Sharing Information to Manage Risk USCIS /SEVP Joint Initiative Briefing
December 18, 2015 What happened? What is current status? How do we prepare for whatever is next? Two related, but different perspectives 2
Information Sharing Considerations Purpose for sharing Sharing community Fitness Transactional matters Feedback Security, privacy, civil liberties and anonymization Trust, trust, trust 3
Information Sharing Considerations We can and should learn lessons from experience sharing across various risk management perspectives One interesting lesson: Nobody wants to be the first one to share (dance) 4
The CIDAWG EVERYONE HAS A STAKE DHS established the Cyber Incident Data and Analysis Working Group (CIDAWG) in February 2015 to explore the benefits and the feasibility of a cyber incident data repository. CIDAWG participants include private sector IT risk management professionals representing various critical infrastructure sectors and functions and insurance companies. The CIDAWG identified: The value proposition Information sharing challenges and solutions 16 comprehensive incident data categories CIDAR Data Input Fields DHS’s role is to facilitate the dialogue and shepherd the effort. CIDAWG conclusions and key finding are NOT DHS positions. 5
Why do we need a repository? CISOs Vendors New security Peer to peer Insurers solutions benchmarking Build up information to More coverage at lower Incentives for better understand rates for those who organizations to improve impacts, and frequency invest in “best in class” their overall cyber risk of cyber events and “best controls identified by the management practices in class” controls repository 6
CIDAR What it IS envisioned to be: A trusted and secure repository that enterprise risk owners and insurers could use to voluntarily and anonymously share, store, aggregate, and analyze sensitive cyber incident data. What it’s NOT envisioned to be: NOT a repository of specific insurance claims! NOT a platform to share cyber threat indicators for immediate action! – it’s a loss library NOT to be built and operated by the Government – could be managed by an industry or academic consortium 7
The Value Proposition Identifying Top Risks Informing and Effective Controls Showing Return on Peer-to-Peer Benchmarking Investment Advancing Risk Allowing for Sector Management Culture Differentiation Supporting Forecasting, 8 Trending, and Modeling
The Challenge Primary Fear : Sensitive incident data would open organizations to liability, exposure, and/or otherwise negatively affect their businesses A particular exploit could be connected with a contributing company or companies (large-scale incidents) A robust anonymization protocol could lead to a situation where the obfuscation of the data source makes the data unverifiable Who can access the data? – Ensure information is not disseminated to outside (unvetted) parties How will the data be protected and managed? What’s the extent of third party insight into the contributors’ identity and data? WHO SHOULD OPERATE THE REPOSITORY? Nobody wants to be the first one to share (dance) 9
CIDAR Data Points Profile Posture Incident Data 10
Back-Up 11
Methodology Data collected is basic, useful and should be easy-to-acquire – answering the questions requires minimum resources. Optimally the data provides a comprehensive picture of incidents including impact and costs associated with their recovery and mitigation yet at the same time: Each data point is analytically independent of the others to the greatest degree possible so that lack of data in one area does not hinder analysis in another. CIDAR can function with incomplete data. The anonymity of the submitting organization is safeguarded – avoiding the possibility of inference. Contributors can periodically change data and/or input additional data as they learn more about the outcome of incidents. Common taxonomy is used such as NISTIR 8138, and the NIST Cybersecurity Framework. Design allows for future automation and scaling. Questions posed avoid speculations. 12
Illustrative Questions 13
Next Steps Collect feedback from the public on Data Input Fields: Do you already track data sought after in the questions? If not, could it be easily obtained and tracked and what would be the additional cost of tracking these new data points? Would you be willing to share data associated with these data points? Which data would you be willing to share and which of these data would you be hesitant to share? Why? Under what circumstances would you be willing to share the information sought after in this repository? What additional data points should be collected into the repository? Solidify cyber incident data ontology/taxonomy in order to standardize data collection Design and prototype a CIDAR Portal combines a robust, secure and highly cost effective platform architecture and advanced functionality explore what kind of analytic products a CIDAR could produce based on the data resulting from responses to the cyber incident reporting questionnaire 14
Recommend
More recommend