INFORMATION RISK MANAGEMENT ADVISORY

Critical Infrastructure Protection

Cheryl Goh, KPMG Malaysia
Alan Chong, KPMG Australia


© 2005 KPMG, a Malaysian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.

Agenda

1. Critical Infrastructure definition

2. Who is at risk?

3. Global trends and challenges

4. Role of government

5. Recent initiatives

6. Critical infrastructure strategy

7. Risk assessment and management


© 2004 KPMG, an Australian partnership, is part of the KPMG International network. KPMG International is a Swiss cooperative. All rights reserved. The KPMG logo and name are trademarks of KPMG.

What is Critical Infrastructure Protection?


Critical infrastructure definition

• Industries, institutions, and distribution networks and systems that provide a continual flow of the goods and services essential to a nation’s defence and economic security

• These infrastructures are deemed “critical” because their incapacity or destruction could have a debilitating regional or national impact

• Critical infrastructure protection is concerned with the readiness, reliability, and continuity of infrastructure services so that they are less vulnerable to disruptions, so that any impairment is of short duration and limited scale, and so that services are readily restored when disruptions occur


Who is at risk?


Who is at risk?

• Sectors targeted by terrorists – aviation, energy and finance

• Critical infrastructure – e.g. telecommunications and power generation

• Organisations that transport explosives or products which could be used in conventional, chemical, biological or radiological attacks, e.g. fertilisers

• Organisations that manage facilities where large numbers of people gather, e.g. airports, shopping centres, major entertainment venues or sporting venues

• Organisations that might suffer collateral damage in a terrorist attack


Examples of critical infrastructure

1. Food and agriculture

2. Banking and finance

3. Communications

4. Energy

5. Transportation

6. Water

7. Public health

8. Government services

9. Emergency services

10. Defense


Global trends and challenges


Global industry trends

• High availability systems – 24x7 on-demand services

• Complex operational models including joint ventures and collaboration

• Mergers and acquisitions increasing

• Greater use of outsourcing for IT and business processes

• Off-shoring is increasing

• Globalisation

• On-line competitors from other countries

• Increased governance regulation

• Decreased market regulation


The challenge is not just terrorism

• Understanding downtime tolerance, organisational and downstream impacts

• Understanding business processes and key dependencies

• Rapidly changing organisational processes, systems and infrastructure

• Knowing who is responsible for protection in outsourced environments

• Understanding, managing and communicating risks remotely

• Broad scope of threats across and between countries

• Direct threats from competitors – especially remotely

• Awareness and management of regulatory requirements in different jurisdictions

• Increased shareholder expectations

• Private sector BCM still buried in information technology

• Maintenance and testing of plans


Dependencies

• Each of the critical infrastructure sectors is increasingly interdependent and interconnected. Disruptions in one sector are increasingly likely to adversely affect the operations of others

• Our society, economy, and government are increasingly linked together in a complex system. Disruptions to that system can cascade well beyond the vicinity of the initial occurrence and can cause regional and, potentially, national or international disturbances


Interdependencies

[Diagram: a disaster strikes, with Region A and Region B shown side by side; the nodes drawn are a Train station, a Power Station, a Telco and a Financial Institution ($), illustrating how one disruption cascades across sectors and regions.]
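The cascade the diagram sketches can be made concrete. What follows is an added example, not code from the presentation: a small Python model of an interdependent infrastructure graph in which every dependency carries a downtime tolerance (the hours a dependent can keep operating after its supplier fails). It propagates an outage downstream, reports which regions it reaches, and computes the longest supplier outage a node can absorb, which is the "downtime tolerance" and "downstream impact" the earlier slide asks operators to understand. The nodes, regions, edges and tolerance values are constructed for illustration only.

```python
# Cascading-impact model for an interdependent critical-infrastructure graph.
# Added example, not from the presentation: nodes, regions, dependency edges
# and tolerance values are constructed for illustration only.
import heapq
from collections import deque

# Node -> region, loosely following the deck's Region A / Region B diagram.
NODES = {
    "Power Station": "Region A",
    "Telco": "Region A",
    "Train station": "Region A",
    "Financial Institution": "Region B",
}

# (dependent, supplier, tolerance_hours): the dependent keeps operating for
# tolerance_hours after the supplier fails (generator fuel, batteries, manual
# fallback), then is down for the remainder of the supplier's outage.
DEPENDENCIES = [
    ("Telco", "Power Station", 8),                   # exchange batteries
    ("Train station", "Power Station", 0),           # electrified rail, no buffer
    ("Train station", "Telco", 2),                   # signalling/comms fallback
    ("Financial Institution", "Telco", 4),           # backup WAN to branches/ATMs
    ("Financial Institution", "Power Station", 24),  # on-site generator
]

def _downstream_index(deps):
    """Map supplier -> [(dependent, tolerance_hours)]."""
    index = {}
    for dependent, supplier, tol in deps:
        index.setdefault(supplier, []).append((dependent, tol))
    return index

def propagate_outage(origin, outage_hours, deps=DEPENDENCIES):
    """Return {node: hours_down} for every node an outage at origin reaches.
    A dependent is down for its supplier's downtime minus its own buffer; the
    worst figure over all affected suppliers wins, so cycles also terminate."""
    downstream = _downstream_index(deps)
    impact = {origin: outage_hours}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for dependent, tol in downstream.get(node, []):
            hours = impact[node] - tol
            if hours > 0 and hours > impact.get(dependent, 0):
                impact[dependent] = hours
                queue.append(dependent)
    return impact

def tolerable_outage(origin, target, deps=DEPENDENCIES):
    """Longest outage at origin (hours) that leaves target running: the minimum
    cumulative tolerance along any dependency path (Dijkstra); None if no path."""
    downstream = _downstream_index(deps)
    best = {origin: 0}
    heap = [(0, origin)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == target:
            return cost
        for dependent, tol in downstream.get(node, []):
            if cost + tol < best.get(dependent, float("inf")):
                best[dependent] = cost + tol
                heapq.heappush(heap, (cost + tol, dependent))
    return None

def regions_hit(impact, nodes=NODES):
    """Regions containing at least one affected node (shows cross-region spread)."""
    return sorted({nodes[n] for n in impact})
```

With these constructed figures a 12-hour power outage stays inside Region A, while anything longer than 12 hours reaches the Region B financial institution through the telco, even though its own generator could have covered 24 hours.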


Critical infrastructure imperatives

• Operators are re-thinking their needs in relation to critical infrastructure and asking key questions, such as:

  • Are we a target or likely to be at risk because of the politics or geography of our physical location or industry, or because of a potential target nearby?

  • Do we know what infrastructure and personnel are imperative for the ongoing operation of our business?

  • Have we assessed our external dependencies and their preparedness?

  • Have we adequately and reliably assessed risks to those key assets?

  • Do we have appropriate strategies in place to protect our infrastructure assets or, alternatively, do we have appropriate contingency plans (BCP) in place?

  • Have we considered the internal threats associated with the risk of infiltration?


Australian example – obligations of critical infrastructure operators

• Owners and operators of critical infrastructure have responsibility to:

  • Provide adequate security of their assets;

  • Actively undertake the planning process in accordance with the relevant standard;

  • Conduct an annual review of the risk management plan;

  • Participate in any exercises to test plans conducted by government authorities; and

  • Report any incidents or suspicious activity to State or Territory police.

• In Australia, the Standard for Risk Management (AS/NZS 4360) is the standard against which all critical infrastructure will be assessed, to assist with the review of risk management plans for prevention (including security), preparedness, response and recovery (PPRR)

• The standard requires establishment of the strategic context. In the current security environment, security risk assessments should also consider terrorism in all its forms.


Role of government


Government role

• To ensure risks are identified and managed for the protection of services provided by Government to commerce, industry and the community.

• To identify, monitor and manage risks affecting the country or region:

  • Foreign hostility

  • Extremists and activities

  • Predictive services (e.g. weather forecasting, seismic monitoring, intelligence gathering, trend analysis)

• To provide guidance, education and regulations for private sector operators to manage critical infrastructure

• To provide monitoring and compliance services for the private sector

• To collaborate with other nations on trans-national risks such as terrorism


Government initiatives

Australia

• Risk management guidance

• Industry forums (closed and open)

• Computer Network Vulnerability Assessment program

• Industry-based compliance, e.g. financial services


Government initiatives

Japan

• Financial institutions – there are security standards prepared by FISC

• The Japanese government agency is preparing basic strategies for information security policy in Japan

• Electric power and telecommunications – the ISAC organisation has been established, sharing knowledge on the protection of critical infrastructure within the industry


Government initiatives

China

• The Chinese government has established national security standards relating to infrastructure protection based on international standards such as ISO/IEC and ANSI

• Some examples of national security standards include:

  • Encryption technical standards (GB/T 15277, GB/T 17964, GB 17901)

  • Digital signature standards (GB/T 15852)

  • Authentication mechanism (GB/T 15843)

  • Physical security and environment protection (GB/T 2887, GB 50174)

  • Firewall standards (GB/T 18019, GB/T 18020)

  • Proxy server standards (GB/T 17900)

  • Router security standards (GB/T 18018)

  • Network architecture and security (GB 15278, GB/T 17963)

  • Information system security classification standards (GB 17859)

  • Security assessment standards (GB/T 18336)


Government initiatives

Hong Kong

• The Hong Kong government has a Security Bureau, which has established an Emergency Response System (ERS) to handle disastrous events.

• The ERS lays down the policy, principles and operations in response to emergencies in general, including those arising from natural disasters or terrorist attacks


Government initiatives

Philippines

• The Task Force for Security of Critical Infrastructure (TFSCI) looks at critical infrastructure protection.

• A National Security Plan was prepared in 2004 and is due to be implemented in 2005.


Critical infrastructure strategy


Critical infrastructure strategy

Critical success factors for CI protection:

• Consider all of the business

• Address the expected and the unexpected across all business areas

• Consider day-to-day risks as well as catastrophic events

• Be aware of specific critical infrastructure obligations as prescribed by Government

• Understand the business needs and tolerances

• Consider:

  • Risk reduction and organisational hardening

  • Operations during a crisis

  • Business recovery

  • Business resumption

• Set a target that is affordable


Strategy considerations – it is not just terrorism!

Business Interruption

• Business processes: supplier failure; breakdowns; legal shutdown

• Technology: stopped; erroneous/corrupted; erratic

• Premises: damaged; destroyed; utility failure (power/water)

• People: sick or injured; unavailable for work; denied access to location


The 5 Critical infrastructure strategy areas

1. Institutional

2. Public-private cooperation

3. Legal framework

4. Technology

5. International cooperation


Implementing Critical Infrastructure Protection


Key aspects

Objective: Identify and review existing laws and regulations governing information security, and perform analysis to confirm compliance with international laws.

Source: NISP Project, MOSTI 2005

Steps as laid out on the slide:

1. Define the infosec legal framework:

  • Legal compliance – content covering commercial transactions, information assets, personal data, computer networks and electronic communication

  • Legal risk management

  • Enforcement measures

2. Identify existing laws and regulations (L&R):

  • Malaysian laws

  • Malaysian codes, policies and guidelines

  • International instruments

  • Foreign legislation

3. Assessment of findings

4. Gap analysis


Key aspects

Objective: Review existing information security requirements against international standards and best practices, and identify the deployment of security controls and safeguards to CNII.

Source: NISP Project, MOSTI 2005

Steps as laid out on the slide:

1. Identify critical sectors – regulated sectors:

  • Finance

  • Communication

  • Government

2. Define the compliance checklist:

  • MS ISO 17799

  • ISO 15408 Common Criteria

  • Management, technical and operational controls

3. Determine and review existing security requirements and controls:

  • Security policies and guidelines

  • Security standards

4. Analysis of findings

5. Gap analysis


Key aspects

Objective: Analyse the available international security implementation models and determine the feasibility of implementing them locally in Malaysia. This also allows coordination for international cooperation and communications.

Source: NISP Project, MOSTI 2005

Steps as laid out on the slide:

1. Define benchmark criteria:

  • Information security legislation

  • Information security regulation

  • Information security standards and best practices

  • CERT

  • Computer forensics

  • Public Key Infrastructure (PKI)

  • Co-ordination and continuity management

2. Selection of countries:

  • ASEAN countries

  • G7 countries

  • South Korea and Taiwan

3. Comparative analysis – international security implementation model


Overall Approach and Methodology

• Phase 1: Formulation of Information Security Vision

• Phase 2: Information Gathering and Analysis

• Phase 3: Development of National Information Security Policy

• Phase 4: Development of Roadmap & Action Plan

• Project Management & QA (across all phases)


Conclusion

• Not enough is happening in the region – some countries have not begun

• Government has a role to manage, inform and regulate

• Private sector responsibilities are also important

• Operators should conduct broad-ranging and comprehensive risk assessments:

  • Identify where risks can be reduced

  • Collaborate with other operators on shared risks

  • Understand business impacts

  • Develop a mitigation strategy and continuity plan

  • Test the plan!


Questions?