Building Blocks for Effective Compliance: Risk Assessment (Cyber). Brian McGrath, Rohan Singla
2 Risk Assessment Agenda & Timing
Facilitator's address: 9:00 to 9:05
Risk Assessment Overview: 9:05 to 9:45
Cyber Risk Assessments: 9:45 to 10:30
Break: 10:30 to 10:45
Initial Q&As: 10:45 to 10:55
Case Studies: 10:55 to 11:10
Model Answers: 11:10 to 11:30
Final Q&A and Close: 11:30 to 12:00
3 Building Blocks for Effective Compliance: Risk Assessment (Brian McGrath)
4 Risk Assessment: outline
Role and Context
Assessment Types
Assessment Scoring
Process
Features
Presentation
System
Pitfalls
Examples
6 Role and Context
Risk Assessment is essentially about measuring a risk, risk being the effect of uncertainty on objectives.
7 Role and Context
8 Role and Context
The context has to be set first: how would you assess each of the following?
The risk of flooding in the room
The risk of a power failure in the building
The risk of internal fraud
The risk of being non-compliant with a Regulation
The risks of a new Regulatory Requirement
9 Role and Context
Risk Management Process: Risk Identification, then Risk Assessment, then Risk Mitigation and Control, then Risk Reporting.
10 Role and Context
Risk Assessment feeds Prioritisation, which feeds Remediation, Action and Management.
11 Role and Context
Risk Assessments can be conducted at different levels within a firm, each with a stakeholder linked to the level:
Strategic / Organisational Level: Executive Team
Business Unit Level: Team Leader
Process / Task Level: Process Owner
Stakeholders linked with the level: Board, Regulators, Shareholders
13 Assessment Types
Risk Assessment Types exist for all types of risk: Credit Risk, Reputational Risk, Regulatory Risk, Operational Risk, Insurance Risk.
14 Assessment Types: Risk Assessment Approaches
Top-Down Overview: Executive / Board Level, across the whole organisation or business line
Bottom-Up: Risk & Control Self Assessment, conducted from the lowest level of the organisation
Scenario Analysis: Low Frequency, High Impact Events
New Product Risk Assessments: risk assessing new products or services; of particular importance in the Regulatory / Conduct Risk context
Change Risk Assessments: change in processes, structures, organisation; before-and-after examination
15 Assessment Types: Thematic Risk Assessments
Business Continuity: (Risk) Assessment of the impact of being unable to conduct business
AML: Business Line, Customer, Portfolio, Product, Delivery Channel
Regulation / Legislative Code: Risk Assessment per Regulation as it applies to an Institution
Vendor / Outsourcing Risk Assessment: (Risk) Assessing a Vendor or a 3rd Party Agent
Cyber Risk Assessment: more on this later
17 Assessment Scoring
Measuring a Risk (the effect of uncertainty on objectives) has three ingredients: IMPACT, PROBABILITY / LIKELIHOOD, and CONTEXT (what is the objective?).
18 Assessment Scoring
An Assessment Scale is required: a LIKELIHOOD axis (Rare to Frequent) plotted against an IMPACT axis (Low to High), read within the CONTEXT (what is the objective?).
19 Assessment Scoring: Context
Serving Customers: Financial, Operations, Customers, Regulators
Quantitative and Qualitative measures
Context of the specific organisation
Historical Basis
20 Assessment Scoring: Likelihood and Impact scales
Impact scale (1 to 3), by category:
Financial: 1 = < 50,000; 2 = $50,000 to $250,000; 3 = > $250,000
Regulatory: 1 = Regulatory reportable issue; 2 = Regulator overseen remediation; 3 = Risk Mitigation Plan / Regulatory Fine
Reputational: 1 = Local Press Coverage; 2 = National Press Coverage; 3 = International Press Coverage
Operational: 1 = Non critical service disrupted; 2 = Critical Service Disrupted < 5 hours; 3 = Critical Service Disrupted > 5 hours
Likelihood scale: Very Rare, Reasonably Likely, Extremely Likely
21 Assessment Scoring
Having created a spectrum of risk, apply (useful) labels: Low / Medium / High; Minor / Moderate / Major; Team / Business Unit / Group.
22 Assessment Scoring
Scores arising from the assessment need to be applied, typically on both an Inherent and a Residual basis:
Inherent / Gross Basis: the risk without controls, protection or mitigants
Residual / Net Basis: the risk with (current) controls, protection and mitigants
24 Risk Assessment Process: Re-Cap
Risk Identification, then Risk Assessment, then Risk Mitigation and Control, then Risk Reporting.
Assessment techniques: Self-Assessment; Facilitated Workshop(s); Questionnaire / Interviews; Roundtable; Process Mapping
25 Risk Assessment Process: Process Mapping
A particularly common approach to the risk assessment of operational processes:
1. Identify the process for risk assessment
2. Process Owners and stakeholders map out the process
26 Risk Assessment Process: Process Mapping
3. Identify the risks within the process (Risk #1, Risk #2, ...)
27 Risk Assessment Process: Process Mapping
4. Inherent Risk Score
5. Control Articulation
6. Residual Score
For each risk (Risk #1, Risk #2, ...): Inherent Risk Score, then Controls, then Residual Score
28 Risk Assessment Process: Overall Consistency
Risk / Control Catalogues: a set approach to Risk / Control Articulation
Regular Reviews: Periodic Reviews; Re-Assessment; Sign-off / Assertions / Confirmations
Trigger Events: Changes in Environment; Significant Events, Internal and External
30 Features
Risk #1: Inherent Risk Score, Controls, Residual Score. To the list of Risks, Controls and Scores, need to add:
Context: Business Unit, Process, Product, Division
Risk Owner: a person, typically in Management, with responsibility for the Risk; usually linked to the Product / Process Owner. Critical for Strategic / Cross-Enterprise Risks.
Remediation Points: connect the Risk Assessment with the Risks that are over-exposed or whose controls are not operating correctly; drive out Actions.
Categorisations: categories of Risk Types and Control Types; particularly useful in a large organisation.
32 Risk Assessment Presentation
Risk Assessments are collated and aggregated for Management. A Traffic Light / Red Amber Green system is useful to display and highlight key areas of attention.
33 Risk Assessment Presentation: Defining the R.A.G.
Red: top 20% of the risk population; risks requiring immediate remediation; risks requiring Senior Management review and approval; risks with recent financial impacts
Amber: middle 40% of the risk population; risks which require regular and constant monitoring / testing; risks requiring Middle Management review and approval; risks with historical financial exposure
Green: bottom 40% of the risk population; risks which require periodic evaluation; risks requiring Team Leader / Team Management review and approval; risks with no historical financial exposure
34 Risk Assessment Presentation: Risk HeatMaps
Axes: Impact against Likelihood. Quarter-on-Quarter Trend: Stable, Increase, Decrease.
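As an added worked example (not part of the original deck), the scoring scheme from slides 20, 22 and 27 and the R.A.G. banding from slide 33 carried through in Python on a constructed risk register: impact is the worst of the four categories on the deck's 1-3 scale, controls step the likelihood or impact down to give the residual score, and bands are assigned by rank in the population. The 1-3 numbering of the likelihood labels, the use of likelihood x impact as the score, and every risk and control named are assumptions for illustration.

```python
"""Inherent / residual scoring and R.A.G. banding for a risk register.

Added example. Impact thresholds and the 20 / 40 / 40 population split come
from the deck; the likelihood numbering, the product rule and the register
itself are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed numbering of the deck's likelihood labels.
LIKELIHOOD = {"Very Rare": 1, "Reasonably Likely": 2, "Extremely Likely": 3}

# Non-financial impact columns, exactly as the deck words them.
REGULATORY = {"Regulatory reportable issue": 1, "Regulator overseen remediation": 2,
              "Risk Mitigation Plan / Regulatory Fine": 3}
REPUTATIONAL = {"Local Press Coverage": 1, "National Press Coverage": 2,
                "International Press Coverage": 3}
OPERATIONAL = {"Non critical service disrupted": 1, "Critical Service Disrupted < 5 hours": 2,
               "Critical Service Disrupted > 5 hours": 3}


def financial_impact(loss: float) -> int:
    """Financial column: < 50,000 -> 1; 50,000 to 250,000 -> 2; > 250,000 -> 3."""
    if loss < 50_000:
        return 1
    return 2 if loss <= 250_000 else 3


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # steps down the likelihood scale
    impact_reduction: int = 0       # steps down the impact scale


@dataclass
class Risk:
    name: str
    likelihood: str
    financial_loss: float
    regulatory: str
    reputational: str
    operational: str
    controls: List[Control] = field(default_factory=list)

    def impact(self) -> int:
        """Worst case across the four impact categories."""
        return max(financial_impact(self.financial_loss), REGULATORY[self.regulatory],
                   REPUTATIONAL[self.reputational], OPERATIONAL[self.operational])

    def inherent(self) -> int:
        """Gross score: no controls applied (slide 22)."""
        return LIKELIHOOD[self.likelihood] * self.impact()

    def residual(self) -> int:
        """Net score: current controls applied, never below 1 on either axis."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact() - sum(c.impact_reduction for c in self.controls)
        return max(1, lik) * max(1, imp)


def rag_bands(risks: List[Risk]) -> Dict[str, str]:
    """Slide 33: top 20% of the population Red, next 40% Amber, rest Green.

    Ranking is by residual score, ties by inherent score then name; a tied
    pair can therefore straddle a boundary, which is why the deck pairs the
    percentile rule with review-level criteria.
    """
    ordered = sorted(risks, key=lambda r: (-r.residual(), -r.inherent(), r.name))
    n = len(ordered)
    red_n = (n * 20 + 99) // 100          # integer ceil of 20%
    amber_n = (n * 40 + 99) // 100        # integer ceil of 40%
    bands = {}
    for pos, r in enumerate(ordered):
        bands[r.name] = "Red" if pos < red_n else "Amber" if pos < red_n + amber_n else "Green"
    return bands


def sample_register() -> List[Risk]:
    """Constructed register of ten risks (illustrative, not from the deck)."""
    av = Control("Endpoint anti-virus", likelihood_reduction=1)
    backups = Control("Tested offline backups", impact_reduction=1)
    mfa = Control("Dual approval on payments", likelihood_reduction=1)
    training = Control("Staff awareness training", likelihood_reduction=1)
    return [
        Risk("Ransomware via phishing link", "Reasonably Likely", 300_000, "Regulator overseen remediation",
             "National Press Coverage", "Critical Service Disrupted > 5 hours", [av, backups]),
        Risk("Extortion DDoS on online banking", "Reasonably Likely", 100_000, "Regulatory reportable issue",
             "National Press Coverage", "Critical Service Disrupted < 5 hours",
             [Control("DDoS scrubbing service", impact_reduction=1)]),
        Risk("CEO-fraud payment instruction", "Extremely Likely", 900_000, "Regulatory reportable issue",
             "Local Press Coverage", "Non critical service disrupted", [mfa, training]),
        Risk("Departing staff copies customer data to USB", "Reasonably Likely", 60_000,
             "Risk Mitigation Plan / Regulatory Fine", "National Press Coverage", "Non critical service disrupted",
             [Control("USB blocking / DLP", likelihood_reduction=1)]),
        Risk("Card data breach in payment environment", "Very Rare", 400_000, "Risk Mitigation Plan / Regulatory Fine",
             "International Press Coverage", "Critical Service Disrupted < 5 hours"),
        Risk("Vendor outage at datacentre provider", "Reasonably Likely", 20_000, "Regulatory reportable issue",
             "Local Press Coverage", "Critical Service Disrupted > 5 hours",
             [Control("Contracted failover site", impact_reduction=1)]),
        Risk("Lost unencrypted laptop", "Reasonably Likely", 10_000, "Regulator overseen remediation",
             "Local Press Coverage", "Non critical service disrupted",
             [Control("Full-disk encryption", impact_reduction=1)]),
        Risk("Pharming of customer login page", "Very Rare", 150_000, "Regulatory reportable issue",
             "National Press Coverage", "Non critical service disrupted"),
        Risk("Website defacement by political hackers", "Reasonably Likely", 5_000, "Regulatory reportable issue",
             "National Press Coverage", "Non critical service disrupted",
             [Control("Web application patching", likelihood_reduction=1)]),
        Risk("Mis-addressed customer statements", "Extremely Likely", 1_000, "Regulatory reportable issue",
             "Local Press Coverage", "Non critical service disrupted", [training]),
    ]


if __name__ == "__main__":
    register = sample_register()
    bands = rag_bands(register)
    for r in sorted(register, key=lambda r: -r.residual()):
        print(f"{bands[r.name]:5} inherent={r.inherent()} residual={r.residual()}  {r.name}")
```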
36 Risk Assessment & System
Over time, Risk Assessments will evolve, and the tools and processes that support them will evolve with them. The requirements of such tools and processes will develop over time: Manage Robustly; Share Data; Maintain Lots of Data; Maintain Data.
37 Risk Assessments & Systems
Options: Purpose Built; SharePoint; Access; Excel
38 Risk Assessments & Systems: System Features and Benefits
Real Time Accessibility: Continuous Maintenance
Audit Trail & Historical Records: Change Management & Trend Analysis
Stability and Security: Robust IT support & Confidential Records
Reporting Capabilities: Analysis & Quality Outputs
Workflow: Assists regular processes
39 CHANGING RISK ENVIRONMENT AND RISK ASSESSMENT PITFALLS
41 Pitfalls: Death by Excel Spreadsheet
Simplified Approach; Rationalised System to support; Plan / Map out the future state
42 Pitfalls: Process Mapping (Risk #1 to Risk #10 crowded onto a single map)
43 Pitfalls: Inconsistency of Use
Bias in Risk Rating / Topics, Likelihood, Impact
Centralised Quality Assurance / Review; Cycle of Reviews; Peer Comparison Reviews; Substantiation of Ratings
44 Pitfalls: Inaction following the Risk Assessments
Remediation is a key objective: maintain a remediation log, with focus and visibility on progress; report remediation requirements to management.
45 Cyber Security: Risk Assessment (Rohan Singla)
46 Agenda
Introduction to Cyber Security
What is the problem?
Current Irish trends: denial of service; cyber extortion; customer attacks
How should you respond?
What are other companies doing?
47 INTRODUCTION TO CYBER SECURITY
48 Introduction to cyber security
Cyber attacks on banks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy (estimated to be 800 million in Ireland).
49 Introduction to cyber security
Cyber security is the ability to protect or defend an organisation's online systems and technology from attack. R = T × V × C
50 Introduction to cyber security
The economy depends on a stable, safe and resilient online environment. A vast array of networks allows us to: communicate and travel; power our homes; run our economy; provide government services.
51 Introduction to cyber security 10 years ago, they looked like this
52 Introduction to cyber security Now they look like this
53 WHAT IS THE PROBLEM?
54 Increasing issues
55 Focus
56 2015 Irish regulator focus
57 Increasing impact on financial services
Threat sources: Rogue employees; Data breaches; Theft of customer information; Organised crime; Denial of service; Financial crime
Impacts: Reputational damage; Regulatory fines; Financial loss; Reduced shareholder value; Loss of competitive advantage; Drop in share price; Lack of customer trust; Operational downtime
Cyber security demonstrates regulatory compliance and good governance, and is expected by customers, partners and shareholders.
58 WHAT'S HAPPENING CURRENTLY?
59 Carbanak the biggest bank heist ever
60 Denial of service for cash
61 DD4BC the professionals
63 Irish financial services organisation targeted
Day 1, 2:00PM: Email received from DD4BC seeking 6,000 in 24 hours to avoid a systems outage
Day 1, 4:00PM: Systems offline after a large flood of traffic; the attack stops after 5 minutes
Day 1, 6:00PM: Datacentre provider says it will take 3 days to put defences in place
Day 2, 2:00PM: Further email from DD4BC extending the deadline by 24 hours
64 Cyber extortion in Ireland
65 Cyber extortion in Ireland
The issue: a large amount of data unavailable; no malware alerts; scramble to restore files; no idea how it happened
The response: forensic investigation; malware identified as cryptolocker.e; anti-virus did not identify it until 4 days after the attack; a call centre staff member had clicked a link while surfing for new furniture
66 Customer attacks in Ireland
Malware based: emails from known individuals forwarded from CFO to controller; 900,000 transferred in 8 hours
Social engineering: grooming of finance staff; 8-9 month lead time; helpful demeanour; 600,000 in one incident in Northern Ireland
Corporate customers are increasingly aggressive in recovery
67 Social engineering
"There's a sucker born every minute" (Phineas T. Barnum)
68 Phishing etc.
Phishing; Pharming; Vishing; Spear Phishing; Trojan Phishing; Baiting
69 Old fashioned credit card theft
71 Simple data theft: Typical scenario
A member of staff obtains a job with a competitor / organisation in the same sector.
Copies data accessible to them onto a USB pen / web-mails it via Gmail / copies it to Dropbox etc.
Does something stupid so the theft is detected.
Motivation? Stupidity, Greed, Anger.
72 Data theft: channels
USB Pen or Thumb Drive; Portable Hard Drive; MP3 Players, Digital Cameras, Memory Cards, PDAs; CD / DVD; Web-mail; Printing; Remote Access
73 Data theft risk factors
Sudden resignation / departure of staff
Departure of staff to commercial competitors
Departure of staff to start their own business or other enterprises
Staff with access to sensitive data involved in disciplinary or relationship issues
Staff leaving under redundancy
Staff in personal relationships with persons in competing organisations
Staff in personal relationships with journalists
Companies undergoing financial or industrial relations problems
74 Hacking: there's nothing like advertising!
75 Political hacking
76 Personal data theft
77 But don't forget...
78 HOW SHOULD YOU RESPOND?
79 Cyber Risk Assessment Approach
1. Develop Cyber Risk Framework: define cyber security; define cyber crime & risks; customise cyber security frameworks (e.g. ISO 27001, NIST etc.) to your organisation's requirements; identify focus areas. Output: the Cyber Security Framework to assess against.
2. Understand Current State: review existing documentation; interview stakeholders; review previous assessment work completed; CBI thematic reviews. Inputs: interviews with key stakeholders; existing documentation review; previous reviews (security management program assessment).
3. Gap Assessment: identify gaps in each of the focus areas; identify the security implications of each gap; prioritise the gaps based on their impact and the effort to remediate. Output: prioritised gaps, implications and recommendations for Cyber Threat Intelligence, Cyber Incident Response and Cyber Governance.
4. Recommendations and Reporting: develop specific recommendations to remediate the identified gaps. Outputs: prioritised recommendations; Cyber Risk Assessment report.
80 What are the SEC saying?
Assess: information & technology used; threats & vulnerabilities; controls & processes; governance & management
Develop a cyber security strategy: access control; encryption; data loss prevention; monitoring; backups; incident response plan
Implement: policies; procedures; training
81 Central Bank of Ireland themed reviews
Approach: questionnaires; on-site assessment. Sectors covered: fund managers; investment firms; stockbrokers; banking next
Focused on: risk management; board awareness & involvement; cyber policies and procedures; access management
82 WHAT ARE COMPANIES DOING?
83 Cyber security universe
Prepare: Cyber security risk and threat assessment; Security process or technical assessments; Security policy development; Third party cyber security assurance
Protect: Security architecture; Security technology implementation; Security process design and implementation; Identity and access management; Privacy and data protection; Data classification; Enterprise application integrity; Business continuity and disaster recovery; Penetration testing; PCI DSS
React: Security operations and monitoring; Security and data breach incident response
Change: Security program strategy and planning; Security governance; Security awareness
84 Cyber security areas of concern
Roles and responsibilities are clearly defined
Governance, Risk Appetite & Management level reports are in place (KRI/KPI) and cover cyber security incidents and breaches
The company complies with relevant regulation / legislation
Policies & standards articulate and support the company's cyber security objectives
Incident management processes and business continuity exercises include cyber security
An Information Asset Register is in place
Formal risk acceptance and insurance cover unmitigated risks
Effective assurance of control design and operation is in place, especially for controls based at third parties
Awareness: "human firewall" training is in place
Certifications meet the company's cyber security requirements
85 Initial Q&A
86 Case Studies
87 Case Studies
A Retail Bank (or Credit Union), lending and deposit taking, seeks a methodology to risk assess changes in processes. The Retail Bank operates in two jurisdictions.
i. What could the Risk Assessment Type be?
ii. What could the Risk Assessment Criteria be?
iii. What would be the challenges in implementing it?
iv. What could the features of the Risk Assessment Template look like?
v. What could the features of the Risk Assessment Template look like?
88 Case Study: Cyber Security
A small-tier financial services company was notified by a government agency that a cyber attack on its computer network had occurred. The compromised computer systems contained payment card data, as well as other Personally Identifiable Information (PII) regarding the bank's customers, which was stored and transmitted in the environment.
i. What would you have done differently to avoid such a breach or minimise its impact?
ii. What are the different risks at this stage, i.e. after the compromise?
iii. What steps can be taken now to remediate or stop the attack?
iv. What next steps would you recommend after the breach has been stopped and remediated?
v. What are the ramifications? Who is affected by this incident and who is responsible for it within the affected company?
89 Model Answers
90 Final Q&A
91 Close
More informationDIGITAL ACCOUNTANCY FORUM CYBER SESSION. Sheila Pancholi Partner, Technology Risk Assurance
DIGITAL ACCOUNTANCY FORUM CYBER SESSION Sheila Pancholi Partner, Technology Risk Assurance Section 1: The background World s biggest data breaches 10 years ago 2007 2006 accidentally published hacked inside
More informationAre we breached? Deloitte's Cyber Threat Hunting
Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the
More informationPosition Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED
Position Description Computer Network Defence (CND) Analyst Position purpose: Directorate overview: The CND Analyst seeks to discover, analyse and report on sophisticated computer network exploitation
More informationSFC strengthens internet trading regulatory controls
SFC strengthens internet trading regulatory controls November 2017 Internet trading What needs to be done now? For many investors, online and mobile internet trading is now an everyday interaction with
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationTable of Contents. Sample
TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 4 1.1 GOALS AND OBJECTIVES... 5 1.2 REQUIRED REVIEW... 5 1.3 APPLICABILITY... 5 1.4 ROLES AND RESPONSIBILITIES SENIOR MANAGEMENT AND BOARD OF DIRECTORS...
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationRansomware A case study of the impact, recovery and remediation events
Ransomware A case study of the impact, recovery and remediation events Palindrome Technologies 100 Village Court Suite 102 Hazlet, NJ 07730 www.palindrometech.com Peter Thermos President & CTO Tel: (732)
More informationOperational Risk Management: Major Processes and Assignments
Operational Risk Management: Major Processes and Assignments Gabriel Andrade Deputy-Head of the Risk Management Department 19 September 2017 Cambridge Agenda 1. ORM Framework Operational Risk Operational
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationFlorida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government
Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationIndustrial control systems
Industrial control systems Attractive targets for cyber-attacks A five-point strategy for a secure environment The risk of a cyber-attack is real and continues to rise Cyber threats to industrial control
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationEnhance Your Cyber Risk Awareness and Readiness. Singtel Business
Singtel Business Product Factsheet Brochure Managed Cyber Security Defense Readiness Services Assessment Enhance Your Cyber Risk Awareness and Readiness Much focus is on knowing one s enemy in today s
More informationCybersecurity, safety and resilience - Airline perspective
Arab Civil Aviation Commission - ACAC/ICAO MID GNSS Workshop Cybersecurity, safety and resilience - Airline perspective Rabat, November, 2017 Presented by Adlen LOUKIL, Ph.D CEO, Resys-consultants Advisory,
More informationCybersecurity and Examinations
Tim Segerson, Deputy Director NCUA E&I Cybersecurity and Examinations October 6, 2016 Chicago, IL Connected Devices Declining costs + increased bandwidth + powerful algorithms will spur a new information
More informationInfosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need
Infosec Europe 2009 Business Strategy Theatre Giving Executives the Security Management Information that they Really Need Simon Marvell Managing Director simon.marvell@acuityrm.com Agenda 1. What financial
More informationA Framework for Managing Crime and Fraud
A Framework for Managing Crime and Fraud ASIS International Asia Pacific Security Forum & Exhibition Macau, December 4, 2013 Torsten Wolf, CPP Head of Group Security Operations Agenda Introduction Economic
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationInternet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin
Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationCyber Security Incident Response Fighting Fire with Fire
Cyber Security Incident Response Fighting Fire with Fire Arun Perinkolam, Senior Manager Deloitte & Touche LLP Professional Techniques T21 CRISC CGEIT CISM CISA AGENDA Companies like yours What is the
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationGetting Started with Cybersecurity
2 Incidents per week: Since 2016, U.S. K-12 school districts have experienced more than two cyber incidents per week on average. Fastest growing cyber incidents in K12 schools Most common cyber incidents
More informationIoT & SCADA Cyber Security Services
RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationInterpreting the FFIEC Cybersecurity Assessment Tool
Interpreting the FFIEC Cybersecurity Assessment Tool Wayne H. Trout, CISA, CRISC, CBCA, CBRA, CBRITP NCUA Supervisor, Critical Infrastructure and Cybersecurity What We ll Cover Cyber risk management Cybersecurity
More informationSecure your company s Crown Jewels. workshop
Secure your company s Crown Jewels 1 Your company s Crown Jewels The most valuable data, intellectual property (IP) and trade secrets form the heart of an organization s identity. The theft, misuse or
More informationThink Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe
Think Oslo 2018 Where Technology Meets Humanity Oslo Felicity March Cyber Resilience - Europe Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity
More informationCrises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.
Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility
More informationSECURITY SERVICES SECURITY
SECURITY SERVICES SECURITY SOLUTION SUMMARY Computacenter helps organisations safeguard data, simplify compliance and enable users with holistic security solutions With users, data and devices dispersed
More informationSecurity Awareness Training Courses
Security Awareness Training Courses Trusted Advisor for All Your Information Security Needs ZERODAYLAB Security Awareness Training Courses 75% of large organisations were subject to a staff-related security
More informationIntegrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise
February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO
More informationCybersecurity and the Board of Directors
Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education
More information