Cyber Security Risk Reduction State of Washington And Washington Transit Insurance Pool

Cyber Security Risk Reduction

State of Washington and Washington Transit Insurance Pool


PRIMA Seattle Chapter - V1.8 2

Value for PRIMA Members

• Hear lessons learned from the State of Washington and WSTIP cyber risk reduction experiences

• Learn how to reduce cyber liability risks in your area of responsibility

• Learn about available resources you can use for your cyber risk reduction program

June 16, 2011


Speakers

• Jerry Spears – Washington Transit Insurance Pool

– Deputy Director (Claims, IT and Finance)

• Doug Selix – State of Washington, Office of Financial Management

– IT Security and Disaster Recovery Program Manager
– WSTIP Consultant



Agenda

1. Cyber Liability Overview
2. State of Washington Cyber Risk Reduction
3. WSTIP Approach to Cyber Risk Reduction
4. WSTIP IT Security Review Project Overview
5. WSTIP Results from IT Security Review Project
6. How PRIMA Members can use this Information
7. Q&A



Part 1

Cyber Liability Overview (Jerry Spears, WSTIP)



What is a Cyber Liability?

• The concept of Cyber Liability takes into account first- and third-party risks. The risk categories include:
– Privacy issues – impact from a data security breach
– Infringement of intellectual property
– Malicious attacks you appear to cause or facilitate
– Any other serious trouble that may be passed from first to third parties via computing technology such as the Web



Organizational Impacts from Cyber Losses

• Costs associated with RCW Required Notification
– RCW 42.56.590 Personal information — Notice of security breaches
• Cost of recovery and mitigation
– ~$200 – Estimated Private Sector cost per record in a data breach (Ponemon Institute, 2010 US Cost of a Data Security Breach Report)
• Unplanned Cost Impact to budget planning
• Loss of Reputation


How Big Is The Problem?

• Data Security Breach Information:
– www.datalossdb.org
• Regulations Are Likely To Increase
– Proposed Kerry/McCain "Commercial Privacy Bill of Rights Act of 2011"
• Result of frequent high-profile data breach incidents
• Result of the perception that IT security controls are weak
• Result of dissatisfaction with self-managed IT security
• Very prescriptive – this will cost all organizations
• Basis for future Cyber Liability Claims



Impacts to Citizens

• What happens with Public Organizations that Manage Cyber Liability Poorly?
– Citizen Identity Theft – if Personal Data is exposed
– Reduced Public Sector Services due to cyber liability costs
– Reduced Trust in Institutions and Management Teams
– Reduced support to continue funding the current organization



How Do We Manage This Risk Area?

• Reduce the Risks?
• Accept the Risks?
• Transfer the Risks?

• The answer is "Yes": we apply all of these strategies to Cyber Risks.



Approach

• Reduce Risk by working to identify things we can improve
– Eliminate known vulnerabilities
– Mitigate unacceptable risks

• Accept risks based on sound risk management principles

• Transfer residual risks to Cyber Liability Insurance



Part 2

State of Washington Approach To
Cyber Security Risk Reduction (Doug Selix, OFM)



What is “Cyber Security”?

• Confidentiality – Protect data defined by law as "Private"
– Only allow authorized access to private data
– Know the risks to this class of data – leaks bite.
• Integrity – Ensure data accuracy and authenticity
• Availability – Ensure systems operate within expected norms



Cyber Security Risk Basics

Threats + Vulnerabilities – Mitigation = Risk
– Cyber Security Threats
• Attackers, Employees, Errors & Omissions
– Cyber Security Vulnerabilities
• People, Process, Technology
– Cyber Security Mitigation
• Risk Based Approach



What is the “Problem”?

• Residual Cyber Security Risk is the Problem

• Although you cannot eliminate the cyber threat, you can manage Cyber Security Risk



Managing the Risk

• A strategic Cyber Security Risk Management Plan is Imperative
– Take a Risk Management Approach
– Identify Organizational Risk Appetite
– Identify Key Information Technology Assets
• Organizational Mission, Data, People, Technology
– Identify and evaluate IT Security Controls
– Identify Residual Risks, make sure they are known
– Document Acceptance of Residual Risks
• Demand incremental and evolutionary improvements to IT Security Maturity
• Establish a "Culture of Security"


IT Security Maturity

(Figure: IT security maturity model. Source: Microsoft Corp.)


Business Challenge

• Improving IT Security is Complex
– IT Security is viewed by management as a cost, not an end customer service
– The probability of an IT Security event for a single organization is low (but the impact is high)
– Decision makers are not comfortable with this subject
– IT Security is hard to understand, is never done, and is expensive



Organizational Change

Change = Vision + Dissatisfaction + First Step

Build a “Culture of Security”



State Approach

• Information Services Board (ISB)
– Established by RCW
– Makes State IT Policy and Sets Standards
– Controls Agency Delegated Authority for IT Spend
• Can withhold/withdraw for non-compliance
– Concerned about Cyber Liability Risks
• ISB Established Clear Policy and Standards
– Establish Standards (Shall, Must, Do)
– Establish Accountability (Process)
– Communicate Expectations to Agencies
– Establish Verification Process



ISB IT Security Policy

• Establishes Clear Expectations
• Authorizes the ISB Standards
• Directs Agencies on Level of Risk to Accept
• Establishes that IT Security is part of Overall IT Architecture
• Requires Agencies to Document How they Comply with the IT Security Standards
• Makes Agency Heads Accountable
• Requires Independent Compliance Audits Every 3 Years


ISB IT Security Standards

• Requires Documentation
– Personnel Security
– Physical and Environment Security
– Data Security
– Network Security
– Access Security
– Application Security
– Operations Management
– Security Monitoring & Logging
– Incident Response



Bottom Line

• State approach is:
– Based on Risk Assessment Approach
– Demands Compliance
– Verifies Compliance
– Aligns with Organization Development
• Vision, Dissatisfaction, First Step
• Implements Incremental and Evolutionary Improvements
• Establishes a "Culture of Security"



Lesson Learned: Most Powerful Weapon

• Ask an Executive to Accept the Residual Risk
– They don't like that.
– Requires a good Persistent Flashlight:
• Persistent Risk Assessments
• Document Residual Risks
• Document Risk Acceptance



Loss Prevention Results

• In the past two years:
– No loss of IT Physical Assets due to preventable causes
– No significant loss of data requiring agencies to comply with RCW 42.56.590



WSTIP Approach to Cyber Risk Reduction

(Jerry Spears, WSTIP)



General Strategy

• Adopt the State Approach to fit WSTIP Needs
• Use a Subject Matter Expert to Perform an Initial Risk Assessment of member IT environments Based on ISB IT Security Standards
• Provide Members with tools and resources to identify, understand, and manage Cyber Risks
• Wrap our hands around an emerging exposure that impacts all of us
• Help members establish an appropriate "Culture of Security" within their organizations



What Subject Matter Expert?

• We contracted with Doug Selix to develop a process and perform member reviews.
– OFM Knows and Approves
– Supported by OFM Risk Management as a good thing.
• Members thought he was a terrific resource – the "Escalade" of IT Security SMEs
– Takes a coaching approach to help member staff understand risks he identifies – not an audit
– We are not selling anything except best practice



WSTIP Board View

• They like this approach to Cyber Loss Prevention
– Initial Board Approval in 2007
– Initial Scope Limited to Small Members
– Found Lots of Risks
– Expanded to Include Medium Size Members
– Found More Risk
– Provided Aggregate Cyber Risk Data to the Board
– Funded line item in the budget from 2008 forward
– We have spent $88K to date



WSTIP Member View

• Process is credible
• No direct cost to the member
• Results have value internally and with the WSTIP relationship
• Independent 3rd party is offering thoughtful suggestions about their IT infrastructure
• Facilitates IT security maturity.



WSTIP IT Security Review Project Overview

(Doug Selix, OFM)



Member Profile

• Member IT Environment is:
– Small IT staff
• Most are technically competent with the hardware
• Limited IT management and IT Security Skills
• Focused on operational needs, not security.
– Underfunded
– The result of years of small unfinished IT projects
– Many vendor supplied applications



Step 1: Assessment Process

• WSTIP establishes engagement and non-disclosure
• Approached as a partnership with the member
– This is not an "Audit", it is a "Review"
• Review member IT Security policy and current IT configuration and designs
• Conduct a Site Visit and Interviews
• Document what is found
– Physical security status
– Level of compliance with ISB IT Security Standards
– Top risks that should be addressed



Step 2: Risk Reduction Strategy

• Both WSTIP and Member get Assessment Results
– Provides a basis for a discussion about Cyber Risks
– Provides a basis for an Action Plan to reduce Cyber Risks
– Provides a baseline for a follow-up review to measure progress towards reducing Cyber Risks



Step 3: Follow Up

• Opportunity to provide other value added services to members:
– IT Governance Coaching
– Opportunity to further assist the member in doing the right thing
– Independent Cyber Risk Management Review



Review Project Deliverables

• Photo Analysis Report
– Photos taken during the site visit
– Comments on risk observations
– Suggestions for risk reduction where appropriate
• IT Security Review
– Comparison to the ISB IT Security Standards
– Comments on risk observations
– Suggestions for risk reduction where appropriate
• Risk, Threats, and Vulnerabilities – Top 10 Risks
• Management Presentation When Requested


How Has This Helped WSTIP?

(Jerry Spears, WSTIP)



Organizational Change

Change = Vision + Dissatisfaction + First Step

Vision: Supplied by ISB and WSTIP
Dissatisfaction: Supplied by WSTIP Board, confirmed by results
First Step: WSTIP-supplied IT Security Reviews
Change: Incremental maturity towards a "Culture of Security"; better IT management in member organizations; reduced Cyber Liability Risk


What Was Learned

• Large members are managed pretty well
• Most risk exposure comes from small and medium sized members
– Lack of IT Security Skills at management and staff levels
• They don't see the problem
• They don't know how to fix it
– Underfunded for mature IT management
– IT environments are a collection of small incomplete projects that leave risks


Was it Worth the Cost?

• Yes
– Provided WSTIP with documentation of risks
– Provided a gentle push in the right direction by exposing residual cyber risks to a trusted audience
– Provided members with a valuable service they may not have been able to afford on their own.



What is the ROI?

• Hard to Measure
• Improvements to the WSTIP/Member Relationship – Significant
• We feel the investment has been worth the cost



Impact to PRIMA

• Local government organizations you represent are like Transit Systems
– Come in many sizes
– May not have the ability to manage Cyber Risks
– Risk exposure WSTIP found is most likely the same for others
– Risk exposure can be reduced using an approach similar to WSTIP's



References

• Cost of a Data Security Breach
• Cyber Liability Explained
• Dept. of Homeland Security Advice
• Information Service Board
• Microsoft Cyber Security Resources
• Open Security Foundation – Data Loss Database



Questions



Speaker Contact Info

• Jerry Spears – Washington Transit Insurance Pool

Phone: 360-586-1800
Email: [email protected]

• Doug Selix – State of Washington, Office of Financial Management

Phone: 360-664-7670 (OFM), 253-951-4825 (Cell)
Email: [email protected], [email protected]
