Cyber Security Risk Reduction State of Washington And Washington Transit Insurance Pool.

1 Cyber Security Risk Reduction State of Washington And Washington Transit Insurance Pool

2 Value for PRIMA Members
- Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences
- Learn how to reduce cyber liability risks in your area of responsibility
- Learn about available resources you can use for your cyber risk reduction program
June 16, 2011, PRIMA Seattle Chapter - V1.8

3 Speakers
- Jerry Spears – Washington Transit Insurance Pool – Deputy Director (Claims, IT and Finance)
- Doug Selix – State of Washington, Office of Financial Management, IT Security and Disaster Recovery Program Manager; WSTIP Consultant

4 Agenda
1. Cyber Liability Overview
2. State of Washington Cyber Risk Reduction
3. WSTIP Approach to Cyber Risk Reduction
4. WSTIP IT Security Review Project Overview
5. WSTIP Results from IT Security Review Project
6. How PRIMA Members can use this Information
7. Q&A

5 Part 1: Cyber Liability Overview (Jerry Spears, WSTIP)

6 What is a Cyber Liability?
The concept of Cyber Liability takes into account first- and third-party risks. The risk categories include:
– Privacy issues
– Impact from a data security breach
– Infringement of intellectual property
– Malicious attacks you appear to cause or facilitate
– Any other serious trouble that may be passed from first to third parties via computing technology such as the Web

7 Organizational Impacts from Cyber Losses
- Costs associated with RCW-required notification
  – RCW 42.56.590 Personal information — Notice of security breaches
- Cost of recovery and mitigation
  – ~$200 – estimated private-sector cost per record in a data breach (Ponemon Institute 2010 US Cost of a Data Security Breach Report)
- Unplanned cost impact to budget planning
- Loss of reputation

8 How Big Is The Problem?
- Data Security Breach Information: www.datalossdb.org
- Regulations Are Likely To Increase
  – Proposed Kerry/McCain "Commercial Privacy Bill of Rights Act of 2011"
  – Result of frequent high-profile data breach incidents
  – Result of the perception that IT security controls are weak
  – Result of dissatisfaction with self-managed IT security
  – Very prescriptive – this will cost all organizations
  – Basis for future Cyber Liability Claims

9 Impacts to Citizens
What happens with Public Organizations that Manage Cyber Liability Poorly?
– Citizen identity theft, if personal data is exposed
– Reduced public sector services due to cyber liability costs
– Reduced trust in institutions and management teams
– Reduced support to continue funding the current organization

10 How Do We Manage This Risk Area?
- Reduce the Risks?
- Accept the Risks?
- Transfer the Risk?
The answer is "Yes": we apply all of these strategies to Cyber Risks.

11 Approach
- Reduce Risk by working to identify things we can improve
  – Eliminate known vulnerabilities
  – Mitigate unacceptable risks
- Accept risks based on sound risk management principles
- Transfer residual risks to Cyber Liability Insurance

12 Part 2: State of Washington Approach To Cyber Security Risk Reduction (Doug Selix, OFM)

13 What is "Cyber Security"?
- Confidentiality
  – Protect data defined by law as "Private"
  – Only allow authorized access to private data
  – Know the risks to this class of data – leaks bite.
- Integrity
  – Ensure data accuracy and authenticity
- Availability
  – Ensure systems operate within expected norms

14 Cyber Security Risk Basics
Threats + Vulnerabilities – Mitigation = Risk
– Cyber Security Threats: Attackers, Employees, Errors & Omissions
– Cyber Security Vulnerabilities: People, Process, Technology
– Cyber Security Mitigation: Risk Based Approach

15 What is the "Problem"?
Residual Cyber Security Risk is the Problem. Although you cannot eliminate the cyber threat, you can manage Cyber Security Risk.

16 Managing the Risk
A strategic Cyber Security Risk Management Plan is Imperative
– Take a Risk Management Approach
– Identify Organizational Risk Appetite
– Identify Key Information Technology Assets: Organizational Mission, Data, People, Technology
– Identify and evaluate IT Security Controls
– Identify Residual Risks, make sure they are known
– Document Acceptance of Residual Risks
Demand incremental and evolutionary improvements to IT Security Maturity
Establish a "Culture of Security"

17 IT Security Maturity (figure) – Source: Microsoft Corp.

18 Business Challenge
Improving IT Security is Complex
– IT Security is viewed by management as a cost, not an end customer service
– The probability of an IT Security event for a single organization is low (but the impact is high)
– Decision makers are not comfortable with this subject
– IT Security is hard to understand, is never done, and is expensive

19 Organizational Change
Change = Vision + Dissatisfaction + First Step
Build a "Culture of Security"

20 State Approach
- Information Services Board (ISB)
  – Established by RCW
  – Makes State IT Policy and Sets Standards
  – Controls Agency Delegated Authority for IT Spend; can withhold/withdraw it for non-compliance
  – Concerned about Cyber Liability Risks
- ISB Established Clear Policy and Standards
  – Establish Standards (Shall, Must, Do)
  – Establish Accountability (Process)
  – Communicate Expectations to Agencies
  – Establish Verification Process

21 ISB IT Security Policy
- Establishes Clear Expectations
- Authorizes the ISB Standards
- Directs Agencies on Level of Risk to Accept
- Establishes that IT Security is part of Overall IT Architecture
- Requires Agencies to Document How they Comply with the IT Security Standards
- Makes Agency Heads Accountable
- Requires Independent Compliance Audits Every 3 Years

22 ISB IT Security Standards
Requires Documentation of:
– Personnel Security
– Physical and Environmental Security
– Data Security
– Network Security
– Access Security
– Application Security
– Operations Management
– Security Monitoring & Logging
– Incident Response

23 Bottom Line
State approach is:
– Based on a Risk Assessment Approach
– Demands Compliance
– Verifies Compliance
– Aligns with Organization Development: Vision, Dissatisfaction, First Step
– Implements Incremental and Evolutionary Improvements
– Establishes a "Culture of Security"

24 Lesson Learned
Most Powerful Weapon: Ask an Executive to Accept the Residual Risk
– They don't like that.
– Requires a good, persistent flashlight:
  – Persistent Risk Assessments
  – Document Residual Risks
  – Document Risk Acceptance

25 Loss Prevention Results
In the past two years:
– No loss of IT Physical Assets due to preventable causes
– No significant loss of data requiring agencies to comply with RCW 42.56.590

26 WSTIP Approach to Cyber Risk Reduction (Jerry Spears, WSTIP)

27 General Strategy
- Adopt the State Approach to fit WSTIP Needs
- Use a Subject Matter Expert to Perform an Initial Risk Assessment of member IT environments, based on ISB IT Security Standards
- Provide Members with tools and resources to identify, understand, and manage Cyber Risks
- Wrap our hands around an emerging exposure that impacts all of us
- Help members establish an appropriate "Culture of Security" within their organizations

28 What Subject Matter Expert?
We contracted with Doug Selix to develop a process and perform member reviews.
– OFM Knows and Approves
– Supported by OFM Risk Management as a good thing
Members thought he was a terrific resource – the "Escalade" of IT Security SMEs
– Takes a coaching approach to help member staff understand risks he identifies – not an audit
– We are not selling anything except best practice

29 WSTIP Board View
They like this approach to Cyber Loss Prevention
– Initial Board Approval in 2007
– Initial Scope Limited to Small Members
– Found Lots of Risks
– Expanded to Include Medium Size Members
– Found More Risk
– Provided Aggregate Cyber Risk Data to the Board
– Funded line item in the budget from 2008 forward
– We have spent $88K to date

30 WSTIP Member View
- Process is credible
- No direct cost to the member
- Results have value internally and with the WSTIP relationship
- Independent 3rd party is offering thoughtful suggestions about their IT infrastructure
- Facilitates IT security maturity

31 WSTIP IT Security Review Project Overview (Doug Selix, OFM)

32 Member Profile
Member IT Environment is:
– Small IT staff
  – Most are technically competent with the hardware
  – Limited IT management and IT Security Skills
  – Focused on operational needs, not security
– Underfunded
– The result of years of small unfinished IT projects
– Many vendor supplied applications

33 Step 1: Assessment Process
- WSTIP establishes engagement and non-disclosure
- Approached as a partnership with the member
  – This is not an "Audit", it is a "Review"
- Review member IT Security policy and current IT configuration and designs
- Conduct a Site Visit and Interviews
- Document what is found:
  – Physical security status
  – Level of compliance with ISB IT Security Standards
  – Top risks that should be addressed

34 Step 2: Risk Reduction Strategy
Both WSTIP and Member get Assessment Results
– Provides a basis for a discussion about Cyber Risks
– Provides a basis for an Action Plan to reduce Cyber Risks
– Provides a baseline for a follow-up review to measure progress towards reducing Cyber Risks

35 Step 3: Follow Up
Opportunity to provide other value added services to members:
– IT Governance Coaching
– Opportunity to further assist the member in doing the right thing
– Independent Cyber Risk Management Review

36 Review Project Deliverables
- Photo Analysis Report
  – Photos taken during the site visit
  – Comments on risk observations
  – Suggestions for risk reduction where appropriate
- IT Security Review
  – Comparison to the ISB IT Security Standards
  – Comments on risk observations
  – Suggestions for risk reduction where appropriate
- Risks, Threats, and Vulnerabilities
  – Top 10 Risks
- Management Presentation when requested

37 How Has This Helped WSTIP? (Jerry Spears, WSTIP)

38 Organizational Change
Change = Vision + Dissatisfaction + First Step
- Vision: supplied by ISB and WSTIP
- Dissatisfaction: supplied by WSTIP Board, confirmed by results
- First Step: WSTIP-supplied IT Security Reviews
- Change: incremental maturity towards a "Culture of Security"; better IT management in member organizations; reduced Cyber Liability Risk

39 What Was Learned
- Large members are managed pretty well
- Most risk exposure comes from small and medium sized members
  – Lack of IT Security Skills at management and staff levels: they don't see the problem, and they don't know how to fix it
  – Underfunded for mature IT management
  – IT environments are a collection of small incomplete projects that leave risks

40 Was it Worth the Cost?
Yes
– Provided WSTIP with documentation of risks
– Provided a gentle push in the right direction by exposing residual cyber risks to a trusted audience
– Provided members with a valuable service they may not have been able to afford on their own

41 What is the ROI?
- Hard to Measure
- Improvements to the WSTIP/Member Relationship – Significant
- We feel the investment has been worth the cost

42 Impact to PRIMA
Local government organizations you represent are like Transit Systems
– Come in many sizes
– May not have the ability to manage Cyber Risks
– Risk exposure WSTIP found is most likely the same for others
– Risk exposure can be reduced using an approach similar to WSTIP's

43 References
- Cost of a Data Security Breach (Ponemon Institute)
- Cyber Liability Explained
- Dept. of Homeland Security Advice
- Information Services Board
- Microsoft Cyber Security Resources
- Open Security Foundation – Data Loss Database (www.datalossdb.org)

44 Questions

45 Speaker Contact Info
- Jerry Spears – Washington Transit Insurance Pool
  Phone: 360-586-1800
  Email: jerry@wstip.org
- Doug Selix – State of Washington, Office of Financial Management
  Phone: 360-664-7670 (OFM), 253-951-4825 (Cell)
  Email: doug.selix@ofm.wa.gov, dselix@comcast.net

