David Clarke, CITSO at Digital Arena, presented at CIO Event October 2014

1. SECURITY BENCHMARKING, BEST PRACTICE AND STRATEGY DEVELOPMENT
David Clarke
Vciso

2. David Clarke
• Created CERT on a Financial Intranet trading $3.5
Trillion a day ,CPNI Member 10 Years.
• Managed Global Managed Security Services with a
$100-$300 million Global install base 500 + Customers
with $3.4 Billion dollar Contracts.
• Created , maintained and improved regulatory and
compliance commitments including Global PCI-DSS,
ISO 27001 (10,000+ Security Devices/Systems ).

3. • Breach Legislation, IT or Legal?
• " the proposed regulation of up to 5% of
annual worldwide turnover, or €100"

4. • Information Sharing , Who,When, How
• "The ICO has imposed a monetary penalty
of £200000 on the British Pregnancy
Advice Service (BPAS) for exposing
thousands of personal"

5. • Compliance is the best protection?
• "Resistance is futile" Gartner
• "Brighton and Sussex University Hospitals NHS
Trust fined £325k after hard drives with highly-sensitive
patient data were sold on eBay, - "

6. • Best Practice or is this Compliance ?
• "The ICO can issue fines of up to
£500,000 for serious breaches of the Data
Protection Act and Privacy and Electronic
Communications Regulations." ICO

7. • Incident Response,Strategy
• "There are two kinds of big companies in the
U.S. Those who’ve been hacked by the Chinese
and those who don’t know they’ve been hacked.”
FBI

8. 4 Threats
• Internal Threat
• External Threat
• Regulatory Threat
• The Threat of “inadvertent human
error”

9. Appendix

10. ISO 20000
Change Process
Service Introduction
Problem management
Escalation Processe

11. Security Measurement
• Measure of Compliance
• Measure of System effectiveness
• Measure of People Awareness
• Measuremnet of main Threat Vector

13. 72 Hours to Report
% 5% of Worldwide
Revenue
71

14. Cyber Essentials
Boundary Control
Secure Configuration
Patch Managment
Malware Defense
Access Control

15. Each Event is 0.25 80% achievable =0.2 The Maths
Dependent Events
0.2+0.2+.2+.2=0.8
Previously 0.32
A Dramatic improvement by
using a Leveraged Strategy

16. Probably? Independent Events
0.8x 0.8x0.8x0.8=0.41

17. "Inadvertent
human error
Inadvertent
human error
Hacker
95% Human Error
19:1 Leverage to Hackers

18. Incidents
• Escalation Procedure
• Alerting Procedure
• Password Managment

19. Real Time Incident
1.2 13%
Escalation Management
Judgement Calls
Staff
Working with Outsourcers
Identifying Risk/Direction
Legal
Presenting The Down Side
Define Purpose
Incident End
Mitigation Techniques
Information Control
Post Analysis
Stakeholders
Prerequisites
0.14
0.12
0.1
0.08
0.06
0.04
0.02
0
1
0.8
0.6
0.4
0.2
0
12%
11% 11%
9% 9%
8%
6%
4% 4%
3% 3% 3%
2%
13%
26%
37%
48%
57%
66%
73% 79% 83% 88% 91% 94% 98% 100%

20. Incident Phases

21. • If you would like my worksheet matching
the strategy to cyber essentials and sans
top 20 please email me at cio@vciso.co
• Linkedin with me at
uk.linkedin/1davidclarke
• Twitter @1davidclarke