Compliance: How to Manage (Lame) Audit Recommendations

Similar documents
Certified Information Security Manager (CISM) Course Overview

Building a Resilient Security Posture for Effective Breach Prevention

Cybersecurity Auditing in an Unsecure World

locuz.com SOC Services

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Security Policies and Procedures Principles and Practices

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

The Deloitte-NASCIO Cybersecurity Study Insights from

Cybersecurity, safety and resilience - Airline perspective

Position Title: IT Security Specialist

INTELLIGENCE DRIVEN GRC FOR SECURITY

Introduction to ISO/IEC 27001:2005

Agenda. TÜV Secure it GmbH short introduction. Risk Analysis Case Study. Certification Procedure. w w w. t u v. c o m 2/ 18. TÜV Secure it GmbH 2003

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

01.0 Policy Responsibilities and Oversight

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Security and Architecture SUZANNE GRAHAM

CISM Certified Information Security Manager

Manchester Metropolitan University Information Security Strategy

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

CCISO Blueprint v1. EC-Council

Adaptive & Unified Approach to Risk Management and Compliance via CCF

IBM Security Vaš digitalni imuni sistem. Dejan Vuković Security BU Leader South East Europe IBM Security

ITG. Information Security Management System Manual

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Effective Strategies for Managing Cybersecurity Risks

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

A Practical Approach to Implement a Risk Based ISMS

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

_isms_27001_fnd_en_sample_set01_v2, Group A

IT123: SABSA Foundation Training

Frameworks and Standards

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

Security and Privacy Governance Program Guidelines

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cyber Security Program

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

ISO 27001:2013 certification

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Nebraska CERT Conference

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

A new approach to Cyber Security

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Continuous protection to reduce risk and maintain production availability

ISO/IEC Information technology Security techniques Code of practice for information security management

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

CISO as Change Agent: Getting to Yes

MEETING ISO STANDARDS

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Objectives of the Security Policy Project for the University of Cyprus

Information Technology General Control Review

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

BUILD YOUR CYBERSECURITY SKILLS WITH TRASYS INTERNATIONAL

Certified Cyber Security Specialist

SALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually

falanx Cyber ISO 27001: How and why your organisation should get certified

DEFINITIONS AND REFERENCES

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

CIRT: Requirements and implementation

Information Security Management System

Security Audit What Why

The Common Controls Framework BY ADOBE

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Critical Information Infrastructure Protection Law

Risk Advisory Academy Training Brochure

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

State of South Carolina Interim Security Assessment

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

Business continuity management and cyber resiliency

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Next Generation Policy & Compliance

John Snare Chair Standards Australia Committee IT/12/4

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

GDPR Update and ENISA guidelines

Fintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform

Cyber Security Stress Test SUMMARY REPORT

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Protect Your Organization from Cyber Attacks

FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY

Certified Information Systems Auditor (CISA)

Mohammad Shahadat Hossain

Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue

MITIGATE CYBER ATTACK RISK

Predstavenie štandardu ISO/IEC 27005

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Combating Cyber Risk in the Supply Chain

E-guide CISSP Prep: 4 Steps to Achieve Your Certification

IT risks and controls

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Transcription:

Compliance: How to Manage (Lame) Audit Recommendations Brian V. Cummings Tata Consultancy Services Ltd brian.cummings@tcs.com Tuesday, August 9, 2011 1:30 p.m. Session 9221

Security & Compliance Risk Landscape Presentation addresses the management of Audit recommendations from the perspective of the CISO Hacking, Phishing, Social Engineering Sophisticated, automated, stealthy Information warfare and competition is real and not confined to critical infrastructure. International and Inter-Enterprise Information Theft RISK Sophisticated, automated, and stealthy by organized crime, ad hoc criminals, corporate CyberX Activities enterprises, and international X = Crime, Terrorism, Warfare intelligence agencies with varying motivations, but all employing highly skilled hackers. Employees Loose lips and careless security behaviors Internal Fraud and Abuse Still acknowledged as the most prevalent and serious threat. Legal and regulatory action Privacy laws, regulations, sanctions, and penalties can jeopardize enterprise viability - 1 -

Security & Compliance Risk Landscape Hacking, Phishing, Social Engineering Sophisticated, automated, stealthy Information warfare and competition is real and not confined to critical infrastructure. International and Inter-Enterprise Information Theft RISK Internal Fraud and Abuse Still acknowledged as the most prevalent and serious threat. Sophisticated, automated, and stealthy by organized crime, ad hoc criminals, corporate enterprises, and international intelligence agencies with varying motivations, but all employing highly skilled hackers. CyberX Activities X = Crime, Terrorism, Warfare Employees Loose lips and careless security behaviors Legal and regulatory action Auditors Irrelevant, time-diluting recommendations Privacy laws, regulations, sanctions, and penalties can jeopardize enterprise viability - 2 -

What do you do? What can you do? If everyone in an entity is not pulling in the same direction, then you won t get to where you need to be as fast as you need to be there. Business Alignment Good Information Security Practices ISMS Certification Protection, Enablement, Compliance, Productivity - 3 -

What do you do? What can you do? If everyone in an entity is not pulling in the same direction, then you won t get to where you need to be as fast as you need to be there. Audit Comment to CISO: Make sure that all Ethernet ports are disabled if they are not in use to avoid unauthorized intrusion from the Intranet. Beleaguered CISO - 4 -

What is wrong with that Audit Recommedation? Is it addressed to the person who has the authority to do something about it? Is it addressed to the person who can implement and operationalize it? What is the real risk relative to other risks the entity may face? Is it consistent with the security objectives of the entity and the current plan and budget? Is it feasible (solutions, budget, resources)? - 5 -

- 6 - What about your Auditor?

What about your Auditor? Is your auditor a bully? Is your auditor knowledgeable? Is your auditor on the right page? What is your organization s attitude toward audit recommendations? - 7 -

How to manage (all of) your auditors InfoSec Framework Strategy Maturity Level InfoSec Roadmap Strategic Plan Tactical Plan Budget Risk Management Process Risk Assessment Risk Priorities Take charge and leverage the things you should be doing anyway to help manage your auditors - 8 -

How to manage (all of) your auditors InfoSec Framework Set/Lead Program Vision and Strategy InfoSec Roadmap Set/Lead InfoSec Planning Risk Management Program Subordinate decisions to a Risk Management process - 9 -

Information Security Framework Business Alignment Overall program strategy Target Maturity level Vision Visibility What resources, assets to you have? How important are they? What are the risks? Sustainability Accountability Policy Standards Procedures Automation Ownership? Funding? Implementer? Operator? Assurer? - 10 -

Enterprise Security Architecture Assess requirements/ components with ESA SEIM/ Forensics Assess and Categorize Systems CIA Information Classification Incident Management Change/ Release Management Monitor Security Controls Configuration Management Authorize System Security Life Cycle Security testing and scanning Select Security Controls Threat Management Implement Security Controls Key Blue- Security Life Cycle Green-ITIL/ Security Process Vulnerability Management Assess security controls Secure SDLC Orange -ESA - 11 - Compliance 11

InfoSec Roadmap - Strategic Program Domain Governance 2011 2012 2013 2014 2015 Compliance Networks Servers Desk Top Applications Multi-Year Planned Milestones Data/Database SIEM Insider Threat Physical & Environmental - 12 -

InfoSec Roadmap - Strategic Program Domain Governance Compliance Networks Servers Desk Top Applications Data/Database SIEM Insider Threat Physical & Environmental 1 2011 2012 2013 2014 2015 2 3 4 1 2 3 4 1 2 3 4 Or, if you can, plan by H1 H2 Year - 13 -

InfoSec Roadmap - Tactical 2011 2012 2013 Program Domain 1 2 3 4 1 2 3 4 1 2 3 4 H1 H2 Year Governance Compliance Networks Servers Desk Top Applications Data/Database SIEM For Current Year, planned and budgeted milestones, allowing for long term projects. Insider Threat Physical & Environmental - 14 -

Risk Management Program Requirements Business Legal / Contractual Security Asset Identification & Valuation Risk Assessment Threat & Vulnerability Assessment Selection of Controls (ISO 27001) Implementation of Controls Information Security Management System (ISMS) - 15 -

- 16 - Auditor Buy-In

Auditor Buy-In First Best Thing To Do Second Best Thing To Do Get Auditor Input and Approval Audit Briefing Paper - 17 -

Summary: Manage Your Auditors Establish a collaborative relationship Leverage your good practices (or establish same) Communicate frequently - 18 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback