In: Computer Science
Management processes that support cyber risk management
In this unit’s notes, you explored how cybersecurity can be bolstered by implementing management processes that are aligned with protecting your organization’s most critical information systems.
For this class-wide discussion forum, share the management processes employed by Sony that contribute to managing cyber risks.
Also, discuss the challenges Sony faces in terms of maintaining an effective talent pool of cybersecurity professionals.
Cyber Security :
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It's also known as information technology security or electronic information security.
Types of cyber threats
The threats countered by cyber-security are three-fold:
1. Cybercrime includes single actors or groups targeting systems for financial gain or to cause disruption.
2. Cyber-attack often involves politically motivated information gathering.
3. Cyberterrorism is intended to undermine electronic systems to cause panic or fear.
So, how do malicious actors gain control of computer systems? Here are some common methods used to threaten cyber-security
Cyber Security Risk Management :
Risk management is a concept that has been around as long as companies have had assets to protect. The simplest example may be insurance. Life, health, auto and other insurance are all designed to help a person protect against losses. Risk management also extends to physical devices, such as doors and locks to protect homes and autos, vaults to protect money and precious jewels, and police, fire and security services to protect against other physical risks.
Bolster System :
The Bolster System is designed to manage the process of documenting all fire barrier penetrations and passive fire protection within a building.
Bolster Systems offers the only fully integrated fire stopping app that records the whole survey and fire stopping installation process, even down to printing labels with a specially coded mobile printer.
Bolster Systems maps the location of all walls and floors, schedules each fire-stopped area (along with a picture of the installation), and records when it was installed and what materials were used; its reference number and printed label provide a permanent record of fire-stopped locations for contractors carrying out renovation work.
The system not only provides evidence of fire-stop compliance when a building is completed, it also provides building owners with a system they can use to maintain and manage an inventory of the impact of maintenance works on post-occupancy fire-barrier integrity.
What is cybersecurity risk management?
Rather than doors, locks and vaults, IT departments rely on a combination of strategies, technologies and user education to protect an enterprise against cybersecurity attacks that can compromise systems, steal data and other valuable company information, and damage an enterprise’s reputation. As the volume and severity of cyber attacks grow, the need for cybersecurity risk management grows with it.
Cybersecurity risk management takes the idea of real world risk management and applies it to the cyberworld. It involves identifying your risks and vulnerabilities and applying administrative actions and comprehensive solutions to make sure your organization is adequately protected.
Risk management process
Start with a cybersecurity framework developed from each area of the business to determine what the desired risk posture of the business should be.
Guidance Software recommends using new technologies that can find and map data across the enterprise. Once data is mapped, organizations make better decisions on how that data is governed and reduce their risk footprint. For example, even with training and a strong security culture, sensitive information can leave an organization simply by accident, such as data stored in hidden rows in spreadsheets or included in notes within employee presentations or long email threads. Scanning the enterprise for sensitive data at rest and then removing any data stored where it does not belong greatly reduces the risk of an accidental loss of sensitive data.
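The data-at-rest scan described above, as an added example that is not Guidance Software's product or the page's own code: a Python scanner that opens an .xlsx workbook (a zip of XML parts), reads text from both the shared-strings table and inline strings, and flags any cell whose digit run is shaped like a card number and passes the Luhn check, reporting whether the row was hidden by the user. The workbook it scans is constructed inside the block from the public Visa and Mastercard test numbers; the names `scan_xlsx`, `find_pans` and `build_sample_xlsx` are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SpreadsheetML namespace shared by the worksheet and shared-strings parts.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = "{%s}t" % NS["m"]
# Candidate primary account numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs such as invoice or employee IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit strings in text that are shaped like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def _shared_strings(zf: zipfile.ZipFile) -> list:
    """Read xl/sharedStrings.xml; Excel stores most cell text there, not in the sheet."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    # An <si> holds one <t>, or several rich-text <r><t> runs that must be joined.
    return ["".join(t.text or "" for t in si.iter(T_TAG)) for si in root.iterfind("m:si", NS)]


def _cell_text(cell, shared: list) -> str:
    """Text of one <c> element, whichever of the three storage forms it uses."""
    kind = cell.get("t")
    if kind == "inlineStr":  # <is><t>...</t></is> written directly into the sheet
        return "".join(t.text or "" for t in cell.iter(T_TAG))
    v = cell.find("m:v", NS)
    if v is None or v.text is None:
        return ""
    if kind == "s":  # index into the shared-strings table
        return shared[int(v.text)]
    return v.text  # numeric or boolean value as stored


def scan_xlsx(data: bytes, label: str = "<bytes>") -> list:
    """Scan every worksheet part; return (label, part, row, hidden, digits) per finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        shared = _shared_strings(zf)
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(part))
            for row in root.iterfind(".//m:row", NS):
                hidden = row.get("hidden") == "1"  # rows the user hid are still in the file
                for cell in row.iterfind("m:c", NS):
                    for digits in find_pans(_cell_text(cell, shared)):
                        findings.append((label, part, int(row.get("r")), hidden, digits))
    return findings


def build_sample_xlsx(rows) -> bytes:
    """Hand-built minimal workbook (constructed demo data); rows is a list of (hidden, [texts])."""
    strings, xml_rows = [], []
    for r, (hidden, cells) in enumerate(rows, start=1):
        xml_cells = []
        for i, text in enumerate(cells):
            strings.append(text)  # text goes through a shared-strings table, as Excel writes it
            xml_cells.append('<c r="%s%d" t="s"><v>%d</v></c>' % (chr(65 + i), r, len(strings) - 1))
        attr = ' hidden="1"' if hidden else ""
        xml_rows.append('<row r="%d"%s>%s</row>' % (r, attr, "".join(xml_cells)))
    sheet = '<worksheet xmlns="%s"><sheetData>%s</sheetData></worksheet>' % (NS["m"], "".join(xml_rows))
    sst = '<sst xmlns="%s">%s</sst>' % (NS["m"], "".join("<si><t>%s</t></si>" % escape(s) for s in strings))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:  # a real file carries more parts
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


# Constructed sample: an invoice reference that is 16 digits but fails Luhn, a Visa test
# number in a row the author hid, and a Mastercard test number in plain view.
SAMPLE_ROWS = [
    (False, ["Customer", "Reference", "Note"]),
    (False, ["Acme Ltd", "INV-1234567890123456", "paid"]),
    (True, ["Jane Doe", "4111 1111 1111 1111", "card kept for refund"]),
    (False, ["Bob Roe", "5500-0000-0000-0004", "cleared"]),
]


def demo() -> list:
    return scan_xlsx(build_sample_xlsx(SAMPLE_ROWS), "constructed-refunds.xlsx")
```

`demo()` returns two findings, rows 3 (hidden) and 4, and nothing for the invoice reference in row 2: the Luhn check is what keeps a scan like this from drowning in IDs and timestamps. In a real deployment the same `scan_xlsx` would be pointed at a file share, with the hidden flag and row number giving the data owner a precise location to clean up.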
Deloitte recommends that the risk management process follow the Capability Maturity Model approach, with the following five levels:
1. Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process
2. Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted
3. Defined - the process is defined and confirmed as a standard business process
4. Managed - the process is quantitatively managed in accordance with agreed-upon metrics
5. Optimizing - process management includes deliberate process optimization/improvement.
When the desired risk posture is determined, examine the enterprise technology infrastructure to determine a baseline for the current risk posture and what the enterprise needs to do to move from the current state to the desired state of risk exposure.
As long as proactive steps are taken to understand potential risks, there will be less of a likelihood of risk exposure and falling victim to a cybersecurity incident.
Deloitte also recommends doing a risk/reward calculation, then prioritizing those network security enhancements that will provide the greatest improvements at the lowest cost. Some enterprises may be comfortable with 99 percent of all security upgrades being made. Others, particularly in regulated industries, will want to be closer to 100 percent. So there should be incremental steps and goals (i.e., 5 percent improvement within six months) that can be measured to determine if the enterprise is progressing toward its planned cybersecurity risk posture.
However, even small security vulnerabilities can lead to large losses if network systems are connected in such a way that intrusion into an unimportant area can provide an unauthorized entry into more important systems and more sensitive data.
The only way to make a system 100 percent secure is to make sure it isn’t accessible by anyone, which is impractical at best. The more locked down a system is, the harder it may be for authorized personnel to conduct business. If authorized users find they cannot access the systems or data they need in order to perform their jobs, they may look for workarounds that could compromise systems.
Cybersecurity solutions and risk management services
Ideally, an organization will develop a comprehensive security posture that includes a combination of technologies such as firewalls, endpoint protection, intrusion prevention, threat intelligence and access controls. To get there, organizations might want to consider risk management services for a comprehensive assessment and solution recommendations to make sure their security budget is optimally spent.
Several firms offer comprehensive risk management services. Among them:
· Deloitte
· E&Y
· Booz Allen Hamilton
· Hewlett Packard Enterprise
· Coalfire
· KPMG
· PwC
· Symantec