Growing Awareness of Cyber Framework Bodes Well for Global Risk Management

By Danielle Kriz, Sr Director, Global Policy, Palo Alto Networks and Sean Morgan, Advisor, Cybersecurity Policy, Palo Alto Networks

Earlier this month, Palo Alto Networks joined approximately 1,000 stakeholders at the Cybersecurity Framework Workshop 2016, organized and hosted by the National Institute of Standards and Technology (NIST) on its campus in Gaithersburg, Maryland. The workshop represented just the latest example of an ongoing, inclusive dialogue that started during the initial development of the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) in 2013 and has continued since its official launch in February 2014.

The workshop highlighted the many ways that governments around the world, and businesses large and small, have uniquely applied the Framework to help manage and reduce their cybersecurity risks. NIST should be commended for its continued efforts to bring together key stakeholders from industry, academia and government to discuss uses and best practices and ensure the Framework remains the flexible, voluntary guidance document it was intended to be. Although the Framework has gathered extensive support across, and promotion by, multiple industry sectors since its launch – as evidenced by the broad spectrum of entities engaged in the workshop dialogue – NIST’s leadership and guidance remains essential.

From our perspective, a few key themes emerged at the workshop. One was the growing global dimension of the conversation – not simply about the Framework itself, but about the broader importance of developing a common cyber risk management lexicon as the world becomes increasingly interconnected. The central tenets of the Framework’s Core – Identify, Protect, Detect, Respond and Recover – provide precisely this type of shared baseline necessary to facilitate strategic cyber risk management conversations across organizational levels and borders.

One panel, in particular, on international alignment of the Framework, featuring speakers from Japan and Italy, was a testament to this conversation’s expanding reach. Increased international engagement in and acceptance of this type of inclusive, public-private partnership approach to cybersecurity policy development is essential. More granularly, a reaffirmation of the value of using globally accepted, industry-led, voluntary consensus standards for cybersecurity risk management will help drive greater competition and innovation in the global marketplace.

Another important discussion at the workshop was how U.S. federal agencies are using the Framework. In fiscal year 2016, the CIO FISMA Metrics – a critical tool for measuring department and agency cybersecurity – are organized around the Framework’s five functions. U.S. federal agencies and contractors in the workshop session reported various degrees of activity; some were already mapping various activities to the Framework, while others reported that more awareness about the Framework was needed. We strongly support the efforts to drive alignment of cybersecurity requirements for federal information systems with the Framework. It is good for federal cybersecurity, exemplifies a best practice to industry, and indicates to other governments around the world the United States’ sincerity about utilizing the Framework.

Finally, the workshop featured a series of conversations about the future of the Framework. One question was about the value of updating it. We agree with many in industry that it is too soon to make major changes and move to “version 2.0.” The Framework needs to gain traction with a broader diversity of stakeholders to more fully realize its potential as a risk management tool. Any updates should focus on Framework refinement rather than expansion. To this end, like others in industry, we believe that the list of voluntary standards (the “informative references”) should be updated if new standards have gained widespread, voluntary global adoption since the Framework was first published. We also believe NIST’s efforts to raise awareness about the Framework should reflect global security trends toward threat prevention as an integral part of the “Protect” function.

On these and other issues, NIST used the workshop as an opportunity to solicit stakeholder input, and we encourage that all future decisions continue to be made in the same inclusive and thoughtful manner as that which produced the Framework itself. Since that original inception and throughout its development and implementation, Palo Alto Networks has been a strong advocate for the Framework’s importance both individually and as part of broader technology coalitions. As a company, we believe strongly in the principles the Framework espouses: public-private partnership, the importance of sound cyber risk management policies, and a recognition that cybersecurity policies and standards must be considered on a global scale. We look forward to continuing to be a constructive part of this important dialogue.


[Palo Alto Networks Research Center]

Navigating the Breach Regulatory Maze: Proper Incident Risk Assessment and Response

Cyber attacks. Lost paper files. Third-party snafus. Misdirected emails. Endless are the ways in which sensitive personal information is accidentally or deliberately exposed. Despite best efforts, it is impossible to stop sensitive data from falling into the wrong hands.

According to a new report, Risk Based Security identified 3,930 data breaches reported during 2015, exposing more than 736 million records. Poorly managed, these data security and privacy breaches put organizations at high risk for regulatory fines, lawsuits, lost business and reputational harm. In addition, customers, patients and employees affected by the exposure of their sensitive information fall prey to identity theft and other forms of fraud.

The Challenges of Incident Risk Assessment
No incident is alike. The types and sensitivity of data exposed, the root cause of the incident, the nature and intent of the recipient of the exposed data—these and other variables make consistency of incident risk assessment a difficult challenge for privacy, compliance and risk professionals.

For example, the Risk Based Security report found that:

  • Hacking accounted for 64.6 percent of breaches and 58.7 percent of exposed records.
  • Nearly half of breaches involved passwords and more than 45 percent exposed email addresses.
  • The breaches reported covered more than a dozen industry sectors, from technology to government to retail to healthcare.

In addition to incident variability, data breach laws are a maze of growing complexity and ambiguity. There are 51 state and territory breach notification laws that have different definitions of personal information, allow varying exceptions and have different requirements regarding notification thresholds, content and timing. And these laws are rapidly changing and getting stricter: in 2015 and the first part of 2016, 10 states enacted new addendums or breach laws. Adding to the complexity is a plethora of federal regulations and standards—HIPAA, GLBA and PCI to name a few—as well as international laws and the European Union’s long-awaited General Data Protection Regulation (GDPR).

The primary struggle for privacy and compliance professionals is lack of consistency, given the manual and highly subjective methods of conducting the required multifactor risk assessments. This is understandable, given the challenge of assessing the unique nature of each incident against this backdrop of complex breach notification regulations and the lack of purpose-built, automated incident risk assessment tools. And when such a homegrown tool is developed, many organizations find it doesn’t scale, can’t keep up with the changing regulations and is difficult to use.

Four Steps to Successful Incident Risk Assessment and Response
In order to reduce the risks from unavoidable privacy or security incidents, organizations need an automated and highly consistent process for incident risk assessment. This process must allow each unique incident to be assessed with the latest updates to breach notification laws. To help you accomplish this, consider these four tips:

  1. Understand the difference between an event, an incident and a breach. These terms are often used synonymously or incorrectly, but important distinctions exist. For example, an incident is an event that violates an organization’s security or privacy policies involving sensitive information. A breach, on the other hand, is an incident that meets the legal definition of a breach and requires notification to affected individuals.
  2. Develop a scalable process for reporting incidents. Timely and efficient reporting of suspected incidents by employees, customers and third-party entities is critical for implementing a successful incident response process. Use web forms to efficiently and securely capture incident information and to automatically route the information to the appropriate professionals for investigation and incident risk assessment.
  3. Automate data breach risk assessment. Given the short timeline for notifications based on a multifactor incident risk assessment, you need a system that is agile and provides a multifactor risk assessment based on the latest breach notification laws across all jurisdictions where you have a regulatory obligation.
  4. Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.

Organizations can ill afford to underestimate the importance of consistent incident risk assessment and response. Done right, this process provides a road map for successfully responding to potential breaches, meeting regulatory requirements and protecting the people who trust us with their most confidential information.

Join Mahmood Sher-Jan at ISACA’s North America CACS in New Orleans 2-4 May. Sher-Jan will present Navigating the Data Breach Regulatory Maze (session 234/Privacy Track) in depth on Tuesday, May 3.

Mahmood Sher-Jan, CEO, RADAR® business unit, ID Experts

[ISACA Now Blog]

New on Security Roundtable: Cyber Insurance is a Misnomer

Security Roundtable is a community designed to share best practices, use cases, and expert advice to guide executives on managing cybersecurity risks. In this article, excerpted below, Scott Kannry, CEO of Axio Global, dives into why attention to detail is key when evaluating cyber insurance.

“My title is not meant to suggest that cyber insurance is flawed. To the contrary; it’s a valuable risk transfer instrument that has performed as advertised in the vast majority of loss situations and often provides policyholders with a gateway to a host of response and mitigation providers that otherwise might be too costly or unavailable when most needed. Most articles questioning the viability of the product are usually centered on denied claims from types of insurance policies that were not designed to cover emerging cyber risks, or written by folks whose knowledge of actual policy language harkens back to earlier generation policies that sometimes contained strict stipulations about maintaining consistent levels of security.

Rather, my title intends to raise awareness that ‘cyber insurance,’ as is commonly offered by the insurance industry, is not an “all-risk” type of policy that covers anything and everything resulting from a cyber event…”

Read the full article at Security Roundtable.

[Palo Alto Networks Research Center]
