
INFORMATION RISK MANAGEMENT ADVISORY: Critical Infrastructure Protection. Cheryl Goh, KPMG Malaysia; Alan Chong, KPMG Australia.

Presentation transcript:

Slide 1: INFORMATION RISK MANAGEMENT ADVISORY. Critical Infrastructure Protection. Cheryl Goh, KPMG Malaysia; Alan Chong, KPMG Australia

© 2005 KPMG, a Malaysian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.

Slide 2: Agenda
1. Critical infrastructure definition
2. Who is at risk?
3. Global trends and challenges
4. Role of government
5. Recent initiatives
6. Critical infrastructure strategy
7. Risk assessment and management

© 2004 KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.

Slide 3: What is Critical Infrastructure Protection?

Slide 4: Critical infrastructure definition
- Industries, institutions, and distribution networks and systems that provide a continual flow of the goods and services essential to a nation's defence and economic security.
- These infrastructures are deemed "critical" because their incapacity or destruction could have a debilitating regional or national impact.
- Critical infrastructure protection is concerned with the readiness, reliability, and continuity of infrastructure services, so that they are less vulnerable to disruptions, so that any impairment is of short duration and limited scale, and so that services are readily restored when disruptions occur.

Slide 5: Who is at risk?

Slide 6: Who is at risk?
- Sectors targeted by terrorists: aviation, energy and finance
- Critical infrastructure, e.g. telecommunications and power generation
- Organisations that transport explosives or products which could be used in conventional, chemical, biological or radiological attacks, e.g. fertilisers
- Organisations that manage facilities where large numbers of people gather, e.g. airports, shopping centres, major entertainment venues or sporting venues
- Organisations that might suffer collateral damage in a terrorist attack

Slide 7: Examples of critical infrastructure
1. Food and agriculture
2. Banking and finance
3. Communications
4. Energy
5. Transportation
6. Water
7. Public health
8. Government services
9. Emergency services
10. Defense

Slide 8: Global trends and challenges

Slide 9: Global industry trends
- High availability systems: 24x7 on-demand services
- Complex operational models, including joint ventures and collaboration
- Mergers and acquisitions increasing
- Greater use of outsourcing for IT and business processes
- Off-shoring is increasing
- Globalisation
- On-line competitors from other countries
- Increased governance regulation
- Decreased market regulation

Slide 10: The challenge is not just terrorism
- Understanding downtime tolerance, organisational and downstream impacts
- Understanding business processes and key dependencies
- Rapidly changing organisational processes, systems and infrastructure
- Knowing who is responsible for protection in outsourced environments
- Understanding, managing and communicating risks remotely
- Broad scope of threats across and between countries
- Direct threats from competitors, especially remotely
- Awareness and management of regulatory requirements in different jurisdictions
- Increased shareholder expectations
- Private sector BCM still buried in information technology
- Maintenance and testing of plans

Slide 11: Dependencies
- Each of the critical infrastructure sectors is increasingly interdependent and interconnected. Disruptions in one sector are increasingly likely to adversely affect the operations of others.
- Our society, economy, and government are increasingly linked together in a complex system. Disruptions to that system can cascade well beyond the vicinity of the initial occurrence and can cause regional and, potentially, national or international disturbances.

Slide 12: Interdependencies (diagram slide; no transcript text)

Slide 13: Critical infrastructure imperatives
Operators are re-thinking their needs in relation to critical infrastructure and asking key questions, such as:
- Are we a target, or likely to be at risk, because of the politics or geography of our physical location or industry, or because of a potential target nearby?
- Do we know what infrastructure and personnel are imperative for the ongoing operation of our business?
- Have we assessed our external dependencies and their preparedness?
- Have we adequately and reliably assessed risks to those key assets?
- Do we have appropriate strategies in place to protect our infrastructure assets, or alternatively do we have appropriate contingency plans (BCP) in place?
- Have we considered the internal threats associated with the risk of infiltration?

Slide 14: Australian example: obligations of critical infrastructure operators
Owners and operators of critical infrastructure have responsibility to:
- Provide adequate security of their assets;
- Actively undertake the planning process in accordance with the relevant standard;
- Conduct an annual review of the risk management plan;
- Participate in any exercises to test plans conducted by government authorities; and
- Report any incidents or suspicious activity to State or Territory police.

In Australia, the Standard for Risk Management (AS/NZS 4360) is the standard by which all critical infrastructure will be assessed, to assist with the review of risk management plans for prevention (including security), preparedness, response and recovery (PPRR). The standard requires establishment of the strategic context. In the current security environment, security risk assessments should also consider terrorism in all its forms.

Slide 15: Role of government

Slide 16: Government role
- To ensure risks are identified and managed for the protection of services provided by Government to commerce, industry and the community.
- To identify, monitor and manage risks affecting the country or region:
  - Foreign hostility
  - Extremists and activists
  - Predictive services (e.g. weather forecasting, seismic monitoring, intelligence gathering, trend analysis)
- Provide guidance, education and regulations for private sector operators to manage critical infrastructure
- Provide monitoring and compliance services for the private sector
- To collaborate with other nations on trans-national risks such as terrorism

Slide 17: Government initiatives: Australia
- Risk management guidance
- Industry forums (closed and open)
- Computer Network Vulnerability Assessment program
- Industry-based compliance, e.g. financial services

Slide 18: Government initiatives: Japan
- Financial institutions: there are security standards prepared by FISC
- The Japanese government agency is preparing basic strategies for information security policy in Japan
- Electric power and telecommunications: the ISAC organisation has been established, sharing knowledge on protection of critical infrastructure within the industry

Slide 19: Government initiatives: China
The Chinese government has established national security standards relating to infrastructure protection, based on international standards such as ISO/IEC and ANSI. Some examples of national security standards include:
- Encryption technical standards (GB/T 15277, GB/T 17964, GB 17901)
- Digital signature standards (GB/T 15852)
- Authentication mechanism (GB/T 15843)
- Physical security and environment protection (GB/T 2887, GB 50174)
- Firewall standards (GB/T 18019, GB/T 18020)
- Proxy server standards (GB/T 17900)
- Router security standards (GB/T 18018)
- Network architecture and security (GB 15278, GB/T 17963)
- Information system security classification standards (GB 17859)
- Security assessment standards (GB/T 18336)

Slide 20: Government initiatives: Hong Kong
The Hong Kong government has a security bureau, which has established an Emergency Response System (ERS) to handle disastrous events. The ERS lays down the policy, principles and operation in response to emergencies in general, including those arising from natural disasters or terrorist attacks.

Slide 21: Government initiatives: Philippines
The Task Force for Security Critical Infrastructure (TFSCI) looks at critical infrastructure protection. A National Security Plan was prepared in 2004 and is due to be implemented in 2005.

Slide 22: Critical infrastructure strategy

Slide 23: Critical infrastructure strategy
Critical success factors for CI protection to be successful:
- Consider all of the business
- Address the expected and the unexpected across all business areas
- Consider day-to-day risks as well as catastrophic events
- Be aware of specific critical infrastructure obligations as prescribed by Government
- Understand the business needs and tolerances
- Consider:
  - Risk reduction and organisational hardening
  - Operations during a crisis
  - Business recovery
  - Business resumption
- Set a target that is affordable

Slide 24: Strategy considerations: it is not just terrorism!

Slide 25: The 5 critical infrastructure strategy areas
1. Institutional
2. Public-private cooperation
3. Legal framework
4. Technology
5. International cooperation

Slide 26: Implementing Critical Infrastructure Protection

Slide 27: Key Aspects 1. Institutional aspects
- Coordinate, recommend and propose appropriate institutional arrangements.
- Identify roles and associated responsibilities to coordinate the national security effort.
- Identify organisations that should be mandated to play the identified roles.

Diagram labels:
- Roles and functions: Policy development; Research and development; Response and recovery; Enforcement and operation; Regulatory and monitoring; Education and awareness
- Leads: Sector leads
- Approach: Define security management framework; Identify institutional arrangement; Assessment of findings; Gap analysis; Issues and challenges

Slide 28: Key Aspects 2. Public-private cooperation
- Review and analyse the current level of cooperation between public and private sectors.
- Coordinate, recommend and propose partnership arrangements between the public and private sector that are considered essential.
- Consolidate processes between the private and corporate sector.

Diagram labels:
- Areas: Prevention of cyber attacks; Detection of abuse and malicious activities; Response and corrective measures
- Institutional: Roles and responsibilities framework; Key organisations
- Cooperation models: Areas of cooperation; Roles identification; Models assessment; Performance measure of key organisations
- Model types: Regulatory; Outsourcing; Service oriented; R&D; Common interest group

Slide 29: Key Aspects 3. Legislative and regulatory aspects
- Review of existing regulatory and legislative frameworks governing operations and implementations of security systems and integrity for electronic transactions.
- Review of existing current legislation to verify whether it is able to accommodate the various MSC flagship applications.
- Perform analysis to confirm compliance with international laws.
- Review and advise on any amendments to the current legislative and regulatory framework, if deemed necessary.

Slide 30: Key aspects (legal framework)
Objective: Identify and review existing laws and regulations governing information security, and perform analysis to confirm compliance with international laws.

Diagram labels:
- Legal compliance content: Commercial transaction; Information assets; Personal data; Computer network; Electronic communication
- Legal risk management
- Enforcement measure
- Approach: Define Infosec legal framework; Identify existing L&R (Malaysian laws; Malaysian codes, policies and guidelines; International instruments; Foreign legislation); Assessment of findings; Gap analysis

Source: NISP Project, MOSTI 2005

Slide 31: Key Aspects 4. Technical aspect
- Outline the security requirement framework for the procurement and acceptance of all G2B, G2C and G2G processes, including flagship applications and services and their implementations.
- Address and identify issues regarding the Certification Authority (CA) and cryptography-related areas.
- Formulate detailed requirement statements for the selected technical framework, processes or structures.
- Validate the security level of the identified critical applications.

Slide 32: Key Aspects (technical)
Objective: Review existing information security requirements against international standards and best practices, and identify deployment of security controls and safeguards to CNII.

Diagram labels:
- Identify critical sectors: Regulated sectors (Finance; Communication; Government)
- Define compliance checklist: MS ISO; ISO; Common Criteria; Management, technical and operational controls
- Determine and review existing security requirements & controls: Security policies & guidelines; Security standards
- Analysis of findings
- Gap analysis

Source: NISP Project, MOSTI 2005

Slide 33: Key Aspects 5. International aspect
- Analyse the available international security implementation models.
- Determine the feasibility of implementing such a model locally for Malaysia.

Diagram labels:
- Define benchmark criteria: Information security legislation; Information security regulation; Information security standards and best practices; CERT; Computer forensic; Co-ordination and continuity management
- Selection of countries: ASEAN countries; G7 countries; South Korea and Taiwan
- Comparative analysis: International security implementation model

Slide 34: Key Aspects (international)
Objective: Analyse the available international security implementation models and determine the feasibility of implementing one locally for Malaysia. This is also to allow coordination for international cooperation and communications.

Diagram labels:
- Define benchmark criteria: Information security legislation; Information security regulation; Information security standards and best practices; CERT; Computer forensic; Public Key Infrastructure (PKI); Co-ordination and continuity management
- Selection of countries: ASEAN countries; G7 countries; South Korea and Taiwan
- Comparative analysis: International security implementation model

Source: NISP Project, MOSTI 2005

Slide 35: Overall approach and methodology
Four phases (in the order shown on the slide):
- Phase 1: Formulation of Information Security Vision
- Phase 2: Information Gathering and Analysis
- Phase 3: Development of National Information Security Policy
- Phase 4: Development of Roadmap & Action Plan
Project Management & QA runs across all phases.

Slide 36: Conclusion
- Not enough is happening in the region; some countries have not begun
- Government has a role to manage, inform and regulate
- Private sector responsibilities are also important
- Operators should conduct broad-ranging and comprehensive risk assessments
- Identify where risks can be reduced
- Collaborate with other operators on shared risks
- Understand business impacts
- Develop a mitigation strategy and continuity plan
- Test the plan!

Slide 37: Questions?
