Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.
Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.
Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:
Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Traditional approaches to security strategy often miss jurisdictional risks. Use this storyboard to make small adjustments to your security program to mitigate security risks in high-risk jurisdictions.
Use this tool to track jurisdictional risks, assess the exposure of critical assets, and identify mitigation controls. Use the geographic heatmap to communicate inherent jurisdictional risk with key stakeholders.
Use these two templates to help you develop your own guidelines for key jurisdictional risk scenarios. The guidelines address high-risk travel and compliance risk.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Assess business requirements and evaluate security pressures to set the context for the security risk assessment.
Understand the goals of the organization in high-risk jurisdictions.
Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.
1.1 Determine assessment scope.
1.2 Determine business goals.
1.3 Determine compliance obligations.
1.4 Determine risk appetite.
1.5 Conduct pressure analysis.
Business requirements
Security pressure analysis
Build key risk scenarios for high-risk jurisdictions.
Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.
Assess risk exposure of critical assets in high-risk jurisdictions.
2.1 Identify critical assets.
2.2 Identify threats.
2.3 Assess risk likelihood.
2.4 Assess risk impact.
Key risk scenarios
Jurisdictional risk exposure
Jurisdictional Risk Register and Heat Map
Prioritize and treat jurisdictional risks to critical assets.
Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.
3.1 Identify and assess risk response.
3.2 Assess residual risks.
3.3 Identify security controls.
3.4 Build initiative roadmap.
Action plan to mitigate key risk scenarios
Michel Hébert
Research Director
Security and Privacy
Info-Tech Research Group
Alan Tang
Principal Research Director
Security and Privacy
Info-Tech Research Group
Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.
Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.
This approach includes tools for:
Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.
The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.
Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.
Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.
The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.
The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:
Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.
The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021). Higher scores show jurisdictions with a lower rank on the GCI, which implies greater risk. Jurisdictions without data are in grey.
As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.
Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.
Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.
This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.
Key Risk Scenarios
The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.
Before you leave
During your trip
When you return
The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.
| | 1. Identify Context | 2. Assess Risks | 3. Execute Response |
|---|---|---|---|
| Phase Steps | 1.1 Determine assessment scope. 1.2 Determine business goals. 1.3 Determine compliance obligations. 1.4 Determine risk appetite. 1.5 Conduct pressure analysis. | 2.1 Identify critical assets. 2.2 Identify threats. 2.3 Assess risk likelihood. 2.4 Assess risk impact. | 3.1 Identify and assess risk response. 3.2 Assess residual risks. 3.3 Identify security controls. 3.4 Build initiative roadmap. |
| Phase Outcomes | Business Security Requirements: Identify the context for the global security risk assessment, including risk appetite and risk tolerance. | Jurisdictional Risk Register and Heatmap: Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure. | Mitigation Plan: Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios. |
Jurisdictional Risk Register and Heatmap
Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.
IT Benefits
Assess and remediate information security risk to critical assets in high-risk jurisdictions.
Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.
Illustrate key information security risk scenarios to make the case for action in terms the business understands.
Business Benefits
Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.
Support business growth in high-risk jurisdictions without compromising critical assets.
Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.
| ID | Metric | Why is this metric valuable? | How do I calculate it? |
|---|---|---|---|
| 1 | Overall Exposure – High-Risk Jurisdictions | Illustrates the overall exposure of critical assets in high-risk jurisdictions. | Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average. |
| 2 | # Risks Identified – High-Risk Jurisdictions | Informs risk tolerance assessments. | Use the Jurisdictional Risk Register and Heatmap Tool. |
| 3 | # Risks Treated – High-Risk Jurisdictions | Informs residual risk assessments. | Use the Jurisdictional Risk Register and Heatmap Tool. |
| 4 | Mitigation Cost – High-Risk Jurisdictions | Informs cost-benefit analysis to determine program effectiveness. | Use the Jurisdictional Risk Register and Heatmap Tool. |
| 5 | # Security Incidents – High-Risk Jurisdictions | Informs incident trend calculations to determine program effectiveness. | Draw the information from your service desk or IT service management tool. |
| 6 | Incident Remediation Cost – High-Risk Jurisdictions | Informs cost-benefit analysis to determine program effectiveness. | Estimate based on cost and effort, including direct and indirect costs such as business disruptions, administrative fines, reputational damage, etc. |
| 7 | TRENDS: Program Effectiveness – High-Risk Jurisdictions | Number of security incidents over time; ratio of remediation cost to mitigation cost over time. | Calculate based on metrics 5 to 7. |
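As an added worked example (not Info-Tech's Jurisdictional Risk Register and Heatmap Tool, nor code from the blueprint), the register below models the risk scenario elements used in Phase 2 (threat, asset, method, effect), computes metrics 1 to 4 from the table above as inherent and residual values, and produces the per-jurisdiction score a heat map would plot. The Low/Medium/High to 1/2/3 mapping, the control costs and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean

# Assumed three-point rating scale. The blueprint rates scenarios as
# Low / Medium / High; the numeric values are an assumption of this example.
RATING = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Control:
    name: str
    cost: float                     # mitigation cost (metric 4), any currency
    likelihood_reduction: int = 0   # rating steps the control removes from likelihood
    impact_reduction: int = 0       # rating steps the control removes from impact


@dataclass
class Risk:
    jurisdiction: str
    threat: str
    asset: str
    method: str
    effect: str
    likelihood: str                 # "Low" | "Medium" | "High"
    impact: str                     # "Low" | "Medium" | "High"
    controls: list = field(default_factory=list)

    def statement(self) -> str:
        # Risk statement form: Threat exploits an Asset using a Method creating an Effect
        return (f"{self.threat} exploit {self.asset} using {self.method}, "
                f"creating {self.effect}.")

    def inherent_severity(self) -> int:
        # Likelihood of occurrence x impact = risk severity, before any treatment
        return RATING[self.likelihood] * RATING[self.impact]

    def residual_severity(self) -> int:
        # Controls lower the ratings; a rating never drops below 1
        lik = RATING[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = RATING[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, lik) * max(1, imp)

    def mitigation_cost(self) -> float:
        return sum(c.cost for c in self.controls)

    def is_treated(self) -> bool:
        return bool(self.controls)


def overall_exposure(risks, residual=False) -> float:
    """Metric 1: average of impact x probability over the whole register."""
    sev = [r.residual_severity() if residual else r.inherent_severity() for r in risks]
    return round(float(mean(sev)), 2)


def risks_identified(risks) -> int:
    """Metric 2: number of risks captured in the register."""
    return len(risks)


def risks_treated(risks) -> int:
    """Metric 3: number of risks with at least one control assigned."""
    return sum(1 for r in risks if r.is_treated())


def mitigation_cost(risks) -> float:
    """Metric 4: total cost of the controls in the register."""
    return sum(r.mitigation_cost() for r in risks)


def heatmap(risks, residual=False) -> dict:
    """Average severity per jurisdiction: the series a geographic heat map plots."""
    by_jurisdiction = {}
    for r in risks:
        sev = r.residual_severity() if residual else r.inherent_severity()
        by_jurisdiction.setdefault(r.jurisdiction, []).append(sev)
    return {j: round(float(mean(v)), 2) for j, v in by_jurisdiction.items()}


# Constructed sample register covering the blueprint's key scenarios, placed in
# hypothetical jurisdictions "Country A" and "Country B" (assumed values).
REGISTER = [
    Risk("Country A", "Cybercriminals", "end-user devices",
         "device theft or compromise during travel",
         "loss of sensitive data and risk to staff safety", "Medium", "Medium",
         controls=[Control("Loaner devices and pre-travel briefing", 12000,
                           likelihood_reduction=1)]),
    Risk("Country A", "Regulators", "regulated personal data",
         "changes to cross-border data transfer rules",
         "administrative fines and reputational loss", "Medium", "High"),
    Risk("Country B", "Malicious insiders", "intellectual property",
         "abuse of legitimate access", "loss of data confidentiality", "Low", "High",
         controls=[Control("Least-privilege access review", 8000, likelihood_reduction=1),
                   Control("Data loss prevention on exports", 15000, impact_reduction=1)]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.statement(), r.inherent_severity(), "->", r.residual_severity())
    print("Overall exposure:", overall_exposure(REGISTER),
          "residual:", overall_exposure(REGISTER, residual=True))
    print("Risks identified/treated:", risks_identified(REGISTER), risks_treated(REGISTER))
    print("Mitigation cost:", mitigation_cost(REGISTER))
    print("Heat map:", heatmap(REGISTER))
```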
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
Phase 1
Call #1: Scope project requirements, determine assessment scope, and discuss challenges.
Phase 2
Call #2: Conduct initial risk assessment and determine risk tolerance.
Call #3: Evaluate security pressures in high-risk jurisdictions.
Call #4: Identify risks in high-risk jurisdictions.
Call #5: Assess risk exposure.
Phase 3
Call #6: Treat security risks in high-risk jurisdictions.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 and 12 calls over the course of 4 to 6 months.
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
| | Day 1 | Days 2-3 | Day 4 | Day 5 |
|---|---|---|---|---|
| | Identify Context | Key Risk Scenarios | Build Roadmap | Next Steps and Wrap-Up (offsite) |
| Activities | 1.1.1 Determine assessment scope. 1.1.2 Determine business goals. 1.1.3 Identify compliance obligations. 1.2.1 Determine risk appetite. 1.2.2 Conduct pressure analysis. | 2.1.1 Identify assets. 2.1.2 Identify threats. 2.2.1 Assess risk likelihood. 2.2.2 Assess risk impact. | 3.1.1 Identify and assess risk response. 3.1.2 Assess residual risks. 3.2.1 Identify security controls. 3.2.2 Build initiative roadmap. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
| Deliverables | | | | |
Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.
Traditional approaches to security strategy often omit jurisdictional risks.
Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.
The two greatest risks are high-risk travel and compliance risk.
You can mitigate them with small adjustments to your security program.
Support High-Risk Travel
When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.
Mitigate Compliance Risk
Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
1.1.1 Determine assessment scope
1.1.2 Identify enterprise goals in high-risk jurisdictions
1.1.3 Identify compliance obligations
This step involves the following participants:
Outcomes of this step
Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.
Work closely with your enterprise risk management function.
Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.
Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.
Strategic Intelligence
White papers, briefings, reports. Audience: C-Suite, board members
Tactical Intelligence
Internal reports, vendor reports. Audience: Security leaders
Operational intelligence
Indicators of compromise. Audience: IT Operations
Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.
Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.
| Rating | Description |
|---|---|
| Low | Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable. |
| Moderate | Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics. |
| High | Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high, often targeting foreigners. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing natural disasters or epidemics are considered high risk. |
| Extreme | Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to parts of the country. Transportation and communication services are severely degraded or nonexistent. Violence presents a direct threat to staff security. |
Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.
Estimated Time: 1-2 hours
Pay close attention to elements of the assessment that are not in scope.
Download the Information Security Requirements Gathering Tool
Do you understand the unique business context of operations in high-risk jurisdictions?
Estimated Time: 1-2 hours
Download the Information Security Requirements Gathering Tool
Tab 3, Goals Cascade
Tab 6, Results
If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.
Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.
Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.
The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.
Estimated Time: 1-2 hours
Include:
Download the Information Security Requirements Gathering Tool
Activities
1.2.1 Conduct initial risk assessment
1.2.2 Conduct pressure analysis
1.2.3 Determine risk tolerance
This step involves the following participants:
Outcomes of this step
Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.
Perform an initial assessment of high-risk jurisdictions to set the context.
Assess:
You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.
Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.
Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.
Estimated Time: 1-3 hours
For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.
Estimated Time: 1-3 hours
For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.
A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.
Download the Information Security Pressure Analysis Tool
A formalized risk tolerance statement can help:
The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.
Estimated Time: 1-3 hours
For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.
Download the Information Security Pressure Analysis Tool
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
2.1.1 Identify assets
2.1.2 Identify threats
This step involves the following participants:
Outcomes of this step
For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:
Build an IT Risk Management Program
Combine Security Risk Management Components Into One Program
Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.
| Threat | Exploits an | Asset | Using a | Method | Creating an | Effect |
|---|---|---|---|---|---|---|
| An actor capable of harming an asset | | Anything of value that can be affected and results in loss | | Technique an actor uses to affect an asset | | How loss materializes |
| Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors | | Examples: Systems, regulated data, intellectual property, people | | Examples: Credential compromise, privilege escalation, data exfiltration | | Examples: Loss of data confidentiality, integrity, or availability; impact on staff health & safety |
Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.
The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.
For instance, in the US, these lists might include countries that are:
When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.
The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.
Likelihood: Medium
Impact: Medium
Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.
Threat Actor:
Assets:
Effect:
Methods:
Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.
Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.
Likelihood: Medium
Impact: High
Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.
Threat Actor:
Asset:
Effect:
Methods:
The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.
In the context of this research, insider threat is defined as:
On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.
In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.
The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022).
Likelihood: Low to Medium
Impact: High
Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.
Threat Actor:
Asset:
Effects:
Methods:
The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.
The following threat actors are currently associated with cyberattacks affiliated with the Russian government.
| Activity Group | Risks |
|---|---|
| | Known as Fancy Bear, this threat group has been tied to espionage since 2004. They compromised the Hillary Clinton campaign, among other major events. |
| APT29 (SVR) | Tied to espionage since 2008. Reportedly compromised the Democratic National Committee in 2015. Cited in the 2021 SolarWinds compromise. |
| Buhtrap/RTM Group | Group focused on financial targets since 2014. Currently known to target Russian and Ukrainian banks. |
| Gamaredon | Operating in Crimea. Aligned with Russian interests. Has previously targeted Ukrainian government officials and organizations. |
| DEV-0586 | Carried out wiper malware attacks on Ukrainian targets in January 2022. |
| UNC1151 | Active since 2016. Linked to information operation campaigns and the distribution of anti-NATO material. |
| Conti | Most successful ransomware gang of 2021, with US$188M revenue. Supported Russian invasion of Ukraine, threatening attacks on allied critical infrastructure. |
Likelihood: Low to Medium
Impact: High
Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.
Threat Actor:
Asset:
Effects:
Methods:
Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)
Adware
Software applications that display advertisements while the program is running.
Keyboard Loggers
Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.
Trojans
Applications that appear harmless but inflict damage or data loss to a system.
Mobile Spyware
Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.
State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.
Likelihood: Low to Medium
Impact: Medium
Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.
Threat Actor:
Asset:
Effects:
Methods:
The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.
Download the Jurisdictional Risk Register and Heatmap Tool
Estimated Time: 1-2 hours
| Category | Actions | Motivation | Sophistication |
|---|---|---|---|
| Nation-states | Cyberespionage, cyberattacks | Geopolitical | High. Dedicated resources and personnel, extensive planning and coordination. |
| Proxy organizations | Espionage, destructive attacks | Geopolitical, Ideological, Profit | Moderate. Some planning and support functions and technical expertise. |
| Cybercrime | Theft, fraud, extortion | Profit | Moderate. Some planning and support functions and technical expertise. |
| Hacktivists | Disrupt operations, attack brands, release sensitive data | Ideological | Low. Rely on widely available tools that require little skill to deploy. |
| Insiders | Destruction or release of sensitive data, theft, exposure through negligence | Incompetence, Discontent | Internal access. Acting on their own or in concert with any of the above. |
For example:
Risk Scenario: High-Risk Travel
State actors and cybercriminals can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.
Risk Statement
Cybercriminals compromise end-user devices during travel to high-risk jurisdictions, jeopardizing staff safety and leading to loss of sensitive data.
Risk Scenario: Compliance Risk
Rapid changes in the privacy and security regulatory landscape threaten an organization’s ability to meet its compliance obligations from local legal and regulatory frameworks. Organizations that fail to do so risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.
Risk Statement
Rapid changes in the privacy and security regulatory landscape threaten our ability to remain compliant, leading to reputational and financial loss.
Activities
2.2.1 Identify existing controls
2.2.2 Assess likelihood and impact
Likelihood of Occurrence × Likelihood of Impact = Risk Severity
Likelihood of occurrence: How likely the risk is to occur.
Likelihood of impact: The likely impact of a risk event.
Risk severity: The significance of the risk.
Evaluate risk severity against the risk tolerance thresholds and the cost of risk response.
Existing controls were put in place to avoid, mitigate, or transfer key risks your organization faced in the past. Without considering existing controls, you run the risk of overestimating the likelihood and impact of the risk scenarios your organization faces in high-risk jurisdictions.
For instance, the ability to remote-wipe corporate-owned devices will reduce the potential impact of a device lost or compromised during travel to high-risk jurisdictions.
As you complete the risk assessment for each scenario, document existing controls that reduce their inherent likelihood and impact.
Expected cost calculations may not be practical. Determining robust likelihood and impact values to produce cost estimates can be challenging and time consuming. Use severity-level assessments as a first pass to make the case for risk mitigation measures and take your lead from stakeholders.
Use the Jurisdictional Risk Register and Heatmap Tool to capture and analyze your data.
Stakeholders will likely ask you to explain some of the numbers you assigned to likelihood and impact assessments. Pointing to an assessment methodology will give your estimates greater credibility.
The goal is to develop robust intersubjective estimates of the likelihood and impact of a risk scenario.
We assigned a 50% likelihood rating to a risk scenario. Were we correct?
Assess the truth of the following statements to test likelihood assessments. In this case, do these two statements seem true?
Activities
3.1.1 Identify and assess risk response
Identify – Identify risk responses.
Predict – Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk.
Calculate – The tool will calculate the residual severity of the risk after applying the risk response.
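A worked example of the severity arithmetic used in steps 2.2 and 3.1 (inherent severity, the reduction from existing controls, and residual severity after a proposed response, checked against a tolerance threshold). This is an added Python example, not the logic of the Jurisdictional Risk Register and Heatmap Tool; the 1-5 rating scale, the tolerance threshold, the severity bands, and every control name and number are constructed assumptions.

```python
"""Severity arithmetic behind the risk register. Added example, not the
Jurisdictional Risk Register and Heatmap Tool's own code: the two scenarios are
the ones the text follows; the 1-5 rating scale, control names, severity bands
and all numbers are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for both likelihood ratings
TOLERANCE = 12               # assumed risk tolerance threshold on the 1-25 severity score


@dataclass
class Control:
    """A control lowers the likelihood and/or impact rating by a fixed number of points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    annual_cost: int = 0  # cost of the response, reported next to the severity it buys


@dataclass
class RiskScenario:
    name: str
    likelihood: int  # inherent likelihood of occurrence, 1 (rare) to 5 (almost certain)
    impact: int      # inherent likelihood of impact, 1 (negligible) to 5 (severe)
    existing_controls: List[Control] = field(default_factory=list)  # step 2.2.1
    responses: List[Control] = field(default_factory=list)          # step 3.1.1


def clamp(rating: int) -> int:
    return max(SCALE_MIN, min(SCALE_MAX, rating))


def apply_controls(likelihood: int, impact: int, controls: List[Control]) -> Tuple[int, int]:
    """Subtract each control's reductions; ratings never leave the 1-5 scale."""
    for control in controls:
        likelihood -= control.likelihood_reduction
        impact -= control.impact_reduction
    return clamp(likelihood), clamp(impact)


def severity(likelihood: int, impact: int) -> int:
    """Likelihood of Occurrence x Likelihood of Impact = Risk Severity."""
    return likelihood * impact


def severity_band(score: int) -> str:
    """Map a severity score to a band (assumed thresholds)."""
    if score >= 20:
        return "Extreme"
    if score >= 13:
        return "High"
    if score >= 6:
        return "Moderate"
    return "Low"


def assess(scenario: RiskScenario, tolerance: int = TOLERANCE) -> Dict[str, object]:
    """Inherent severity, current severity (existing controls applied so the ratings
    are not overestimated) and residual severity (plus proposed responses)."""
    inherent = severity(scenario.likelihood, scenario.impact)
    cur_l, cur_i = apply_controls(scenario.likelihood, scenario.impact,
                                  scenario.existing_controls)
    res_l, res_i = apply_controls(cur_l, cur_i, scenario.responses)
    residual = severity(res_l, res_i)
    return {
        "scenario": scenario.name,
        "inherent": inherent,
        "current": severity(cur_l, cur_i),
        "residual": residual,
        "residual_band": severity_band(residual),
        "within_tolerance": residual <= tolerance,
        "response_cost": sum(c.annual_cost for c in scenario.responses),
    }


def sample_register() -> List[RiskScenario]:
    """The two scenarios the text follows, with constructed ratings and controls."""
    travel = RiskScenario(
        "High-Risk Travel", likelihood=4, impact=5,
        existing_controls=[Control("Remote wipe of corporate devices", impact_reduction=1)],
        responses=[
            Control("Digital safety guidelines for travellers", likelihood_reduction=1,
                    annual_cost=2000),
            Control("Loaner devices carrying minimal data", impact_reduction=1,
                    annual_cost=5000),
        ],
    )
    compliance = RiskScenario(
        "Compliance Risk", likelihood=4, impact=4,
        responses=[Control("Data residency obligation mapping", likelihood_reduction=1,
                           annual_cost=3000)],
    )
    return [travel, compliance]
```

Running `assess` over `sample_register()` gives the inherent, current, and residual severity of each scenario alongside the cost of the responses that produce the residual figure.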
The first part of the phase outlines project activities. The second part elaborates on high-risk travel and compliance risk, the two key risk scenarios we are following throughout the project. Use the Jurisdictional Risk Register and Heatmap Tool to capture your work.
Activities
3.2.1 Develop a travel policy
3.2.2 Develop travel procedures
3.2.3 Design high-risk travel guidelines
This section provides guidance on the most prevalent risk scenarios identified in Phase 2 and examines the two most prevalent ones, high-risk travel and compliance risk, in more depth. Determine the appropriate response to each risk scenario to keep global risks to critical assets aligned with the organization’s risk tolerance.
Before you leave
During your trip
When you return
Higher Education: Camosun College
Interview: Evan Garland
Situation
The director of the international department at Camosun College reached out to IT security for additional support. Department staff often traveled to hostile environments. They were concerned malicious agents would either steal end-user devices or compromise them and access sensitive data. The director asked IT security for options that would better protect traveling staff, their devices, and the information they contain.
Challenges
First, controls would need to admit both work and personal use of corporate devices. Staff relied exclusively on work devices for travel to mitigate the risk of personal device theft. Personal use of corporate devices during travel was common. Second, controls needed to strike the right balance between friction and effortless access. Traveling staff had only intermittent access to IT support. Restrictive controls could prevent them from accessing their devices and data altogether.
Solution
IT consulted staff to discuss light-touch solutions that would secure devices without introducing too much complexity or compromising functionality. They then planned security controls that involved user interaction and others that did not and identified training requirements.
Results
Controls with user interaction | Controls without user interaction |
---|---|
The most effective solution will take advantage of existing risk management policies, processes, and procedures at your organization.
Security plans are key country documents that outline the security measures and procedures in place and the responsibilities and resources required to implement them. Security plans should be established in high-risk jurisdictions where your organization has a regular, significant presence. Security plans must remain relevant and accessible documents that address the specific risks that exist in that location, and, if appropriate, are specific about where the measures apply and who they apply to. Plans should be updated regularly, especially following significant incidents or changes in the operating environment or activities.
Critical information – One-page summary of pertinent information for easy access and quick reference (e.g. curfew times, no-go areas, important contacts).
Overview – Purpose and scope of the document, responsibilities for security plan, organization’s risk attitude, date of completion and review date, and a summary of the security strategy and policy.
Current Context – Summary of current operating context and overall security situation; main risks to staff, assets, and operations; and existing threats and risk rating.
Procedures – Simple security procedures that staff should adhere to in order to prevent incidents and how to respond should problems arise. Standard operating procedures (SOPs) should address key risks identified in the assessment.
Security levels – The organization's security levels/phases, with situational indicators that reflect increasing risks to staff in that context and location and specific actions/measures required in response to increasing insecurity.
Incident reporting – The procedures and responsibilities for reporting security-related incidents; for example, the type of incidents to be reported, the reporting structure, and the format for incident reporting.
Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.
Rating | Description (Examples) | Recommended Action |
---|---|---|
Low | Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable. | Basic personal security, travel, and health precautions required. |
Moderate | Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics. | Increased vigilance and routine security procedures required. |
High | Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high and targeting of foreigners is common. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing a natural disaster or a disease epidemic are considered high risk. | High level of vigilance and effective, context-specific security precautions required. |
Extreme | Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Civil authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to significant parts of the country. Transportation and communication services are severely degraded or non-existent. Violence presents a direct threat to staff security. | Stringent security precautions essential and may not be sufficient to prevent serious incidents. Program activities may be suspended and staff withdrawn at very short notice. |
Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip.
Component | Description |
---|---|
Introduction | Clarifies who the procedures apply to. Highlights any differences in travel security requirements or support provided to staff, consultants, partners, and official visitors. |
Travel risk ratings | Explains the travel or country risk rating system, how staff access the information, the different categories and indicators, and their implications. |
Roles and responsibilities | Clarifies the responsibilities of travelers, their line managers or contact points, and senior management regarding travel security and how this changes for destinations with higher risk ratings. |
Travel authorization | Stipulates who in the organization authorizes travel, the various compliance measures required, and how this changes for destinations with higher risk ratings. |
Travel risk assessment | Explains when travel risk assessments are required, the template that should be used, and who approves the completed assessments. |
Travel security procedures should specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.
Component | Description |
---|---|
Pre-travel briefings | Outlines the information that must be provided to travelers prior to departure, the type of briefing required and who provides it, and how these requirements change as risk ratings increase. |
Security training | Explains the security training required prior to travel. This may vary depending on the country’s risk rating. Includes information on the training waiver system, including justifications and authorization. |
Traveler profile forms | Travelers should complete a profile form, which includes personal details, emergency contacts, medical details, social media footprint, and proof-of-life questions (in contexts where there are abduction risks). |
Check-in protocol | Specifies who travelers must maintain contact with while traveling and how often, as well as the escalation process in case of loss of contact. The frequency of check-ins should reflect the increase in the risk rating for the destination. |
Emergency procedures | Outlines the organization's emergency procedures for security and medical emergencies. |
Download the Digital Safety Guidelines for International Travel template
Activities
3.3.1 Identify data localization obligations
3.3.2 Integrate obligations into IT system design
3.3.3 Document data processing activities
3.3.4 Choose the right mechanism
3.3.5 Implement the appropriate controls
3.3.6 Identify data breach notification obligations
3.3.7 Integrate data breach notification into incident response
3.3.8 Identify vendor security and data protection requirements
3.3.9 Build due diligence questionnaire
3.3.10 Build appropriate data processing agreement
Data Residency
Likelihood: Medium to High; Impact: High
Figure: Heatmap of Global Data Residency Regulations
Examples of Data Residency Requirements
Country | Data Type | Local Storage Requirements |
---|---|---|
Australia | Personal data – health record | My Health Records Act 2012 |
China | Personal information – critical information infrastructure operators | Cybersecurity law |
China | Government cloud data | Opinions of the Office of the Central Leading Group for Cyberspace Affairs on Strengthening Cybersecurity Administration of Cloud Computing Services for Communist Party and Government Agencies |
India | Government email data | The Public Records Act of 1993 |
Indonesia | Data held by electronic system operator for the public service | Regulation 82 concerning “Electronic System and Transaction Operation” |
Germany | Government cloud service data | Criteria for the procurement and use of cloud services by the federal German administration |
Russia | Personal data | The amendments of Data Protection Act No. 152 FZ |
Vietnam | Data held by internet service providers | The Decree on Management, Provision, and Use of Internet Services and Information Content Online (Decree 72) |
US | Government cloud service data | Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) |
Jurisdiction | Relevant Regulations | Local Storage Requirements | Data Type |
---|---|---|---|
Download the Guidelines for Compliance With Local Security and Privacy Laws Template
Item | Consideration | Answer | Supporting Document |
---|---|---|---|
1 | Have you identified business services that process data that will be subject to localization requirements? | | |
2 | Have you identified IT systems associated with the business services mentioned above? | | |
3 | Have you established a data inventory (i.e. data types, business purposes) for the IT systems mentioned above? | | |
4 | Have you established a data flow diagram for the data identified above? | | |
5 | Have you identified the types of data that should be stored locally? | | |
6 | Have you confirmed whether a copy of the data locally stored will satisfy the obligations? | | |
7 | Have you confirmed whether an IT redesign is needed or whether modifications (e.g. adding a server) to the IT systems would satisfy the obligations? | | |
8 | Have you confirmed whether access from another jurisdiction is allowed? | | |
9 | Have you identified how long the data should be stored? | | |
Likelihood: Medium to High; Impact: High
Which cross-border transfer mechanism should I choose?
Transfer Mechanism | Advantages | Disadvantages |
---|---|---|
Standard Contractual Clauses (SCC) | | |
Binding Corporate Rules (BCRs) | | |
Code of Conduct | | |
Certification | | |
Consent | | |
Data Transfer Mechanism | Pros | Cons | Final Decision |
---|---|---|---|
SCC | | | |
BCR | | | |
Code of Conduct | | | |
Certification | | | |
Consent | | | |
# | Core Components | Status | Note |
---|---|---|---|
1 | Purpose and scope | ||
2 | Effect and invariability of the Clauses | ||
3 | Description of the transfer(s) | ||
4 | Data protection safeguards | ||
5 | Purpose limitation | ||
6 | Transparency | ||
7 | Accuracy and data minimization | ||
8 | Duration of processing and erasure or return of data | ||
9 | Storage limitation | ||
10 | Security of processing | ||
11 | Sensitive data | ||
12 | Onward transfers | ||
13 | Processing under the authority of the data importer | ||
14 | Documentation and compliance | ||
15 | Use of subprocessors | ||
16 | Data subject rights | ||
17 | Redress | ||
18 | Liability | ||
19 | Local laws and practices affecting compliance with the Clauses | ||
20 | Noncompliance with the Clauses and termination | ||
21 | Description of data processing activities, such as list of parties, description of transfer, etc. | ||
22 | Technical and organizational measures | | |
Data Breach
Likelihood: High; Impact: Medium to High
Examples of Data Breach Notification Obligations
Location | Regulation/Standard | Reporting Obligation |
---|---|---|
EU | GDPR | 72 hours |
China | PIPL | Immediately |
US | HIPAA | No later than 60 days |
Canada | PIPEDA | As soon as feasible |
Global | PCI DSS | |
Summary of US State Data Breach Notification Statutes
Region | Regulation/Standard | Reporting Obligation |
---|---|---|
# | Phase | Considerations | Status | Notes |
---|---|---|---|---|
1 | Prepare | Ensure the appropriate resources are available to best handle an incident. | ||
2 | Detect | Leverage monitoring controls to actively detect threats. | ||
3 | Analyze | Distill real events from false positives. | ||
4 | Contain | Isolate the threat before it can cause additional damage. | ||
5 | Eradicate | Eliminate the threat from your operating environment. | ||
6 | Recover | Restore impacted systems to a normal state of operations. | ||
7 | Report | Report data breaches to relevant regulators and data subjects if required. | ||
8 | Post-Incident Activities | Conduct a lessons-learned post-mortem analysis. | | |
Third-Party Risk
Likelihood: High; Impact: Medium to High
End-to-End Third-Party Security and Privacy Risk Management
Examples of Vendor Security Management Requirements
Region | Law/Standard | Section |
---|---|---|
EU | General Data Protection Regulation (GDPR) | Article 28 (1); Article 46 (1) |
US | Health Insurance Portability and Accountability Act (HIPAA) | §164.308(b)(1) |
US | New York Department of Financial Services Cybersecurity Requirements | 500.11(a) |
Global | ISO 27002:2013 | 15.1.1; 15.1.2; 15.1.3; 15.2.1; 15.2.2 |
US | NIST 800-53 | SA-12; SA-12 (2) |
US | NIST Cybersecurity Framework | ID-SC-1; ID-SC-2; ID-SC-3; ID-SC-4 |
Canada | OSFI Cybersecurity Guidelines | 4.25; 4.26 |
Region | Law/Standard | Section | Requirements |
---|---|---|---|
Perform internal due diligence prior to selecting a service provider.
# | Question | Vendor Request | Vendor Comments |
---|---|---|---|
1 | Document Requests | ||
2 | Asset Management | ||
3 | Governance | ||
4 | Supply Chain Risk Management | ||
5 | Identity Management, Authentication, and Access Control | | |
# | Core Components | Status | Note |
---|---|---|---|
1 | Processing of personal data | ||
2 | Scope of application and responsibilities | ||
3 | Processor's obligations | ||
4 | Controller's obligations | | |
5 | Data subject requests | ||
6 | Right to audit and inspection | ||
7 | Subprocessing | ||
8 | Data breach management | ||
9 | Security controls | ||
10 | Transfer of personal data | ||
11 | Duty of confidentiality | ||
12 | Compliance with applicable laws | ||
13 | Service termination | ||
14 | Liability and damages | | |
By following Info-Tech’s methodology for securing global operations, you have:
You have gone through a deeper analysis of two key risk scenarios that affect global operations:
If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.
Contact your account representative for more information.
workshop@infotech.com 1-888-670-8889
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Identify High-Risk Jurisdictions
Develop requirements to identify high-risk jurisdictions.
Build Risk Scenarios
Build risk scenarios to capture assets, vulnerabilities, threats, and the potential effect of a compromise.
Ken Muir – CISO, LMC Security
Premchand Kurup – CEO, Paramount Computer Systems
Preeti Dhawan – Manager, Security Governance, Payments Canada
Scott Wiggins – Information Risk and Governance, CDPHP
Fritz Y. Jean Louis – CISO, Globe and Mail
Eric Gervais – CIO, Ovivo Water
David Morrish – CEO, MBS Techservices
Evan Garland – Manager, IT Security, Camosun College
Jacopo Fumagalli – CISO, Axpo
Dennis Leon – Governance and Security Manager, CPA Canada
Tero Lehtinen – CIO, Planmeca Oy
Likelihood: Medium to High; Impact: High
For a more holistic approach, you can leverage our Reduce and Manage Your Organization’s Insider Threat Risk blueprint.
You can’t just throw tools at a human problem. While organizations should monitor critical assets and groups with privileged access to defend against malicious behavior, good management and supervision can help detect attacks and prevent them from happening in the first place.
Industry | Actors | Risks | Tactics | Motives |
---|---|---|---|---|
State and Local Government | | | | |
Information Technology | | | | |
Healthcare | | | | |
Finance and Insurance | | | | |
Source: Carnegie Mellon University Software Engineering Institute, 2019
Likelihood: Medium to High; Impact: High
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.
Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.
Lock down your organization. Among other tactics, control administrative privileges, leverage threat intelligence, use IP whitelisting, adopt endpoint protection and two-factor authentication, and formalize incident response measures.
Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act upon gathered intelligence.
Create organizational situational awareness around security initiatives to drive adoption of foundational security measures: network hardening, threat intelligence, red-teaming exercises, and zero-day mitigation, policies, and procedures.
Security extends beyond your organization. Ensure your organization has a comprehensive view of your organizational threat landscape and a clear understanding of the security posture of any managed service providers in your supply chain.
Conduct security awareness and training. Teach end users how to recognize current cyberattacks before they fall victim – this is a mandatory first line of defense.
As misinformation is a major attack vector for malicious actors, follow only reliable sources for cyberalerts and actionable intelligence. Aggregate information from these reliable sources.
The CISA Shields Up site provides the latest cyber risk updates on the Russia-Ukraine conflict and should provide the most value in staying informed.