1 How to effectively mitigate Risks and ensure effective deployment of IoT using COBIT 5 best practices? CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT; Managing Director, Wincer Infotech Limited; Past Member, COBIT 5.0 Task Force, ISACA, USA. 21st Jan. 2018, Dubai
2 Some queries? Have you downloaded COBIT 5? Are you a current user of COBIT 5? Have you deployed IoT in your enterprise? If yes, in what way? What is your primary objective for attending this presentation?
3 Learning Objectives: Impact of the all-pervasive deployment of the Internet of Things (IoT) on the existing paradigm of risk, security, controls, assurance and governance. What solutions can IT professionals offer to ensure effective deployment of IoT from a strategic and holistic perspective? How can IT professionals (Risk, Security, Control, Compliance and Assurance) update their skills to provide effective IoT-enabled solutions that meet enterprise objectives? How to use the time-tested approach of global best practices and guides such as COBIT?
4 Agenda
1. COBIT 5: Eternal philosophy, Timeless Principles, Holistic Approach and Best Practices
2. Risk Management: Perennial need for enterprises of the digital era and integrated approach
3. Cybersecurity: Threats, Counter-measures, best practices and frameworks
4. IoT: Components, Risks and Benefits for enterprises of a fully connected digital world
5. Security Challenges of IoT-enabled Solutions for enterprises and professionals
6. How to integrate COBIT 5 best practices for effective deployment of IoT?
5 1. COBIT 5: Eternal philosophy, Timeless Principles, Holistic Approach and Best Practices 5
6 COBIT 5 (figure)
7 Some Tips for learning COBIT
Concepts & Practice; Practical Usage; Select & Customise; Actionable Insights
Tools not just Text
Application not just certification
Micro not just macro
Skills not just knowledge
Techniques not just content
Templates not just Principles
Specifics not just philosophy
Action not just decisions
8 COBIT Sutras of Success
Understand vocabulary
Understand processes, key flows and systems
Simple standard structure
Underlying logic and flow
Chunk it down to components
Get perspectives right to get insights right
9 COBIT 5 Principles 9
10 COBIT Enablers 2012 ISACA. All Rights Reserved.
11 COBIT 5 Process Reference Model 2012 ISACA. All Rights Reserved. 11
12 2. Risk Management: Perennial need for enterprises of digital era and integrated approach 12
13 Risk Management in COBIT 5 Source: COBIT 5, figure ISACA All rights reserved. 13
14 Risk Management in COBIT 5 (cont.)
All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
EDM03 Ensure risk optimisation ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).
15 3. Cybersecurity: Threats, Counter-measures, best-practices and frameworks 15
16 COBIT 5 for Information Security COBIT 5 for Information Security is an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective. Additional value for information security constituents is created through additional explanations, activities, processes and recommendations. The COBIT 5 for Information Security deliverable provides a view of information security governance and management that will provide security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise. 16
17 Understanding Business Domain: Business Processes; Regulatory requirements; Business Objectives; Organization Structure; Technology Deployed
18 Understanding Risk Cycle (figure): Risk, Security, Business Objectives, Assurance, Control
19 COBIT, Risks, Security and IoT (figure): COBIT Governance and Management Best Practices; Information Security and Cyber Security; Business Objectives of deploying IoT; Assurance; IoT Security
20 NIST Cybersecurity Framework
Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, the National Institute of Standards and Technology (NIST), February 12, 2014.
A response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity, of February 12, 2013.
Critical infrastructure: systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
A voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risks. The Framework is technology neutral.
21 Core: Cybersecurity Framework Component
Function | Guiding question | Categories (ID)
Identify | What processes and assets need protection? | Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM)
Protect | What safeguards are available? | Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)
Detect | What techniques can identify incidents? | Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
Respond | What techniques can contain impacts of incidents? | Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
Recover | What techniques can restore capabilities? | Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)
22 Core Cybersecurity Framework Component (cont.): the same five Functions and 22 Categories, drilled down to Subcategories and Informative References, shown here for Business Environment (ID.BE):
ID.BE-1: The organization's role in the supply chain is identified and communicated. Informative References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 (control numbers not captured in the transcription); NIST SP Rev. 4 CP-2, SA-12
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated. Informative References: COBIT 5 APO02.06, APO03.01; NIST SP Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. Informative References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA (reference not captured in the transcription); NIST SP Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established. Informative References: ISO/IEC 27001:2013 (control numbers not captured in the transcription); NIST SP Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established. Informative References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 (control numbers not captured in the transcription); NIST SP Rev. 4 CP-2, CP-11, SA (truncated)
24 Cyber Security Framework: 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implementation Action Plan
25 4. IOT: Components, Risks and Benefits for enterprises of fully connected digital world 25
26 What is IoT? (slide template: Information Security, Office of Budget and Finance, Education Partnership Solutions) The Internet of Things (IoT) is the network of physical objects (devices, vehicles, buildings and other items) embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.
27 Definition of IoT: The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The essence of IoT resides in the source of the data, which are the sensors. Those smart devices generate data about activities, events, and influencing factors that provide visibility into performance and support decision processes across a variety of industries and consumer channels.
28 What is included in IOT IoT includes anyone or anything carrying embedded software that enables interaction with other animate or inanimate objects across networks, including the Internet. Interaction entails sharing and processing information to influence decision-making and/or actions with or without human intervention. 28
29 Where is IoT? It's everywhere! Smart Appliances; Wearable Tech; Healthcare
30 Driving Forces of IoT
1. Sensor Technology: tiny, cheap, variety
2. Cheap Miniature Computers
3. Low Power Connectivity
4. Capable Mobile Devices
5. Power of the Cloud
31 1. Sensor Technology: Accelerometer (4 mm diameter); Force Sensor (0.1 N to 10 N); Pulse Sensor ($25)
32 2. Cheap Mini Computers. Key Parameters of the Lily Tiny (guess the price?): Flash: 8 Kbytes; Pin Count: 8; Max. Operating Freq: 20 MHz; CPU: 8-bit AVR; Max I/O Pins: 6; Ext Interrupts: 6; SPI: 1; I2C: (value not captured in the transcription)
33 3. Low Power Connectivity: Bluetooth Smart (4.0), up to 2 years on a single coin-cell battery
34 4. Capable Mobile Devices: Quad Core 1.5 GHz; 128 GB internal memory; 3 GB RAM; 16 MP camera; 2160p@30fps video; WiFi, GPS, BLE
35 5. Power of the Cloud
36 IoT: a network of converging networks (figure): Internet (IPv6); GPS; Mobility; Data matrix; ONS; Sensors; RFID tags & readers; ad hoc networks
37 Connectivity of IoT
38 ABCDs of IoT: Applications; Big Data Analytics; Connectivity and Communication; Devices that are smart! (Photos: Libelium, Google Image Search)
39 IoT Application Segments
40 IoT Evolution
42 Business Opportunities
Capability | Benefit
Monitor | Improved Performance
Control | Reduced Costs
Optimize | Create Innovative Products
Autonomous | New Revenue Streams
43 IoT Challenges: Fragmented industry; Security and Privacy of data; Managing vast amounts of data; Finding the right business model. (Copyright RIOT 2015 All Rights Reserved)
44 Key Challenges of deploying IoT: Integrating data from multiple sources; Automating the collection of data; Analyzing data to effectively identify actionable insights. Only by addressing all three can organizations turn raw data into information and actionable insights.
45 5. Security Challenges of IoT-enabled Solutions for enterprises and professionals 45
46 Does IoT add additional risks?
Are highly portable devices captured during vulnerability scans?
Where is your network perimeter?
Are consumer devices being used in areas like health care where reliability is critical?
Do users install device management software on other computers? Is that another attack vector?
47 Attacking IoT
Default, weak, and hardcoded credentials
Difficult to update firmware and OS
Lack of vendor support for repairing vulnerabilities
Vulnerable web interfaces (SQL injection, XSS)
Coding errors (buffer overflow)
Clear-text protocols and unnecessary open ports
DoS / DDoS
Physical theft and tampering
48 Threat vs. Opportunity: If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety. If understood and secured, IoT will enhance communications, lifestyle, and delivery of services.
49 Security Best Practices for IoT
Trust: Allow only designated people/services device or data access
Identity: Validate the identity of people, services, and things
Privacy: Ensure device, personal & sensitive data is kept private
Protection: Protect devices and users from harm
Safety: Provide safety for devices, infrastructure and people
Security: Maintain security of data, devices, people, etc.
50 6. How to integrate COBIT 5 best practices for effective deployment of IOT? 50
51 Technology Stack of IOT by IOT World Forum: reference model 51
52 IOT Jobs: what is the role we can play 52
53 Role of IT professionals in IoT
Be clear about what IoT is and where it manifests itself.
Consider the shift of control from people to code.
Understand the fusion of roles for engineers and IT professionals, the interdependency of those who create mechanical devices and those who program them to become smart devices.
Adapt to changing roles in response to IoT.
Manage the well-known cyber security skill deficit.
Balance the potential of innovation with safety.
Promote and enhance professional capability to advise, design, implement and support IoT.
Identify risk, apply proper security and provide assurance to realize positive outcomes and address the risk of unintended effects.
54 Tenets of Good IoT Governance
1. Build security and control by design from the start.
2. Test controls and look for vulnerabilities by creating and testing use cases and misuse cases.
3. Educate everyone that building security alongside functionality by design is essential for IoT.
4. Engage experienced IT security and assurance personnel who understand cyber and IoT potential, risk and benefits.
5. Replace the isolation of specialists working in silos with collaboration across specialties so that security professionals work alongside IT engineers, architects, data managers, developers and business experts.
55 Key issues of IoT
1. Understand that IoT relies on data and the use of data.
2. Understand the business environment (i.e., strategic and business objectives).
3. Confirm that key decision makers understand the business environment and supply-chain behavior.
4. Identify the client/customer at the end of the supply chain.
5. Require the enterprise to define IoT based on take-aways 1 to 4.
56 Understand how IoT works
1. Understand that each IoT device is a computer in its own right.
2. Understand that IoT tends to function as the automated equivalent of an end user.
3. Understand that IoT relies on and uses data.
4. Understand the purpose of sensors.
5. Recognize that data and sensors combine to make IoT a powerful and valuable resource.
6. Understand the relationship of hardware, firmware and software to IoT.
57 Understand how IoT works (cont.)
7. Understand how IoT interacts with big data, artificial intelligence, machine learning and the cloud.
8. Learn from relevant experts how IoT devices operate.
9. Understand how IoT devices work when they are connected to LANs/WANs/the Internet and how they work when not connected.
10. Recognize that IoT reflects a fusion of engineering and IT and that both disciplines must work together.
58 Understand how IoT is deployed
1. Determine whether the enterprise is a creator or consumer of IoT devices.
2. Clarify the strategic thinking behind the production and use of IoT. Does its production reflect market demand or technological push?
3. Determine if there is an inventory of IoT devices.
4. Identify where IoT devices exist.
5. Determine whether IoT interacts with clients/customers, and if so, how the interaction occurs.
6. Determine whether the enterprise understands the similarities and differences among health, safety and security.
59 IoT Security issues
Insufficient holistic knowledge and experience to judge risk
Lack of IoT technical experts
Insufficient understanding of interrelated technologies
Lack of IoT security specialists
Lack of optimal project-management skills
60 Issues and challenges of IoT for business and IT professionals
Lack of understanding of the basic attributes of IoT devices.
Management of basic IoT attributes is magnified in complexity by the vast number of components that each device can use.
Managing IoT devices alongside more conventional IT systems will be a challenge.
Lack of transparency into IoT devices' functionality, data and responses can make it difficult to determine correct management actions.
Any protection that controls offer at the time of the device's installation may become obsolete as the device receives, stores and transmits more data over time.
Gap not only between IoT development and security, but also between IoT engineering and security.
61 Risk in IoT
1. Understand that good, basic security is lacking in most off-the-shelf IoT devices.
2. Start with the risk assessments and methodology already in use and apply them to IoT devices, considering the following take-aways in this list.
3. Apply the ISACA nine questions that cover device use, access to data and risk management.
4. Avoid using IoT devices that have hardcoded, non-changeable passwords.
5. Change default passwords in IoT devices.
6. Maintain an asset inventory of all IoT devices.
7. Understand that devices featuring always-on network connectivity increase the likelihood of attack.
8. Monitor IoT behavior to distinguish normal from abnormal behaviors.
9. Be aware of and check for stealth IoT because it potentially undermines controls.
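The attack surface listed on the "Attacking IoT" slide and take-aways 4 to 7 and 9 above can be turned into a mechanical check against the asset inventory the deck asks for. The following script is an added example written for this page, not material from the presentation or from ISACA: the device records, the short default-credential list, the clear-text port mapping and the network-scan result are all constructed sample data, and the finding codes are this example's own naming.

```python
"""Added example (not from the presentation): triage an IoT asset inventory
against the take-aways above. Every device record, the default-credential
list and the network-scan result are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed: a handful of vendor defaults of the kind published in
# default-password lists. Not a real vendor database.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"),
                       ("root", "root"), ("user", "user")}

# Assumption: services on these ports carry credentials or data in clear text.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}


@dataclass
class Device:
    name: str
    mac: str
    username: str
    password: str
    password_changeable: bool   # False means the credential is hardcoded
    firmware_updatable: bool
    open_ports: Set[int]
    required_ports: Set[int]    # ports the device's business function needs
    always_on: bool


def assess_device(dev: Device) -> List[str]:
    """Return finding codes for one device; an empty list means no findings."""
    findings: List[str] = []
    if not dev.password_changeable:
        findings.append("HARDCODED_PASSWORD")            # take-away 4
    elif (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("DEFAULT_PASSWORD")              # take-away 5
    if not dev.firmware_updatable:
        findings.append("NO_FIRMWARE_UPDATE_PATH")
    for port in sorted(dev.open_ports & set(CLEARTEXT_PORTS)):
        findings.append(f"CLEARTEXT_{CLEARTEXT_PORTS[port].upper()}")
    for port in sorted(dev.open_ports - dev.required_ports):
        findings.append(f"UNNEEDED_PORT_{port}")
    if dev.always_on:
        findings.append("ALWAYS_ON_EXPOSURE")            # take-away 7
    return findings


def find_stealth_devices(inventory: List[Device], scan_macs: Set[str]) -> Set[str]:
    """Take-away 9: MAC addresses seen on the network but missing from the inventory."""
    known = {d.mac.lower() for d in inventory}
    return {m for m in scan_macs if m.lower() not in known}


# Constructed inventory (take-away 6) and a constructed layer-2 scan result.
INVENTORY = [
    Device("lobby-camera-01", "02:00:5e:10:00:01", "admin", "admin",
           True, True, {80, 443, 554}, {443, 554}, True),
    Device("hvac-controller", "02:00:5e:10:00:02", "svc", "Xk9!r2Lp",
           False, False, {23, 502}, {502}, True),
    Device("badge-reader-3f", "02:00:5e:10:00:03", "ops", "vG7#pQ2z!m",
           True, True, {8883}, {8883}, False),
]
SCAN_MACS = {"02:00:5e:10:00:01", "02:00:5e:10:00:02",
             "02:00:5e:10:00:03", "02:00:5e:10:00:99"}


def triage(inventory: List[Device] = INVENTORY,
           scan_macs: Set[str] = SCAN_MACS) -> Dict[str, List[str]]:
    """Findings per inventoried device, plus stealth devices under '<stealth>'."""
    report = {d.name: assess_device(d) for d in inventory}
    report["<stealth>"] = sorted(find_stealth_devices(inventory, scan_macs))
    return report


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

The hardcoded-password check deliberately takes precedence over the default-password check: a default you can change is a configuration finding, a default you cannot change is a procurement finding (take-away 4 says not to buy the device). In a real deployment the inventory would come from a CMDB export and the MAC set from a switch or DHCP lease dump rather than from constants.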
62 9 Questions: Practitioners should ask 62
63 How to perform IoT risk assessment
Think worst case scenario: Everything in and connected to IoT is, by default, available to all; everything needs protection from harm and every hacker who attempts to breach controls is a criminal.
Focus on impacts, not likelihoods: Cyberbreaches are a matter of when, not if. Emphasizing impact over likelihood will help spur development of all necessary proactive and reactive responses to threats.
Assess the impact of each malfunctioning device: Include its physical and virtual environments, the data it uses and produces and the expected range of actions taken by IoT in response to the data.
Categorize severity of impacts: Categories should include disastrous, disruptive and damaging.
For each category, identify scenarios: Scenarios help clarify risk and identify relevant controls and responses to reduce potential damage.
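The impact-first rule on this slide changes which scenarios float to the top compared with the usual likelihood-times-impact ranking, and the difference is easiest to see worked through. The following is an added example written for this page, not ISACA's or the presenter's method: the four hospital-campus scenarios, their 0 to 5 scores per impact dimension, the likelihood figures and the thresholds separating disastrous, disruptive and damaging are all constructed assumptions chosen to illustrate the slide's argument.

```python
"""Added example (not from the presentation): an impact-first IoT risk
assessment following the slide above. The scenarios, the 0..5 scores, the
likelihood figures and the category thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# The slide's impact dimensions: the device's physical and virtual
# environments, the data it uses and produces, and the actions IoT takes in
# response to that data. Each is scored 0 (none) to 5 (severe). Assumption.
DIMENSIONS = ("physical", "virtual", "data", "actions")


@dataclass
class Scenario:
    name: str
    impact: Dict[str, int]   # dimension -> 0..5
    likelihood: float        # 0..1; kept only to show what impact-first ignores


def impact_score(s: Scenario) -> int:
    """The worst single dimension drives severity: a device that can hurt a
    person is disastrous even if the data it leaks is trivial."""
    return max(s.impact.get(d, 0) for d in DIMENSIONS)


def categorize(s: Scenario) -> str:
    """Map a scenario onto the slide's three categories (thresholds assumed)."""
    score = impact_score(s)
    if score >= 5:
        return "disastrous"
    if score >= 3:
        return "disruptive"
    return "damaging"


def rank_by_impact(scenarios: List[Scenario]) -> List[Scenario]:
    """Impact-first ordering as the slide recommends: worst dimension, then total."""
    return sorted(scenarios,
                  key=lambda s: (impact_score(s), sum(s.impact.values())),
                  reverse=True)


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[Scenario]:
    """Conventional likelihood x impact ordering, for contrast."""
    return sorted(scenarios,
                  key=lambda s: s.likelihood * sum(s.impact.values()),
                  reverse=True)


# Constructed scenarios for a hospital campus deploying IoT.
SCENARIOS = [
    Scenario("Infusion pump dosing command altered",
             {"physical": 5, "virtual": 2, "data": 3, "actions": 5}, 0.02),
    Scenario("Smart-lock firmware rollback unlocks doors",
             {"physical": 4, "virtual": 3, "data": 1, "actions": 4}, 0.10),
    Scenario("Lobby camera stream exposed via default password",
             {"physical": 1, "virtual": 2, "data": 3, "actions": 1}, 0.60),
    Scenario("HVAC sensor reports stale readings",
             {"physical": 2, "virtual": 1, "data": 2, "actions": 2}, 0.40),
]


def assessment(scenarios: List[Scenario] = SCENARIOS) -> Dict[str, List[str]]:
    """Scenario names grouped under their severity category, worst first."""
    grouped: Dict[str, List[str]] = {"disastrous": [], "disruptive": [], "damaging": []}
    for s in rank_by_impact(scenarios):
        grouped[categorize(s)].append(s.name)
    return grouped


if __name__ == "__main__":
    for category, names in assessment().items():
        print(f"{category}: {names}")
    print("expected-loss order:",
          [s.name for s in rank_by_expected_loss(SCENARIOS)])
```

With these constructed numbers the infusion-pump scenario is the only "disastrous" item and heads the impact-first list, yet its low assumed likelihood pushes it to the bottom of the expected-loss ranking, behind the noisy but low-harm camera exposure. That inversion is exactly why the slide tells you to categorize by impact and then write scenarios and controls per category, rather than letting a likelihood estimate nobody can defend decide where the safety controls go.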
64 Good Governance Responses for IoT
1. Governance foundations are dedicated to enhancing good behavior and relationships among people. IoT creates a parallel universe of autonomous devices whose behavior and relationships need to be governed in a complementary way.
2. IoT requires more focus on ethics for ethical outcomes, which means more ethical policies, projects and processes.
3. Profits are the main outcome that markets seek, so good governance is necessary to rein in excesses that can harm the enterprise and society.
4. In the absence of legislation and common standards, an organizational IoT governance framework needs to be promoted.
5. COBIT 5 provides a useful framework to improve overall governance.
65 Applying COBIT 5 to Governance of IoT
1. Carry out and review IT risk assessments at a technical level and evaluate the impact on the business.
2. Apply and/or modify controls, the bulk of which will be privacy, security and safety controls.
3. Obtain assurance on an ongoing basis from executives and from external third parties.
4. Obtain and act on independent assurance from internal and external audit.
COBIT 5 offers tools that cover the governance of enterprise IT (GEIT), risk management, information security, audit and assurance and regulatory compliance.
67 Dos and Don ts of IOT 67
68 Tips for effective IoT deployment
Risk must be evaluated holistically to ensure that business value is maximised while risk is minimised.
Risk assessment has to be a collaborative effort among all stakeholders, including business teams, compliance, operations, information security, privacy and all other pertinent areas.
Identify the new, complex risks and problems.
Plan in advance and implement from a holistic and strategic perspective.
69 ISACA Whitepapers on IoT 69
70 Thank You.. Any Questions?
Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology It s a hot topic!! Executives are asking their CISOs a LOT of questions about it Issues are costly, from a financial and a reputational
More informationImproving Cybersecurity through the use of the Cybersecurity Framework
Improving Cybersecurity through the use of the Cybersecurity Framework March 11, 2015 Tom Conkle G2, Inc. Agenda Cybersecurity Framework Why it was created What is it Why it matters How do you use it 2
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCOURSE BROCHURE CISA TRAINING
COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationRethinking Information Security Risk Management CRM002
Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More information*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Introduction and Bio CyberSecurity Defined CyberSecurity Risks NIST CyberSecurity Framework References *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Chapter 3. Framework Implementation Relationship
More informationGeneral Framework for Secure IoT Systems
General Framework for Secure IoT Systems National center of Incident readiness and Strategy for Cybersecurity (NISC) Government of Japan August 26, 2016 1. General Framework Objective Internet of Things
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationAddressing the elephant in the operating room: a look at medical device security programs
Addressing the elephant in the operating room: a look at medical device security programs Ernst & Young LLP Presenters Michael Davis Healthcare Leader Baltimore +1 410 783 3740 michael.davis@ey.com Esther
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationDiscussion Draft of the Preliminary Cybersecurity Framework August 28, 2013
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical 4 infrastructure cybersecurity is
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationCloud Threat Defense. Cloud Security Buyer s Guide Based on the. NIST Cybersecurity Framework
Cloud Threat Defense Cloud Security Buyer s Guide Based on the NIST Cybersecurity Framework Overview 3 01 - Function: Identify 5 Asset Management Risk Assessment 5 6 02 - Function: Protect 7 Access Control
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationNIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation
NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation Automating Cybersecurity Framework Technical Controls with Tenable SecurityCenter Continuous View February
More informationNext Generation Policy & Compliance
Next Generation Policy & Compliance Mason Karrer, CISSP, CISA GRC Strategist - Policy and Compliance, RSA Core Competencies C33 2013 Fall Conference Sail to Success CRISC CGEIT CISM CISA Introductions...
More informationEUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE
EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE Overview all ICT Profile changes in title, summary, mission and from version 1 to version 2 Versions Version 1 Version 2 Role Profile
More informationDr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt
Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF2017 5 Dec 2017, Egypt Agenda Why? Threats Traditional security? What to secure?
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationOil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup
Oil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup 12/16/2016 Contents 1 Introduction... 3 2 Approach... 3 2.1 Relevant NIST Categories...
More informationMission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS
Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS Stephanie Poe, DNP, RN-BC CNIO, The Johns Hopkins Hospital and Health System Discussion Topics The Age of Acceleration Cyber
More informationSecurity and resilience in Information Society: the European approach
Security and resilience in Information Society: the European approach Andrea Servida Deputy Head of Unit European Commission DG INFSO-A3 Andrea.servida@ec.europa.eu What s s ahead: mobile ubiquitous environments
More informationCybersecurity in Government
Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018 Agenda Cyber Threats & Vulnerabilities Cyber
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationEXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.
EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT An Insight Cyber White Paper Copyright Insight Cyber 2018. All rights reserved. The Need for Expert Monitoring Digitization and external connectivity
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationMedical Device Cybersecurity: FDA Perspective
Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationEuropean Union Agency for Network and Information Security
Critical Information Infrastructure Protection in the EU Evangelos Ouzounis Head of Secure Infrastructure and Services Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European Union Agency
More informationTexas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13
Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas
More informationFDA & Medical Device Cybersecurity
FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US
More informationCybersecurity for Service Providers
Cybersecurity for Service Providers Alexandro Fernandez, CISSP, CISA, CISM, CEH, ECSA, ISO 27001LA, ISO 27001 LI, ITILv3, COBIT5 Security Advanced Services February 2018 There are two types of companies:
More informationstandards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices
standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org The big three in their own words ISO 27000: family of standards to help organizations
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationCritical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.
Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach. By Christopher Ganizani Banda ICT Development Manager Malawi Communications Regulatory Authority 24-26th July,2016 Khartoum,
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationCybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security
Cybersecurity What Companies are Doing & How to Evaluate Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security Learning Objectives At the end of this presentation, you will be able to: Explain the
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationCybersecurity. Securely enabling transformation and change
Cybersecurity Securely enabling transformation and change Contents... Cybersecurity overview Business drivers Cybersecurity strategy and roadmap Cybersecurity in practice CGI s cybersecurity offering Why
More informationRobert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group
Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity
More information