Meeting Summary from the ISA ANSI Phase II Workshop Final 2009-8-11
Meeting Summary from the Kick-Off Meeting of the ISA-ANSI Workshop on Cyber Risk Phase II - Developing a Methodology for CFO/CEO Decision Making in Cyber Risk Mitigation

July 31, 2009, 9:00 am – 4:15 pm
Hosted by: Zurich North America, Liberty Plaza, New York, NY 10006, 33rd Floor Conference Rooms A&B

Welcome / Call to Order

Fran Schrotter, Senior Vice President and Chief Operating Officer, American National Standards Institute (ANSI), called the meeting to order and welcomed the participants. She provided an overview of ANSI as well as insight into the Institute's top priorities as related to standards panel activities (e.g. homeland security, healthcare, nanotechnology, biofuels, and nuclear). Also, she noted that last year the financial impact of cyber risk took center stage as ANSI joined forces with ISA to convene a cross-sector task force representing more than thirty private and public sector organizations. These ISA/ANSI workshop meetings resulted in an action plan targeted at CFOs to help businesses in every sector mitigate the risks associated with cyber attacks. Additionally, she reminded participants that as we build upon the excellent work that has already been done, today's meeting will broaden our direction beyond just CFOs to include business leaders of all kinds. Ms. Schrotter concluded by acknowledging Larry Clinton, President, Internet Security Alliance (ISA), as the co-organizer of Phase II of this Cyber Risk initiative.

Larry Clinton, President, Internet Security Alliance (ISA), recognized ANSI for the opportunity to revisit the successful partnership from Phase I of Cyber Risk, and recognized his board members Ty R. Sagalow, Chief Innovation Officer, Zurich North America, and Joe Buonomo, President, Direct Computer Resources, Inc., for assuming leadership roles in kicking off Phase II of this initiative. Also, Mr. Clinton stressed the critical need for intertwining security with technology and business to create a coherent approach to overall cyber security.

Introductions (all)

Participants introduced themselves and the organizations that they represented. Forty-seven participants representing thirty-six organizations attended the first workshop of Phase II, five of whom participated via teleconference. The complete list of attendees can be found in the attachment.

Background on the ANSI-HSSP and Workshop Process

Karen Hughes, Director of Homeland Security Standards, ANSI, welcomed participants and thanked the Internet Security Alliance (ISA) and the workshop leaders, as well as Zurich for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship. She delivered a presentation providing an overview of the ANSI Homeland Security Standards Panel (HSSP) and the traditional Workshop process that it has conducted over the past six years. Ms. Hughes noted that ANSI formed the Homeland Security Standards Panel (HSSP) in 2003 as a neutral forum where representatives of industry, government, professional societies, trade associations, standards developers, and consortia groups could come together to share knowledge and identify standardization needs to meet U.S. homeland security priorities. Additionally, she highlighted the Homeland Security Standards Database (HSSD), a one-stop resource for first responders, code developers, and all relevant stakeholders to identify homeland security related standards and/or projects under development. Further information can be obtained at www.hssd.us.

Background on ISA Cyber Security Activities & Cyber Phase I

Larry Clinton, President, Internet Security Alliance (ISA), provided remarks highlighting ISA's mission and outlined its link to the goal of ISA and ANSI's joint efforts to address cyber risk from an economic standpoint. Additionally, he shared examples of ISA's commitment to examine cyber security not simply as an information technology issue but rather from an enterprise-wide perspective, with an overview of the following five current projects on the horizon for ISA:

- Framework to secure the IT supply chain
- Joint program with the National Institute of Standards and Technology (NIST) examining unified communications platforms (e.g. Voice over Internet Protocol (VoIP))
- Improving the alignment of a legal framework with modern technology (e.g. digital media)
- Developing a social contract to identify a creative solution for government and industry to partner to ensure mutual needs are met related to cyber as an enterprise-wide risk management issue
- Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask

Mr. Clinton concluded by re-emphasizing his sentiments shared in Phase I, noting that ISA is a proponent of the private sector being better positioned to lead the effort for standards setting for cyber security as opposed to relying on the government to take that lead. In doing so he referenced the proposed April 2009 Rockefeller-Snowe legislation on Cyber Risk, stressing the need for a social contract between industry and government for cyber security.

Opening Remarks and Subject Matter Introduction

Ty R. Sagalow, Chief Innovation Officer, Zurich North America, Workshop Leader, provided opening remarks that framed the Workshop goals and objectives for Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask. In setting the stage for the Workshop proceedings, Mr. Sagalow stressed that cyber security is not just an issue pertaining to IT departments, but rather should be looked at as an enterprise-wide risk management endeavor. Specifically, six key organizational areas dealing with risk include: legal, compliance, business operations and technology teams, external communications, risk management, and human resources management. In summary, he stated that the scope of Phase II is intended to take the same discipline as Phase I to establish a methodology that provides guidance, through tools and analysis, on how to manage cyber risk from a financial point of view.

Joe Buonomo, President, Direct Computer Resources, Inc., Workshop Leader, provided opening remarks and recognized ANSI and ISA for their leadership as well as Zurich and Robinson Lerer & Montgomery for their generous sponsorship of this Workshop. He began by commending the successful efforts of Phase I and noting the importance of revisiting this topic in a Phase II effort, especially in light of cyber breaches rising 47%. Such breaches not only impact our networks and firewalls, but also our critical infrastructure, resulting in tremendous financial setbacks. He concluded by stating that Phase II will provide the answer to the Phase I questions, including the methodology and approach for best practices.

Session #1 – Current Landscape

The main objective of this session was to:

- Provide an overview of current usage of the ISA-ANSI publication The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask
- Outline the current Administration's priorities as related to Cyber Risk in looking at these issues from an economic vs. technical context

Larry Clinton, President, Internet Security Alliance (ISA), delivered a presentation addressing the current landscape of cyber security and the economy, supported by excerpts from the Price Waterhouse Coopers (PWC) Global Cyber Security Survey. He noted a milestone of particular interest to this audience: for the first time in the United States' history, the President gave a speech from the White House addressing cyber security. Additionally, he cited the President's Cyber Space Policy Review, May 30, 2009, a comprehensive sixty-day cyber review led by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, that underscored the need for linkage between the overall economic situation of our country and cyber security. Leaders on Capitol Hill are taking a fairly different approach to cyber security with the introduction of the new administration, resulting in a shift from a low level of government interest in cyber security to a much higher level, especially in light of recent breaches within the government.

Mr. Clinton stated that we have moved toward a recognition that not only are government systems at risk, but the entire economy that has been generated by technology is at risk as well. An integrated approach as recognized by the administration is necessary; however, a defined approach for implementation is lacking. In addition, there is concern that the C-Suite community does not currently reflect and/or acknowledge the real threats and their potential consequences facing their organizations, a communication gap between CIOs and the remaining C-Suite members. Mr. Clinton noted the aggressive approach to cyber security being adopted by Congress. He shared ISA's position that it may not be possible to establish one set of standards that is robust enough to deal with the ever-evolving problem of cyber security. In conclusion, he stated that we are trying to come up with our piece of the puzzle that can be coordinated with and/or integrated into public policy.

After his presentation, Mr. Clinton opened up the discussion to all participants for their input. A summary of the main points from the dialogue that ensued follows.

Economic standpoint:

- Potential opportunity to draw attention to the economic gains that could be had by improving cyber security, and to develop a blueprint for helping the economy move forward by viewing cyber security as something that could create business growth vs. being a drain on resources

Standardization considerations:

- Our opportunity with the new administration is to push the message that we need standards; however, we do not need a single government-determined and mandated standard, but rather such efforts should be driven by the private sector
- Such standards should be robust and be able to grow as risks change
- It is up to the industry to determine when to standardize
- Consideration needs to be given to how to develop a system that keeps up with the technology and whether or not the tools are modernized
- The industry standards process is slow. How current standards apply to an integrated system has not been identified

Educational opportunities:

- There is a significant knowledge gap in the "beltway" mentality, and there are individuals involved in cybersecurity who are unaware of what a standard is. Education on defining standards vs. best practices, guidelines, etc. needs to take place
- The position taken in Phase I and Phase II is that we need to help the private sector understand the economic consequences of cyber risk and provide guidance to take practical action

Session #2 – Framework Fundamentals

The main objective of this session was to facilitate a discussion on identifying critical elements that are integral to such a framework document, and that would need to be further investigated for the final Workshop deliverable.

Ty Sagalow, Chief Innovation Officer, Zurich North America, briefed participants on the objectives, scope, and final deliverable of the ISA/ANSI Phase I Cyber Risk project, The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, setting the context for the discussion to follow related to the Phase II framework fundamentals. Mr. Sagalow noted that the objective of the ISA/ANSI Phase II initiative will be to respond to the current Administration's priorities as related to cyber risk in looking at these issues from an economic vs. technical view/context. Additionally, Phase II will be inclusive of the considerations necessary for the entire "C-Suite", expanding beyond just the CFO role. While Phase I focused on providing questions organizations/CFOs should be asking and providing guidance on the identification and quantification of the financial risk associated with cyber security, Phase II will focus on developing an implementation strategy/process for the Phase I questions. Additionally, this initiative will focus on filling out that framework to make better informed decisions related to cyber risk from an economic standpoint.

Consensus was reached that the final deliverable from this Workshop will be a publication mirroring the ISA/ANSI 2008 deliverable The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, aimed at providing methodologies for the "C-Suite" to make better informed decisions related to cyber risk. In doing so, and in order for this product to provide added value, Phase II will seek to provide responses to the Phase I questions in the form of methodologies. Such responses must be scalable enough that they are applicable to different types of organizations. We can help achieve that goal by ensuring such methodologies and responses are implementable. In summary, the objective is two-fold: provide the analytical framework as well as suggest an appropriate course for implementation.

Following the summary of the Phase II objectives, a discussion ensued focusing on securing an outline for the final deliverable's structure. It was agreed that this deliverable will open with an introduction and include six overall chapters corresponding to each critical organizational component identified in Phase I, with the addition of human resources management. Each chapter will provide responses to the Phase I questions, keeping it short, process-oriented, scalable, practical, and actionable, followed by relevant appendices. A summary including the key elements as well as a summary of discussion points is as follows:

- Introduction
- Chapter - Chief Legal Counsel
- Chapter - Compliance Officer
- Chapter - Business Operations and Technology Teams
- Chapter - External Communications and Crisis Management Teams
- Chapter - Risk Manager for Corporate Insurance
- Chapter - Human Resources Management
- Appendices

Introduction: It was agreed that an introduction will precede the six subject matter chapters, providing an executive summary introducing the comprehensive unified approach outlined throughout the final deliverable. Additionally, it will state the objectives of the Phase II deliverable and serve the purpose of a "risk balance sheet". As this initiative's end goal is to encourage the C-suite community to integrate all of these various risks, the introduction will clearly identify this concept.

Appendices: Mary Beth Allen, President, Allen Associates, volunteered to lead the newly created appendices task group. The group has been tasked with coordinating with all six task groups covering the aforementioned chapters to recommend appropriate appendices based on their individual content. Their focus will include identifying and providing actionable, value-added tools to round out the final deliverable.

Case Studies: In the process of establishing the Phase II final deliverable outline noted above, workshop participants examined the need for the inclusion of case studies in the appendices. While consensus was not reached at the time of this meeting as to whether case studies related to cyber breaches would add value and/or grab the attention of the deliverable's intended audience, the C-suite community, it was agreed that the appendices task group would review the business case. In doing so, this task group will consider the following discussion points raised at this meeting:

- One of the biggest issues related to breaches is the money invested in hiding the fact that they occur. How can we obtain sufficient data for appropriate analysis?
- Anonymity to protect organizations' reputations and address liability concerns
- Hypothetical case studies
- Use of case studies to spell out the economic opportunities related to cyber risk mitigation
- Substituting case studies with relevant statistics, such as FBI data regularly quoted within the administration
- Effectively communicating the intended message to our target audience quickly through the use of numbers and facts that the C-suite can relate to
- Credibility is a huge problem in this arena. If the intended deliverable is credible and actionable and the case studies presented within are hypothetical, this may compromise the integrity of the intended use of such a tool
- There is a lack of data in the public domain. Significant data exists related to cyber failures; however, there is a shortage of cases highlighting successes

Session #3 – Path Forward

The main objectives of this final session were the following:

- Identify key tasks for creation of the final deliverable (framework document) and confirm participation in necessary follow-on Workshop task groups
- Review and modify the timeline for completing work
- Set a timetable for task groups to complete initial work and set dates for the next Workshop meetings (August 18th and September 29th)
- Identify additional stakeholders that should be invited to be part of this Workshop initiative

This session opened with an introduction of Task Group leaders who were identified prior to the Phase II Workshop I. All categories listed below were included in Phase I with the exception of Human Resources Management, a new addition identified as a need at the conclusion of Phase I. Task Group leaders are as follows:

- Task Group #1 - Chief Legal Counsel – Lon Berk, Partner, Hunton and Williams
- Task Group #2 - Compliance Officer – Arnold Felberbaum, Executive Vice President, SCO, Reed Elsevier
- Task Group #3 - Business Operations and Technology Teams – Michael Castagna, CISO, U.S. Department of Commerce
- Task Group #4 - External Communications and Crisis Management Teams – Rick Kam, President, ID Experts
- Task Group #5 - Risk Manager for Corporate Insurance – Harry Oellrich, Reinsurance Agent, Guy Carpenter
- Task Group #6 - Human Resources Management – Rebecca Webster, Director of Human Resources, Northrop Grumman
- Task Group #7 – Appendices – Mary Beth Allen, President, Allen Associates
- Red Team – Ed Stull, Direct Computer Resources, Inc.

Each Task Group leader delivered a brief presentation and/or remarks introducing the subject matter, providing a refresher on the ten questions published in the final deliverable of Phase I, The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, and presenting a preliminary action plan for progressing the objectives identified for Phase II. Task Group leaders were tasked with preparing an outline for the content of their respective chapters for presentation at Phase II Workshop II. The complete list of Task Group participants can be found in the attachment. Additional Workshop participants are welcomed and encouraged to join any of the task groups.

This session concluded with a discussion setting expectations for Task Group Leader roles and responsibilities, meeting planning and work in between Workshop meetings, and reporting back to the ISA/ANSI leadership. Additionally, participants agreed to the following timeline for the path forward for Phase II:

July 2009
- Convene kick-off Workshop meeting (July 31st)
- Reconvene/form appropriate task groups at meeting
- Determine additional participants/resources required
- Review schedule for remainder of project

August 2009
- Task groups meet via teleconference
- Second Workshop meeting (August 18th)

September 2009
- Continue work of task groups
- Produce first draft of final deliverable and circulate for review (review period September 1-20)
- Final Workshop meeting (September 29th): review draft deliverable and comments received; identify outstanding issues that need resolution; circulate final draft deliverable

October 2009
- Address final comments
- Submit final draft deliverable to ANSI Communications (October 15th)

November 2009
- Publication ready for distribution (November 15th)

The Task Groups are assigned with reviewing the key questions provided in Phase I and developing appropriate responses aimed at providing methodologies for the C-suite to make better informed decisions related to cyber risk. Each chapter will include an introductory paragraph, followed by the key questions included in Phase I, followed by proposed responses from Phase II. Each task group is responsible for providing the definition of any key terms they use that are not commonly known. These will be included in an appendix to the report.

The group agreed to the date of August 18th for the next in-person meeting. Zurich agreed to host this meeting at the same location. At this meeting, task groups will present reports on their work for review and comment by the entire Workshop. It is envisioned that the final deliverable will be completed by November 15, 2009.

Adjournment

Larry Clinton, President, Internet Security Alliance (ISA), thanked Zurich again for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship by providing refreshments. Additionally, Mr. Clinton noted that he looked forward to Task Group progress reports at the next meeting, Phase II Workshop II. Prior to adjourning the meeting, Mr. Sagalow thanked the participants for their active participation and commitment to the second phase of the ISA/ANSI Cyber Risk initiative. He reminded participants that Phase II Workshop II will take place on Tuesday, August 18th, also at Zurich in New York City.

Sponsorship

ANSI and ISA would like to thank RLM for sponsoring this workshop.

Attachment - Attendees (Name, Organization)

- Regan Adams (Proofspace)
- Julia Allen (Carnegie Mellon University)
- Mary Beth Allen (Allen Associates)
- Christine Arevalo (ID Experts)
- Dan Benigni (NIST - U.S. Department of Commerce)
- Lon Berk (Hunton & Williams)
- Richard Billson (Zurich)
- Scott Borg (U.S. Cyber Consequences Unit)
- Joe Buonomo (Direct Computer Resources, Inc.)
- Martin Burkhouse (U.S. Department of Justice)
- Aaron Burstein (University of California, Berkeley)
- Nancy Callahan (Chartis)
- Jessica Carl (American National Standards Institute (ANSI))
- Michael Castagna (U.S. Department of Commerce)
- Gwendolynne Chen (Jones Day)
- Larry Clinton (Internet Security Alliance (ISA))
- Rich Cooper (Catalyst Partners LLC)
- Matthew Eggers (U.S. Chamber of Commerce)
- Mark Epstein (QUALCOMM Inc.)
- Arnold Felberbaum (Reed Elsevier)
- John Ferris (Ferris & Associates, Inc.)
- Momodu Fofana (University of Maryland)
- Robert Gardner (New World Technology Partners)
- Anne Granfield (Robinson Lerer & Montgomery)
- Michael Gross (Robinson Lerer & Montgomery)
- Karen Hughes (American National Standards Institute (ANSI))
- Thomas Jackson (Phillips Nizer LLP)
- Peggy Jensen (American National Standards Institute (ANSI))
- Rick Kam (ID Experts)
- Mark Leary (Northrop Grumman)
- Brian Meincke (American National Standards Institute (ANSI))
- Ralph Mosios (U.S. Securities and Exchange Commission)
- Michael Murphy (Allied World Assurance Company)
- Harry Oellrich (Guy Carpenter & Company, LLC)
- Ty Sagalow (Zurich)
- Paul Sand (Salare Security LLC)
- Fran Schrotter (American National Standards Institute (ANSI))
- Dan Schutzer (Financial Services Technology Consortium)
- Ed Stull (Direct Computer Resources, Inc.)
- Russell Thomas
- Bill Vitiello (Direct Computer Resources, Inc.)
- Lee Webster (Society for Human Resource Management)
- Rebecca Webster (Northrop Grumman)
- James Wendorf (Independent Consultant)
- John Wurzler (CNA Insurance)

Attachment - Task Group Participants (* indicates task group leader)

Task Group - Chief Legal Counsel
- Lon Berk* (Hunton & Williams)
- Richard Billson (Zurich)
- Aaron Burstein (UC Berkeley)
- Thomas Jackson (Phillips Nizer LLP)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Karen Hughes (ANSI)

Task Group - Compliance Officer
- Arnold Felberbaum* (Reed Elsevier)
- Ralph Mosios (SEC)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Dan Benigni (NIST)
- Mark Leary (Northrop Grumman)
- Karen Hughes (ANSI)

Task Group - Business Operations and Technology
- Michael Castagna* (U.S. Department of Commerce)
- John (Marty) Ferris (Ferris & Associates)
- Paul Sand (Salare Security)
- Dan Schutzer (FSTC)
- Julia Allen (Carnegie Mellon University)
- John Wurzler (CNA Insurance)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Karen Hughes (ANSI)

Task Group - External Communications
- Rick Kam* (ID Experts)
- Nancy Callahan (Chartis)
- Christine Arevalo (ID Experts)
- Anne Granfield (RLM)
- Michael Gross (RLM)
- Rich Cooper (Catalyst Partners)
- John Wurzler (CNA Insurance)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Karen Hughes (ANSI)

Task Group - Risk Manager for Corporate Insurance
- Harrison Oellrich* (Guy Carpenter)
- John Ercolani (Herbert L. Jamison)
- Michael Murphy (Darwin National Assurance)
- Nancy Callahan (Chartis)
- Brad Gow (Zurich)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Karen Hughes (ANSI)

Task Group - Human Resources
- Lee Webster* (Society for HR Management)
- Rebecca Webster* (Northrop Grumman)
- Mary Beth Allen (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Karen Hughes (ANSI)

Appendices
- Mary Beth Allen* (Allen Associates)
- Martin Burkhouse (U.S. Department of Justice)
- Scott Borg (U.S. Cyber Consequences Unit)
- Russell Thomas
- Karen Hughes (ANSI)

Posted: 18/10/2022, 17:28