Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Similar documents
Information Security Risk Strategies. By

CCISO Blueprint v1. EC-Council

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cybersecurity in Higher Ed

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Sirius Security Overview

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Cyber Risks in the Boardroom Conference

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Cybersecurity The Evolving Landscape

CYBER SECURITY AIR TRANSPORT IT SUMMIT

PROFESSIONAL SERVICES (Solution Brief)

DeMystifying Data Breaches and Information Security Compliance

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Security Awareness Compliance Requirements. Updated: 11 October, 2017

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Sage Data Security Services Directory

locuz.com SOC Services

Exploring Emerging Cyber Attest Requirements

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Risk Assessment: Key to a successful risk management program

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Cybersecurity Auditing in an Unsecure World

CISO as Change Agent: Getting to Yes

Emerging Issues: Cybersecurity. Directors College 2015

Altius IT Policy Collection Compliance and Standards Matrix

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

INTELLIGENCE DRIVEN GRC FOR SECURITY

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Altius IT Policy Collection Compliance and Standards Matrix

ITT Technical Institute. IT360 Networking Security I Onsite Course SYLLABUS

IS305 Managing Risk in Information Systems [Onsite and Online]

The Impact of Cybersecurity, Data Privacy and Social Media

Payment Card Compliance and Challenges

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

COPYRIGHTED MATERIAL. Index

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

The NIST Cybersecurity Framework

How to get the Enterprise to Understand the Value of Security

Framework for Improving Critical Infrastructure Cybersecurity

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

CISO View: Top 4 Major Imperatives for Enterprise Defense

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Is Your Compliance Strategy Putting Your Business at Risk?

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

QuickBooks Online Security White Paper July 2017

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

CACUBO Higher Education Accounting Workshop Top 10 Cyber Security Issues for Higher Education Business Managers. May 2017

NYDFS Cybersecurity Regulations

Why you should adopt the NIST Cybersecurity Framework

Balancing Between Risk and Compliance

Operational Network Security

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

Certified Information Security Manager (CISM) Course Overview

SOC for cybersecurity

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Automating the Top 20 CIS Critical Security Controls

Cover Slide. Third Party Risk and the Role of the Cyber Security/IT Risk Officer. Robert Satchmo Anderson

Security Breaches: How to Prepare and Respond

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

FISMA Cybersecurity Performance Metrics and Scoring

Cybersecurity It Matters to SMB

Background FAST FACTS

ISE North America Leadership Summit and Awards

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

Operations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ

CISM Certified Information Security Manager

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

TEL2813/IS2820 Security Management

Designing and Building a Cybersecurity Program

Cybersecurity Session IIA Conference 2018

Information Governance, the Next Evolution of Privacy and Security

CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

What is Penetration Testing?

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

ISACA Arizona May 2016 Chapter Meeting

Security Diagnostics for IAM

Data Compromise Notice Procedure Summary and Guide

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

What It Takes to be a CISO in 2017

Transcription:

Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld

What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice The most important issue is getting the senior leadership to support your vision

Fire Marshal vs Firefighters

Federal Government Focused Federal Information Security Management Act (FISMA) [Law] Risk Management Framework (RMF) for Department of Defense Information Technology (IT) [DoD cyber] Intelligence Community Directive (ICD) 503 [IC cyber] Federal Risk and Authorization Management Program [Cloud] North American Electric Reliability Corporation (NERC) [Energy] General Services Administration (GSA) / Office of Management and Budget (OMB) [Gov cyber] National Institute of Standards and Technology (NIST) [Guide] Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience [Framework]

Federal Financial Institutions Examination Council Cybersecurity Assessment Tool The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time Assessment is in two parts: Risk - Category: Technologies and Connections Total number of Internet service provider (ISP) connections (including branch connections) Risk Levels Least Minimal Moderate Significant Most No connections Minimal complexity (1 20 connections) Moderate complexity (21 100 connections) Significant complexity (101 200 connections) Substantial complexity (>200 connections) Controls - Maturity Levels Innovative Advanced Intermediate Evolving Baseline

Medical Health Insurance Portability and Accountability Act (HIPAA) Business Federal - Commercial Focused Payment Card Industry (PCI) [credit cards] Gramm Leach Bliley Act (GLBA) [financial institutions] Sarbanes Oxley Act (SOX) [public companies] Statement on Standards for Attestation Engagements (SSAE) 16 Service Organization Control (SOC)1 / 2 / 3

7 Motivations

Standards - Policies / Process / Audit Control Objectives for Information and related Technology (COBIT) by ISACA Factor Analysis of Information Risk (FAIR) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) by CMU CERT ADversary VIew Security Evaluation (ADVISE) by CMU CyLab Information Assurance Technical Framework (IATF) GTAG 15: Information Security Governance

Standards continued International Organization for Standardization (ISO) National Institute of Standards and Technology (NIST) IT Infrastructure Library (ITIL) [IT focused, light on security] Six Sigma [cost efficiencies] Capability Maturity Model Integration (CMMI) [process]

GRC Governance Policy / Controls (ie IDM) Vendors (connections) Risk Risk Appetite Compliance Law / Regulation Industry Standard General Framework / Standard

Three layers of defense The First Line of Defense: Line Management The Second Line of Defense: Functional / Support Management InfoSec Compliance Risk Register / Radar Self Identified The Third Line of Defense: Internal Audit

Adjacent Functions and Focus Areas Audit Privacy Fraud Loss Prevention Physical Security ediscovery Threat Intelligence Insider Threats Remediation Mergers and Acquisitions (M&A)

DevOps Change Control Documentation Testing Security Peer review Separation of Duties Two person dev teams

Identity Management / Access reviews Quarterly Access Reviews Automation Manager engagement HR engagement Network and Application security Tracking transfers within company Network vs Application access

Plan Prepare, Detect (pre internal, external not public, external public), Respond (contain and remove), Recover (remediate) Roles Leadership, CIO, CISO, Privacy Officer, Legal, Human Resources, Privacy, Risk and Audit Contracted external support PR, Forensics, Legal Determine triggers and thresholds Communications and use of Attorney Client Privilege Exercise Major Event Incident Response (Breach)

16 Techniques

Key Components of a Program Programmatics Strategy (Business, IT and Security) Threat profile Risk profile Special req like 10K cyber statements Metrics / Visualization

Impacts analysis Program Drivers Loss of Intellectual Property (IP) Loss to brand reputation Legal (fines / law suits) Impact of Legislation New reg or laws like PCI 3.1, NERC CIP 5 or NIST Security Framework

Management Drivers Organizational structure Review effectiveness and efficiencies of Information Security Organization Policies and Procedures Security monitoring and incident response plan Investigations (forensics and e-discovery) Business Continuity Plan / Disaster Recovery Plan For companies developing software software assurance process and tools

Leadership Drivers Organization issues Relationship between compliance, audit, privacy, fraud, security (physical and cyber) and business needs Culture of the organization Vulnerability Assessment & Penetration Test program Access management program Mobile device protection program Social Media management program Supply line issues identification

21 Who we are talking to determines what we talk about

Risk Radar / Register Risk Control based Tying it together Talk to resources and impacts Ensure leadership is equipped to make decisions about accepting risk

Impact Sample Risk Radar (based on control weakness) High 4 1 Control 1. Compliance 3 2 2. Training 3. Asset Man 4. SOC 5. Upgrade FW 6 6. Insider Threat 7 8 5 7. Policy Dev 8. Encryption 9. BC/DR 9 10 10. Pen Testing Under $50K Low Probability High $50K to $500K Over $500K

Spider Chart 24

Heat Map / Probability Chart

What's next Your job is to make sure leadership understands the risks and are equipped to make decision on where to accept it Build consensus on criteria, definition, impact ranking and visualization of risk. Implement a plan based on return on impact of risk mitigation

Questions = 42

28

Anatomy of an Attack Installing Backdoors SPAM Direct Attack Exploiting Privilege Elevation Social Engineering Gaining Access Scanning / Probing Foot Printing Denial of Service

STOP. THINK. CONNECT. STOP. Before you use the Internet, take time to understand the risks and learn how to spot potential problems. THINK. Take a moment to be certain the path is clear ahead. Watch for warning signs and consider how your actions online could impact your safety, or your family s. CONNECT. Enjoy the Internet with greater confidence, knowing you ve taken the right steps to safeguard yourself and your computer. Visit http://www.stopthinkconnect.org for more tips on safety online.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback