INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU

Size: px
Start display at page:

Download "INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU"

Transcription

1 INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU

2 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE SAFETY AND SECURITY? QUIZ FOR THE END QUESTIONS

3 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE A WORD FOR THE MOTIVATED

4 INFORMATION SECURITY - HIGH-LEVEL CONCEPTS INFORMATION SECURITY (IS) IS DESIGNED TO PROTECT THE CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF COMPUTER SYSTEM DATA FROM THOSE WITH MALICIOUS INTENTIONS INFORMATION SECURITY - THE PRACTICE OF PROTECTING INFORMATION FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, PERUSAL, INSPECTION, RECORDING OR DESTRUCTION. IT IS A GENERAL TERM USED REGARDLESS OF THE FORM THE DATA MAY TAKE (E.G. ELECTRONIC, PHYSICAL) - WIKIPEDIA INFORMATION SECURITY IS THE COLLECTION OF TECHNOLOGIES, STANDARDS, POLICIES AND MANAGEMENT PRACTICES THAT ARE APPLIED TO INFORMATION TO KEEP IT SECURE. OPEN UNIVERSITY INFORMATION SECURITY IS THE SET OF BUSINESS PROCESSES THAT PROTECTS INFORMATION ASSETS REGARDLESS OF HOW THE INFORMATION IS FORMATTED OR WHETHER IT IS BEING PROCESSED, IS IN TRANSIT OR IS BEING STORED INFORMATION SECURITY IS THE COLLECTION OF TECHNOLOGIES, STANDARDS, POLICIES AND MANAGEMENT PRACTICES THAT ARE APPLIED TO INFORMATION TO KEEP IT SECURE.

5 WHY DOES IT MATTER? - ANY OF THESE LOOK FAMILIAR?

6 RECENT SECURITY ISSUES Period Threats / Attacks Vulnerabilities Impact Yahoo! hack Not disclosed 273 million reportedly hacked, specific number of affected accounts not disclosed DDoS attack on Bitcoin Code integrity No specific breach published; Jan Mar 2014 NTP DDoS Vulnerability uncovered DDoS attack on UK Ministry of Justice Not disclosed No breach Sophisticated attack on Neiman Marcus retail infrastructure Missed detections (or insufficient data exfiltration detection capability) Heartbleed vulnerability published Credit card information of 350,000 individuals stolen. Chinese individuals hacked into US companies Not disclosed Not published Public utility control system hacked in the US Brute-forced employees login passwords Not disclosed Apr Jun 2014 Evernote subjected to DDoS attack Not disclosed Service disruption to 100 million Evernote users P.F. Chang s restaurants cardholder data infrastructure compromised Not disclosed Credit and debit card information from 33 restaurants stolen and reportedly sold online Organisers of Brazil 2014 World cup DDoS ed Not disclosed Disruption to numerous brad July Sep 2014 Bash / ShellShock vulnerability released; affecting millions of devices worldwide Sony pictures hack Not fully disclosed Disruption of movie production, movie revenue and employee/talent relations Oct Dec 2014 Sony PlayStation and Microsoft Xbox attacked for days over the Christmas holiday OpenSSL vulnerability released, affecting millions of software and hardware devices Not disclosed Microsoft and Sony unable to serve millions of customers worldwide

7

8 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE A WORD FOR THE MOTIVATED

9 TO THE BUSINESS ; WHAT IS RISK? THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000) EFFECT IS A POSITIVE OR NEGATIVE DEVIATIONS FROM WHAT IS EXPECTED UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, CONSEQUENCE OR LIKELIHOOD IS INADEQUATE OR INCOMPLETE Information Asset Threat Vulnerability

10 POSITIVE PERSPECTIVE THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000) EFFECT IS A POSITIVE OR NEGATIVE DEVIATIONS FROM WHAT IS EXPECTED UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, CONSEQUENCE OR LIKELIHOOD IS INADEQUATE OR INCOMPLETE Information Asset Opportunity Strength

11 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE A WORD FOR THE MOTIVATED

12 SECURITY ARCHITECTURE - HIGH-LEVEL CONCEPTS SECURITY ARCHITECTURE - ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS/COUNTERMEASURES/SAFEGUARDS ARE POSITIONED AND HOW THEY RELATE TO THE OVERALL SYSTEMS ARCHITECTURE FOR THE PURPOSE TO MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY. WIKIPEDIA THE DESIGN ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS (= SECURITY COUNTERMEASURES) ARE POSITIONED, AND HOW THEY RELATE TO THE OVERALL IT ARCHITECTURE. THESE CONTROLS SERVE THE PURPOSE TO MAINTAIN THE SYSTEM S QUALITY ATTRIBUTES, AMONG THEM CONFIDENTIALITY, INTEGRITY, AVAILABILITY, ACCOUNTABILITY AND ASSURANCE. OPENSECURITYARCHITECTURE.ORG SECURITY ARCHITECTURE IS A UNIFIED SECURITY DESIGN THAT ADDRESSES THE NECESSITIES AND POTENTIAL RISKS INVOLVED IN A CERTAIN SCENARIO OR ENVIRONMENT. IT ALSO SPECIFIES WHEN AND WHERE TO APPLY SECURITY CONTROLS. THE DESIGN PROCESS IS GENERALLY REPRODUCIBLE. TECHOPEDIA ENTERPRISE INFORMATION SECURITY ARCHITECTURE (EISA) IS THE PRACTICE OF APPLYING A COMPREHENSIVE AND RIGOROUS METHOD FOR DESCRIBING A CURRENT AND/OR FUTURE STRUCTURE AND BEHAVIOUR FOR AN ORGANIZATION'S SECURITY PROCESSES, INFORMATION SECURITY SYSTEMS, PERSONNEL AND ORGANIZATIONAL SUB- UNITS, SO THAT THEY ALIGN WITH THE ORGANIZATION'S CORE GOALS AND STRATEGIC DIRECTION. - WIKIPEDIA

13 IT IS ABOUT POSITIONING DISTINCTION AND AUTHENTICITY AND THE THINGS WE CARE ABOUT

14 NIRVANA ARCHITECTURE NO ARCHITECTS NEEDED Common business security problem. Business security aspiration Security Architecture bridges the gap

15 THE MIND OF A SECURITY ARCHITECT Principles Risk-based and policy-driven Policy-based access to services Ease of use / low friction Data access control Service minimisation Limit what your system say Audit Logging and Monitoring Principles (continued) Secure by design Defense-in-depth Segregation of trust domains Secure down to the weakest link Protection against insider and outsider attacks Trust levels Least Privilege Separation of duties

16 AN ARCHITECTURE DEVELOPMENT METHODOLOGY Focus of secure business technology outcomes; - not just security tools Characterise system by defining data, classification, criticality, components and interfaces Ensure continuous security monitoring through integration with Security Logging and Monitoring and contract management Identify threats, vulnerabilities and pairs that result in risk to the system and data. Identify high priority risks for management and control. Leverage Threat Modelling techniques. Present implemented solution to risk owner for acceptance of residual risks. Gain authorisation for production / go-live Assess design and implementation of controls and security architecture for residual risks (Design review / Vuln Scan / Pen Test) Select appropriate controls to treat high priority risks. Determine architecture and design principles and patterns leverage available security building blocks in the proposed security architecture foundations/model.

17 SYSTEM CHARACTERISATION UNDERSTAND THE BUSINESS PROCESS, APPLICATION SYSTEM AND COMPONENTS WHAT TYPE/CLASSIFICATION OF DATA IS INVOLVED WHAT ARE THE SYSTEM BOUNDARIES WHAT ARE THE INTERFACES TO/FROM THE SYSTEM AND WITHIN THE COMPONENTS OF THE SYSTEM WHO HAS RISK DECISION ON THE CRITICALITY OF THE SYSTEM WHO HAS RISK DECISION OF THE IMPACT OF SECURITY RISK ON DATA LOSS, UNAUTHORISED DISCLOSURE AND UNAUTHORISED MODIFICATION WHAT IS THE BUSINESS IMPACT OF ANY OF THESE SECURITY CONCERNS? WHAT ARE THE KNOWN WEAKNESSES, BUGS AND TECHNICAL SECURITY VULNERABILITIES (IF IT IS AN EXISTING SYSTEM) CURRENT BUSINESS RISK POSTURE OF THE SYSTEM

18 RISK ASSESSMENT ONE OF RISK MANAGEMENT ESTIMATE POTENTIAL DAMAGE TO THE SYSTEM IN THE EVENT OF THREAT MATERIALISING BUSINESS IMPACT ASSESSMENT IDENTIFY THREAT AND ESTIMATE LIKELIHOOD OF MATERIALISING THREAT MODELLING IDENTIFY VULNERABILITIES, WEAKNESSES AND ISSUES WITH THE SYSTEM (OR POTENTIAL ONES) AND LIKELIHOOD OF THEM BEING EXPLOITED ISSUES IDENTIFICATION / SECURITY ASSESSMENT USE THREAT-VULNERABILITY PAIRING TO DETERMINE MOST LIKELY RISK EVENT THAT COULD MATERIALISE RISK SCORING PRIORITISE THE RISK ACCORDING TO THEIR LEVELS RISK PRIORITISATION QUANTIFY RISKS AND REVIEW WITH STAKEHOLDERS RISK QUANTIFICATION / COST BUDGETING

19 SELECTION OF CONTROLS PLUS ARCHITECTURE & DESIGN FOLLOW ORGANISATION DEFINED SECURITY GUIDELINES AND POLICIES (ACCESS CONTROL, PASSWORD MANAGEMENT, REGULATORY COMPLIANCE, BUSINESS VALUES ETC) SELECT CONTROLS FROM DEFINED CONTROLS CATALOGUE, OR FROM INDUSTRY STANDARDS SUCH AS NIST AND ISO 27001/2) LEVERAGE SECURITY ARCHITECTURE BUILDING BLOCKS (FROM BEST PRACTICE FRAMEWORKS SUCH AS SABSA) REUSE EXISTING SECURITY SERVICES, RATHER THAN BUILD NEW ONES (REUSE BEFORE BUY BEFORE BUILD) BE CREATIVE (USING THE MIND OF A SECURITY ARCHITECT )

20 IMPLEMENTATION ASSESSMENT, AUTHORISATION AND CONTINUOUS MONITORING Design reviews, build/code reviews, source code analysis, vulnerability assessment, security testing (application / penetration testing) plus remediations to acceptable risk levels Risk acceptance criteria e.g. accepts vulnerabilities with Common Vulnerability Scoring System (CVSS) of less than 4.0 to maintain PCI DSS compliance; address all DoS vulnerabilities on critical systems that require high-availability; approval to go live with the system and the cycle begins again Feeds of security events and logs to security information and event management (SIEM) tools, horizon scanning of threat intelligence and monitoring of exploits against accepted risk posture which may require revision of system characterisation.

21 WHEN IS SECURITY ARCHITECTURE COMPLETE? WHEN SECURITY ARCHITECTS & SECURITY RISK SPECIALIST (AND OTHER ARCHITECTS) ARE NO LONGER NEEDED START LOOKING FOR ANOTHER JOB Bridging the gap

22 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE A WORD FOR THE MOTIVATED

23 RISK MANAGEMENT - HIGH-LEVEL CONCEPTS RISK MANAGEMENT IS THE PROCESS OF IDENTIFYING THE CRITICALITY OF AN ASSET, IDENTIFYING RISK, IDENTIFYING CONTROLS THAT ARE APPLICABLE BEARING IN MIND THE CRITICALITY OF THE ASSET, PROBABILITY OF OCCURRENCE, IMPACT AND COST OF APPLYING CONTROLS. RISK IS ASSESSED AS BOTH A PROBABILITY OF OCCURRENCE AND A MAGNITUDE OF EFFECT OR THE PRODUCT OF THE TWO. STRATEGY IS TO ACCEPT, AVOID, REDUCE OR TRANSFER RISK. SECURITY RISK MANAGEMENT - A PROCESS FOR IDENTIFYING, PRIORITIZING AND MANAGING INFORMATION SECURITY RISK TO AN ACCEPTABLE LEVEL WITHIN AN ORGANIZATION RISK MANAGEMENT IS A COMPREHENSIVE PROCESS THAT REQUIRES ORGANIZATIONS TO: (I) FRAME RISK (I.E., ESTABLISH THE CONTEXT FOR RISK-BASED DECISIONS); (II) ASSESS RISK; (III) RESPOND TO RISK ONCE DETERMINED; AND (IV) MONITOR RISK ON AN ONGOING BASIS USING EFFECTIVE ORGANIZATIONAL COMMUNICATIONS AND A FEEDBACK LOOP FOR CONTINUOUS IMPROVEMENT IN THE RISK-RELATED ACTIVITIES OF ORGANIZATIONS. NIST (800-39) RISK MANAGEMENT IS AN ACTIVITY DIRECTED TOWARDS ASSESSMENT, MITIGATION, AND MONITORING OF RISKS TO AN ORGANIZATION. INFORMATION SECURITY RISK MANAGEMENT IS A MAJOR SUBSET OF THE ENTERPRISE RISK MANAGEMENT PROCESS, WHICH INCLUDES BOTH THE ASSESSMENT OF INFORMATION SECURITY RISKS TO THE INSTITUTION AS WELL AS THE DETERMINATION OF APPROPRIATE MANAGEMENT ACTIONS AND ESTABLISHED PRIORITIES FOR MANAGING AND IMPLEMENTING CONTROLS TO PROTECT AGAINST THOSE RISKS. - CONFLUENCE

24 RISK MANAGEMENT AN OVERVIEW

25 ESSENTIAL RISK MANAGEMENT RISK PRIORITISATION Start risk Start risk prioritization Conduct summary ry- level risk prioritization Summary level risk prioritization Review with stakeholders Conduct detailed- level risk prioritization Detailed level risk prioritization End of risk prioritization

26 CONDUCTING SUMMARY-LEVEL RISK PRIORITIZATION High.. Likely ly one or more impacts expected within one year Medium m.. Probable le impact m expected within two to three years Low. Not probable le impact not expected to occur within three years THE SUMMARY-LEVEL PRIORITIZATION INCLUDES THE FOLLOWING: 1. DETERMINE IMPACT LEVEL 2. ESTIMATE SUMMARY-LEVEL PROBABILITY 3. COMPLETE THE SUMMARY-LEVEL RISK LIST 4. REVIEW WITH STAKEHOLDERS

27 IMPLEMENTING CONTROLS 4 Measuring Program Assessing Risk Effectiveness 1 3 Implementing Controls 2 Seek a holistic approach ac Organize by Defense se-in in- n-depth Conducting Decision Support

28 A GENERIC ASSET RISK ASSESSMENT APPROACH Identification & Classification Business Impact Assessment Risk Assessment Remediation Identify Data Assets Information Risk Assessment Perform Business Impact Identify Business Processes Assessment (of data assets, IT Application Risk Assessment Define Remediation Activities applications) Identify IT Applications Record Risks (using bow ties) PHASE 1 PHASE 2 PHASE 3 PHASE 4

29 IT SECURITY ARCHITECTURE RELATIONAL ENTITY

30 HIGHLIGHTS WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER IT S ALL ABOUT BUSINESS RISKS SECURITY ARCHITECTURE FOR THE BUSINESS WORLD RISK MANAGEMENT IN SECURITY ARCHITECTURE SAFETY VS SECURITY

31

32

33 SAFETY ENFOLDS, ITS INTERNAL, SAFETY IS A FEELING SECURITY SURROUNDS AND COULD BE EXTERNAL I.E. AN OVERACHIEVING UMBRELLA PROTECTING OUR SAFETY SECURITY AS A SAFEGUARD PERCEPTION IS REALITY 100% SECURITY IS NIRVANA SAFETY VS SECURITY?

34 QUESTIONS

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

Business continuity management and cyber resiliency

Business continuity management and cyber resiliency Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

Security and Architecture SUZANNE GRAHAM

Security and Architecture SUZANNE GRAHAM Security and Architecture SUZANNE GRAHAM Why What How When Why Information Security Information Assurance has been more involved with assessing the overall risk of an organisation's technology and working

More information

Effective Strategies for Managing Cybersecurity Risks

Effective Strategies for Managing Cybersecurity Risks October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X 4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.

More information

Cyber Protections: First Step, Risk Assessment

Cyber Protections: First Step, Risk Assessment Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com In this presentation

More information

TSC Business Continuity & Disaster Recovery Session

TSC Business Continuity & Disaster Recovery Session TSC Business Continuity & Disaster Recovery Session Mohamed Ashmawy Infrastructure Consulting Pursuit Hewlett-Packard Enterprise Saudi Arabia Mohamed.ashmawy@hpe.com Session Objectives and Outcomes Objectives

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

Risk Assessment. The Heart of Information Security

Risk Assessment. The Heart of Information Security Risk Assessment The Heart of Information Security Overview Warm-up Quiz Why do we perform risk assessments? The language of risk - definitions The process of risk assessment Risk Mitigation Triangle Lessons

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational

More information

THE POWER OF TECH-SAVVY BOARDS:

THE POWER OF TECH-SAVVY BOARDS: THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

Standard: Risk Assessment Program

Standard: Risk Assessment Program Standard: Risk Assessment Program Page 1 Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members. It is the university

More information

QuickBooks Online Security White Paper July 2017

QuickBooks Online Security White Paper July 2017 QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria

Ian Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria Ian Speller CISM PCIP MBCS Head of Corporate Security at Sopra Steria Information Risk in the Real World Realistic security management on a tight budget Or some things I have done to make the security

More information

Corporate Information Security Policy

Corporate Information Security Policy Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government Florida Government Finance Officers Association Staying Secure when Transforming to a Digital Government Agenda Plante Moran Introductions Technology Pressures and Challenges Facing Government Technology

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT E 4 ALBERT EMBANKMENT LONDON SE1 7SR Telephone: +44 (0)20 7735 7611 Fax: +44 (0)20 7587 3210 GUIDELINES ON MARITIME CYBER RISK MANAGEMENT MSC-FAL.1/Circ.3 5 July 2017 1 The Facilitation Committee, at its

More information

Choosing the Right Security Assessment

Choosing the Right Security Assessment A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding

More information

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Rethinking Information Security Risk Management CRM002

Rethinking Information Security Risk Management CRM002 Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design

More information

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER RESILIENCE & INCIDENT RESPONSE CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations VARONIS COMPLIANCE BRIEF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) 800-53 FOR FEDERAL INFORMATION SYSTEMS CONTENTS OVERVIEW 3 MAPPING NIST 800-53 CONTROLS TO VARONIS SOLUTIONS 4 2 OVERVIEW

More information

How to Create, Deploy, & Operate Secure IoT Applications

How to Create, Deploy, & Operate Secure IoT Applications How to Create, Deploy, & Operate Secure IoT Applications TELIT WHITEPAPER INTRODUCTION As IoT deployments accelerate, an area of growing concern is security. The likelihood of billions of additional connections

More information

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

The Honest Advantage

The Honest Advantage The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

EXABEAM HELPS PROTECT INFORMATION SYSTEMS WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK KEY BENEFITS AT A GLANCE Ensure your journey to the cloud is secure and convenient, without compromising either. Drive business agility

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

To Audit Your IAM Program

To Audit Your IAM Program Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com Introduction Stolen credentials are the bread and butter of today s hacker.

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 Christian Espinosa, Alpine Security www.alpinesecurity.com 1 Objectives Learn about penetration testing Learn what to consider when selecting

More information

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE WHITEPAPER RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE CONTENTS Executive Summary........................................ 3 Transforming How We Think About Security.......................... 4 Assessing

More information

SECURITY SERVICES SECURITY

SECURITY SERVICES SECURITY SECURITY SERVICES SECURITY SOLUTION SUMMARY Computacenter helps organisations safeguard data, simplify compliance and enable users with holistic security solutions With users, data and devices dispersed

More information

Manchester Metropolitan University Information Security Strategy

Manchester Metropolitan University Information Security Strategy Manchester Metropolitan University Information Security Strategy 2017-2019 Document Information Document owner Tom Stoddart, Information Security Manager Version: 1.0 Release Date: 01/02/2017 Change History

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

What is ISO ISMS? Business Beam

What is ISO ISMS? Business Beam 1 Business Beam Contents 2 Your Information is your Asset! The need for Information Security? About ISO 27001 ISMS Benefits of ISO 27001 ISMS 3 Your information is your asset! Information is an Asset 4

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

TEL2813/IS2621 Security Management

TEL2813/IS2621 Security Management TEL2813/IS2621 Security Management James Joshi Associate Professor Lecture 4 + Feb 12, 2014 NIST Risk Management Risk management concept Goal to establish a relationship between aggregated risks from information

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

An ICS Whitepaper Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available

More information

Security analysis and assessment of threats in European signalling systems?

Security analysis and assessment of threats in European signalling systems? Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Designing and Building a Cybersecurity Program

Designing and Building a Cybersecurity Program Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity

More information

Cloud Security Standards Supplier Survey. Version 1

Cloud Security Standards Supplier Survey. Version 1 Cloud Security Standards Supplier Survey Version 1 Document History and Reviews Version Date Revision Author Summary of Changes 0.1 May 2018 Ali Mitchell New document 1 May 2018 Ali Mitchell Approved Version

More information

Defensible and Beyond

Defensible and Beyond TELUS Defensible and Beyond Mike Vamvakaris Director and Head of Cyber Security Consulting November 2017 Digital transformation brings many benefits Communication and Collaboration Autonomous and Artificial

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

EXAMINATION [The sum of points equals to 100]

EXAMINATION [The sum of points equals to 100] Student name and surname: Student ID: EXAMINATION [The sum of points equals to 100] PART I: Meeting Scheduling example Description: Electronic meeting Scheduling system helps meeting initiator to schedule

More information

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

Cyber risk management into the ISM Code

Cyber risk management into the ISM Code Building trust. Shaping Safety No. Subject: Cyber risk management into the ISM Code To: insb auditors/managing companies IMO Resolution incorporates maritime cyber risk management into the ISM Code making

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need Infosec Europe 2009 Business Strategy Theatre Giving Executives the Security Management Information that they Really Need Simon Marvell Managing Director simon.marvell@acuityrm.com Agenda 1. What financial

More information

A Practical Approach to Implement a Risk Based ISMS

A Practical Approach to Implement a Risk Based ISMS A Practical Approach to Implement a Risk Based ISMS Pascal Reiniger Chief Information Security Officer Kanton Basel-Stadt Zürich Security Interest Group Switzerland 07.11.2017 Agenda 1. Introduction 2.

More information

Tool-Supported Cyber-Risk Assessment

Tool-Supported Cyber-Risk Assessment Tool-Supported Cyber-Risk Assessment Security Assessment for Systems, Services and Infrastructures (SASSI'15) Bjørnar Solhaug (SINTEF ICT) Berlin, September 15, 2015 1 Me Bjørnar Solhaug Bjornar.Solhaug@sintef.no

More information

What is Penetration Testing?

What is Penetration Testing? What is Penetration Testing? March 2016 Table of Contents What is Penetration Testing?... 3 Why Perform Penetration Testing?... 4 How Often Should You Perform Penetration Testing?... 4 How Can You Benefit

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure

More information

IT risks and controls

IT risks and controls Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles

More information

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018 Office of the Legislative Auditor State of Minnesota National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018 Christopher Buse Deputy Legislative Auditor Boot Camp

More information

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS CYBER SECURITY TAILORED FOR BUSINESS SUCCESS KNOW THE ASIAN CYBER SECURITY LANDSCAPE As your organisation adopts digital transformation initiatives to accelerate your business ahead, understand the cyber

More information

Understanding IT Audit and Risk Management

Understanding IT Audit and Risk Management Understanding IT Audit and Risk Management Presentation overview Understanding different types of Assessments Risk Assessments IT Audits Security Assessments Key Areas of Focus Steps to Mitigation We need

More information