Cyber Security & GRC Metrics That Tell a Story! Presented by: Swarnika Mehta, Manager, KPMG Cyber Security Services


Cyber Security & GRC Metrics That Tell a Story! Presented by: Swarnika Mehta, Manager, KPMG Cyber Security Services; Eva Benn, Senior Associate, KPMG Cyber Security Services

Contents

Introduction

In the news

Hackers Stole Credit Card Information From Thousands of Arby's Customers (Jonathan Vanian, Feb 09, 2017): Hackers have stolen customer credit card information from an unknown number of Arby's restaurants, according to a report on Thursday. Read more at: http://fortune.com/2017/02/09/arbys-restaurantshackers-data-breach/

Military personnel data leaked in Dun & Bradstreet database (James Rogers, published March 16, 2017): The huge leak of a Dun & Bradstreet database containing the details of almost 33.7 million people includes over 100,000 military personnel, according to the security researcher who reported the leak. Read more at: http://www.foxnews.com/tech/2017/03/16/military-personnel-data-leaked-in-dunbradstreet-database.html

The hard questions

How do we distill the important information and complex metrics in a way that can be consumed by senior executives and the board?

Answer: an Information Security Metrics Program (ISMP)

Key Metrics

Key reporting metrics

Application Security
- % of applications scanned
- % vulnerabilities by severity (Low / Medium / High)
- Time to remediate vulnerabilities

Server Security
- % of ICF/non-ICF servers missing sev 4/5 patches
- % of ICF/non-ICF servers with AV and CSP installed

Endpoint Security
- % of endpoints missing critical security patches
- % of endpoints with Anti-Virus installed

Incident Management
- Time to remediate security events
- Time to resolve incidents
- Incident status (Closed / Pending / Open)

Vendor Security
- High, Medium, and Low risk vendors
- Average vendor risk score (example shown: 8.8)
- % of vendors that completed risk assessments

Operations
- # of resources with certifications
- Security projects status (On Track / Delayed)

How do I tell the story?

- Align with business goals (chart: % customer satisfaction by quarter, Q1/Q2)
- Provide holistic trends in cyber security risks (charts: vulnerabilities remediated; reduction in compliance failures; risk categories Operational Redundancies, Data Leakage, Vendor Risk, Insider Threat, Malware, rated High / Medium / Low)
- Reporting by stakeholders
- Facts that matter! Which numbers have gone up? Which numbers have gone down?
- Demonstrate ROI on IT investments (chart: Investment vs. Savings)
- Focused metrics
- Do it again!

Metrics Program and Technology Enablement

Common Challenges

People
- No business context
- Lack of awareness
- Poor delivery

Process
- Arbitrary thresholds
- No clear requirements
- Too many metrics

Technology
- Lack of capability to gather, collect or analyze data
- Manually producing metrics is too time consuming
- Not all historical data is usable, and it requires expensive cleanup

Key components of an ISMP

- Governance and Ongoing Maintenance: roles and responsibilities with supporting processes needed to operationalize the program and keep it relevant over time
- Presentation and Reporting: organizing metrics results into visually appealing and intuitive reports at each stakeholder level. Examples include a management level memo, a program level scorecard and an operational level dashboard
- Scope and Coverage: areas of measurement within the program. This includes domains (e.g., Endpoint Security, Threat Management) and relevant metrics within each domain
- Extraction and Collection: collecting raw metrics data from identified data sources or source systems to calculate metrics
- Measurement and Analysis: calculating metrics based on raw metrics data and analyzing results using thresholds, weighting, targets, trending, etc.

Building an information security metrics program (maturity scale: Non-existent to Mature)

1. Strategy and Design: DEFINE STRATEGY, DESIGN, BUILD ROADMAP
2. Implementation (Manual): DEVELOP METRICS, PHASED ROLLOUT, OPERATIONALIZE
3. Implementation (Enhanced): AUTOMATE, FULL ROLLOUT, DATA & ANALYTICS

Enhancement opportunities

Aggregate Score by Domain
- Metrics will be aggregated into domains (e.g. Incident Management, Mobile Security, etc.)
- An aggregated score will be provided for each domain using simple, yet specific formulae

Weighted Metrics
- Metrics will be weighted based on their importance on applied assets (e.g. critical application vs. non-critical application) to help with prioritization of metrics
- Thresholds and tolerance levels will help analyze whether the measured or calculated value of each metric is helping track risks as well as performance objectives

Risk & Control Mapping
- Risks will be mapped to each domain so that the user will be able to decide on appropriate actions to be taken based on the types of risk exposure
- Relevant controls will be mapped to each domain to provide the user with the ability to devise an initial remediation strategy and action

Dimensions
- Each metric report can be dimensionalized (filtered), through relationships, so that the user can come in from a different view point (e.g. Segment, Region, Country, Business Unit, Sub BU, Data Center, Data Center Supplier, IT Area, Stakeholder, CISO)
- Users will be able to view trends for each metric and compare against other related metrics

Drill Down Capability
- Users will have the ability to drill down into each domain to see individual metric reports and other detailed information (e.g. server name, stakeholder, etc.)
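The "Measurement and Analysis" component and the "Aggregate Score by Domain" / "Weighted Metrics" enhancements describe a concrete calculation: normalise each metric, weight it by asset importance, roll the result up into a domain score, band that score against thresholds, and report whether it moved quarter over quarter. The example below is added here and is not code from the deck or from KPMG; the Endpoint Security metric names come from the "Key reporting metrics" slide, while the weights, threshold values and quarterly figures are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Metric:
    name: str
    value: float            # measured value, in percent
    weight: float           # relative importance (e.g. critical vs. non-critical scope); constructed
    higher_is_better: bool  # True for "% with AV installed", False for "% missing patches"

def health(m: Metric) -> float:
    """Normalise a metric to a 0-100 scale on which higher is always better."""
    return m.value if m.higher_is_better else 100.0 - m.value

def domain_score(metrics: list[Metric]) -> float:
    """Aggregate score for one domain: weighted average of its metrics' health."""
    total_weight = sum(m.weight for m in metrics)
    if total_weight == 0:
        raise ValueError("a domain needs at least one metric with a positive weight")
    return round(sum(health(m) * m.weight for m in metrics) / total_weight, 1)

def risk_band(score: float, low_at: float = 90.0, medium_at: float = 75.0) -> str:
    """Threshold / tolerance mapping of a domain score onto a risk band (thresholds constructed)."""
    if score >= low_at:
        return "Low"
    if score >= medium_at:
        return "Medium"
    return "High"

def trend(current: float, previous: float, tolerance: float = 1.0) -> str:
    """'Which numbers went up or down?' Movement inside the tolerance is reported as flat."""
    delta = current - previous
    if delta > tolerance:
        return "up"
    if delta < -tolerance:
        return "down"
    return "flat"

# Constructed Endpoint Security readings for two quarters (hypothetical values).
Q1 = [Metric("% endpoints missing critical patches", 18.0, 2.0, False),
      Metric("% endpoints with Anti-Virus installed", 94.0, 1.0, True)]
Q2 = [Metric("% endpoints missing critical patches", 9.0, 2.0, False),
      Metric("% endpoints with Anti-Virus installed", 97.0, 1.0, True)]

def endpoint_report() -> dict:
    """One row of a domain scorecard: last two scores, current band and direction."""
    s1, s2 = domain_score(Q1), domain_score(Q2)
    return {"q1": s1, "q2": s2, "band": risk_band(s2), "trend": trend(s2, s1)}

if __name__ == "__main__":
    print(endpoint_report())
```

Because the patch metric carries twice the weight of the AV metric, a nine-point drop in missing patches moves the domain from Medium to Low risk even though AV coverage changed by only three points.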

Do's and Don'ts

Lessons learned

Sustainability
- Rationalize frameworks (simplify and integrate)
- Leverage automation to support operational enablement

Single view of risk
- Define the scope of existing risk reporting activities
- Manage cyber risk within the organizational context
- Align correlations to business objectives and risks
- Focus on key metrics

Scalability
- Build a culture of continuous improvement
- Design process and capabilities (process and tools) to mature over time

Ownership & Accountability
- Establish a structured cyber risk reporting capability
- Rationalize processes and frameworks to enable prioritization and decision making
- Differentiate governance versus operational roles and responsibilities
- Ensure board level awareness of key cyber risk and compliance issues

Considerations for implementing an ISMP

As with any additional capability added to an organization, there are several cost considerations that need to be accounted for; the actual cost will depend on the scope of the ISMP.

People
- Additional resources need to be hired, or current resources need their responsibilities prioritized, to support operationalizing the ISMP
- Raw data owners need to allocate time to support collection of metrics data

Process
- Metrics collection, reporting development, ISMP ongoing maintenance and training processes need to be developed and executed once the ISMP is operational
- Additional processes to extract data may need to be defined
- Gather contextual data for metrics (e.g., thresholds, dimensions)

Technology
- Technical implementation of processes to extract data (Big Security Data)
- Initial investments towards a metrics solution for automated aggregation, reporting and analytics

Thank you

kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity and the views presented herein are those of the presenter. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2017 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. (On printed materials, add: Printed in the U.S.A.) The KPMG name and logo are registered trademarks or trademarks of KPMG International.