Information Security Forum Hvad er nyt fra ISF?

Transcription

1 Information Security Forum Hvad er nyt fra ISF? v. Christian Kjær, ISF Chapter Agent Danmark Sikkerhed & Revision 7. September

2 Agenda Kort introduktion til Information Security Forum Hvad interesserer ISF s Medlemmer lige nu? Threat Horizon 2020 The leading, global authority on information security and information risk management 2

3 What is the ISF? An international association of ~450 leading global organisations, which... Addresses key issues in information risk management through research and collaboration Develops practical implementable tools and guidance Is an independent, not-for-profit organisation, driven & owned by its Members Facilitates networking within its membership The leading, global authority on information security and information risk management 3

4 By the Members For the Members All development of reports, tools and knowledge is driven by member requests and based on best practice of the Members: Forward working programme Member queries Solution development workshops All reports, tools and knowledge provided by the ISF are available for unrestricted use by anyone within a Member organisation: No limit on number of ISF Live users Share and promote Copy Paste (an acknowledgement is appreciated) Integrate into organisation s own standards, procedures and methods 4

5 What does the ISF deliver? ISF Live Webcasts Local Chapter meetings Nordic Spring Conference Annual World Congress Standard of Good Practice Benchmark IRAM2 ICS Security Programme Supplier Security Evaluation Embedding Security into Agile Dev t. Data Leakage Prevention Threat Intelligence: React and Prepare Securing Collaboration Platforms Securing Mobile Apps Aligning Information Risk Management with Operational Risk Management Protecting the Crown Jewels Security Architecture Application Security Framework Engaged Reporting: Fact and Fortitude Quantitative Techniques in info.risk analysis 5

6 Hvad interesserer ISF s Medlemmer lige nu? ISF Research in Development August 2018 Building Tomorrow s Security Workforce Q Delivering an Effective Cyber Security Exercise Q Establishing a Business-driven Security Assurance Programme Q Building a Successful Security Operations Centre Q GDPR Control Framework not started Cloud Security not started 6

7 THREAT HORIZON 2020 FOUNDATIONS START TO SHAKE 7

8 Methodology 8

9 Threat Horizon 2020: Three themes 9

10 Conflict looms Nation states and terrorist groups will increasingly weaponise the cyber domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. Organisations will suffer the collateral damage. 10

11 Cyber and physical attacks combine to shatter business resilience Physical and cyber attacks will be deployed simultaneously. These new forms of hybrid attacks will cause unprecedented damage. Implications: cities will become no-go zones; normal business will come to a halt. Key actions: 1. Update crisis management plans to cater for a wider range of extreme eventualities 2. Conduct scenario planning and training exercises to test business resilience 11

12 Technology outpaces controls Developments in smart technology will create new possibilities for organisations of all kinds but they will also create opportunities for attackers and adversaries by reducing the effectiveness of existing controls. 12

13 Quantum arms race undermines the digital economy The next generation of computer technology will be able to crack encryption in a matter of hours or minutes. Implications: information and transactions of all kinds will suddenly become vulnerable. Key actions: 1. Identify critical assets that could be targets 2. Invest in and be prepared to move to encryption methods that can withstand quantum computing for these assets 3. Understand the risk implications and ensure protection is in line with risk appetite The 10 biggest national markets for e-commerce sales,

14 Pressure skews judgement Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organisations will face losses from poor decision making. 14

15 New regulations increase the risk and compliance burden The number and complexity of new and forthcoming regulations will stretch compliance resources and mechanisms to breaking point. Implications: some regulations will increase the likelihood of an information breach; others will increase the impact. Key actions: 1. Communicate the need to balance compliance needs with business risk 2. Ensure board members and senior stakeholders are aware of their responsibilities 15

16 Where next? Aligning Cyber Security and Business Strategy 16

17 Using Threat Horizon: ISF Threat Radar Review threats in Threat Horizon reports and determine their applicability Identify additional threats Assess the potential impact and ability to manage each threat and plot accordingly on the radar Explain the threats to business leaders Determine how the threats can be addressed. 17

18 Requirements for security, privacy and risk professionals: Work with the business to: Consider the issues associated with storing and processing mission critical information assets in the context of the 2018 to 2020 threat landscape Re-assess the risks to your organisation and its information (identify roles and responsibilities) Revise cyber security arrangements Identify the roles, responsibilities and security processes that apply for new technology, e.g. IoT and RPA, etc. across the enterprise Define the cyber resilience approach for managing data to account for threat actors and enterprise risk profile include cross border movement of data and third parties! Focus on people Help organisation understand how the human firewall can be the strongest not weakest link in the security chain Build in accountability and oversight, from the boardroom down Prepare for the future Think Resilience not Security Conduct a high level examination of the varying legal requirements of different jurisdictions and implement a process for remaining current - help your organisation understand how to respond to regulators and data subjects 18

19 Questions? CHRISTIAN KJÆR ISF Chapter Agent - Denmark Christian.Kjaer@securityforum.org Christian.Kjaer@pwc.com Web: 19