Cybersecurity Metrics: Reporting to BoD


Transcript of Cybersecurity Metrics: Reporting to BoD

Page 1: Cybersecurity Metrics: Reporting to BoD

Cybersecurity Metrics: Reporting to the Board of Directors

August 15, 2016 PRANAV SHAH ([email protected]) 1

Page 2: Cybersecurity Metrics: Reporting to BoD

Agenda

1. Cyber Threat Landscape
2. Enterprise Digital Assets at Risk of Cyber Attacks
3. Enterprise Response to Cyber Risks
4. Enterprise Cyber Risk Scorecard


Page 3: Cybersecurity Metrics: Reporting to BoD

Cyber Threat Landscape


Trends for The Who, Where, How and Why of Cyber Threats

Motivated Threat Actors (Who): Cybercriminals; Hacktivists; Nation States; Hackers; Malicious Insiders; Nonmalicious Insiders

Expanding Attack Surface (Where): Websites; Email Accounts; Cloud Accounts; IoT Devices; Third Parties; External Network Connections; Endpoints (Laptops, Mobiles, etc.)

Sophisticated Attacks (How): Phishing; Malware/Ransomware; SQL Injections; DDoS; Loss of Mobile Devices; Insider Theft; Hacking Attempts; Social Engineering

Motivation (Why): Financial Gain; Intellectual Property Theft; Theft of Classified Data; Disruption of Service; Theft of PII/Credit Card Data

Trend legend: Increasing / Decreasing

Well Funded Cyber-Crime Economy: Credit Card Number: $0.50; Email Accounts (per 1000): $20; Cloud Accounts: $7-$8; Healthcare Accounts: Up to $50; Custom Malware: Up to $3,500; DDoS Attack: Up to $1,000/day

CIS® Cyber Alert Level Indicator:

Page 4: Cybersecurity Metrics: Reporting to BoD

Enterprise Digital Assets at Risk of Cyber Attacks


What Critical Digital Assets Are We Protecting From Cyber Risks?

Number of Access Points

External Websites: 4
External Network Connections: 15
Hardware/Virtual Servers: 11K
User Email/Instant Messaging Accounts: 5K
Physical Data Centers: 5
Databases: 5K
Executive Email/Instant Messaging Accounts: 50
Removable Media Devices: 1K
Users with Privileged Access: 102
Cloud/Social Media Accounts: 10
Wi-Fi Hotspots: 25
Privileged Accounts: 25K
IoT Devices: 1K
Network Devices: 1.2K
Users with Remote Access: 1.1K
Endpoints (Laptops, Mobiles, etc.): 10K
Business Applications: 500
File Shares/SharePoint Sites: 2.4K

Number of Records of Regulated Data Stored in Our Data Centers

Personally Identifiable Information (SSN, etc.): 1.2M
Electronic Health Records (EHR): 0.5M
PCI/Credit Card Data: 5M
GLBA Records: 1.1M
European Union (EU) Personal Data: 50K
Canadian Personal Data: 10K

Trend legend: Increased 10% Risk / Decreased 10% Risk / No Significant Change in Risk

Page 5: Cybersecurity Metrics: Reporting to BoD

Enterprise Digital Assets at Risk of Cyber Attacks


What Critical Digital Assets Are We Protecting From Cyber Risks?

Number of Records of Regulated Data Stored at Third/Fourth Parties

Personally Identifiable Information (SSN, etc.): 1.2M
Electronic Health Records (EHR): 0.2M
PCI/Credit Card Data: 1M
GLBA Records: 1.1M
European Union (EU) Personal Data: 0
Canadian Personal Data: 0

Number of Digital Repositories Storing Confidential Data

Corporate Data: Product Pricing Lists 3; Enterprise Strategic Plans 2; Proprietary Source Code 5; Financial Reporting Records 10; Legal Documents 2; Pending Patents 2

Transaction Data: Sales Order Data 4; Trading Data 3; Sales Projections 6; Loans Data 7; Bank Transactions 10; Regulatory Reporting Data 3

Customer Data: Customer Lists 2; Contracts/SOWs 2; Contact History 10; Payment History 2; Web/Mobile Click Data 4; Web/Mobile Preferences 4

Trend legend: Increased 10% Risk / Decreased 10% Risk / No Significant Change in Risk

Page 6: Cybersecurity Metrics: Reporting to BoD

Enterprise Response to Cyber Risks


How Are We Protecting Ourselves Against Cyber Risks?

Investing in Cybersecurity

Budget Line Items                      CY                 PY
Technology CapEx/OpEx                  $35M/$71M          $33M/$66M
Cyber Operations CapEx/OpEx            $3M/$6.2M          $2.5M/$5.9M
Security Awareness                     $110K              $100K
Privacy Office                         $650K              $650K
BCP/DR Program Management              $335K              $335K
3rd Party Risk Management              $1.3M              $1.2M
Cyber Risk Management CapEx/OpEx       $0.9M/$1.8M        $0.7M/$1.5M
$100M Cyber Insurance - Premium        $3M                $2.5M

# of Resources Budgeted                CY    PY
Cyber Operations                       55    45
Security Awareness                     1     1
Privacy Office                         3     3
BCP/DR Program                         2     2
3rd Party Risk Management              3     2
Cyber Risk Management                  4     3

Enterprise wide Cyber Controls Are Designed and Implemented

# of Cyber Controls In Operation       CY    PY
NIST Cyber Framework                   101   85
PCI DSS v3.2                           12    12
GLBA 501(b)                            7     7
FFIEC InfoSec                          45    40
EU Safe Harbor/GDPR                    6     6
HITECH Act                             9     9
IT SOX Compliance                      24    24
Canada PIPEDA                          5     5

Performing Cyber Operations Activities - 1st Line of Defense

Additional Cyber Specific Activities Undertaken

• Joined the Cyber Information Sharing and Collaboration Program
• Responded to OCC on Newly Issued (Oct) Cyber Proposed Rules
• Coordinated with Law Enforcement on Ransomware Threats
• Launched 4 Cyber Awareness Campaigns with a focus on Phishing

Page 7: Cybersecurity Metrics: Reporting to BoD

Enterprise Response to Cyber Risks


How Are We Protecting Ourselves Against Cyber Risks?

Managing Cyber Risk and Compliance - 2nd Line of Defense: Enterprise wide Cyber Risk Management Framework Has Been Instituted

Assessing Risks and Evaluating Controls

# of Risk Assessments Performed        CY    PY
Cyber Vulnerability Assessments        35    25
IT Infrastructure Risk Assessments     12    10
Cyber Compliance Risk Assessments      3     3
3rd Party Risk Assessments             8     12
Application Risk Assessments           25    35
Privacy Risk Assessments               3     3

Auditing Cyber Controls - 3rd Line of Defense & Results of Attestation Reports/Regulatory Examinations: Enterprise wide Cyber Controls Are Designed and Operating Effectively

# of Audits/Examinations Performed         CY    PY
Cyber Internal Audits                      3     2
Cyber External Audits                      1     1
Cyber Attestation Reports (SOC1, SOC2)     4     4
Cyber Regulatory Examinations              3     1

Committees Have Been Set Up to Meet on a Monthly Basis

• Privacy Committee
• BCP/DR/Cyber Incident Response Committee
• Cyber Compliance Committee
• 3rd Party Risk Management Committee
• Enterprise Risk Management (ERM) Committee
• Cyber Risk Management (CRM) Committee

Page 8: Cybersecurity Metrics: Reporting to BoD

Enterprise Cyber Risk Scorecard


How Are We Doing in Protecting Against Cyber Risks?

BitSight® Cybersecurity Ratings Scores

Enterprise Cybersecurity Rating            CY    PY
Current Rating as on October, 2016         670   650
Minimum Rating in the past 12 months       630   640
Maximum Rating in the past 12 months       680   680

Rating of Critical 3rd Party Vendors       CY    PY
Average Rating of 3rd Party Vendors        590   570
Minimum Rating of 3rd Party Vendors        500   480
Maximum Rating of 3rd Party Vendors        690   690

Ratings Guide: High: 650 - 800; Moderate: 500 - 649; Low: < 500

Severity Level 1 Cybersecurity Incidents

Enterprise Cybersecurity Incidents              CY     PY
# of Cyber Incidents Detected                   25     18
System Downtime (Hours)                         50     40
# of Access Points Compromised                  4      4
# of Regulatory Records Leaked                  100K   0
# of Instances of Leaked Confidential Data      0      5

3rd Party Cybersecurity Incidents               CY     PY
# of Cyber Incidents Detected                   51     35
System Downtime (Hours)                         300    270
# of Access Points Compromised                  45     45
# of Regulatory Records Leaked                  210K   300K
# of Instances of Leaked Confidential Data      8      20

Critical Cybersecurity Audit/Examinations Findings

# of Open Findings                              CY    PY
Cyber Audit                                     35    28
Cyber Risk Assessment                           21    41
Cyber Regulatory Examinations                   5     4
Cyber Attestation Reports (SOC1/SOC2)           14    12

Status of Cyber Projects

Project Status            # of Projects
Budgeted/Not Started      2
On Track                  5
At Risk                   3
Off Track                 1
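The scorecard above reduces each CY/PY pair to the slide legend (Increased 10% Risk, Decreased 10% Risk, No Significant Change) and each BitSight score to a Ratings Guide band. The following is an added example, not code from the deck or its author, that implements both rules; it assumes the legend means a change of at least 10% relative to the prior year, that the risk direction depends on whether a higher value is worse for the metric, and that a prior-year value of 0 (as with the 100K regulatory records leaked) counts as a significant change whenever the current value is non-zero.

```python
"""Helpers for the slide's Ratings Guide bands and 10% trend legend (added example)."""
from dataclasses import dataclass

def rating_band(score: int) -> str:
    """Ratings Guide from the slide: High 650-800, Moderate 500-649, Low < 500."""
    if score >= 650:
        return "High"
    return "Moderate" if score >= 500 else "Low"

@dataclass(frozen=True)
class Metric:
    name: str
    current: float          # CY value
    prior: float            # PY value
    higher_is_worse: bool   # True for incidents/leaks, False for ratings/controls

def risk_trend(m: Metric, threshold: float = 0.10) -> str:
    """Map a CY vs PY change onto the slide legend.

    Assumed reading: a change of at least `threshold` (10%) relative to PY is
    significant, and its sign is translated into *risk* direction (more
    incidents = risk up, higher rating = risk down). A PY of 0 has no
    percentage change, so any non-zero CY counts as significant.
    """
    if m.prior == 0:
        if m.current == 0:
            return "No Significant Change in Risk"
        value_up = m.current > 0
    else:
        rel = (m.current - m.prior) / abs(m.prior)
        if abs(rel) < threshold:
            return "No Significant Change in Risk"
        value_up = rel > 0
    risk_up = value_up if m.higher_is_worse else not value_up
    return "Increased 10% Risk" if risk_up else "Decreased 10% Risk"

# Constructed from the Enterprise column of the slide's scorecard (CY vs PY).
SCORECARD = [
    Metric("Enterprise Cybersecurity Rating", 670, 650, higher_is_worse=False),
    Metric("# of Cyber Incidents Detected", 25, 18, higher_is_worse=True),
    Metric("System Downtime (Hours)", 50, 40, higher_is_worse=True),
    Metric("# of Access Points Compromised", 4, 4, higher_is_worse=True),
    Metric("# of Regulatory Records Leaked", 100_000, 0, higher_is_worse=True),
    Metric("# of Instances of Leaked Confidential Data", 0, 5, higher_is_worse=True),
]

def build_scorecard(metrics=SCORECARD) -> dict:
    """Return {metric name: legend entry} for the board slide."""
    return {m.name: risk_trend(m) for m in metrics}
```

Note that the 670 vs 650 rating change is only about 3%, so it lands in "No Significant Change" even though the absolute score improved.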

Page 9: Cybersecurity Metrics: Reporting to BoD

Enterprise Cyber Risk Scorecard


How Are We Doing in Protecting Against Cyber Risks?

Cyber Controls Maturity Scores

Columns: Critical Digital Assets, followed by one Current State / Future State pair per NIST CSF category (the slide lists the categories Identify, Protect, Detect, Respond and Recover; the column-to-category mapping did not survive extraction, so the pairs are given in the order they appear).

Critical Digital Assets   Current  Future  Current  Future  Current  Future  Current  Future  Current  Future
Access Points »           2.9      3.2     3.1      3.4     2.8      3.1     3.0      3.0     3.1      3.2
Regulated Data »          3.2      3.2     3.3      3.4     3.1      3.1     3.0      3.0     3.2      3.2
Confidential Data »       2.9      3.2     3.0      3.4     3.0      3.1     2.9      3.0     3.0      3.2

Benchmark Ratings » (labels and scores in the order extracted): Recover, Identify, Protect, Detect, Respond: 3.2, 3.5, 3.2, 3.3, 3.1