Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA
|
|
- Alexia Patterson
- 5 years ago
- Views:
Transcription
1 Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 1
2 Cyber Risk Management Project Government University Industry Collaboration Monetary Authority of Singapore Cyber Security Agency Nanyang Technological University SCOR; Aon; MSIG; Lloyd s; TransRe; Geneva Association; Verizon Launched in /13/2018 ULaval 2
3 Traditional Insurance Risk Randomness Law of Large Numbers Diversify through risk transfer Cyber Risk Human Factors Hackers, fishing Strengthen defense reduces risk 04/13/2018 ULaval 3
4 Quantify Cyber Risk Reduction ad function of Security Spend Global cybersecurity spend $100b per annum For a firm, what is the benchmark security budget?how effective? How much risk is reduced? For the eco system, what coordination / policies are needed? This talk is based on my recent paper: Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 4
5 1. Concept of Knowledge Set 04/13/2018 ULaval 5
6 Attack surface knowledge set Knowledge Set is a relative concept: 1) WHO 2) What actually knows should know but not know Unknown unknown 1) How 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 6
7 Knowledge Set & Cyber Breach Probability Given knowledge set Ω, for a given budget z, the firm may select any possible mitigating action within budget. Define Ω Ω: =1. If zero security investment, the firm would have a probability one of being breached. <0, for z>0. 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 7
8 Security Spend Production Frontier 04/13/2018 ULaval 8
9 1) Exponential Power 2) Proportional Hazard Benchmark Spending & Risk Reduction Equation benchmark security budget spend ratio 1 1 3) Wang Transform ln =f(revenue) 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 9
10 Optimal Security Spending A firm s data asset to protect has value R For the Exponential Power and the Proportional Hazard Class, the optimal spending has an upper bound For the Wang Transform Class, the optimal spending has an upper bound 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 10
11 Invest: (1) y in data/information, (2) z in defense/response 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 11
12 04/13/2018 ULaval 12
13 Multiple Areas of Vulnerability data asset route 1 route 2 route 3 Need to secure the full spectrum of areas of vulnerability Neglecting one area of vulnerability can render the overall security investment ineffective or wasteful 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 13
14 Data Segmentation & Multiple Checkpoints ICT System (segments are seperated by firewalls) factor 1 factor 2 Data Asset Data Segment 1 Data Segment 2 Data Segment 3 $$$$$ $$$ $ Multi factor authentication very effective Need protect key ($$$$$) data assets with extra security measures 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 14
15 NIST Framework Function Category ID Asset Management ID.AM Business Environment ID.BE Identify Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Protect Information Protection Processes & Procedures PR.IP Maintenance PR.MA Protective Technology PR.PT Anomalies and Events DE.AE Detect Security Continuous Monitoring DE.CM Detection Processes DE.DP Response Planning RS.RP Communications RS.CO Respond Analysis RS.AN Mitigation RS.MI Improvements RS.IM Recovery Planning RC.RP Recover Improvements RC.IM Communications RC.CO 04/13/2018 ULaval Subcategory ID.BE 1: The organization s role in the supply chain is identified and communicated ID.BE 2: The organization s place in critical infrastructure and its industry sector is identified and communicated ID.BE 3: Priorities for organizational mission, objectives, and activities are established and communicated ID.BE 4: Dependencies and critical functions for delivery of critical services are established ID.BE 5: Resilience requirements to support delivery of critical services are established Informative References COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP 2, SA 12 COBIT 5 APO02.06, APO03.01 NIST SP Rev. 4 PM 8 COBIT 5 APO02.01, APO02.06, APO03.01 ISA : , NIST SP Rev. 4 PM 11, SA 14 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 CP 8, PE 9, PE 11, PM 8, SA 14 COBIT 5 DSS04.02 ISO/IEC 27001:2013 A , A , A , A NIST SP Rev. 4 CP 2, 15CP 11, SA 14 15
16 Apply our Knowledge Set to Quantify NIST Risk Management Framework 04/13/2018 ULaval 16
17 Growing size of known unknown? 04/13/2018 ULaval 17
18 In Search for Cost Effective Ways of Reducing Known Unknown SINGAPORE (12 Dec 2017) In a first for a government agency here, 300 white hat hackers will be invited to put the Ministry of Defence s public facing systems to the test, in order to expose vulnerabilities. The rewards will hinge on the number and quality of the vulnerabilities exposed, and are expected to cost significantly less than a commercial cyber security vulnerability assessment programme, which can cost up to S$1 million. In contrast, the new bug bounty initiative is estimated to cost around S$100,000, said Mr Koh, who also heads the CSA. Accessed from online mindef invites hackers to test public facing systems for vulnerabilities 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 18
19 2. Supply Chain Cyber Risk Propogation 04/13/2018 ULaval 19
20 Attack on Vendor Set Up Breach at Target The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malwarelaced phishing attack sent to employees at a Heating, ventilation, and air conditioning (HVAC) firm that did business with the nationwide retailer,... Accessed from attack on vendor set up breach at target/ 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 20
21 Supply chain Propagation Model Let, be the likelihood that a cyber breach into firm i will export to firm j,, (non symmetric) Matrix of propagation coefficients:,,,,,, 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 21
22 Cyber Breach Probability in a Supply Chain Let be security investments by the m firms. We consider only 1 step propagation firm j faces a combined cyber breach probability:, firm j s contributes to the eco system s expected cyber loss:, 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 22
23 Supply Chain Propagation: An Example Consider one large firm with eight small firm contractors Firm j (j=1,2,8) has a small value atrisk $4; firm 9 has a large value at risk $80. Assume that all small firms have an anchor points, $1 with, 0.3, (j=1,,8). The large firm has an anchor point, $5, with, 0.2. The propagation coefficients are, 0.1but, 0, for j=1,,8. firm 3 firm 2 firm 4 firm 1 Firm 9 large firm firm 5 firm 8 firm 6 firm 7 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 23
24 Optimal Security Spend: for the eco system vs. firm itself Standalone spending Eco system Spending j j 1 Small firm $ 1.31 $ % Large firm $10.09 $ % 1) Optimal spend by small firm need to increase +70% in a supply chain setting vs standalone (as compared to +13% for large firm) 2) However, small firms have no incentives to voluntarily do that! This is the problem! 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 24
25 Securing high risk, third party relationships ( 04/13/2018 ULaval 25
26 Knowledge Gap about Security Level of 3 rd Party Vendors 1) Large firms invest $$$$$ to their own cyber security, but are vulnerable to the lack of knowledge for the security level of their suppliers 2) To overcome such knowledge gap, large firms may require suppliers to provide cyber security rating 3) But how good (reliable) is the cybersecurity rating? [similarly how good are the security audits?] 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 26
27 3. Sharpness of Cyber Security Rating 04/13/2018 ULaval 27
28 Cyber Breach Probability in Sigmas 04/13/2018 ULaval 28
29 Gaussian Copula model for security level rating Assume estimated security level u and the true security level v, expressed in sigma values,, follow a bivariate Normal(0,1), with correlation Conditional on the true underlying sigma value, the estimated sigma value has a mean of and volatility of ρ. 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 29
30 Gaussian Copula {true vs observed sigmas} 04/13/2018 ULaval 30
31 For Supply Chain Security: Impose Penalty for Failing Security Rating Impose penalty K if the firm fails prescribed security rating level 1.65) sigma value. (e.g. The firm s total cost as function of security spend z : 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 31
32 Sharpness of Security Rating & Penalty Amount Effect on the Optimal Security Spend z by a firm Reliability of Rating No Penalty (K=$0) Penalty K=$10 Penalty K=$20 Optimal * Optimal * Optimal * 0.95 $6.5 $11.0 $ $6.5 $ 11.0 $ $6.5 $ 9.5 $ $6.5 $9.5 $ $6.5 $8.5 $ $6.5 $8.0 $ /13/2018 ULaval Shaun.Wang@ntu.edu.sg 32
33 We have just started Push the Actuarial Science Frontier: 1. Apply the Knowledge Set concept in Enterprise Risk Management 2. Assemble various sources of data to consumable Information 3. Design mechanisms to enhance resilience of a supply chain Push the insurance and risk management practice frontier: Integrate risk reduction and risk transfer services 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 33
34 Thank You! 04/13/2018 ULaval 34
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationCybersecurity Framework Manufacturing Profile
Cybersecurity Framework Manufacturing Profile Keith Stouffer Project Leader, Cybersecurity for Smart Manufacturing Systems Engineering Lab, NIST National Institute of Standards and Technology (NIST) NIST
More informationNIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology
NIST Cybersecurity Testbed for Transportation Systems CheeYee Tang Electronics Engineer National Institute of Standards and Technology National Institute of Standards and Technology (NIST) About NIST NIST
More informationAcalvio Deception and the NIST Cybersecurity Framework 1.1
Acalvio Deception and the NIST Cybersecurity Framework 1.1 June 2018 The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles
More informationOpportunities (a.k.a challenges) Interfaces Governance Security boundaries expanded Legacy systems New application Compliance
KY HEALTH & NIST CSF 1115 Waiver Involves legacy systems New development Interfaces between systems with and without sensitive information Changes the security boundaries Opportunities (a.k.a challenges)
More informationThe Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,
The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology 1 Speaker
More informationSecuring an IT. Governance, Risk. Management, and Audit
Securing an IT Organization through Governance, Risk Management, and Audit Ken Sigler Dr. James L. Rainey, III CRC Press Taylor & Francis Group Boca Raton London New York CRC Press Is an imprint cf the
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies
More informationNIST (NCF) & GDPR to Microsoft Technologies MAP
NIST (NCF) & GDPR to Microsoft Technologies MAP Digital Transformation Realized.TM IDENTIFY (ID) Asset Management (ID.AM) The data, personnel, devices, systems, and facilities that enable the organization
More informationCyber Information Sharing
Cyber Information Sharing Renault Ross CISSP, MCSE, CHSS, VCP5 Chief Cybersecurity Business Strategist Ian Schmertzler President Know Your Team Under Pressure Trust Your Eyes Know the Supply Chain Have
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 2 June, 2015 1 Lesson 2: Controls Factory Components Part 1: The Controls Factory Part 2:
More informationusing COBIT 5 best practices?
How to effectively mitigate Risks and ensure effective deployment of IOT using COBIT 5 best practices? CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT Managing Director, Wincer Infotech Limited Past Member, COBIT
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationMapping and Auditing Your DevOps Systems
Mapping and Auditing Your DevOps Systems David Cuthbertson, CEO Square Mile Systems Ltd david.cuthbertson@squaremilesystems.com www.squaremilesystems.com Personal Background Personal Experience Industry
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationTrack 4A: NIST Workshop
Track 4A: NIST Workshop National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) GridSecCon October 18, 2016 AGENDA TOPIC PRESENTER(S) DURATION NIST/NCCoE
More informationImproving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationNIST Cybersecurity Framework Based Written Information Security Program (WISP)
Cybersecurity Governance (GOV) Title 52.20 21 66A.622 GOV 1 Publishing Cybersecurity Policies & s ID.GV 1 500.02 500.03 66A.622(2)(d) GOV 2 Periodic Review & Update of Cybersecurity Documentation ID.GV
More informationHow to Align with the NIST Cybersecurity Framework
How to Align with the NIST Cybersecurity Framework 1 Title Table of Contents Identify (ID) 4 Protect (PR) 5 Detect (DE) 6 Respond (RS) 7 Recover (RC) 8 visibility detection control 2 SilentDefense Facilitates
More informationOil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup
Oil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup 12/16/2016 Contents 1 Introduction... 3 2 Approach... 3 2.1 Relevant NIST Categories...
More informationResponsible Care Security Code
Chemical Sector Guidance for Implementing the NIST Cybersecurity Framework and the ACC Responsible Care Security Code ACC Chemical Information Technology Council (ChemITC) January 2016 Legal and Copyright
More informationISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)
1 Information Security Program Policy 1.2 Management Direction for Information Security 5.1 1.2.8 1.2.1.1 Publishing An Information Security Policy 5.1.1 500.03 1.1.0 2.1.0-2.2.3 3.1.0-3.1.2 4.1.0-4.2.4
More informationSmart Grid Cybersecurity Committee. July 28, 2017
Smart Grid Cybersecurity Committee July 28, 2017 1 2017 Technical Program Smart Grid Cybersecurity Committee (SGCC) Working Group Meeting 2 Antitrust Guidelines for SEPA Meetings & Conferences The antitrust
More informationAssurance over Cybersecurity using COBIT 5
Assurance over Cybersecurity using COBIT 5 Special thanks to ISACA for supplying material for this presentation. Anthony Noble, VP IT Audit, Viacom Inc. Anthony.noble@viacom.com Disclamer The opinions
More informationCyber Bounty Hunter. Key capabilities of today s. Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist
Key capabilities of today s Cyber Bounty Hunter Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist Copyright 2016 Symantec Corporation 1 2 3 The Cyber Skills Gap
More informationThe CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can
The CIS Critical Security are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They
More informationIn support of this, the Coalition intends to host an event bringing together government and private sector leaders and experts to further discuss this
Coalition for Cybersecurity Policy & Law Coalition for Cybersecurity Policy & Law 600 Massachusetts Ave, NW, Washington, DC 20001 February 12, 2018 VIA EMAIL: counter_botnet@list.commerce.gov Evelyn L.
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationBonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology
Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology It s a hot topic!! Executives are asking their CISOs a LOT of questions about it Issues are costly, from a financial and a reputational
More informationCOMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationNIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation
NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation Automating Cybersecurity Framework Technical Controls with Tenable SecurityCenter Continuous View February
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationAppendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft
Appendix A Syllabus NIST Cybersecurity Foundation Syllabus Status: First Draft Version Status Sign off Date / Names V1.0.0 First Draft Content Group Lead Author: Mark E.S. Bernard Copyright 2018 Secure
More informationCyber Resilience. Think18. Felicity March IBM Corporation
Cyber Resilience Think18 Felicity March 1 2018 IBM Corporation Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity during and after a cyber attack
More informationCybersecurity Framework
Catherine Bruder Shareholder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Cybercrime Economic Impact Cybercrime is costing the global economy $575 billion and the
More information2014 Communications Sector Year in Review Cybersecurity Risk Management Framework. Sector Year in Review
2014 Communications Sector Year in Review Cybersecurity Risk Management Framework Sector Year in Review Kathryn Condello, Chair Communications Sector Coordinating Council Five Segments: Broadcast, Cable,
More informationDiscussion Draft of the Preliminary Cybersecurity Framework August 28, 2013
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical 4 infrastructure cybersecurity is
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationDear Mr. Games: Please see our submission attached. With kind regards, Aaron
From: Aaron P. Padilla Date: Mon, Apr 10, 2017 at 3:16 PM Subject: API Response to the Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity To: "cyberframework@nist.gov"
More informationCloud Threat Defense. Cloud Security Buyer s Guide Based on the. NIST Cybersecurity Framework
Cloud Threat Defense Cloud Security Buyer s Guide Based on the NIST Cybersecurity Framework Overview 3 01 - Function: Identify 5 Asset Management Risk Assessment 5 6 02 - Function: Protect 7 Access Control
More informationThink Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe
Think Oslo 2018 Where Technology Meets Humanity Oslo Felicity March Cyber Resilience - Europe Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity
More informationCyber. Paul Torres Director KPMG Cyber Practice. October 9, 2018 FOR TRAINING PURPOSE ONLY
Cyber Paul Torres Director KPMG Cyber Practice October 9, 2018 FOR TRAINING PURPOSE ONLY Agenda Cyber fundamentals Typical cybersecurity assessment Cyber Trends Internal audit role in cyber? Wrap up 2
More informationEBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS
EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS HOW SECURE IS YOUR VPN ACCESS? Remote access gateways such as VPNs and firewalls provide critical anywhere-anytime connections to the networks
More informationLESSONS LEARNED IN DEVELOPING CYBERSECURITY FRAMEWORK (CSF) PROFILES WITH INDUSTRY AND THE U.S. COAST GUARD (USCG)
UNCLASSIFIED The United States Coast Guard LESSONS LEARNED IN DEVELOPING CYBERSECURITY FRAMEWORK (CSF) PROFILES WITH INDUSTRY AND THE U.S. COAST GUARD (USCG) Homeland Security UNCLASSIFIED 1 Lessons Learned
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationHow to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model
How to Optimize Cyber Defenses through Risk-Based Governance Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model The Goal: Risk-Based Operationalization Incident Management IT/IS
More informationCybersecurity 201 THE NEXT STEP. Restaurant.org/Cybersecurity
Cybersecurity 201 THE NEXT STEP Restaurant.org/Cybersecurity About This Guide As a restaurant owner, you routinely safeguard things of value to your business. You put cash and receipts in a register or
More informationCYBER SECURITY TAILORED FOR BUSINESS SUCCESS
CYBER SECURITY TAILORED FOR BUSINESS SUCCESS KNOW THE ASIAN CYBER SECURITY LANDSCAPE As your organisation adopts digital transformation initiatives to accelerate your business ahead, understand the cyber
More informationDesigning and Building a Cybersecurity Program
Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity
More information*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Introduction and Bio CyberSecurity Defined CyberSecurity Risks NIST CyberSecurity Framework References *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Chapter 3. Framework Implementation Relationship
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationTinker & The Primes 2017 Innovating Together
Tinker & The Primes 2017 Innovating Together Protecting Controlled Unclassified Information Systems and Organizations Larry Findeiss Bid Assistance Coordinator Oklahoma s Procurement Technical Assistance
More informationBuilding a Resilient Security Posture for Effective Breach Prevention
SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationMust Have Items for Your Cybersecurity or IT Budget in 2018
Must Have Items for Your Cybersecurity or IT Budget in 2018 CBAO Regional Meeting Dan Desko (Senior Manager, IT Risk Advisory) Matt Dunn (Senior Security Analyst, IT Risk Advisory) Who is Schneider Downs?
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationCYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services
0 CYBER SECURITY WORKSHOP NOVEMBER 2, 2016 Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services VIDEO: CAN IT HAPPEN TO ME? 1 2 AGENDA CYBERSECURITY WHY SUCH A BIG DEAL? INFORMATION
More informationTo Audit Your IAM Program
Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com Introduction Stolen credentials are the bread and butter of today s hacker.
More informationCyber Attacks & Breaches It s not if, it s When
` Cyber Attacks & Breaches It s not if, it s When IMRI Team Aliso Viejo, CA Trusted Leader with Solution Oriented Results Since 1992 Data Center/Cloud Computing/Consolidation/Operations 15 facilities,
More informationRobert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group
Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity
More informationTHE CYBERSECURITY LITERACY CONFIDENCE GAP
CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks
More informationK12 Cybersecurity Roadmap
K12 Cybersecurity Roadmap Introduction Jason Brown, CISSP Chief Information Security Officer Merit Network, Inc jbrown@merit.edu @jasonbrown17 https://linkedin.com/in/jasonbrown17 2 Agenda 3 Why Use the
More informationLes joies et les peines de la transformation numérique
Les joies et les peines de la transformation numérique Georges Ataya CISA, CGEIT, CISA, CISSP, MSCS, PBA Professor, Solvay Brussels School of Economics and Management Academic Director, IT Management Education
More informationSecurity Leaders: Manage the Forest Not the Trees. Presented by: Adam Stone Secure Digital Solutions, LLC 15 March :50 pm
Security Leaders: Manage the Forest Not the Trees Presented by: Adam Stone Secure Digital Solutions, LLC 15 March 2018 2:50 pm Copyright 2018 Secure Digital Solutions, LLC All rights reserved. Your Facilitator
More informationInstitute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI
Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI #IIACHI WWW.FACEBOOK.COM/IIACHICAGO HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 1 CAE Communications and Common Audit Committee
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationHow will cyber risk management affect tomorrow's business?
How will cyber risk management affect tomorrow's business? The "integrated" path towards continuous improvement of information security Cyber Risk as a Balance Sheet Risk exposing Board and C-Levels 2018
More informationNIST Cybersecurity Framework Protect / Maintenance and Protective Technology
NIST Cybersecurity Framework Protect / Maintenance and Protective Technology Presenter Charles Ritchie CISSP, CISA, CISM, GSEC, GCED, GSNA, +6 Information Security Officer IT experience spanning two centuries
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationIntelligent Building and Cybersecurity 2016
Intelligent Building and Cybersecurity 2016 Landmark Research Executive Summary 2016, Continental Automated Buildings Association Presentation Contents 1. About CABA, Compass Intelligence & This Research
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationImproving Cybersecurity through the use of the Cybersecurity Framework
Improving Cybersecurity through the use of the Cybersecurity Framework March 11, 2015 Tom Conkle G2, Inc. Agenda Cybersecurity Framework Why it was created What is it Why it matters How do you use it 2
More informationBrussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security
Cyber Resiliency Minimizing the impact of breaches on business continuity Jean-Michel Lamby Associate Partner - IBM Security Brussels Think Brussels / Cyber Resiliency / Oct 4, 2018 / 2018 IBM Corporation
More informationDFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com
DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationCyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.
Cyber Security For Utilities Risks, Trends & Standards IEEE Toronto March 22, 2017 Doug Westlund Senior VP, AESI Inc. Agenda Cyber Security Risks for Utilities Trends & Recent Incidents in the Utility
More informationBusiness continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,
More informationChanging the Game: An HPR Approach to Cyber CRM007
Speakers: Changing the Game: An HPR Approach to Cyber CRM007 Michal Gnatek, Senior Vice President, Marsh & McLennan Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc. Learning Objectives At the end
More information2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along
2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management Today s Speakers Olivia Munro Senior Marketing Specialist Eze Castle Integration Bob Shaw Director, Technical Architecture Eze Castle
More informationHow Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity
How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity Why is the NIST framework important? GOH Seow Hiong Executive Director, Global Policy & Government Affairs, Asia Pacific
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationDeveloping a Model for Cyber Security Maturity Assessment
Developing a Model for Cyber Security Maturity Assessment Tariq Al-idrissi, Associate Vice President IT, Trent University Ian Thomson, Information Security Officer, Trent University June 20 th, 2018 (8:45am
More informationCybersecurity, safety and resilience - Airline perspective
Arab Civil Aviation Commission - ACAC/ICAO MID GNSS Workshop Cybersecurity, safety and resilience - Airline perspective Rabat, November, 2017 Presented by Adlen LOUKIL, Ph.D CEO, Resys-consultants Advisory,
More information2015 HFMA What Healthcare Can Learn from the Banking Industry
2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationDEFENSE LOGISTICS AGENCY
DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY Cyber Resilience Integration Mr. Linus Baker DLA Information Operations Director, Cybersecurity 1 Mission Assurance/Cybersecurity Concern
More informationCompliance Review. Practical cybersecurity for advisors: Real threats demand strong compliance. October 2014
Compliance Review Ongoing compliance updates for independent investment advisors October 2014 IN THIS ISSUE I. Introduction...1 II. Regulating cybersecurity...2 III. CFTC releases cybersecurity best practices
More informationRethinking Information Security Risk Management CRM002
Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design
More informationMitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment
Mitigating Risk with Ongoing Cybersecurity Risk Assessment Scott Moser CISO Caesars Entertainment CSO50 Presentation Caesars Entertainment Cybersecurity Risk Management Scott Moser Chief Information Security
More informationSecure Product Design Lifecycle for Connected Vehicles
Secure Product Design Lifecycle for Connected Vehicles Lisa Boran Vehicle Cybersecurity Manager, Ford Motor Company SAE J3061 Chair SAE/ISO Cybersecurity Engineering Chair AGENDA Cybersecurity Standards
More informationCybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security
Cybersecurity What Companies are Doing & How to Evaluate Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Learning Objectives At the end of this presentation, you will be able to: Explain the
More informationNavigate IT Security with a Framework as Your Guide
Navigate IT Security with a Framework as Your Guide October 7 th, 2016 Background George Lazarou 16 years security experience in various roles both technical and non-technical AT&T Labs Research, Army,
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationCybersecurity Today Avoid Becoming a News Headline
Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity
More information