Les joies et les peines de la transformation numérique

Transcription

1 Les joies et les peines de la transformation numérique Georges Ataya CISA, CGEIT, CISA, CISSP, MSCS, PBA Professor, Solvay Brussels School of Economics and Management Academic Director, IT Management Education Managing Partner, ICT Control NV

2 Executive Education in Information Security Management Executive Education in IT Management SOLVAY.EDU/IT

3 Executive Master in IT Management Executive Programme in. CIO Practices. CIO Leadership. IT Business Agility. Enterprise and IT Architecture. IT Sourcing. IT Management Consulting Executive Education in IT Management SOLVAY.EDU/IT

4 Executive Master in Information Risk and Cybersecurity Executive Programme in. Security Governance. Information Security. Cybersecurity Executive Education in Information Security Management SOLVAY.EDU/IT

5 Lectured tracks and modules Copyright ICTC.EU 2017 S track Info Security G track IT Governance M track IT Management B track Business Agility A track Activating skills S1 Information Security Management G1 The CIO Foundation M1 Applications Build and Management B1 Enterprise Strategy and Architecture A1 IT Finance and Portfolio Management S2 IT Security Practices G2 IT Governance Workshop M2 IT Services and Run Management B2 Business Transformation A2 Soft Skills for IT professionals S3 Cybersecurity Workshop G3 IT Risk and Legal concerns M3 IT Sourcing Management B3 Digital Agility and Innovation A3 Building Expert Opinion Monday Thursday Wednesday Tuesday Monday 2014 ictc.eu 2017 Georges Ataya

6 PROGRAMME IN EUROPEAN DATA PROTECTION Leading to certified DPO Solvay.edu/gdpr 6

7 European Program in Data Protection Next edition starting on March 22 Solvay.edu/gdpr

8

9 Awareness Campaigns 2017 Georges Ataya

10 Free membership for DPO and GDPR professionals Dpocircle.eu.COM

11 PROGRAM IN EUROPEAN DATA PROTECTION (GDPR) SOLVAY.EDU/GDPR Legal and Management Requirements Risk and Impact Assessment Compliance Transformation Information Security and Privacy Response and Breach Management Define Data Protection objectives and scope Identify the gap in reaching defined protection targets Manage compliance Related transformation Protect and secure architectural components Prepare, React and notify when needed

12 .COM Actively looking for GDPR experts

13

14 13 ICT juillet Control 2015 SA Publications Georges Ataya

15 Digital transformation is the profound and accelerating transformation of business activities, processes, competencies and models to fully leverage the changes and opportunities of digital technologies and their impact across society in a strategic and prioritized way, with present and future shifts in mind. 15

16 Focus of IT activities and orientations Infrastructure Application Management Digital Transformation Copyright 2014 Georges Ataya

17 Digitization will change the traditional retail-banking business model, in some cases radically. The bad news is that change is coming whether or not banks are ready. Source: The rise of the digital bank By Tunde Olanrewaju, Principal in McKinsey s London office

18 Georges Ataya

19 Source: Leading Digital: Turning Technology into Business Transformation, George Westerman, Didier Bonnet & Andrew McAfee, Harvard Business, Review Press, October

20 Why should we care? 2017 Georges Ataya

21 Georges Ataya

22 Sources of external threat Intelligence Agencies Criminal Groups Terrorist Groups Activist Groups Armed Forces 22

23 Regulatory context 23

24 Business Process Information Services Applications Infrastructure

25 Enterprise Security Architecture (cont.) Business processes Information Services Applications Infrastructure Georges Ataya

26 Processus Métier Processus Métier Information Information Services Applications Transformation projects Evolution projects Services Applications Infrastructure Current Infrastructure Future

27

28 Levels of security IT Security Security mangement Security program objectives Specific projects Security operations Information Security Essential assets Risks Mitigation Planning Business as usual/run General Security Physical security Safety Fraud, compliancy, etc. * Security aspects Georges Ataya

29 Cybersecurity processes IDENTIFY PROTECT DETECT RESPOND RECOVER 2015 ICTC.EU 29

30 Cybersecurity processes Functions Develop and implement IDENTIFY PROTECT DETECT RESPOND RECOVER 30

31 Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and DETECT the potential impact of events is understood ICTC.EU DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.AE-5: Incident alert thresholds are established COBIT 5 APO12.06 ISA : NIST SP Rev. 4 IR-4, IR-5, IR-8 The need for good business practices Georges Ataya

32 ISO 27002:2013 control blocks Georges Ataya

33 Bottom-up approach using the SANS CIS top 20 security controls CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for fffhardware and Software CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports CSC 10: Data Recovery Capability Eliminate the vast majority of organization's vulnerabilities CSC 11: Secure Configurations for Network Devices CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises The SANS CIS top 20 security controls are based on most frequent recurring finding about security weaknesses in organizations. Implementing those controls is always regarded as good practice from a bottom-up perspective Georges Ataya

34 Georges Ataya The Ten Most Critical Web Application Security Risks the free and open software security community Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

35 Enablers 2017 Georges Ataya

36

37 Georges Ataya Building adequate lines of defense source

38 Georges Ataya A MANAGER FOR CYBER SECURITY INCIDENT MANAGEMENT Information Security Governance Information Risk Management & Compliance Information Security Program Development & Management Information Security Incident Management

39 Georges Ataya Career Summary Expertise Summary Education/ Certification Professor and Academic Director (SBS-EM) Managing Director ICT Control advisory firm Past International Vice President at ISACA Past Partner Ernst & Young Past Deputy International CIO ITT World Directories Previously Project Manager and Senior IT Auditor IT Governance (development of Cobit 4 and COBIT 5) IT Governance and Value governance (co-author VALIT and supervision CGEIT BOK) Information Security Management (Co-author CISM Body of Knowledge) IT Audit and Governance Information security and risk Strategy and Enterprise Architecture and IT Sourcing Master in Computer Science (faculty of Sciences ULB) Postgraduate in Management (Solvay Brussels School ULB) Certified Information Systems Auditor (CISA); Certified Information security Manager (CISM); Certified in Risk and control (CRISC); Certified Information Systems Security Professional (CISSP); Certified in Governance of Enterptise IT (CGEIT) gataya@solvay.edu ataya.info be.linkedin.com/in/ataya