Jon Murphy, National Practice Lead, AOS Top 10 Trends for 2015 in Information Tech Risk Management ITRM is more than merely security hardware and apps under the control of an overworked network admin. It is strategic and tactical process, technology, and people in various roles and levels working collaboratively to protect vital organizational assets like data, information, ability to delivery timely, and reputation. Organizations need continuous, current, Actionable InsightSM about probable sources of majorly impactful risks and threats. Then and only then are they adequately prepared to make the smartest investments in continuing education, process improvement, and procedures for the proper use of the right technology for their situation. This multi-media, interactive presentation will cover the current top trends for 2015 in ITRM and that Actionable InsightSM - what your organization can and should do about likely and impactful IT risks and vulnerabilities.

1. @NTXISSA
Top 10 Trends in TRM
Jon Murphy, CISSP, CBCP, NSA-IAM/IEM, ITILv3, CHS-V, MBA
National Practice Lead, TRM Consulting & Services
Alexander Open Systems (AOS)
April 24, 2015

2. @NTXISSA
Disclaimer
 All thoughts and opinions expressed in this presentation, or by Jon
Murphy directly, are his own and should NOT be interpreted as those of
Alexander Open Systems (AOS), or any other organization that might be
mentioned. The mention of any organizations should not be interpreted
as endorsement.
 Some material contained herein was obtained and is used with the
express written permission of AOS, and other organizations and MAY NOT
be used or reproduced in any way without each of these parties’ express
written consent in advance.

3. @NTXISSA
Overview
• What is TRM
• The Top Ten Trends
• Why You Need IT
• Where Are You
• Conceptual Solutions
• What The Future May Hold
• More Resources
• Q & A

4. @NTXISSA
Why Technology Risk Management (TRM)
• TRM includes:
• IT Sec
• BC/DR
• Governance & Compliance
• Exponential Growth of Threats
• D&D Insiders
• Outside Hackers
(Commercial, Organized Crime, State Sponsored)
• Competitor Espionage
• Continuously Growing Regulations & Requirements
• Increases are a mandatory cost of doing business
• FFIEC, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc…
• Volume reduction, Fines, and jail time for failure to comply
• Cost of data breach up 23% - as much as $20,000 a day
• Ever increasing expectations for “adequate” safeguards by
consumers and courts

5. @NTXISSANTX ISSA Cyber Security Conference – April 24-25, 2015 5
What’s Your Biggest Exposure?
# 3 Paper
# 1 Employee
Negligence
# 2 Hacking

6. @NTXISSA
Top Ten Trends
1. Hacks may become data destruction
attacks
2. Threat actors are becoming more
sophisticated
3. Attacks and resultant legislation will push
industry standards around cyber risks and
improve threat intelligence information
sharing

7. @NTXISSA
Top Ten Trends -cntd
4. Predictive threat intelligence analytics are
critical
5. Third Party Service Provider Risk Management
is becoming an increasingly important concern
among firms
6. TRM must become a board-level issue
7. Embracing and adapting to the new
“boundless network,” is inevitable and we
must also invest in training its workforce to
properly access and protect corporate data

8. @NTXISSA
Top Ten Trends - cmpltd
8. Identity and Access Management are ever
increasingly a key security control area
9. Cyber benchmarking is imperative
10.TRM is not MERELY a Technology Issue

9. @NTXISSA
Why?
• There are at least 5 reasons

10. @NTXISSA
Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime –
Its An Epidemic;
The Nation’s Top Cop
Says So

11. @NTXISSA
We Help Clients Progress
Their Maturity Level
Technology Risk Management Maturity Model
Level 1:
Threat Defense
• Security is
“necessary evil”
• Reactive and de-
centralized monitoring
• Tactical point products
Level 2:
Checkboxes and
Defense-in-Depth
• Check-box mentality
• Collect data needed
primarily for
compliance
• Tactical threat
defenses enhanced
with layered security
controls
Level 3:
Risk-Based Security
• Proactive and
assessment based
• Collect data needed to
assess risk and detect
advanced threats
• Security tools
integrated with
common data and
management platform
Level 4:
Business-Oriented
• Security fully
embedded in
enterprise processes
• Data fully integrated
with business context;
drives decision-making
• Security tools
integrated with
business tools
Approach
Scope
Technology

12. @NTXISSA
Where are we now?

13. @NTXISSA
What concrete steps can you undertake?
Seven action items to start:
1. Get and stay informed
2. Learn the cultural risk appetite
3. Create a risk register and matrix
4. Perform a self assessment
5. Create an incident response plan
6. Add layers to defense in depth
7. Get help

14. @NTXISSA
Get & Stay Informed
1. Associations – e.g.; ISSA, InfoSec Community
on LinkedIn
2. Blogs – e.g.; http://www.vogelitlawblog.com/
3. Newsletters – e.g.; Info Risk Today

15. @NTXISSA
Learn The Cultural Risk Appetite
• The amount and type of risk that an organization is willing
to take in order to meet their strategic objectives.
• Both formally and informally set and driven by leadership,
SO?
1. Has leadership experienced cyber crime personally?
2. Is there an enterprise risk management office?
3. Is security the realm of some lowly network admin in the
bowels of the M.I.S. department?

16. @NTXISSA
1. List all the realistic bad things that could
happen
2. Rank them by likelihood (1-Least to 5-
most) and
3. Impact (1-Least to 5-most)
4. Plot them in a matrix
5. Concentrate on the 5/5s 5 / 5s
Create a Risk Register & Matrix

17. @NTXISSA
Perform A RVA Self Assessment
• Have the business do it first
• Then involve an IT Pro
• Better yet, involve a risk
management Pro
• Use a recognized methodology &
tool,
e.g.; Shared Assessments

18. @NTXISSA
• Create an incident response plan
1. Use the list from action item 3
2. Either create an overarching plan as
guide to every thing on the list or a
plan for each
3. The plan should contain:
1. Who can invoke the plan
2. When to invoke the plan
3. Who does what
4. Alternate roles & responsibilities
5. How to do what
6. What is BAU
4. Don’t forget the post mortem for
lesson learned
You can’t run . . .
or do this !

19. @NTXISSA
1. Bad guys and insiders are
getting more savvy by the day
2. One – three layers of tech
defense is the norm (NOT
ENOUGH)
3. Technology, process, and
people must interact optimally
4. Prepare for the worst and
hope for better
5. You need professional
expertise
The education you’ve undertaken will quickly tell you:

20. @NTXISSA
Reasonable Security HW/Systems to Deploy:
Next Generation Firewalls
Encryption
Updated Software Patches
Complex Passwords
Multi-factor Authentication
Device/Appliance Inventory
Intrusion
Prevention/Detection
Anti-malware

21. @NTXISSA
What The Future Holds
NTX ISSA Cyber Security Conference – April 24-25, 2015 21

22. @NTXISSA
Additional Resources
 Ponemon Institute
http://www.ponemon.org/
 Shared Assessments™
http://sharedassessments.org/about/
 ISO 31000
http://www.iso.org/iso/catalogue_det
ail?csnumber=43170
 AOS Security Consulting
http://www.aos5.com/security/

23. @NTXISSA
Questions?
http://www.aos5.com/security/consulting

24. @NTXISSA@NTXISSA
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – April 24-25, 2015 24
Thank you