SA Critical Information Infrastructure Protection (CIIP)
SA Critical Information Infrastructure Protection (CIIP) & Institutional Intelligence Reporting
National Treasury Critical Information Infrastructure Protection (CIIP)
Craig Rosewarne (Wolfpack: SA Critical Information Infrastructure Protection (CIIP)) (MBA / CISSP / CISM / CVE / ISO 27001 Lead Implementer & Lead Auditor / Certified Lead Incident Response Professional)
Jonathan Crisp (BarnOwl: Institutional Intelligence Reporting)
Director
Fast Facts: Wolfpack Information Risk (Pty) Ltd is a proudly South African company established in 2011; independent trusted advisors to government and private sector; ongoing commitment to national cyber security community initiatives; a level 1 BBBEE contributor.
DISRUPTIVE TECHNOLOGIES Cloud / Community / Apps
14.3 BILLION 3 TRILLION
THE EVOLVING THREAT
1995 – 2005: 1st Decade of the Commercial Internet
2005 – 2015: 2nd Decade of the Commercial Internet
Motive: National Security; Espionage, Political Activism; Monetary Gain; Revenge; Curiosity
Adversary: Nation-state Actors / Terrorist Groups - Targeted Attacks; Competitors, Hacktivists; Organised Crime, Hackers and Crackers using sophisticated tools; Insiders, using inside information; Script-kiddies or hackers using tools, web-based “how-to’s”
SA NATIONAL CYBERSECURITY STAKEHOLDERS
Justice, Crime Prevention and Security (JCPS) Cluster; Cybersecurity Response Committee (SSA lead)
State Security Agency; SA Police Service (SITA); SA National Defence Force (CSIR DPSS / SITA); Justice & Corrections (SIU / NPA); Dept Telecomms & Postal Service (CSH / NCAC); DST; Home Affairs; SAPO; AGSA; DPSA; DIRCO; SARS; National Key Points; National, Provincial & Local Government
Citizens; Children
Industry Bodies - SABRIC, SAFPS, ISPA, SACCI; Regulators
STRATEGIC Compliance violation Fines/Fees DEPARTMENT ATO revoked / INDUSTRY OPERATIONAL
Financial; Retailers; ISPs; TMT; Manufacturing; Academia; Healthcare; Professional Services; Vendors; Local & International Partners; B2B; B2C; Informal Traders; Customers
DEFENDER VS ATTACKER
CRITICAL INFORMATION INFRASTRUCTURE Telecommunications / IT Water Systems Transport Manufacturing Business Systems Retail Ports Financial Distribution Supply Chain Government Energy Health
SA 2016 CIIP REPORT
INFORMATION RISK ASSESSMENT
160 POSSIBLE VULNERABILITIES WERE REVIEWED ACROSS MAJOR RISK DOMAINS OF THE ORGANISATION.
Industrial Control Systems; Governance, Risk & Compliance; Human Resources; Asset Management; Access Control; Systems Acquisition, Development & Maintenance; IT Security Operations; Supplier Management; Physical and Environmental Security; Security Architecture & Design; Telecommunications & Networking; Information Security Incident Management; Cryptography; Business Continuity & Disaster Recovery
REPORT – HIGHLIGHTS
SA 2016 CIIP REPORT – HIGHLIGHTS
SA 2016 – THE ROAD AHEAD
RECOMMENDATIONS - AIM: ASSESS (HEALTH CHECK); IMPROVE (TRAINING & AWARENESS); MONITOR (THREAT INTELLIGENCE)
ASSESS: Information Risk Framework & ISMS; Stakeholder Engagement; Health Check Phase; Information Risk Assessment; Priority Roadmap; Remediation & Monitoring Phase; Simulated Threat Reviews; Incident Response; Business Benefits & Continual Improvement Phase
IMPROVE - REMEDIATION: Information Risk Framework & ISMS; Stakeholder Engagement; Health Check Phase; Information Risk Assessment; Priority Roadmap; Remediation & Monitoring Phase; Simulated Threat Reviews; Incident Response; Business Benefits & Continual Improvement Phase
TRAINING - IMPROVE: TRAINING & AWARENESS
1. INFORMATION RISK BASELINE PROGRAMME
1.1 Executive / Management (1 hour)
1.2 GRC / IS / IT teams (1-2 days)
1.3 User Awareness Programme (1 - 4 hours)
2. SPECIALIST PROGRAMMES
2.1 Governance, Risk & Compliance Programme
2.2 Information Security Programme
2.3 Privacy & Incident Management Programme
2.4 Vulnerability Management Programme
2.5 Security Operations Programme
2.6 Secure Development Programme
AWARENESS - IMPROVE: TRAINING & AWARENESS
Business Requirements Analysis; Stakeholder Change Management; Create Tailored Awareness Programme
Exec; Management; Users & Third Parties
Phase 1: PLAN; Phase 2: BUILD; Phase 3: RUN
HUMAN VULNERABILITY TESTING
MONITOR
Threat Intelligence: Global & local threat feeds
Continuous Monitoring: Identify suspicious behaviour
Asset Discovery: Know your assets
Vulnerability Assessments: Effectively identify vulnerabilities
Threat Management: Determine threat to your organisation
BALANCING RISK & REWARD
PROACTIVE (Creating stakeholder value): More Predictable Business Growth; Improved Governance; Risk Intelligent Organisation
REACTIVE (Preserving stakeholder value): Risk Unaware; Fighting Fires; Compliance
VALUE
INSTITUTIONAL INTELLIGENCE REPORTING
Wolfpack Information Risk (Pty) Ltd, www.wolfpackrisk.com: Threat Intelligence; Advisory; Training; Awareness
FULLY INTEGRATED GOVERNANCE, RISK MANAGEMENT, COMPLIANCE AND AUDIT SOFTWARE: www.barnowl.co.za