Meeting Summary from the Kick-Off Meeting of the ISA-ANSI Workshop on Cyber Risk Phase II - Developing a Methodology for CFO/CEO Decision Making in Cyber Risk Mitigation
July 31, 2009
9:00 am – 4:15 pm
Hosted by:
Zurich North America
1 Liberty Plaza
New York, NY 10006
33rd Floor Conference Rooms A&B
Welcome / Call to Order
Fran Schrotter, Senior Vice President and Chief Operating Officer, American National Standards Institute (ANSI), called the meeting to order and welcomed the participants. She provided an overview of ANSI as well as insight into the Institute’s top priorities as related to standards panel activities (e.g., homeland security, healthcare, nanotechnology, biofuels, and nuclear). She also noted that last year the financial impact of cyber risk took center stage as ANSI joined forces with ISA to convene a cross-sector task force representing more than thirty private and public organizations. Those ISA/ANSI workshop meetings resulted in an action plan targeted at CFOs to help businesses in every sector mitigate the risks associated with cyber attacks. She further reminded participants that, as we build upon the excellent work that has already been done, today’s meeting will broaden the initiative’s direction beyond CFOs to include business leaders of all kinds. Ms. Schrotter concluded by acknowledging Larry Clinton, President, Internet Security Alliance (ISA), as the co-organizer of Phase II of this Cyber Risk initiative.
Larry Clinton, President, Internet Security Alliance (ISA), thanked ANSI for the opportunity to revisit the successful partnership from Phase I of Cyber Risk, and thanked two of his board members, Ty R. Sagalow, Chief Innovation Officer, Zurich North America, and Joe Buonomo, President, Direct Computer Resources, Inc., for assuming leadership roles in kicking off Phase II of this initiative. Mr. Clinton also stressed the critical need to intertwine security with technology and business in order to create a coherent approach to overall cyber security.
Introductions (all)
Participants introduced themselves and the organizations that they represented. Forty-seven participants representing thirty-six organizations attended the first workshop of Phase II, five of whom participated via teleconference. The complete list of attendees can be found in Attachment 1.
Background on the ANSI-HSSP and Workshop Process
Karen Hughes, Director of Homeland Security Standards, ANSI, welcomed participants and thanked the Internet Security Alliance (ISA) and the workshop leaders, as well as Zurich for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship. She delivered a presentation providing an overview of the ANSI Homeland Security Standards Panel (HSSP) and the traditional Workshop process that it has conducted over the past six years.
Ms. Hughes noted that ANSI formed the Homeland Security Standards Panel (HSSP) in 2003 as a neutral forum where representatives of industry, government, professional societies, trade associations, standards developers, and consortia could come together to share knowledge and identify standardization needs to meet U.S. homeland security priorities. She also highlighted the Homeland Security Standards Database (HSSD), a one-stop resource for first responders, code developers, and all relevant stakeholders to identify homeland security related standards and projects under development. Further information can be obtained at www.hssd.us.
Background on ISA Cyber Security Activities & Cyber Phase I
Larry Clinton, President, Internet Security Alliance (ISA), provided remarks highlighting ISA’s mission and its link to the goal of the joint ISA/ANSI effort to address cyber risk from an economic standpoint. He also shared examples of ISA’s commitment to examining cyber security not simply as an information technology issue but from an enterprise-wide perspective, with an overview of the following five current projects on the horizon for ISA:
Framework to secure the IT supply chain
Joint program with the National Institute of Standards and Technology (NIST) examining unified communications platforms (e.g., Voice over Internet Protocol (VoIP))
Improving the alignment of the legal framework with modern technology (e.g., digital media)
Developing a social contract to identify a creative solution for government and industry to partner to ensure mutual needs are met related to cyber as an enterprise-wide risk management issue
Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask
Mr. Clinton concluded by re-emphasizing the sentiments he shared in Phase I, noting that ISA is a proponent of the private sector, rather than the government, leading the effort to set standards for cyber security. In doing so he referenced the Rockefeller-Snowe legislation on cyber security proposed in April 2009, stressing the need for a social contract between industry and government for cyber security.
Opening Remarks and Subject Matter Introduction
Ty R. Sagalow, Chief Innovation Officer, Zurich North America, Workshop Leader, provided opening remarks that framed the Workshop goals and objectives for Phase II of The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask. In setting the stage for the Workshop proceedings, Mr. Sagalow stressed that cyber security is not just an issue pertaining to IT departments, but rather should be treated as an enterprise-wide risk management endeavor. Specifically, six key organizational areas deal with this risk: legal, compliance, business operations and technology teams, external communications, risk management, and human resources management. In summary, he stated that the scope of Phase II is to apply the same discipline as Phase I to establish a methodology that provides guidance, through tools and analysis, on how to manage cyber risk from a financial point of view.
Joe Buonomo, President, Direct Computer Resources, Inc., Workshop Leader, provided opening remarks and recognized ANSI and ISA for their leadership, as well as Zurich and Robinson Lerer & Montgomery for their generous sponsorship of this Workshop. He began by commending the successful efforts of Phase I and noting the importance of revisiting this topic in a Phase II effort, especially in light of cyber breaches rising 47%. Such breaches not only impact our networks and firewalls, but also our critical infrastructure, resulting in tremendous financial setbacks. He concluded by stating that Phase II will provide the answers to the Phase I questions, including the methodology and approach for best practices.
Session #1 – Current Landscape
The main objectives of this session were to:
Provide an overview of current usage of the ISA-ANSI publication The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask
Outline the current Administration’s priorities as related to cyber risk, looking at these issues from an economic rather than a technical context
Larry Clinton, President, Internet Security Alliance (ISA), delivered a presentation addressing the current landscape of cyber security and the economy, supported by excerpts from the PricewaterhouseCoopers (PwC) Global Cyber Security Survey. He noted a milestone of particular interest to this audience: for the first time in United States history, the President gave a speech from the White House addressing cyber security. He also cited the President’s Cyberspace Policy Review, May 30, 2009, a comprehensive sixty-day cyber review led by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, which underscored the need for linkage between the overall economic situation of our country and cyber security. Leaders on Capitol Hill are taking a markedly different approach to cyber security with the arrival of the new administration, resulting in a shift from a low level of government interest in cyber security to a much higher level, especially in light of recent breaches within the government.
Mr. Clinton stated that we have moved toward a recognition that not only are government systems at risk, but the entire economy that has been generated by technology is at risk as well. An integrated approach, as recognized by the administration, is necessary; however, a defined approach for implementation is lacking. In addition, there is concern that the C-Suite community does not currently reflect or acknowledge the real threats facing their organizations and their potential consequences, a communication gap between CIOs and the remaining C-Suite members.
Mr. Clinton noted the aggressive approach to cyber security being adopted by Congress. He shared ISA’s position that it may not be possible to establish one set of standards robust enough to deal with the ever-evolving problem of cyber security. In conclusion, he stated that we are trying to come up with our piece of the puzzle, one that can be coordinated with and/or integrated into public policy. After his presentation, Mr. Clinton opened the discussion to all participants for their input. The main points from the dialogue that ensued include:
Economic standpoint:
There is a potential opportunity to draw attention to the economic gains that could be had by improving cyber security, and to develop a blueprint for helping the economy move forward by viewing cyber security as something that can create business growth rather than a drain on resources.
Standardization considerations:
Our opportunity with the new administration is to push the message that we need standards; however, we do not need a single government-determined and mandated standard. Such efforts should instead be driven by the private sector.
Such standards should be robust and able to grow as risks change.
It is up to industry to determine when to standardize.
Consideration needs to be given to how to develop a system that keeps up with the technology, and to whether or not the tools are modernized.
The industry standards process is slow. How current standards apply to an integrated system has not been identified.
Educational opportunities:
There is a significant gap in the “beltway” mentality, and there are individuals involved in cyber security who are unaware of what a standard is. Education on defining standards versus best practices, guidelines, etc. needs to take place.
The position taken in Phase I and Phase II is that we need to help the private sector understand the economic consequences of cyber risk and provide guidance for taking practical action.
Session #2 – Framework Fundamentals
The main objective of this session was to facilitate a discussion identifying the critical elements that are integral to such a framework document and that would need to be further investigated for the final Workshop deliverable.
Ty Sagalow, Chief Innovation Officer, Zurich North America, briefed participants on the objectives, scope, and final deliverable of the ISA/ANSI Phase I Cyber Risk project, The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, setting the context for the discussion to follow on the Phase II framework fundamentals.
Mr. Sagalow noted that the objective of the ISA/ANSI Phase II initiative is to respond to the current Administration’s priorities as related to cyber risk, looking at these issues from an economic rather than a technical context. Phase II will also be inclusive of the considerations necessary for the entire “C-Suite,” expanding beyond the CFO role. While Phase I focused on the questions organizations and CFOs should be asking and on guidance for identifying and quantifying the financial risk associated with cyber security, Phase II will focus on developing an implementation strategy and process for answering the Phase I questions. This initiative will also focus on filling out that framework so that organizations can make better informed decisions related to cyber risk from an economic standpoint.
Consensus was also reached that the final deliverable from this Workshop will be a publication mirroring the ISA/ANSI 2008 deliverable The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, aimed at providing methodologies for the “C-Suite” to make better informed decisions related to cyber risk. In order for this product to provide added value, Phase II will seek to provide responses to the Phase I questions in the form of methodologies. Such responses must be scalable enough to be applicable to different types of organizations, which the Workshop can help achieve by ensuring that the methodologies and responses are implementable. In summary, the objective is two-fold: provide the analytical framework and suggest an appropriate course for implementation.
Following the summary of the Phase II objectives, a discussion ensued focusing on securing an outline for the final deliverable’s structure. It was agreed that the deliverable will open with an introduction and include six chapters, one for each critical organizational component identified in Phase I plus human resources management. Each chapter will provide responses to the Phase I questions, keeping them short, process-oriented, scalable, practical, and actionable, followed by relevant appendices.
A summary of the key elements and of the discussion points is as follows:
Introduction
It was agreed that an introduction will precede the six subject matter chapters, providing an executive summary that introduces the comprehensive unified approach outlined throughout the final deliverable. It will also state the objectives of the Phase II deliverable and serve the purpose of a “risk balance sheet.” As this initiative’s end goal is to encourage the C-suite community to integrate all of these various risks, the introduction will clearly identify this concept.
Chapter 1 - Chief Legal Counsel
Chapter 2 - Compliance Officer
Chapter 3 - Business Operations and Technology Teams
Chapter 4 - External Communications and Crisis Management Teams
Chapter 5 - Risk Manager for Corporate Insurance
Chapter 6 - Human Resources Management
Appendices
Mary Beth Allen, President, Allen Associates, volunteered to lead the newly created appendices task group. The group has been tasked with coordinating with all six task groups covering the aforementioned chapters to recommend appropriate appendices based on their individual content. Its focus will include identifying and providing actionable, value-added tools to round out the final deliverable.
Case Studies:
In the process of establishing the Phase II final deliverable outline noted above, workshop participants examined the need to include case studies in the appendices. Consensus was not reached at this meeting as to whether case studies of cyber breaches would add value and/or grab the attention of the deliverable’s intended audience, the C-suite community; it was agreed that the appendices task group would review the business case. In doing so, the task group will consider the following discussion points raised at this meeting:
One of the biggest issues related to breaches is the money invested in hiding the fact that they occur. How can we obtain sufficient data for appropriate analysis?
Anonymity to protect organizations’ reputations and address liability concerns
Hypothetical case studies
Use of case studies to spell out the economic opportunities related to cyber risk mitigation
Substituting relevant statistics for case studies, such as the FBI data regularly quoted within the administration
Effectively and quickly communicating the intended message to our target audience through numbers and facts that the C-suite can relate to
Credibility is a huge problem in this arena. If the intended deliverable is to be credible and actionable and the case studies presented within are hypothetical, this may compromise the integrity of the intended use of such a tool.
There is a lack of data in the public domain. Significant data exists on cyber failures; however, there is a shortage of cases highlighting successes.
Session #3 – Path Forward
The main objectives of this final session were the following:
Identify key tasks for creation of the final deliverable (framework document) and confirm participation in the necessary follow-on Workshop task groups
Review and modify the timeline for completing the work
Set a timetable for task groups to complete initial work, and confirm the dates for the next Workshop meetings (August 18th and September 29th)
Identify additional stakeholders who should be invited to be part of this Workshop initiative
This session opened with an introduction of the Task Group leaders, who were identified prior to Phase II Workshop I. All categories listed below were included in Phase I with the exception of Human Resources Management, a new addition identified as a need at the conclusion of Phase I. Task Group leaders are as follows:
Task Group #1 - Chief Legal Counsel – Lon Berk, Partner, Hunton & Williams
Task Group #2 - Compliance Officer – Arnold Felberbaum, Executive Vice President, SCO, Reed Elsevier
Task Group #3 - Business Operations and Technology Teams – Michael Castagna, CISO, U.S. Department of Commerce
Task Group #4 - External Communications and Crisis Management Teams – Rick Kam, President, ID Experts
Task Group #5 - Risk Manager for Corporate Insurance – Harry Oellrich, Reinsurance Agent, Guy Carpenter
Task Group #6 - Human Resources Management – Rebecca Webster, Director of Human Resources, Northrop Grumman
Task Group #7 – Appendices – Mary Beth Allen, President, Allen Associates
Red Team – Ed Stull, Direct Computer Resources, Inc.
Each Task Group leader delivered a brief presentation and/or remarks introducing the subject matter, providing a refresher on the ten questions published in the Phase I deliverable, The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask, and presenting a preliminary action plan for progressing the objectives identified for Phase II. Task Group leaders were tasked with preparing an outline of the content of their respective chapters for presentation at Phase II Workshop II. The complete list of Task Group participants can be found in Attachment 2. Additional Workshop participants are welcome and encouraged to join any of the task groups.
This session concluded with a discussion setting expectations for Task Group Leader roles and responsibilities, meeting planning and work between Workshop meetings, and reporting back to the ISA/ANSI leadership. Participants also agreed to the following timeline for the path forward for Phase II:
July 2009
Convene kick-off Workshop meeting (July 31st)
Reconvene/form appropriate task groups at meeting
Determine additional participants/resources required
Review schedule for remainder of project
August 2009
Task groups meet via teleconference
Second Workshop meeting (August 18th)
September 2009
Continue work of task groups
Produce first draft of final deliverable and circulate for review (review period September 1-20)
Final Workshop meeting (September 29th)
Review draft deliverable and comments received
Identify outstanding issues that need resolution
Circulate final draft deliverable
October 2009
Address final comments
Submit final draft deliverable to ANSI Communications (October 15th)
November 2009
Publication ready for distribution (November 15th)
The Task Groups are assigned to review the key questions provided in Phase I and develop appropriate responses aimed at providing methodologies for the C-suite to make better informed decisions related to cyber risk. Each chapter will include an introductory paragraph, followed by the key questions from Phase I, followed by the proposed responses from Phase II. Each task group is responsible for defining any key terms it uses that are not commonly known; these definitions will be included in an appendix to the report.
The group agreed to August 18th as the date of the next in-person meeting. Zurich agreed to host this meeting at the same location. At that meeting, task groups will present reports on their work for review and comment by the entire Workshop. It is envisioned that the final deliverable will be completed by November 15, 2009.
Adjournment
Larry Clinton, President, Internet Security Alliance (ISA), thanked Zurich again for providing meeting space and Robinson Lerer & Montgomery for their generous sponsorship in providing refreshments. Mr. Clinton also noted that he looked forward to the Task Group progress reports at the next meeting, Phase II Workshop II.
Prior to adjourning the meeting, Mr. Sagalow thanked the participants for their active participation and commitment to the second phase of the ISA/ANSI Cyber Risk initiative. He reminded participants that Phase II Workshop II will take place on Tuesday, August 18th, also at Zurich in New York City.
Sponsorship
ANSI and ISA would like to thank Robinson Lerer & Montgomery (RLM) for sponsoring this workshop.
Attachment 1 – Attendees
Carnegie Mellon University – Julia Allen
NIST – U.S. Department of Commerce
U.S. Cyber Consequences Unit
Direct Computer Resources, Inc.
U.S. Department of Justice – Martin Burkhouse
University of California
American National Standards Institute (ANSI)
U.S. Department of Commerce – Michael Castagna
Internet Security Alliance (ISA) – Larry Clinton
U.S. Chamber of Commerce – Matthew Eggers
Ferris & Associates, Inc. – John Ferris
New World Technology
Robinson Lerer & Montgomery – Anne Granfield
Robinson Lerer & Montgomery – Michael Gross
American National Standards Institute (ANSI)
American National Standards Institute (ANSI)
American National Standards Institute (ANSI)
U.S. Securities and Exchange Commission
Allied World Assurance
Guy Carpenter & Company, LLC
American National Standards Institute (ANSI)
Financial Services Technology
Direct Computer Resources, Inc.
Direct Computer Resources, Inc.
Society for Human Resource Management
Attachment 2 – Task Group Participants
Task Group 1 - Chief Legal Counsel
Martin Burkhouse – U.S. Department of Justice
Task Group 2 - Compliance Officer
Martin Burkhouse – U.S. Department of Justice
Task Group 3 - Business Operations and Technology
John (Marty) Ferris – Ferris & Associates
Michael Castagna* – U.S. Department of Commerce
Martin Burkhouse – U.S. Department of Justice
Task Group 4 - External Communications
Martin Burkhouse – U.S. Department of Justice
* Indicates task group leader