IIA – Cyber Security Event Cyber Risks James Humbles June 2016.

Presentation transcript:


Learning Outcomes

Understand what “Cyber Risk” is
Come to a common understanding on Cyber Risk
Evaluate some example Cyber Risks
Build an audit plan that considers Cyber Risk
Understand where to find more information on Cyber Risks

© Aviva PLC - PUBLIC

Contact Details

James Humbles, IT Audit Manager

An experienced and accomplished IT Audit Manager, I now have over 10 years’ experience in the fields of Internal Audit, IT Audit and Information Security, specialising in Financial Services for the last 7 years. I have had a varied career with roles in both Financial Services and the public sector, both in and outside IT Audit. Explaining risk and control to people as varied as bin men through to CIOs has given me some unique and interesting insights. This broad range of experience enables me to provide effective challenge to management on how they manage risk and control. I have also obtained professional certifications in both Auditing and IT Auditing, and have great pride in being able to straddle the worlds of Internal Audit, IT Audit and Information Security.

Qualifications: BSc in Law with Legal Practice Management; Diploma in Internal Audit (PIIA); Certified Information Systems Auditor (CISA)

Key skills: Auditing. Computers. Security. Drinking Coffee.

Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its IT systems.

In its broadest form, cyber risk is synonymous with IT risk, that is “the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise”.

Common Understanding?

Feedback: What is Cyber Risk?

Is there a common Understanding?

Cyber Risk is… defined in the news media, and therefore by popular understanding? The online world and hacking – TalkTalk.

Cyber Risk is… Information Security? – Confidentiality – Integrity – Availability

“Cyber risk is one of many risks. It is certainly serious, but it can be understood, and it can be quantified. So it needs to be managed like anything else that could damage a firm’s business – by understanding it…”

Example Cyber Risks

Inadequately defined incident response procedures: If an incident does occur then this process helps you act and respond in the right way for your organisation. A lack of, or a bad, response process = TalkTalk.

IT Security Perimeter Failure: The worst case scenario. A hacker gets in through the security you have and steals data/IP/financial information, causing a loss to the organisation.

Security failure at a third party: This is how Target in the USA was attacked: via their air conditioning supplier, who was connected to their network and had a much lower standard of security.

Loss arising from internal compromise: Internal employees that use access maliciously or accidentally and cause a cyber event.

Example Cyber Risk Register

No | Risk Title | Inherent Impact | Inherent Probability | Residual Impact | Residual Probability
1 | Malicious Disruption of Services | Very High | Very Likely | Very High | Possible
2 | Non compliance with regulation and legislation | Very High | Likely | High | Remote
3 | IT Service Management failure | High | Likely | Medium | Remote
4 | External Hacker / Cyber Criminal | Very High | Very Likely | High | Very Likely
5 | Malicious Insider | Very High | Likely | High | Remote
6 | IT Resilience and Disaster Recovery | Very High | Possible | Medium | Remote
7 | Managing Suppliers – Security Failure | Medium | Possible | Medium | Remote
8 | Shadow IT Failure leading to Cyber Event | High | Possible | High | Possible
9 | IT Development and Implementation | High | Possible | Medium | Remote
10 | Business Disruption | Very High | Likely | High | Possible

Risk Map (figure: impact plotted against probability)

Impact axis: Very High, High, Medium, Low
Probability axis: Remote (<10%), Possible (10% to 30%), Likely (31% to 50%), Very Likely (>50%)

Audit Plan

Audit Plan

Assurance Map: where do we get assurance from?

Questioning the risk register: IT Resilience and Disaster Recovery; questioning residual risk; the scope is very wide here; proactive v reactive controls.

Risk Culture Audit: a higher level audit to look at risk management.

C.S.T.P. Cyber Audits in Aviva

Cyber Security Transformation Programme: A review designed to look at the constant innovation required to stay ahead in the security business, and Aviva’s work to be ahead. Includes Programme Governance, as well as detailed workstream audits looking at specific topics such as:

Firewalls: An audit to look at the specific workstream within our CSTP. This would include looking at Project Management, but also a review of the technical set-up of our firewalls, for example using Data Analytics (CAATs) techniques to interrogate the firewall rulebase, as well as an additional review of firewall management processes.

Disaster Recovery: A review of DR capabilities, and a control review to ensure these are managed and updated appropriately.

Data Governance: Data Governance is an important element of Cyber Risk. To really help mitigate Cyber Risk it is important to know what Data you hold, where it is, and how it is managed. This then allows mitigating controls to be correctly scoped and specified.
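As an added illustration of the CAATs-style rulebase interrogation mentioned for the firewall workstream (example code written for this page, not Aviva’s audit tooling), the script below runs two common audit tests over a small constructed rulebase: it flags permit rules open from any source to any destination on any service, and it finds rules that an earlier rule already fully covers, so they can never match. The rule layout and sample entries are assumptions, not taken from the presentation.

```python
import ipaddress

# Constructed sample rulebase, evaluated top-down, first match wins.
# Each entry: (rule id, source, destination, service, action).
# "any" is treated as 0.0.0.0/0 for addresses and as a wildcard for services.
SAMPLE_RULES = [
    (1, "10.0.0.0/8",     "192.168.10.5/32", "tcp/443", "permit"),
    (2, "10.1.0.0/16",    "192.168.10.5/32", "tcp/443", "permit"),  # covered by rule 1
    (3, "172.16.0.0/12",  "192.168.20.0/24", "tcp/22",  "deny"),
    (4, "172.16.5.0/24",  "192.168.20.9/32", "tcp/22",  "permit"),  # covered by rule 3
    (5, "any",            "any",             "any",     "permit"),  # catch-all permit
]


def _net(value):
    """Parse an address field; 'any' becomes the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)


def _covers(outer, inner):
    """True if every packet matching `inner` would already match `outer`."""
    return (_net(inner[1]).subnet_of(_net(outer[1]))
            and _net(inner[2]).subnet_of(_net(outer[2]))
            and outer[3] in ("any", inner[3]))


def find_permissive(rules):
    """Ids of permit rules open from any source to any destination on any service."""
    return [r[0] for r in rules
            if r[4] == "permit" and r[1] == r[2] == r[3] == "any"]


def find_shadowed(rules):
    """(shadowed id, shadowing id) pairs: the first earlier rule that fully
    covers a later rule makes that later rule unreachable, whatever its action."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                findings.append((later[0], earlier[0]))
                break
    return findings


if __name__ == "__main__":
    print("Overly permissive permit rules:", find_permissive(SAMPLE_RULES))
    print("Shadowed rules (rule, shadowed by):", find_shadowed(SAMPLE_RULES))
```

In a real engagement the rulebase would be exported from the firewall management platform into this tuple form; a shadowed deny (rule 4 above is a permit sitting under a broader deny) is worth raising with the firewall team either way, since its intent is not being applied.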

Where to go next

ISACA.org and isaca.org/cyber
SANS
NIST.gov
ISC2
IT Security Blogs

Thank you