery each other. However, the IRM survey on this
process needs to ensure that the costs topic saw a marked decline in respondents
are calculated and maintained ready for to the incident section by over 50% of
submission to the insurance carrier. all respondents. Indeed, of those that did
reply less than 3% were prepared to share
Lessons learnt data on their incidents and even then the
The final phase is to have a wash-up of sharing was on a limited basis. The gap,
the events. This meeting aims to pull the therefore, between the political aspiration
response team together to affect closure for data sharing and the preparedness of
and review what went well, what did not businesses to do so appears to be a big one
and set about a virtuous circle of process to overcome. Nevertheless, there are already
improvement. This should also consider some forums committed to knowledge
staff behaviours, ability to respond to sharing of cyber management and also
stressful situations and the leadership of incidents. Whilst these appear to be
involved. It should also aim to see if any contained to specific sectors, it is a step
useful early warning indicators can be in the right direction.
identified to detect such an incident
The success of the internet is down to its Reading list and websites
Chapter 12
ease of use and lack of controls yet these 1 Bailey, T and Brandley, J, Jul 2013,
Cyber risk strengths are also its weaknesses to provide Ten Steps to Planning an Effective
is never a a safe and open trading platform. The Cyber-Incident Response, Harvard
criminal activity still follows the money Business Review accessed via http://
matter purely but instead of being in bank vaults, the blogs.hbr.org/cs/2013/07/ten_
money can be gained from on-line activity.
for the Better intelligence and data sharing among
steps_ to_planning_an_effect.html
on 12 July 2013
IT team. businesses will help in the fight against
2. Humphreys, E, 2010, Information
cybercrime by raising the barriers to
Security Risk Management Handbook
successful attacks and also help reduce the
for ISO/IEC 27001, BSi
number of cyber incidents that businesses
need to respond to. Organisations should, 3. ISACA, 2011, Certified Information
therefore, consider industry specific forums Security Manager Review Manual,
to share knowledge on incidents. In doing Chapter 5
so they may prevent the same incident
4. NIST SP800-61 Revision 2, 2012,
happening elsewhere in the supply chain
Computer Security Incident
in our ever inter-connected world.
Handling Guide
Online Trust Alliance 2013 Data
5.
Conclusion Protection & Breach Readiness
“Putting the development of a robust Planning Guide accessed via
plan on the fast track is imperative for https://otalliance.org/resources/
companies. When a successful cyber- Incident.html on 23 July 2013
attack occurs and the scale and impact 6. Zurich Insurance Group, Insights
of the breach comes to light, the first magazine – Security and Privacy
question customers, shareholders, and Risks, accessed via http://view.
regulators will ask is, “What did this pagetiger.com/ZurichInsights/
institution do to prepare?” (Bailey and SecurityandPrivacyRisk2012/
Brandley). True resilience needs effective on 23 July 2013
incident management protocols to be in
place and able to be operated at different
management levels according to the
severity of the risk to the organisation.
Risk managers and audit professionals
need to determine if their processes
are truly robust to respond to a cyber-
attack in a timely manner to protect
the organisational reputation as well
as minimise the harm to the customers/
clients affected by the crime.
Appendix 12.1
Incident Management Checklist
When a breach occurs it is important to deal with it quickly and efficiently to minimise
any impact to those affected and to the organisation. Being prepared before the event
allows organisations to not only respond but continuously improve their processes and
learn from others. Use the checklist below to assess your organisational readiness to
deal effectively with any data breach.
Chapter 12
Before:
Pre-breach preparation
Identify team members – who should respond
and how often should they meet?
Monitor the systems – how will you know if a
breach occurs?
Data Collection – How do you review how you
collect data, including 3rd party data, cloud services
and subsequently audit it?
Classify the data – If any data is lost will you
understand the potential impact based on its
classification and the level of protection it needs
to be afforded?
Data Storage – Where is the sensitive data held,
stored or archived and are there adequate controls
in place?
Training – Are staff trained to report breaches and
are the team members trained in
how to handle a breach?
Escalation – Are the escalation routes clear
according to the severity of a potential breach?
Regulatory Authorities – Are you aware of any
regulatory reporting requirements and timeframes?
Specialist Support – Will you need specialist
service providers/advice in the event of
a breach such as public relations, risk engineering,
eDiscovery and forensics?
Communication – Is the organisation ready to
communicate with customers, partners, stakeholders
and the press in the event of an incident?
Documented Plan – Is all the above in a
documented plan or process flow?
Chapter 12
During:
Dealing with a breach
Assess the situation
What, where, when and how?
Who knows?
What action has been taken and by whom?
Notification
Who needs to be informed within the
organisation?
Who can help?
Who can make the appropriate decisions?
Containment
Confine the damage and spread of the breach
Victim notification
Many jurisdictions require that victims
have to be notified within a set time
frame. However it is simply good practice
to notify and limit the harm to others.
Call centre
Establish a central call centre and information
page where potential and actual victims can
find out more about the breach and what
they need to do.
Public relations
Have statements ready to restore your
reputation and show that you are in control.
Legal defence
How will you defend yourself in court or
with regulators?
Appendix 12.1
Incident Management Checklist
After:
Chapter 12
Public relations
Ensure the PR team continue to monitor and
respond to the fallout and that messages are
consistent.
Notify regulators
Ensure all relevant regulatory authorities are
notified and kept up to date with open and
transparent communication as applicable.
Post-incident review
Establish a review team to investigate the root
cause of the breach, identify lessons learnt to
prevent re-occurrence and to improve future
breach handling procedures.
Appendix 12.2
Incident Evaluation Initial Checklist
Once an incident has been detected, quickly understand what has happened and
help determine what actions need to be taken by following this quick agenda.
Incident evaluation:
Chapter 12
Initial agenda
WHAT has happened?
Actions needed?
Other information?
Appendix 12.3
Post Incident Closure Report
A full and proper review of the incident should occur including a root cause
analysis so that process and behavioural improvements can be made where
appropriate. It can also provide regulators with the necessary information they
need to assess the measures taken by the organisation to prevent a re-occurance.
Chapter 12
Chapter 12
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
Weinadequate
that will seek to provide
attention to the
some guidance on
risks may have
developing support systems
contributed
toto improve the transference
potential
breaches
of cyber being
risk learning to
overlooked.
appropriate information
asset handling.”
Chapter 13:
C hapter 1 3
From learning to
behaviour change
professionals now Most organisations try to combat the lack When Donald Kirkpatrick wrote the now
know that it is of cyber threat awareness with information world renowned research paper ‘The Four
the transference security training, but the sad fact is that Levels’ in 1954, he was referring to the
even if the training is compelling, if left at complacency of learning professionals
of learning
that, then only a small percentage of the satisfying themselves that effective training
into workplace desired behaviours will be transferred to had taken place, by producing metrics
behaviours that the workplace. such as the volume of training courses
determines how available, and the volume of employees
Learning transference of any kind will not
that had been put through that training.
effective a training take place in an organisational vacuum.
Most L&D professionals now know that it is
This chapter will seek to provide some
course has been, the transference of learning into workplace
guidance on developing support systems
not for L&D job to improve the transference of cyber
behaviours that determines how effective
a training course has been, not for L&D
security, but for the risk learning to appropriate information
job security, but for the security and safety
security and safety asset handling. This guidance should be
of the organisation. This will not come
considered in partnership with the strategic
of the organisation. as a surprise to most Chief Information
owners of organisational development and
Security Officers (Forrester, 2013), indeed
operational risk.
the very fact that the activity known as
This chapter aims to: ‘Spear Phishing’ (Lockheed Martin, 2012)
•K
now the impact and significance of has recently entered the cyber threat
learning transference within different consciousness, underpins the fact that
internal risk cultures; cyber criminals know that it doesn’t matter
how formidable information security
•B
e able to identify the learning
policies and technological defences are,
propensity of different types of risk
if there is an employee behind all of that
culture;
security investment that is ignorant to the
•H
elp support a risk culture aligned importance of information risk protocols,
learning response to support a then there will always be a ‘workaround’
cyber-risk management initiative. to organisational cyber defences.
Chapter 13
coming from a disaffected employee is a
Most threat, but assessing the likelihood of the
A good place to start the support and
monitoring of cyber risk learning is to have
organisations risk of a breach materialising from that a look at the way in which risk information
avenue, or from a loyal employee accidently flows around the organisation (e.g. breach
will place leaving the cyber security door ajar, then incidents, technical RCA findings, outcome
information most information security professionals and recommendations from cyber threat
would probably place the latter closer to audits, etc.) and how IT contributes to,
security training the red area on the risk map. and interacts with, corporate operational
at the centre Most organisations will place information risk information.In order to influence the
security training at the centre of any plan to organisation, and assess the effectiveness
of any plan address information risk ignorance, however, of cyber threat learning initiatives, there
must be a collaborative forum external
to address in his 2002 book ‘The Success Case Method’
to day to day IT operations, comprised of
Brinkerhoff found that of any structured
information learning event only 15% of unsupported influential business and IT risk stakeholders,
employees will successfully carry the desired in essence an Information Risk Committee.
risk new behaviours into the workplace, 70% There will always be a need for the
ignorance. try and fail with the final 15% not bothering technical risk committee within IT and by
in the first place. Accepting the research on structuring deference to the Information Risk
face value it is reasonable to conclude that a Committee, this will bolster collaboration
little extra effort supporting employees, post and business inclusion. Remember, business
learning, will lead to a lower likelihood of a influence is an essential ingredient of any
breach as a result of ignorance. effectively embedded cyber risk awareness
programme. Figure 13.1 depicts how this
could look.
After the learning event
This may seem to be an odd place to start in Risk culture
a chapter about cyber risk learning, but any
seasoned Information Security Professional, It is important to understand the type of
adept in the specific cyber risk management risk environment within which you will
protocols to protect the organisation, will be attempting to support the learning
have already included those requirements transference. The IRM has already
in a competent learning medium. Therefore conducted extensive research into the
this chapter is focused on supporting the importance of risk culture, and how to
learning transference from organisational go about understanding the risk culture
risk requirement to workplace risk practice. in an organisation. Therefore there is no
need to re-iterate that work here (see the
bibliography for a reference to this research).
People ‘feel’ For the purposes of this chapter there will component of individual risk learning that
Chapter 13
be an assumption that a risk cultural exercise needs to be influenced during the process
risks when they has been conducted, or there is a sufficient of learning transference.
understanding of the current risk culture
first come across to assess two key cultural components, risk
Most people underestimate the impact or
relevance of risk events that seem far off or
them, in the perception and risk propensity. These cultural
unlikely, and most employees will take this
factors are believed to directly influence risk
case of a cyber behaviour (Sitkin and Weingart, 1992), see
perception, along with the associated risk
behaviour, from the information security
risk this will figure 13.2.
learning event on into workplace practice.
People ‘feel’ risks when they first come
typically be first across them, in the case of a cyber risk this
Clearly assessing and interpreting a risk
culture is a nebulous and complex exercise,
encountered will typically be first encountered during
there are however easily obtainable
the information security training. It is this
during the first feeling that will shape the employee
indicators that will help support the learning
transference process. With deference to
information perception to the inherent personal risk
Figure 13.2, the following cultural factors
in a situation. It is only over time, with
are among the most straightforward to
security training. appropriately relevant information, cognitive
determine and leverage:
thinking and rational discourse with respected
peers will this feeling be ‘shaped’, and it is this
Figure 13.1
Executive/trustee board
Audit committee
activities
IT/business
boundry Information risk
committee Informs and monitors actions
(Technical only)
Reports on risk activities
Chapter 13
Figure 13.2
Organisational Organisational
Outcome history control systems leadership Experience
(outcome of (is the risk (how does my with the risk
prior risky controlled) manager treat
decisions) the risk)
Inertia How
(habitual way the risk is
of handling risk) explained
Risk Risk (postitive or
propensity perception negative)
Chapter 13
transference aids, consideration would need to be
With deference to Brinkerhoff’s work, given to cramming in all the intense,
Kirkpatrick identified numerous ‘road and necessary, knowledge associated
blocks’ to learning transference in the with correct procedure for all or most
70% of learners that ‘tried and failed’, business activities, this naturally dilutes
the most common of which being learning the overall impact of the learning event;
retention. There are numerous tactics that 2. They allow the employee to walk out
can be deployed to address this, however, of the training with the broad concepts
two of the simplest (and most cost of the information security learning,
effective) ways of supporting the safe in the knowledge that the detail of
learning are as follows. the required processes when protecting
an information asset will be quickly
Job aids accessible when they return to their
In essence a job aid is a memory jogger desk. Naturally, most employees are not
designed to quickly provide the relevant passionate about risk, cyber criminals
information the employee needs, job aids and information security, so it is not
support two areas of learning transference: surprising to learn that most employees
1. They allow the training designers to will forget the facts and processes
focus the content on appropriate risk taught in an information security
taking behaviour, the negative and course. In fact employees may forget
personal impact of a breach and how as much as 71% of the content by
the learning doesn’t stop at the end of the following day (Ebbinghaus, 1850),
the course but continues on into the see figure 13.3.
90
80
70
60 19 minutes
50 63 minutes
40 525 minutes
1 day
30 2 days 6 days 31 days
20
10
0
Elapsed time since learning
Contextual: This type of aid is just the Most organisations do this, and the content
Remember right amount of information required to may very well be the best that money can
the easier it jog the memory for the task at hand. These buy, however, if the refresher training is
will include notices above bins for secure delivered in the same format, year in year
is to access out, then ‘doing the information security
disposal of information, a ‘safe haven’
information course’ will become a compliance overhead.
check list near faxes, and popups on the
security content, first daily use of an internet browser. A typical method to consider when
keeping the content fresh draws on the risk
the lower the Reference: For those employees that want information presented for consideration at
likelihood to perform an activity, and understands organisational risk committee meetings.
of someone that there is a specific way to do things, This will include legislative changes, new
but cannot remember the exact process enforcement measures by regulators, the
giving up and
need a easily accessible place to get hold activities of hackers and internal emerging
performing the of this information, consider an intranet risks that may come from breaches or a risk
task in the best page or smart phone readable reference control failure identified through audit (also
way they can document where all of the learning known as a ‘lessons learnt’ or risk review
content from the information security process). In order to make the delivery more
remember. training is available, along with policies engaging consider having a pre-assessment,
and procedures. Remember the easier it for year one onwards passing the employee
is to access information security content, in competent areas (most learning
the lower the likelihood of someone management systems can deliver this
giving up and performing the task in approach), therefore assuring the employee
the best way they can remember. that the refresher training is targeted on
their weak areas only, this is a technique
that will carry more impact if it is combined
with all other required compliance learning.
Chapter 13
be exposed to the information
If an employee hasn’t participated in the security learning?
information security training in the first
place, then they have little or no chance 2. Are there employees within the
of applying the required behaviours in 10% that have never been exposed
the workplace. Therefore, monitoring the to the learning?
effectiveness of learning transference starts 3. Are there entire departments, teams
with the attendance in the learning event. It is or divisions within the 10%?
reasonable to assume that most organisations
If the organisation has a learning
monitor this type of activity, but consider the
management system (LMS), then a
scenario below to improve impact in this area.
monitoring system similar to figure 13.5
Assuming for a moment that routine could easily be developed in order to start
monitoring of attendance discovers that in the collecting learning data to answer the
last 12 months 90% of employees have taken above questions.
and passed the annual information security
training, not bad, and in most organisations
this would be classed as a green or satisfactory
key performance indicator, however, how
many organisations then put measures in to
address the following questions:
Figure 13.5
Day 1
The LMS user account Day 14 -28
is created and read
within 48hrs of a new The status of the Day 28+
employee starting, the enrolments are
employee profile should checked by the As part of the Day 365
contain line manager, LMS and the line compliance
location, division and job manager is notified monitoring process, Modules that are
designation. Learning via escalating email an LMS produced required to be
is then automatically alerts if any of the governace report is taken annually will
assigned and the modules are not reviewed at local and be automatically
employee is emailed completed. group governance re-enroled and a
confirmation of the meetings to identify notification is sent
enrolled learning and has and chase non- to the employee
28 days to complete. compliant employees. when an automatic
enrolment has
taken place.
Look again at In summation, this chapter seeks to invite 3. Is there a mechanism for employees
Chapter 13
the reader to look again at the current to feedback on any difficulty they are
the current approach to cyber risk learning with the experiencing in applying the learning?
aim of bolstering the ‘human firewall’
approach to against cyber attack. Suffice to say that
4. Is there a process for monitoring
employee attendance along with an
cyber risk a 90% learning penetration is a healthy
evidenced process for the follow-up
metric, and it would be challenging to
learning with reach and sustain 100% compliance, but
on non-attendees?
5. Does risk management and / or
the aim of identifying the ‘10%’ at the front of the
information security feature in the
learning initiative and understanding a
bolstering little more about the human environment employee induction?
that learning is going to be applied in,
the ‘human will positively inform the delivery and
6. Are there current or future plans
to assess the risk culture of the
firewall.’ monitoring assumptions of existing cyber organisation?
risk learning strategy.
Whether that be the discovery that For you, IT risk and
truculence, not absent mindedness, are operational risk
the root cause of non-participation or 1. Does your organisation use a balanced
something else, either way, understanding score card where inappropriate
as much as possible about the existing information risk taking is measured?
cyber risk management ecosystem is just
2. Does the root cause analysis
good governance.
process, following a breach,
include the extent human factors
Getting started contributed to the incident, including
environmental components such as
Try asking the following questions within
poorly documented procedures or
your organisation
unnecessarily complex risk controls?
Chapter 13
Management Organisation. London:
Brinkerhoff, Robert O. The success case Taylor & Francis, 2011. Print.
method find out quickly what’s working
and what’s not. San Francisco, Sitkin, Sim B., and Amy Pablo.
CA: Berrett-Koehler, 2003. Print. Reconceptualising the determinants
of risk behavior. Austin: Dept. of
Hutchins, Eric. “Intelligence-Driven Management [University of Texas at
Computer Network Defense Informed Austin], 1991. Print.
by Analysis of Adversary Campaigns and
Intrusion Kill Chains.” Lockheed Martin Kahneman, Daniel, Paul Slovic,
(2010): Print. and Amos Tversky. Judgment under
uncertainty: heuristics and biases.
Kirkpatrick, James D., and Wendy Kayser Cambridge: Cambridge University Press,
Kirkpatrick. Training on trial how workplace 1982. Print.
learning must reinvent itself to remain
relevant. New York: American Management
Association, 2010. Print.
Webster, Ruth, and David Hillson.
Managing group risk attitude. Aldershot,
England: Gower, 2008. Print.
Rose, Andrew. “Reinvent Security
Awareness to Engage the Human Firewall.”
The S&R Practice Playbook. (2013): Print.
Multiple Authors. “Risk Culture.” IRM
(2012): 1. Print. Available from:
http://www.theirm.org/RiskCulture.html
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
The
that costs and expenses
inadequate
attention to the
of data breaches which
risks may have
result in the wrongful
contributed
todisclosure
potential of personally
breaches being information
identifiable
overlooked.
can be wide ranging.”
Chapter 14:
C hapter 1 4
Information security
and privacy risk
transfer – insurance
solutions
run the risk The costs and expenses of data breaches Data breaches can occur in a number
which result in the wrongful disclosure of ways including attacks to companies’
of either of personally identifiable information can networks from malicious code, viruses,
being crippled be wide ranging. According to the 2013 or less exotic offline issues such as lost
Annual Study: Global Cost of a Data Breach laptops or other portable devices, loss of
by attacks conducted by the Ponemon Institute, physical documents, or simply forgetting
the average cost of a data breach to an to shred documents before disposing
against their organisation in 2013 out of the countries of them. Regardless of how it happens,
networks or surveyed ranged from $1.1 million (India) an organisation must take certain steps
to $5.4 million (US). Similarly, organisations once it becomes aware that personally
losing valuable run the risk of either being crippled by identifiable information may have been
proprietary attacks against their networks or losing compromised. As a matter of best practice,
valuable proprietary information which those steps typically include consulting
information can result in extensive first party losses. with legal counsel, conducting a forensics
Although each scenario has its own set investigation, notifying and providing
which can result of unique factors, the costs and expenses remediation services to potentially affected
in extensive first incurred by the victim organisations remain individuals, consulting with a public
fairly consistent. Since the early 2000’s, the relations firm, and establishing a call centre
party losses. insurance industry has offered specific risk to field questions. Similarly, companies must
transfer solutions to help offset the financial take certain steps if cyber attacks result in
impact to companies that can result from network down time or loss or corruption of
the ever growing litany of information their valuable digital assets.
security and privacy threats they face.
Since the vast majority of companies are
You have in previous chapters been not set up to engage in these actions on
presented with an analysis of costs and their own (nor is it advisable to do so),
expenses that are largely uninsurable. This they must engage with third parties. While
chapter examines financial elements that these actions generate additional costs,
may be transferred to a dedicated security many studies have shown they can be the
& privacy or “cyber” insurance policy that difference between restoring the trust of
result not only from data breaches, but also customers and permanently damaging a
from failure to comply with the provisions company’s reputation.
contained in dynamic privacy legislation.
Chapter 14
10-15 years developed products that cover A forensics investigation determines the
A forensics
many of the specific costs and expenses severity and scope of a breach involving
investigation that can result from a data breach or compromised computer systems or
determines privacy incident and which typically fall networks. It is considered a crucial step in
the severity outside the scope of traditional Property the post breach response process since it
& Casualty insurance policies like General helps victim companies accurately assess
and scope of a Liability, Property, and Professional Liability. the situation before going public. Time and
breach involving In the following section, we will further time again, companies that act too quickly
compromised analyse specific costs and expenses to publicly disclose details of a data breach
associated with information security and may actually worsen the situation and suffer
computer systems
privacy incidents that can typically be additional long-term costs. The costs are
or networks. transferred to a dedicated insurance also higher than average even in situations
policy including: where companies are simply complying
1. Forensics Investigation with local laws and regulations that compel
notification within short timeframes.
2. Notification of third parties According to the same Ponemon 2013
3. Call Centre Administration Annual Study: Global Cost of a Data
Breach companies that notify quickly ended
4. Fraud Remediation Services up paying up to $37 more per record
5. Public Relations compared to the average by companies
that took the appropriate time to analyse
6. Legal Advice, Defence, & Settlement the event. In addition, there have also been
7. Regulatory Proceedings, Fines, cases in which breached companies that
& Penalties skipped a forensic exam mistakenly notified
unaffected customers.
8. Business Income Loss
A forensics exam can be performed
9. Restoration of Electronic or
either by a company’s internal staff or an
Digital Assets
outsourced third party. However, internal
10. Cyber Extortion Costs investigations can inadvertently lead
and Expenses to destroyed evidence or questionable
authentication, so third parties are typically
engaged to ensure quality and maintain
objectivity. This is particularly important
in the context if third party lawsuits and
regulatory investigations that might take
place after the event. Companies are
generally in a more defensible position
having engaged an objective third party.
In the European Union, legislation has been Additionally, Massachusetts and other
Chapter 14
proposed that would update the current states have adopted “compliance” models
comprehensive EU Data Protection Directive that allow for less stringent reporting
by changing it to a regulation. In addition requirements when specific security
to greater uniformity and centralized measures such as encryption are in place
enforcement, the proposed regulation at the time of the breach. One of the
includes a data breach notification provision goals behind this approach is to encourage
which imposes a broad requirement to companies to take proactive steps to protect
provide notification if personal information personal information.
of EU citizens is compromised. The
Countries in other regions such as
proposed penalties for non-compliance are
Mexico, the United Arab Emirates (Dubai
severe and could be quantified by assessing
International Financial Centre), Japan, and
up to 2% of the company’s global annual
New Zealand have all passed notification
turnover. The proposed changes are being
laws so this issue is clearly on the radar of
considered for adoption in 2014 with
politicians and lawmakers all over the globe.
expected enforcement beginning in 2016.
While the impact of notification laws is not
In the US, forty-six states, the District intended to be punitive towards companies
of Columbia, Puerto Rico and the that hold sensitive personal data, the end
Virgin Islands have enacted data breach result is a guarantee that a company will
notification laws. The state laws require incur additional expenses if they lose such
companies or individuals that maintain information.
unique personally identifiable information
Notification costs can vary depending
of individuals to notify those individuals
on the number of records or individuals
if such information is lost, stolen or
affected. A scaled approach is common
otherwise compromised.
with the charge per notice gradually
While the basic purpose of each state decreasing as the number of records or
notification law is similar, differences arise individuals increases. Costs can range
in the specific process required such as from $.50 to $5 per notice. The cost can
the use of U.S. Postal Service, certified be impacted by whether the customer
mail, or other special delivery. A breached database has been kept up to date with
company will need to review each state’s current contact information and where the
specific requirements, which is a time individuals are located around the globe.
consuming and costly process on its own. Address validation and establishment of
Many companies hire third party law firms secondary contacts will also increase the
or consultants to assist in determining overall cost. Average notification costs
applicability of state notification laws after based on the Ponemon Global report
a breach has occurred. ranged from $22,232 in India to as much
as $565,020 in the US.
The direct legal expenses associated concerns. Costs are typically calculated by
Chapter 14
“the odds of a While credit monitoring services are focused Public Relations
Chapter 14
primarily on financial elements like credit In addition to the actions already
firm being sued history and account activity, services such as mentioned, companies may engage an
identity monitoring go further by tracking external public relations firm that specializes
are 3.5 times activities relative to medical, employment, in damage control to help mitigate harm
greater when and other types of fraud. One service to its reputation caused by a data breach.
may be more appropriate than the other The direct cost of obtaining a PR firm is
individuals suffer depending on the type of information covered under most security & privacy
financial harm, compromised during a breach along with policies, however the indirect adverse
the global jurisdiction in which it occurred impact on the company is more difficult to
but 6 times and where the affected individuals reside. insure. According to the 2013 Ponemon
Global Study, lost business costs can
lower when the Generally, the number of potentially
account for a significant amount of overall
affected individuals that take advantage
firm provides of such services when offered is very low. costs to the organisation. At the lowest
end of the scale, companies from India
free credit However, research suggests that the need
experienced an average of $283,341 in lost
for these services is increasing. A 2013
monitoring.” Identity Fraud Report conducted by Javelin business while US companies experienced
Strategy & Research found that “1 in 4 data an average of $3,030,814 in lost business.
breach notification recipients became a While the amounts of lost business resulting
victim of identity fraud in 2012, compared from the breach are generally not covered
to less than 1 in 5 in 2011.” The report also by most insurance policies, the direct
suggests that while credit card information expenses incurred to notify, provide credit/
may be the most popular target of attacks, identity monitoring, and wage a public
other elements of personally identifiable relations campaign are covered and can
information may be more useful for have a direct impact on reducing the
committing fraud. amount attributable to lost business.
Issues can also occur relative to a company’s following a data breach. For example,
Chapter 14
service offering. An organisation with consider an IT service provider that needs
business customers may experience to disable key security functionality for
errors and omissions (E&O) claims that several hours during a network upgrade
allege negligence in professional services performed for a third party.
Looking at this issue in the liability context One example of a Federal law is the Privacy
is particularly important due to the average Rule under the Health Insurance Portability
costs that victims may incur if actual and Accountability Act of 1996 (HIPPA),
identity theft takes place after a breach which outlines basic requirements for
since those expenses may well be used to healthcare organisations regarding the
effectively quantify damages. Depending handling of Protected Health Information.
on the nature of information compromised, As part of the American Recovery and
there may also be allegations of emotional Reinvestment Act of 2009 (ARRA),
distress which can drive up costs and the Health Information Technology for
influence the company’s decision to settle. Economic and Clinical Health Act (HITECH)
established a tiered civil penalty structure
for HIPAA violations. Fines can range
from $100 per violation to a maximum
of $1.5 million. The Department of Health
and Human Services has already fined
several entities as a result of violations
of the Privacy Rule.
Chapter 14
foster good will between the company governments have well established
and the regulator. However, the costs of legislation and high penalties of several
an investigation remain significant given hundred thousand dollars.
the need for specialized counsel and the
In addition to government regulatory
cost of potential fines or penalties. Fines
bodies, there are also non-government
and penalties may or may not be insurable
entities that set best practice standards
depending on jurisdiction and the actions
and set contractual fines and penalties for
of the company.
non-compliance. One such entity is the
In the UK the Information Commissioners Payment Card Industry Security Standards
Office (ICO) is empowered to issue fines Council that was established by the major
of up to £500,000 to organisations in payment card brands in 2006. The Council
breach of data protection laws which are established the Payment Card Industry
frequently broken within cyber security Data Security Standard as a uniform best
events. Since it was given the powers to practice requirement for any company that
issue Civil Monetary Penalties in April 2010, processes, stores or transmits credit card
the ICO has issued over £4.6m of fines information. The Council engages third
against organisations. party vendors to assess compliance levels
of organisations subject to the standard.
The range in financial penalties varies
Non-compliance can result in fines or
significantly across the globe with some
penalties. Fines can range from $5,000
countries / jurisdictions yet to apply a
to $100,000 per month.
structure of fines, to the courts ascertaining
the costs of damages right through to the
fines awarded by the Brazil and Mexico
authorities of over US$1.5m (€1.155m).
dependent business income loss many dedicated policies that will pay
sophistication The sophistication and scope of modern for “dependent business income loss”
or essentially, the downstream BI loss a
and scope of cyber attacks can easily cripple a company’s
company incurs due to a network outage
network which in turn can prevent the flow
modern cyber of commerce and in some cases, result in caused by a cyber attack or security incident
the loss of income. For example, an entity aimed at a service provider on which the
attacks can that conducts most of its business online company relies to maintain their network.
easily cripple with no physical storefront locations is Those traditional policies that provide any
at great risk of business income loss if a level of coverage for this scenario typically
a company’s security event such as a virus, malicious do so to an even more limited extent than
direct BI loss.
network which code, or distributed denial of service attack
brings their website or network down for a
in turn can period of time. Many traditional insurance Restoration of electronic
policies are designed to cover business or digital assets
prevent the flow income loss if it results from a physical Many companies operate on the
of commerce peril such as a storm, fire, wind, flood, assumption that workers will have access
etc… However, coverage may not apply to critical data. The rise in use of new
and in some if the BI loss is caused by a network security technologies like cloud computing and
cases, result event. Traditional policies that do provide mobile devices means that companies now
coverage typically do so in a limited capacity have the ability to collect, store, access,
in the loss with a narrow coverage trigger and a small maintain, and share more data than ever
sub-limit. before. In order to harness these new
of income. technologies, data must be converted
Many dedicated security & privacy policies
to electronic or digital format. This mass
contain an element of first party loss
movement towards digitisation acts as
designed to cover net income before
a double edged sword in that it creates
taxes an organisation incurs during the
unprecedented efficiencies and enables
measurable period in which they are
progress while at the same time makes
unable to generate revenue after a network
companies more susceptible to the perils
security incident or cyber attack takes
of cyber attacks than ever before.
place. Some policies are also triggered by
administrative errors or general system
failure independent of a cyber attack.
Dedicated coverage solutions also typically
include a provision for extra expenses the
company incurs to minimize, avoid or
reduce the measurable outage.
Chapter 14
specifications, blue prints, financial, As the cyber threat environment has
competitive, private or confidential evolved, so too have the methods of
information that is maintained by a “cyber extortionists”. Threats from
company in electronic or digital format are individuals purporting to steal valuable
considered highly valued intangible assets information from a company unless they
that if altered, destroyed, corrupted, stolen, are paid a sum of money still exist, however,
or otherwise compromised as a result of a cyber extortionists are becoming more and
cyber attack or other security incident, will more sophisticated in their methods. “Old
result in significant first party expenses to school” types of threats have given way to
restore or recollect. Dedicated security & malware referred to as “ransomware” that
privacy insurance policies typically pay out often freezes a victim’s computer or takes it
for the expenses to first determine whether hostage unless the end user pays a sum of
the data can be restored or recollected. If money to the extortionist. Another type of
it can be restored or recollected, insurance malware referred to as “scareware” baits
policies may pay for additional costs to the end user into clicking on a link that
actually restore the data to its original form. appears to be from a legitimate security
While the intrinsic value of intellectual firm by first creating the false perception
property is not covered by security & that a virus exists on their machine and
privacy policies, the fact that direct costs needs to be removed.
are included may provide some cushion
These types of incidents tend to be small
to mitigate the impact of the incident.
scale for the time being, however, the use
Incidents resulting in the loss, corruption of new technologies to carry them out
or alteration of digital assets represent will only serve to increase the frequency
only a small fraction of the overall claims of attacks. According to a recent press
submitted to insurance carriers offering release, the FBI’s Internet Crime Complaint
dedicated security & privacy policies so Center (IC3) received 289,874 complaints,
there is limited actual loss data from averaging more than 24,000 complaints
which we can draw a firm conclusion per month in 2012. It is clear from the
on the average costs, however, there are numbers that companies must be prepared
several benchmarks that act as guideposts. to deal with the financial impact which
The post incident process is very similar to can manifest itself in the form of forensics
other types of security and cyber events investigations and actual payments to
in that it may require the expertise of an perpetrators.
outside forensics investigation firm to
fully realize the scope and severity of
the incident. Companies may also incur
costs in implementing internal disaster
recovery plans.
•W
hat is my company’s mobile device Javelin Strategy & Research, 2013 Identity
Chapter 14
usage policy? Is BYOD enabled and Fraud Report: Data Breaches Becoming a
encouraged? Treasure Trove for Fraudsters
•W
here, under existing traditional IC3 2012 Internet Crime Report Released:
Property & Casualty insurance policies, http://www.fbi.gov/news/pressrel/
might I have coverage for the financial press-releases/ic3-2012-internet-crime-
loss elements covered in this chapter? report-released
•D
o I have an incident response plan
Data Breach Cost: Risk Costs and
that includes “post breach” vendors
Mitigation Strategies for Data Breaches,
who will provide crisis management
Tim Stapleton, CIPP/US
services on short notice such as forensics
investigation, notifications, fraud Hit Ratios are Still Very Low for Security &
remediation, public relations, legal Privacy: What are companies waiting for?
advice, etc…? Neeraj Sahni and Tim Stapleton, CIPP/US
Sources:
Advisen Cyber Liability Insurance
Market Presentation, Jim Blinn, Cyber
Liabilities Insurance Conference, London,
February, 2013
Empirical Analysis of Data Breach Litigation
Sasha Romanosky, David Hoffman,
Alessandro Acquisti, Carnegie Melon
University, Temple University
NetDiligence Cyber Risk Claims 2013 Study,
Mark Greisiger
Symantec/Ponemon Institute 2013
Cost of a Data Breach: Global Analysis
Practical Law Company Multi-Jurisdictional
Guide 2012/13, Data Protection
Digital Transactions “Mass Reissuance May
be Overkill in Merchant Breach Cases”
www.digitaltransactions.net/index.
php/news/story/1274
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
This
that chapter explores
inadequate
attention to the
themay
risks areas
have in which
investment may be
contributed
to potential
required
breaches beingto deliver an
effective information
overlooked.
security programme.”
Chapter 15:
C hapter 1 5
Investing in
cyber security
Chapter 15:
Investing in cyber security
Matt Hillyer
Introduction People
Chapter 15
As both the risk and regulatory pressures The investment in training and awareness
around cyber security continue to increase sessions for your people can be a very
more and more organisations have or will effective way to mitigate a number of
begin to look at investing in comprehensive cyber and other information security risks.
information security programmes. For This element of an information security
some organisations the current perceived programme can also provide good evidence
impact of an information loss is less than of effective controls should an employee’s
the potential cost of investment but as the actions lead to a cyber breach.
chapter titled ‘Iceberg impact of a loss’
demonstrates the true cost of an incident is
ever growing when organisations consider
the indirect as well as direct costs of an
incident. Indeed the upward trend in
regulation particularly the EU Data Privacy
IT can only
Regulation and the proposed EU Cyber
Security Directive
provide part
will dramatically change the penalties
for getting it wrong.
of the
This chapter explores the areas in which solution.
investment may be required to deliver an
effective information security programme
and considers some of the additional
business benefits which may be realised on
top of the risk mitigation. The chapter will
review investment against three headings:
• People
• Process
• Technology
Chapter 15
In general an in-house programme takes around 3 to 4
weeks to write followed by a further 3 days for any refresh
In House Training Course of content for future courses. In addition there will be the
costs of taking people out of the business for the day and
any travel or facility costs.
Accredited Cyber Risk courses are now available and cost
External Training Course
around £1,500 for a 3 day course
As a guide an e-learning package costs around £3,000 –
£5,000 per 20 minutes of content dependent upon the
E-learning package
level of customised graphics and interaction required.
Similar costs would be required for updating the material
Communications programmes can vary hugely in costs but
as a rough figure to fulfil a training brochure to a 10,000
Communications Campaign
employee business would cost around £3,500. Costs will
rise if promotional posters and other collateral are required
•T
ailored to your specific • T ime and resource consuming
In House business needs to develop
Training Course • L ow cost to replicate •O
ngoing requirement to refresh
once it is developed the content and keep it up to date
•C
ostly if required for a large employee
•E
xpert content, always up
External base – more suited to specialist roles
to date and leading edge
Training Course •N
ot necessarily aligned to business
• No setup time required
requirements
•C
an be easily deployed
to remote workers •O
nly suitable for limited amounts
E-learning
•A
ble to test of content per session to maintain
package
understanding with user interest
interactive quizzes
•R elatively easy to reach a
• P ush only messaging which may not
large audience at low cost
Communications be understood or acted upon
• Variety of support media
Campaign • Needs to be supplemented by
available to reinforce
additional training to embed learning
messages
Process •B
usiness Continuity Planning and Testing
– The development of business continuity
Enhancing existing business processes and documentation and
adopting new ones can also address a
•C
ontrols Testing – The regular and
number of cyber risks. With any investment
systematic testing of the information
it is about knowing which areas will make
security controls in place
the most difference to your organisation.
The Department of Defence within the • T hird Party Compliance – The adherence
Australian Government set out 4 processes of suppliers to the information security
which they state could prevent 85% standards required by your business.
of targeted cyber intrusions within the
Defence Signals Directorate:
•U
se application whitelisting to help
prevent malicious software and other
unapproved programs from running
• P atch applications such as PDF readers,
Microsoft Office, Java, Flash Player and
web browsers
Chapter 15
Technology can be both an effective and Having a clear understanding of current
costly way to tackle cyber risk and creating weaknesses or awareness of gaps against
a compelling argument for why you should certain quality standards can help focus
invest in a particular system or piece of an organisation on where to prioritise
software is key. Most likely, as with both investment. The following approaches are
People and Process related investments, examples of how you could graphically
you will not be able to invest in everything. represent current performance.
As stated in the introduction to this Cyber
The first approach is taken from the Good
research, “100% security is expensive,
Practice Guide issued by the former FSA,
intrusive and rarely achievable in the fast
now the FCA. Section 4 of the guide lists
paced world we live in”. Therefore, getting
examples of the good and poor examples
the balance right of investing in technology
of data security and by extrapolating the
to prevent cyber losses and in technology to
good practices, organisations can evaluate
respond to incidents when they happen is
their level of good practice knowing these
very important. Typical areas of technology
have already been baselined within the
investment include:
financial services industry. By assessing on
• L ogical Access – The controls around a predetermined scale and utilising a RAG
authorisation and authentication on status approach to identify performance
information systems gaps against the guide, organisations can
•D
ata Loss Prevention – The systems used see where to focus their attention which in
to identify and prevent the unauthorised this case, is on access management and one
loss of data from systems control of laptops. In the example chart on
page 228, five levels of compliance were
• L ogging and Monitoring – The
used as shown in the table above the chart:
technology used to capture and trend
access data to identify possible breaches
• P enetration Testing – The testing of
IT security through the simulation of
external attacks
• S ecurity Architecture – The IT systems
capabilities to protect information
within it.
12
10
■ Green
2
■ Amber
0 ■ Red
Access rights
Access to the
internet and email
Data backup
Disposal of
customer service
Governance
Laptops
Managing third
party suppliers
Monitoring access
to customer data
Passwords
and accounts
Physical security
Training and
awareness
Chapter 15
to, determining levels on compliance
against ISO 27001 is also possible in graph
form and in this case it also has some
additional controls for the FCA Good
Practice Guide shown opposite. In this
instance, the originator of the assessment
clearly has some further research on the
“unknown” areas but has some clear
non-compliance in incident management,
access control and compliance with legal
requirements whilst potential gaps exist in
two other areas but need to be validated.
Security policy
Organisation of information security
Asset management
Human resource security
Secure areas
Communications and operations management
Access control
Information systems acq’n, development and maintenance
Information security incident management
Business continuity management
Compliance with legal requirements
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Chapter 15
programme can bring a number of http://www.itgovernance.co.uk/
1.
benefits to your organisation: shop/p-1408-managing-cyber-
•G
reater organisational awareness of security-risk-training-course.aspx
cyber risk and its potential impact on 2. ICO, Data Protection Regulatory Action
the business Policy – version 2.0, August 2013
• Internal transparency on cyber risks 3. FSA, Data Security in the Financial
and the controls in place Services, April 2008 accessed via
•C
lear compliance with external http://fca.org.uk/firms/being-
regulatory controls regulated/meeting-your-obligations/
•D
emonstrate strong business practices firm-guides/information-gathering/
to investors data-security
• Improved business performance http://www.dsd.gov.au/infosec/
4.
•C
ompetitive advantage through a top35mitigationstrategies.htm
stronger customer value proposition.
1 Which areas associated with cyber risk is it mandatory for the organisation to invest in?
2 What are the information ‘crown jewels’ which the organisation must protect
4 How much would it cost a 3rd party to obtain this information and what could it be
worth to them?
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
In recognition of the
that inadequate
seriousness
attention to theof the threat the
GCHQ
risks may is supporting a number
have
contributed
of initiatives and schemes
to potential
to help protect information
breaches being
systems in the UK and build
overlooked.
the necessary cyber capability
within the workforce.“
Chapter 16:
C hapter 1 6
Cyber risk
management – how
do I know I have the
right people?
Cyber-attacks Cyberspace continues to revolutionise how security arm of GCHQ, and working with
Chapter 16
many of us live and work. Alongside the BIS and the Centre for the Protection of
were listed huge business and social benefits of 24 National Infrastructure (CPNI), a high level
hour global connectivity comes a host of guide outlining the ten steps to cyber
as a Tier 1 risks to the availability, integrity and security security was published in 2012, illustrated
threat to our of the information we hold. The seriousness in Figure 16.1. Whilst it is not an exhaustive
of the threat posed is recognised by the UK guide, it does set out clear, practical steps
national security, government in its 2011 National Security which senior executives should direct to
alongside Strategy. Cyber-attacks were listed as a Tier be taken to improve the protection of
1 threat to our national security, alongside networks and the information they carry.
international international terrorism.
The National Security Strategy also
terrorism. In recognition of the seriousness of the recognised the nascent rise of cyber threat
threat and the huge opportunities of a has left a global shortage of individuals
digitally connected world, the Government with the appropriate skills, knowledge and
Communications Headquarters (GCHQ) experience to mitigate it. As a developed
is supporting a number of initiatives and country, rich in cutting edge research,
schemes to help protect information design, financial services and intellectual
systems in the UK and build the necessary property, the UK has been a persistent
cyber capability within the workforce. target for cyber criminals and sophisticated
GCHQ’s work forms part of the National attacks. Whilst GCHQ has traditionally
Cyber Security Program (NCSP) which is a concentrated on HMG information systems,
cross government strategy involving key it is now working as part of a cross
players such as the department for Business government initiative to bring academia
Innovation and Skills (BIS), Cabinet Office and industry together to grow the skills
and the Engineering and Physical Sciences base and improve the cyber security of
Research Council (EPSRC). UK plc, to more effectively and efficiently
mitigate the cyber risk.
A critical step in the strategy is to help
place responsibility for cyber security at There are a number of key programmes in
board level. Happily, this doesn’t require place to achieve this:
board members to have a deep technical
knowledge but it does require them to
acknowledge that risks to information
should be treated in the same way as
financial or business risks, especially as
threats and vulnerabilities are constantly
changing. Through CESG, the information
Chapter 16
Chapter 16
accredit MSc courses in cyber security to
make it easier for prospective candidates standards for
and employers to recognise those MSc
courses which are seen as meeting a good
cyber security
standard – this is planned to go live in professionals;
autumn 2014. Masters in cyber security
subjects provide a number of benefits developing and
including a bridge between STEM degrees supporting the
and cyber security specialisms, and are
also a great way for people in mid-career talent of the future;
to ‘top-up’ their knowledge or move into
cyber security as a change of career path.
and creating the
For more information on GCHQ Academic right environment
schemes please visit: for cutting edge
http://www.cesg.gov.uk/
awarenesstraining/academia/Pages/
research in cyber
index.aspx security, GCHQ is
acting as a catalyst
Summary for change.
These initiatives are just a snapshot of
the work GCHQ is involved in alongside
its partners in government, industry
and academia “to build the UK’s cross-
cutting knowledge, skills and capability to
underpin all other cyber security objectives
by extending knowledge and enhancing
skills”. By setting standards for cyber
security professionals; developing and
supporting the talent of the future; and
creating the right environment for cutting
edge research in cyber security, GCHQ is
acting as a catalyst for change.
Risks
‘‘
QUOTE HERE
Chapter 16: Managing Business Opportunities and Information Risks
***of were
avoidable and
it is suggested
Asinadequate
that the cyber
attention to the
environment evolves,
risks may have
risk management
contributed
toand internal audit will
potential
breaches
need to being
keep pace.”
overlooked.
Chapter 17:
C hapter 1 7
Auditing cyber risks
Chapter 17:
Auditing cyber risks
David Canham
17 http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/
•3
rd Line – the internal audit function, will also provide additional assurance and
C h ap t e r 1 7
providing assurance on how the first and may also conduct “deep dive” reviews of
second lines of defence are working by certain areas.
conducting independent reviews on a
Clearly not everything can be audited all
risk based basis.
the time – how limited resources should
This model is represented diagrammatically be allocated is a key factor. In a large
in Figure 17.1. This diagram is taken from organisation the complexity and legacy
the IIA publication “What Every Director infrastructure issues will lead to difficult
Should Know About Internal Audit” which decisions on where best to deploy internal
contains further useful information and audit resources. In an SME audit, resource
which can be accessed here: may need to be shared or procured
http://www.iia.org.uk/media/481822/ through a contract and ensuring that this
what_every_director_should_know_ is deployed to the most appropriate risks
4-4-13_web_version.pdf. is essential to achieving maximum value.
In either case a thorough assessment of the
Traditional audit activity is planned using
risk profile provides a framework for these
inputs from previous audits, a review of
decisions to be made and will stand the test
the organisation’s risk register, a view on
of external scrutiny with regulators if there
external trends and cyclical reviews on core
was to be an incident. The organisation can
processes. Reviews are carried out using
legitimately argue that it was adequately
a combination of interviews and testing
managing the risks and prioritising audit
of controls, the results are analysed and
tasks based upon the risks.
reported and action plans developed based
on a severity rating. External audit partners
Senior management
Regulator
Financial controller
Security
Management Internal
Risk management Internal audit
control control
measures Quality
Inspection
Compliance
This chapter will now examine the Phase 0 – high level planning
Chapter 17
Phase 0
Part A
High level
planning
Phase 5 Phase 2
Report & opinion Business analysis
Audit
subject
Phase 3
Phase 4
Evaluate risk
Test effectiveness
& control
C h ap t e r 1 7
internal audit teams are now adopting networks have varying degrees of
Most extended
a more flexible approach based around openness towards their suppliers. As
enterprise rolling plans on a “three plus nine” or cloud provision increases (see chapter 7)
networks have “six plus six” basis. Detailed guidance on some providers have been reluctant to
varying degrees risk based audit planning can be found on let customer organisations’ internal audit
the Institute of Internal Auditors website teams in to challenge and assess against
of openness www.iia.org.uk based around models their own control environment. Whilst it
towards their such as the four step model for financial is understandable that cloud providers
suppliers. services outlined below in figure 17.3. might want to avoid being inundated
by customer inspection regimes, this
In the modern organisation there will be
clearly presents a problem for the internal
a network of internal and external parties
auditor who can find themselves reliant
that will impact and influence the audit
on vendor standard third party assurance
plan. For instance specific contract terms
assessments or limited data obtained from
may be required to allow the organisation
remote access to a vendor. This is an issue
to review processes involving suppliers
that the internal auditors need to identify
and outsourcers. Utilising standards such
early on. Ideally they should influence
as ISAE3402 (a global assurance standard
the contractual wording for such service
for reporting on controls in service
provisions otherwise they could find their
organisations) may provide comfort.
role undermined at the point of audit two
Regulators may also direct an audit of
or three years into the contract.
certain activities should an organisation
ed internal aud
bas it p
si k nce mapp la
R
ssura in
A g
n
4.
3.
ling & asse
rofi ss
kp Assurance map: Optimising assurance across all lines of defence
m
Ris
en
2.
1. Business Risk universe: Potential areas that could break our business
model &
operating
environment Audit universe: Potential areas of assurance
Source: IIA
For evolving Phase 1 – assignment planning matrix from this information which will
Chapter 17
Once the plan has been created inform testing and help in the formulation
cyber threats individual audit assignments can take of findings which will be logged as the
place. Terms of reference should be review progresses and help inform the
a different produced, in conjunction with the final reporting.
way of front line management, outlining
the scope of the internal audit Phase 4 – test effectiveness
thinking may activity and taking into account: Once the risk and control matrix is in place
be required. • t he key stakeholders that need
and the processes mapped and understood,
testing can take place utilising a mix of
to be engaged
1-2-1 interviews, technical testing via 3rd
• an estimate of the time required, and
parties e.g. firewalls, PCI DSS compliance
• a n assessment of the risks and and reviews of 3rd party controls through
controls which will form the basis interaction with suppliers. The findings
of the audit activity. of this process and issues identified will
ultimately lead to the final audit report.
Phase 2 – business analysis
As the review begins and internal
Phase 5 – report and opinion
auditors arrive on site, the first activity
The final stage is the production of the
undertaken is business analysis.
audit report. The findings are graded on
This process is important to establish a
an organisational risk materiality hierarchy.
common view of the process environment
There is usually an expectation that
to be reviewed. This can take the form of
management will remediate in line with
review of process manuals, the creation
this rating. A higher rating usually dictates
of process flow charts and / or narrative
a need for a more speedy resolution plan.
describing how processes that are subject
The aggregated view of all audits in a
to audit operate and will be reviewed. In
specific control area will form an “audit
addition a control register of the points of
opinion” which is reported periodically to
key controls should be created, firstly as
the board, audit committee and, if relevant,
part of identification process and secondly
external interested parties.
to enable effective testing and alignment
to the risks being reviewed. It makes sense to follow a set pattern
to ensure quality and integrity of the
Phase 3 – risk and control analysis organisational audit plan but the traditional
The second stage of the on site process process takes time and is set alongside the
is the analysis of the organisational risk control environment of the organisation
register. This will link the controls identified concerned. With a fast paced cyber
in the business analysis phase to the risk environment a traditional approach may
register and also identify any areas where be sufficient for data security controls
gaps exist in the risk register. The internal but for evolving cyber threats a different
auditor will typically build a risk and control way of thinking may be required.
C h ap t e r 1 7
important in planning and assessing
to the Cyber Environment the risks within an organisation.
So when applying the traditional approach With a reluctance to report and share
to the “cyber environment” there are a information on breaches in the private
number of considerations including and sector particularly, reviewing of publically
not limited to: available information in planning, utilising
informal links between companies and
High level planning reviewing industry databases such as
The scope of the planning phase of ORIC (in the insurance sector) can assist
the audit programme must consider making the organisational audit plan
the expanded cyber threat landscape. more comprehensive.
Traditionally audit plans have been
built around the organisational process Control and remediation
map and risk register but in a “cyber” Throughout the research for this document,
environment additional external factors the authors have highlighted control
need to be considered, as described areas and practical advice across the
elsewhere in this document, for example: organisational cyber landscape. From
an audit viewpoint the threat landscape
• Increasingly, as found in the IRM SIG’s is extensive, from internal to external,
research there will be a network of financial to franchise, criminal to disruptive.
suppliers, 3rd parties and advisors across Essentially when creating the test plans
the organisation. There are a number of and the risk and control matrix the internal
ways of assuring compliance and control auditor needs to consider not just the
through accredited standards but the controls in place but the mix of controls.
internal auditor needs to decide if this At a high level the internal auditor should
satisfies the level of assurance the parent consider the following control types:
organisation requires to meet its own
risk tolerance. •P
reventative – controls designed to
prevent a specific event from occurring
•O
rganisations need to have sufficient
or a risk crystallising such as segregation
monitoring mechanisms in place to give
of duties. Data loss prevention (DLP)
proactive warning of cyber intrusion.
solutions are becoming more common
Traditional controls around security such
place and questions should be raised
as policies, procedures, firewalls etc.
where these do not exist or are
are subject to internal audit scrutiny
inconsistent across a larger enterprise.
but increasingly the internal auditor also
Malware protection needs to be up
needs to consider the wider requirement
to date and in line with the more
for more proactive and enterprise-wide
sophisticated attacks seen across many
monitoring and scanning. For example
industries. Another preventative control
does the organisation have a security
may be the auto-patching processes to
operations centre?
reduce the likelihood of zero-day attacks.
Traditional •D
etective – controls that are designed to Despite this there has to be a degree
Chapter 17
18 A responsibility assignment model defining roles and identifying who is “Responsible, Accountable,
Consulted or Informed.”
Pace of audit •C
lose attention should also be given to
C h ap t e r 1 7
With a fast paced threat landscape the behavioural aspects of cyber risk –
Early stage surrounding the “cyber” environment the actions and motivations of individuals
input into the traditional approach to auditing has – as well as the technical and process
to be questioned. There is clearly a place aspects of information security.
contractual for the traditional based control testing • Internal auditors must keep their
terms may around the organisation’s information knowledge of cyber risks up to date to
control environment but there is also the be able to provide assurance in respect
be needed to consideration of what role does internal of their management. This should cover
audit play in the investigation of an
ensure that incident. Organisations have established
both pro-active and reactive controls and
the use of external intelligence.
assurance processes for dealing with the immediate • Internal audit, risk management and
aftermath of a “cyber event” but the
can be forensic investigation into the weaknesses
operational management should work
closely together to share information
obtained. leading up to the event and the impacts about cyber risks. The internal auditor
could benefit from independent oversight. should not be seen as the ‘headmaster
marking homework’ but as an integrated
Conclusions and part of the risk management process
working with the 1st and 2nd line
recommendations assurance functions to share intelligence
As the “cyber” environment evolves so and validate control responses.
does the need for risk management • T he independence brought by internal
and internal audit to keep pace. Our audit should be a valuable part of the
recommendations are as follows: investigation process after an incident
•C
yber risks, in their broadest sense and or as a response to unusual patterns of
including, for example, social media activity picked up in monitoring.
risks, are likely to be a significant future
risk area for most organisations and Reading list and websites
this should be reflected, following a 1. Institute of Internal Auditors accessed
risk-based assessment, in internal audit December 2013 via
planning and execution. http://www.theiia.org/guidance/
standards-and-guidance/
• P articular attention should be paid to the
ippf/definition-of-internal-
risks associated with interaction and data
auditing/?search%C2%BCdefinition
exchange with suppliers (including cloud
services) and other third parties within 2. Institute of Internal Auditors accessed
the extended enterprise. Early stage input December 2013 via http://www.iia.
into contractual terms may be needed to org.uk/media/481822/what_every_
ensure that assurance can be obtained. director_should_know_4-4-13_web_
version.pdf
As a not-for-profit
organisation support is
invaluable in helping us
maximise our investment
in the development and
delivery of world class risk
management education
and professional
development.”
IRM CGI
T: +44(0) 20 7709 9808 Paul Hopkins
E: enquries@theirm.org Cyber Security
W: www.theirm.org Technical Authority
paul.hopkins@cgi.com
Address:
Institute of Risk Wendy Holt
Management Strategy &
6 Lloyd’s Avenue Innovation Director
London wendy.holt@cgi.com
EC3N 3AX
United Kingdom
£150