A Holistic Approach to CyberRisk Management
NIST CyberSecurity High Level Functions
Companies are faced with many risks and threats while conducting their day-to-day business. One must understand that risk cannot be eliminated, but risk can be managed to an acceptable level.
To manage risks, a company needs to know what the risks are and how each affects the organization as well as its strategic objectives. A one-size-fits-all strategy does not apply to risk; each organization has its own risk tolerance threshold.
According to Symantec Corporation’s Internet Security Threat Report 2014, “US companies paid $188 per breached record over a period of two years. If the data breach was caused by a malicious attack, then the number rose to $277 per breached record over two years. These expenses covered detection, escalation, notification and after-the-fact response, such as offering data monitoring services to affected customers.”
SMART DEVINE’s CyberRisk Management Service (CMS) provides a holistic approach to managing the cybersecurity risks faced by most organizations, and incorporates the NIST (National Institute of Standards and Technology) cybersecurity framework as the guideline. NIST lists five functions, which are basic security activities organized at their highest level. Under each function is a variety of activities that must be completed to minimize risk to your organization.
Vulnerability Assessment
A Vulnerability Assessment is the first step in understanding the cyber risks faced by your organization, and will help identify all the strengths, weaknesses or security gaps in the computer systems, network and infrastructure. Unlike a penetration test, a Vulnerability Assessment is not invasive and will only identify and classify the vulnerabilities that are found. An assessment can also help the organization identify and prioritize gaps in its security risk management profile.
Conducting an assessment gives a company a solid understanding of its current-state risk profile so that it can work on bringing it to an optimal level of security.
Industry professionals recommend conducting a vulnerability assessment on a regular basis. This is an important requirement of many regulations and industry standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and others.
© 2014 SMART DEVINE; All rights reserved.
A VULNERABILITY ASSESSMENT WILL
DETERMINE AND VERIFY:
• Devices that are attached to the network
• Unused user accounts
• Unnecessary open ports
• Software that is not patched
• Incorrect permissions on important system files
Once vulnerabilities are found in the assets, which include hardware, software and network infrastructure, they are identified and classified according to the organization’s risk tolerance. The next step is to protect the assets from threats. Not all threats can be eliminated, so after a study of the likelihood and impact a threat can cause to a business, management should devise procedures to protect high-risk assets from threats. This can be accomplished by implementing protective technology, securing data, controlling access, creating policies, and providing user awareness training. The initial time and effort dedicated to protecting your data does not mean your company is secure.
Cybersecurity is an ongoing project because vulnerabilities change, and so do the threats that persist. The monitoring of critical events and incidents can help an organization strengthen its posture. However, there must be a way to detect what is going on in your company’s environment with processes such as continuous monitoring, web application scanning and a solid vulnerability management program.
smartdevine.com 267.670.7300
Crisis Management Plan
Many organizations learn how to respond to a security incident only after the attack has happened. A proper Incident Response Plan should be an integral part of every organization’s security policy.
There are many benefits to being prepared; one such benefit could be obtaining a premium discount on cybersecurity insurance. A well-thought-out response plan demonstrates that the organization takes information security seriously and is prepared to handle attacks quickly, thoroughly, and efficiently. A well-conceived Incident Response Plan, proper training for the incident response team, and rehearsing the plan by conducting mock exercises are all very important activities.
The last function in this type of CyberRisk management approach is recover, which is about bringing an organization back to a point before the attack took place. Many organizations have a robust disaster recovery and business continuity plan in place; however, management should consider modifying the existing plan to include a cyber attack as a valid threat. Recovery planning is essential because the quicker management can get up and running after an incident, the better your brand, image and other assets are preserved.
Our Approach
We use a SMART approach which involves people, process and technology. There is plenty of technology available in the market to help detect intruders, but that should not be the only driver for your security strategy. An effective security program takes a holistic approach and will involve people and processes in addition to the technology. Humans are often the weakest link in the equation. User awareness can make a big difference to a security program. Proper user awareness training includes educating employees about cybersecurity risks and developing a risk-awareness culture to help mitigate this issue.
Our CMS approach uses automated tools as well as manual validation to minimize the effort and maximize the value for our clients.
Not sure your organization has a cybersecurity program? Call us. If you believe you already have an effective program, consider putting it to a test with our team. New threats to cybersecurity are frequent, making way for continuous improvement to your plan.
Benefits of a Holistic Approach to Cybersecurity
1.	 Plug Security Holes
2.	 Determine Security Requirements
3.	 Increase Security Awareness
4.	 Document Due Diligence
5.	 Justify Spending
CYBERRISK MANAGEMENT SERVICE INCLUDES:
• Vulnerability Assessment
• Penetration Testing
• Regulatory Compliance (PCI-DSS, HIPAA, GLBA and others)
• User Awareness Training
• Security Policy Review
• Disaster Recovery and Business Continuity Planning
• Continuous Monitoring and Incident Response
Accounting | Tax | Advisory
Smart Devine provides a full range of accounting, advisory, tax and investigative forensic and litigation services
to organizations across a variety of industries.
Smart Devine | 1600 Market Street | 32nd Floor | Philadelphia, PA 19103 | T 267.670.7300 | info@smartdevine.com
INTEGRATED TEAM OF PROFESSIONALS
SMART DEVINE’s integrated team of business advisory and consulting professionals draws upon experience from both the public and private sectors. Our clients rely on us for our skills, experience and the knowledge we offer in supporting the critical operations of their businesses. For more information, contact Anil Chacko, Managing Director at Smart Devine’s Business Advisory Group. Anil has extensive experience as an IT Executive in the Financial Services and Insurance industries. Contact Mr. Chacko at 267.670.7311 or achacko@smartdevine.com
Anil Chacko, MBA, CISM
Managing Director
SMART DEVINE OFFERS A FULL LINE OF SOLUTIONS
Also Read this White Paper: CYBERSECURITY: Is Your Business Ready?
ACCOUNTING & AUDIT
• Audit, Reviews & Compilation
• Accounting & Tax Due Diligence
• Accounting Outsourcing
• Agreed Upon Procedures
• Business Valuation
• Finance Process & Reporting Optimization
• Forecasts & Projections
• Forensic Accounting & Litigation Support
• Internal Control Study & Evaluation
• Personal Financial Statements
• Retirement Plan Audits & Prep
• Trust Accounting
• SEC Advisory Services
• Special Project Coordination & Support
• Technical Accounting Consulting
• Transaction Advisory Services
• SSAE 16/SOC 1 & SOC 2 Reviews
BUSINESS ADVISORY
• Business Process Outsourcing
• Business Performance & Profit Improvement
• Financial Advisory & Risk Services
• Technology & IT Security
RISK SERVICES
• Corporate Governance Regulatory Compliance
• Enterprise Risk Management
• Business Risk Assessment
• IT Risk Assessment
• Internal Audit Services
• IT Internal Auditing
• Internal Audit Transformation
• Quality Assessment Reviews
• Sarbanes Oxley/Model Audit Rule/NAIC Compliance
• SSAE 16/SOC 1 & SOC 2 Readiness Assessments
INSURANCE ADVISORY SERVICES
• Accounting & Financial Reporting
• Tax Services
• Claims Services
• Underwriting Services
• Litigation Support & Forensic Accounting
• Risk Advisory
TAX
• Tax Return Compliance
• Accounting for Income Taxes
• ASC 740 (FAS 109) Tax Provision Services
• International Taxation
• IC-DISC
• Tax Planning & Advisory
• Tax Controversy
• Transfer Pricing
• Research & Development Tax Credit
• State & Local Taxation
FORENSIC & LITIGATION SERVICES
• Litigation Services
• Environmental Litigation
• Forensic Investigations
• Trustee & Monitoring Services
• Digital Forensics & eDiscovery
