Cybersecurity Session IIA Conference 2018


www.pwc.com/me Cybersecurity Session IIA Conference 2018

Wael Fattouh Partner PwC Cybersecurity and Technology Risk PwC 2

"There are only two types of companies: those that have been hacked, and those that will be." Robert Mueller, FBI Director, 2012

What comes to mind when we think of cyber security?


But can firewalls, anti-virus software and a well-designed network architecture protect you against threats arising from recent IT trends?

Trends of 2018: fintech, Internet of Things, self-driving cars, smart cities, facial recognition, bots, operational technology, drones.

Dyn was attacked by 100,000 hacked devices; the attack strength was estimated at 1.2 Tbps, and it brought down Twitter, the Guardian, Netflix and Reddit. Punjab National Bank announced earlier this week that it had been the victim of a $2 M hack.

So what do you think?

Still think this could protect you? Nowadays security looks more like this:

[Slide 11: capability-maturity dashboard; the chart image itself is not recoverable from the transcription. Legend: Fully Implemented / Partially in Place / Not in Place / Currently Implementing / Not Applicable; recommended FTE; tools with staff who have received formal training; tools with defined roles and responsibilities.]
Capability areas shown on the chart:
- Asset Management: asset inventory, asset classification, asset discovery, device access control
- Cyber Security Operations: logging and monitoring, log repository, aggregation/correlation engine, dashboards, reporting engine, forensic analysis, network monitoring
- Identity and Access Management: user provisioning, privileged identity management, privileged access management, privileged access governance, access certification, password management, web access management, user access control, access governance, identity federation, multi-factor authentication
- Patch Management: application, Windows OS, Linux OS and firmware patching; security patch identification/prioritization, scanning and tracking; configuration exception tracking
- Cyber Defense Management (TVM): vulnerability scanning, penetration testing, database security, data loss prevention
- Governance, Risk and Compliance: risk management, compliance management, vendor risk management, remediation management, audit management, change management
- Application Security: security in the SDLC, dynamic application testing, source code testing, mobile application testing, hardened software libraries, defect management
- Analytics: security analytics; metrics, dashboards and reporting
- System Management: anti-virus/malware, indicators of compromise, file integrity monitoring, endpoint protection, device configuration monitoring
- Staffing: training, roles and responsibilities
Side notes on the slide: "It's a strategy"; "Having the right resources to manage technology"; "The ability to quantify technological capabilities"; "It's your blueprint".
Why has cyber security become so complicated and expensive? Because hacking has become so easy and cheap, and it's only getting easier.

Cybersecurity & privacy: a growing challenge. Forces acting on cybersecurity and privacy: economic, environmental, industry/competitors, regulatory, customers, suppliers, global consumers, service providers, legal, JV/partners, geo-political, technology, socio-political. *Source: PwC's 2016 Global State of Information Security Survey.

Who is attacking you? (ranging from opportunistic to targeted)
- Nation State. Motives/targets: trade secrets, sensitive business information, emerging technologies, critical infrastructure, public and government systems and services. Resources: enormous resources; focus on result rather than cost.
- Terrorists. Motives/targets: critical infrastructure. Resources: considerable amount of resources; potentially large network of supporters.
- Organized Crime. Motives/targets: financial/payment systems, personally identifiable information, payment card information, protected health information. Resources: a business driven by profit/loss.
- Vandals. Motives/targets: fame, reputation. Resources: minimal financial resources.
- Hacktivists. Motives/targets: corporate secrets, sensitive business information, information related to key executives, employees, customers and business partners. Resources: minimal financial resources.

So what can we do?

Know your role. The Board/Audit Committee and Senior Management sit above three lines of defense:
- 1st line of defense: functional and line management are responsible for operationalizing risk management and internal controls.
- 2nd line of defense: risk management and compliance functions are responsible for establishing and monitoring policies and standards.
- 3rd line of defense: internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance.
External audit and regulators can be placed in a fourth line of defense outside the organization. IA has the unique ability to effectively coordinate across the first and second lines!

Focus on adding value: be strategic; educate and inform; comprehensive risk coverage; trusted advisor; value add; relevant; relevant capabilities; dynamic plans; advisory reviews.

IT Risk, Cybersecurity & Privacy Audit Universe (examples)
- Change Management and Computer Operations: program/system change controls; SDLC and project management; pre-implementation reviews; data conversions or system migrations; capacity monitoring and management; outsourcing and vendor management; disaster recovery / business continuity.
- IT Cybersecurity and Technical Reviews: vulnerability assessment and penetration testing; security architecture; platform or OS security; database security; identity and access management; privileged access / break-glass controls; network security; remote access security; security patch management; threat and vulnerability management; data center physical security and environmental controls.
- Cyber Security / Cyber Threat and Incident Management: security and privacy breach / incident response.
- IT Governance: risk assessments; strategy; framework gap analysis; awareness training; review of policies and procedures; compliance; application control assessment; third party and vendor risk management; data inventory; continuous monitoring process.
- Data Privacy: data privacy and compliance with privacy laws/regulations; data governance; data loss prevention; M&A privacy due diligence and compliance; privacy training and awareness; privacy policy compliance; privacy by design projects and initiatives; privacy impact assessments.
- IT Security and Applications: application key controls; ERP systems (e.g. Oracle); segregation of duties; end user computing.

Build your Cyber Confidence
- Priorities: you can't secure everything.
- Risk: knowing is half the battle.
- Crisis: it's not if but when.
- Connections: their risk is your risk.
- Technology: fix the basics.
- People: people matter.

Cyber Conversations
- Engaging with the Leadership: obtaining leadership-level and executive-level support for security initiatives is imperative to maintain an effective security program.
- Third Party Vendors & Cloud Computing: while risks associated with third parties and cloud computing continue to increase, these conversations are becoming more critical to have.
- Insider Threats: organizations need to focus on the insider threat along with the cyber threat.
- Cyber Threat Intelligence: cyber security will have to integrate all threat intelligence sources in a state of perpetual analysis to enhance and safeguard the organization's operations.
- Incident Response Management: the organization needs to focus on creating a comprehensive Incident Response Management Program and conducting periodic cyber scenario testing.
- Threat & Vulnerability Management: there is a critical need to stay informed about the constantly changing threat environment.
- Privacy & Data Protection: plan and prepare in order to improve privacy management as it relates to employee and customer information.
- Big Data Analytics for Cybersecurity: the organization needs to learn to assess and mitigate the risks, along with using big data to enhance threat intelligence mechanisms.
- Mobility & Social Media: mobile devices, mobile applications, social media, and accelerated product life cycles are just the latest contributors to risk in any organization.
- Competitive Advantage: leverage security and privacy programs as market competitive advantages through the issuance of SOC 2 and other client-facing reports.

Final Thoughts
- You play a leading role in the risk conversation: be proactive and be strategic.
- Technology audit is not an assignment, it's a strategic part of your function; use it effectively.
- The growing technology needs of the organization mean a growing need for a technology-confident IA function.
- Ask the hard questions. You don't have to be an IT professional to have technology conversations.
- Be ready for a day when there is no distinction between technology and non-technology audits.

Questions and comments. Key contact: Wael Fattouh, Partner, Cybersecurity and IT Risk, PwC Middle East. Email: Wael.fattouh@pwc.com. Mobile: +966 547 533 883. 2016 PricewaterhouseCoopers. All rights reserved.