INFORMATION RISK MANAGEMENT
ADVISORY
Critical Infrastructure Protection
Cheryl Goh, KPMG Malaysia
Alan Chong, KPMG Australia
© 2005 KPMG, a Malaysian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.
Agenda
1. Critical Infrastructure definition
2. Who is at risk?
3. Global trends and challenges
4. Role of government
5. Recent initiatives
6. Critical infrastructure strategy
7. Risk assessment and management
© 2004 KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.
What is Critical Infrastructure Protection?
Critical infrastructure definition
•Industries, institutions, and distribution networks and systems that provide a continual flow of the goods and services essential to a nation’s defence and economic security
•These infrastructures are deemed “critical” because their incapacity or destruction could have a debilitating regional or national impact
•Critical infrastructure protection is concerned with the readiness, reliability, and continuity of infrastructure services so that they are less vulnerable to disruptions, so that any impairment is of short duration and limited scale, and that services are readily restored when disruptions occur
Who is at risk?
Who is at risk?
•Sectors targeted by terrorists – aviation, energy and finance
•Critical infrastructure – e.g. telecommunications and power generation
•Organisations that transport explosives or products which could be used in conventional, chemical, biological or radiological attacks, e.g. fertilisers
•Organisations that manage facilities where large numbers of people gather, e.g. airports, shopping centres, major entertainment venues or sporting venues
•Organisations that might suffer collateral damage in a terrorist attack
Examples of critical infrastructure
1. Food and agriculture
2. Banking and finance
3. Communications
4. Energy
5. Transportation
6. Water
7. Public Health
8. Government Services
9. Emergency Services
10. Defense
Global trends and challenges
Global industry trends
•High availability systems – 24x7 on demand services
•Complex operational models including joint ventures and collaboration
•Mergers and acquisitions increasing
•Greater use of outsourcing for IT and business processes
•Off-shoring is increasing
•Globalisation
•On-line competitors from other countries
•Increased governance regulation
•Decreased market regulation
The challenge is not just terrorism
•Understanding downtime tolerance, organisational and downstream impacts
•Understanding business processes and key dependencies
•Rapidly changing organisational processes, systems and infrastructure
•Knowing who is responsible for protection in outsourced environments
•Understanding, managing and communicating risks remotely
•Broad scope of threats across and between countries
•Direct threats from competitors – especially remotely
•Awareness of and management of regulatory requirements in different jurisdictions
•Increased shareholder expectations
•Private sector BCM still buried in information technology
•Maintenance and testing of plans
Dependencies
•Each of the critical infrastructure sectors is increasingly interdependent and interconnected. Disruptions in one sector are increasingly likely to affect adversely the operations of others
•Our society, economy, and government are increasingly linked together in a complex system. Disruptions to that system can cascade well beyond the vicinity of the initial occurrence and can cause regional and, potentially, national or international disturbances
Interdependencies
[Diagram: Disaster spanning Region A and Region B, linking a Train station, a Power Station, a Telco and a Financial Institution ($)]
Critical infrastructure imperatives
•Operators are re-thinking their needs in relation to critical infrastructure and asking key questions, such as:
•Are we a target or likely to be at risk because of the politics or geography of physical location or industry, or because of a potential target nearby?
•Do we know what infrastructure and personnel are imperative for the ongoing operation of our business?
•Have we assessed our external dependencies and their preparedness?
•Have we adequately and reliably assessed risks to those key assets?
•Do we have appropriate strategies in place to protect our infrastructure assets or, alternatively, do we have appropriate contingency plans (BCP) in place?
•Have we considered the internal threats associated with the risk of infiltration?
Australian example – obligations of critical infrastructure operators
•Owners and operators of critical infrastructure have responsibility to:
•Provide adequate security of their assets;
•Actively undertake the planning process in accordance with the relevant standard;
•Conduct an annual review of the risk management plan;
•Participate in any exercises to test plans conducted by government authorities; and
•Report any incidents or suspicious activity to State or Territory police.
•In Australia, the Standard for Risk Management (AS/NZS 4360) is the standard by which all critical infrastructure will be assessed to assist with the review of risk management plans for prevention (including security), preparedness, response and recovery (PPRR)
•The standard requires establishment of the strategic context. In the current security environment, security risk assessments should also consider terrorism in all its forms.
Role of government
Government role
•To ensure risks are identified and managed for the protection of services provided by Government to commerce, industry and the community.
•To identify, monitor and manage risks affecting the country or region:
•Foreign hostility
•Extremists and activities
•Predictive services (e.g. weather forecasting, seismic monitoring, intelligence gathering, trend analysis)
•Provide guidance, education and regulations for private sector operators to manage critical infrastructure
•Provide monitoring and compliance services for the private sector
•To collaborate with other nations on trans-national risks such as terrorism
Government initiatives
Australia
•Risk management guidance
•Industry forums (closed and open)
•Computer Network Vulnerability Assessment program
•Industry based compliance, e.g. Financial services
Government initiatives
Japan
•Financial institutions – there are security standards prepared by FISC
•The Japanese government agency is preparing basic strategies for information security policy in Japan
•Electric power and telecommunications – the ISAC organisation has been established, sharing knowledge as to protection of critical infrastructure within the industry
Government initiatives
China
•The Chinese government has established national security standards relating to infrastructure protection based on international standards such as ISO/IEC, and ANSI
•Some examples of national security standards include:
•Encryption technical standards (GB/T 15277, GB/T 17964, GB17901)
•Digital signature standards (GB/T 15852)
•Authentication mechanism (GB/T 15843)
•Physical security and environment protection (GB/T 2887, GB 50174)
•Firewall standards (GB/T 18019, GB/T 18020)
•Proxy server standards (GB/T 17900)
•Router security standards (GB/T 18018)
•Network architecture and security (GB 15278, GB/T 17963)
•Information system security classification standards (GB 17859)
•Security assessment standards (GB/T 18336)
Government initiatives
Hong Kong
•The Hong Kong government has a security bureau, which has established an Emergency Response System to handle disastrous events.
•The ERS lays down the policy, principles and operation in response to emergencies in general, including those arising from natural disasters or terrorist attacks
Government initiatives
Philippines
•The Task Force for Security Critical Infrastructure (TFSCI) looks at critical infrastructure protection.
•A National Security Plan was prepared in 2004, and is due to be implemented in 2005.
Critical infrastructure strategy
Critical infrastructure strategy
Critical success factors for CI protection to be successful:
•Consider all of the business
•Address the expected and the unexpected across all business areas
•Consider day-to-day risks as well as catastrophic events
•Be aware of specific critical infrastructure obligations as prescribed by Government
•Understand the business needs and tolerances
•Consider:
•Risk reduction and organisational hardening
•Operations during a crisis
•Business recovery
•Business resumption
•Set a target that is affordable
Strategy considerations – it is not just terrorism!
Business Interruption
Business processes:
· Supplier failure
· Breakdowns
· Legal shutdown
Technology:
· Stopped
· Erroneous/corrupted
· Erratic
Premises:
· Damaged
· Destroyed
· Utility failure (power/water)
People:
· Sick or injured
· Unavailable for work
· Denied access to location
The 5 Critical infrastructure strategy areas
1. Institutional
2. Public Private Cooperation
3. Legal Framework
4. Technology
5. International Cooperation
Implementing Critical Infrastructure Protection
Key aspects
Objective: Identify and review existing laws and regulations governing information security, and perform analysis to confirm compliance with international laws.
Legal Compliance – content:
•Commercial Transaction
•Information assets
•Personal data
•Computer network
•Electronic communication
•Legal Risk Management
•Enforcement Measure
Approach (from the slide diagram):
•Define Infosec Legal Framework
•Identify existing L&R (laws and regulations):
–Malaysian Laws
–Malaysian Codes, Policies and Guidelines
–International instruments
–Foreign Legislation
•Assessment of findings
•Gap analysis
Source: NISP Project, MOSTI 2005
Key Aspects
Objective: Review existing information security requirements against international standards and best practices, and identify the deployment of security controls and safeguards to CNII.
Approach (from the slide diagram):
•Identify critical sectors – regulated sectors:
–Finance
–Communication
–Government
•Define compliance checklist:
–MS ISO 17799
–ISO 15408 Common Criteria
–Management, technical and operational controls
•Determine and review existing security requirements & controls:
–Security policies & guidelines
–Security standards
•Analysis of findings
•Gap analysis
Source: NISP Project, MOSTI 2005
Key Aspects
Objective: Analyse the available international security implementation models and determine the feasibility of implementing them locally in Malaysia. This also allows coordination for international cooperation and communications.
Approach (from the slide diagram):
•Define benchmark criteria:
–Information Security Legislation
–Information Security Regulation
–Information Security Standards and Best Practices
–CERT
–Computer Forensic
–Public Key Infrastructure (PKI)
–Co-ordination and Continuity Management
•Selection of countries:
–ASEAN Countries
–G7 Countries
–South Korea and Taiwan
•Comparative Analysis – International Security Implementation Model
Source: NISP Project, MOSTI 2005
Overall Approach and Methodology
Phase 1: Formulation of Information Security Vision
Phase 2: Information Gathering and Analysis
Phase 3: Development of National Information Security Policy
Phase 4: Development of Roadmap & Action Plan
Across all phases: Project Management & QA
Conclusion
•Not enough is happening in the region – some countries have not begun
•Government has a role to manage, inform and regulate
•Private sector responsibilities are also important
•Operators should conduct broad-ranging and comprehensive risk assessments
•Identify where risks can be reduced
•Collaborate with other operators on shared risks
•Understand business impacts
•Develop a mitigation strategy and continuity plan
•Test the plan!
Questions?