Move & More. Challenges for Information Security. Hansjörg Kalcher (CISO) OMV Aktiengesellschaft. FH St. Pölten, Jänner 2013

Similar documents
01.0 Policy Responsibilities and Oversight

Manchester Metropolitan University Information Security Strategy

_isms_27001_fnd_en_sample_set01_v2, Group A

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Security and Privacy Governance Program Guidelines

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

Session ID: CISO-W22 Session Classification: General Interest

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

The Common Controls Framework BY ADOBE

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Security and Architecture SUZANNE GRAHAM

HCPC's Risk Assurance Part 1

GDPR Update and ENISA guidelines

BHConsulting. Your trusted cybersecurity partner

Oracle Data Cloud ( ODC ) Inbound Security Policies

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

C106: DEMO OF THE INFORMATION SECURITY MANAGEMENT SYSTEM - ISO: 27001:2005 AWARENESS TRAINING PRESENTATION KIT

Sirius Security Overview

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

QSEC - ISMS and GRC according to international standards and methods WMC GmbH / short presentation QSEC Suiten / Werner Wüpper

locuz.com SOC Services

Effective Strategies for Managing Cybersecurity Risks

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Watson Developer Cloud Security Overview

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

QSEC - ISMS and GRC according to international standards and methods WMC GmbH / short presentation QSEC Suiten / Werner Wüpper

Access to University Data Policy

ITG. Information Security Management System Manual

POSITION DESCRIPTION

A company built on security

Cloud First Policy General Directorate of Governance and Operations Version April 2017

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Google Cloud & the General Data Protection Regulation (GDPR)

POSITION DESCRIPTION

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Healthcare Security Success Story

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

SECURITY & PRIVACY DOCUMENTATION

Protecting your data. EY s approach to data privacy and information security

ISE North America Leadership Summit and Awards

April Appendix 3. IA System Security. Sida 1 (8)

EU General Data Protection Regulation (GDPR) Achieving compliance

Compliance: How to Manage (Lame) Audit Recommendations

ROLE DESCRIPTION IT SPECIALIST

IT Governance Framework at KIT

Certified Information Systems Auditor (CISA)

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

Position Description IT Auditor

BHConsulting. Your trusted cybersecurity partner

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

Certified Information Security Manager (CISM) Course Overview

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

CYBER SECURITY AIR TRANSPORT IT SUMMIT

CISO as Change Agent: Getting to Yes

Global Security Consulting Services, compliancy and risk asessment services

WELCOME ISO/IEC 27001:2017 Information Briefing

ISE Canada Executive Forum and Awards

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Ingram Micro Cyber Security Portfolio

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IT risks and controls

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

NCSF Foundation Certification

Information Security Management System

Information Security Governance and IT Governance

Altius IT Policy Collection Compliance and Standards Matrix

Apex Information Security Policy

Introduction to ISO/IEC 27001:2005

Cyber Security Program

<Document Title> INFORMATION SECURITY POLICY

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

Welcome ControlCase Conference. Kishor Vaswani, CEO

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Designing and Building a Cybersecurity Program

QuickBooks Online Security White Paper July 2017

Altius IT Policy Collection Compliance and Standards Matrix

Level Access Information Security Policy

Automating the Top 20 CIS Critical Security Controls

INFORMATION SECURITY GOVERNANCE, RISK & COMPLIANCE CLOUD CONSULTING SERVICES CIO & CISO SERVICES. forebrook

SECURITY SERVICES SECURITY

Your Trusted Partner in Europe European Business Reliance Centre

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Bringing Cybersecurity to the Boardroom Bret Arsenault

Security Metrics Framework

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

CCISO Blueprint v1. EC-Council

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Transcription:

OMV Aktiengesellschaft Challenges for Information Security Hansjörg Kalcher (CISO) FH St. Pölten, Jänner 2013 Sec_rity is not complete without U! Move & More.

OMV GROUP, ORGANIZATION DISCIPLINES AWARENESS 2 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Business areas within OMV Group Refining & Marketing Exploration & Production Gas & Power Global Solutions an integrated Competence Center within OMV ~ 30 000 employees; ~ 2.100 server; ~ 18.000 clients 3 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Refining & Marketing activities (R&M) Poland 405 215 BAYERNOIL Burghausen Schwechat 541 93 Ukraine 2.528 1 97 102 AT 174 665 1 56 26 59 Arpechim Petrobrazi 95 Turkey ~3.400 2 4 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Exploration & Production activities (E&P) 5 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Corporate Information Security where are we? OMV Executive board CTO CIO Global Solutions Business Partner Corp. /Solution R&M E&P G&P Portfolio Management, IT budgets & cost control IT Strategy & Architecture Information / CISO IT Security, policies, Hansjörg methods, KALCHER standards Alexandru HRITCU Jan SCHUBERT Oliver TURIN Georg WITZACK ISO GS Infrastructure Stefan LEHRNER 6 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013 Corporate "Information Security & Standards Team

OMV GROUP, ORGANIZATION DISCIPLINES AWARENESS 7 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Information Security - Department personnel and responsibilities Key responsibilities: ISMS (manage the enterprise's information security organization) Selective involvement in any key area Communication to CIO, Head of Departments, Stakeholder (Legal, Security, CIA, etc..) Information Security CISO Global Solutions Risk Mgmt Info Sec Manager ISMS Info Sec Manager Policy & Standards Info Sec Manager IT Security Info Sec Manager Global Solutions Info Sec Manager Key responsibilities: Information Security Risk Management (Based on Availability, Confidentiality, Integrity, Legal Compliance) BIA Analysis Service Quality Checks Tracking implementation of defined initiatives Key Key responsibilities: responsibilities: IT Security Projects i.e. ISO Certification, access Mgmt & Technical requirements (focus on confidential data), Encryption Set Up Evaluation to be addressed! (focus PKI) IT Security Audits i.e. NF-admin reduction to a minimum, VPN reduction, penetration tests/health check, Controls to be checked! Key responsibilities: Policy Methods & Standards *) Information Security Awareness (Virtual Training, welcome package training, awareness training on request (Safety Hour, etc ), updates on existing Information Security News (Portal), updates on Training Materials) Key responsibilities: Technical & permanent auditing Technical IT Security support Information Security Mailbox with Information Security approval Trouble Tickets for Information Security RADAR Checklist approval Key responsibilities: execution/gatekeeping of IT Security projects within IT Delivery IT Infrastructure requirement specifications for IT Sec alignment of Information Security topics in all infrastructure departments (ISO 27001)and build up strong link to Corporate Information Security Quality assurance for IS Control Point Controls 8 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Information Security Way forward making sure the information keeps confidential upright and available Doing the right things : Approach Information Risk Management : Reducing the risks based on business needs 9 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Risk Management Safeguarding information according to its protection requirements 2012 2013 2014 RISK MANAGEMENT Facts & Figures 2012: 7000 IT technical audits done; 45 Risk Assessments for critical IT Services done 600 measures addressed 150 BIA awareness sessions top management done; 160 detailed BIA interviews done Risk Management Focus 2013 (central computing) MANAGEMENT SYSTEM Business Impact Analysis corporate strategy Level 1 RISK POLICY risk policy, target value POLICY & STANDARDS TECHNICAL INFO SEC Risk Analysis Risk Management Measure Implementation process and information owner state of the art, standards, best practices risk policy, actual state, strategic change actual state, technological and operative change technology, organisation, law, budget, resources, appointments Level 2 BUSINESS IMPACT Level 3 RISK ANALYSIS Level 4 and 5 RISK MANAGEMENT strategic operative Level 6 IMPLEMENTATION protection requirement for information and applications based on supported business processes risk tree structure, risk actual value target-actual deviation GAP analysis package of measures measure prioritisation cost projection and investment plan immediate measures implementation projects 10 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Examples of areas with highest risk 11 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Management System Safeguarding information according to its protection requirements 2012 2013 2014 RISK MANAGEMENT Management System Focus 2013 (central computing) MANAGEMENT SYSTEM POLICY & STANDARDS TECHNICAL INFO SEC Plan Do Check Act steering and quality assurance ISO 27001 annual certification support Information Security Awareness increase - Portal - Trainings - Info Screens - Newsletter - Promotion virtual training - Exhibition booth (high level topics, Live Demos, non-technical focus, private focus, etc..) Networking with security relevant organisations (BKA, CERT, AkSiGo, Sec Researchers, Engergy Sector Companies 12 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Policy Methods & Standards Safeguarding information according to its protection requirements 2012 2013 2014 RISK MANAGEMENT Policy Methods & Standards Focus 2013 (central computing) MANAGEMENT SYSTEM POLICY & STANDARDS TECHNICAL INFO SEC Standards: Revamping and consolidation of existing IT and security standards in functional alignment with new IT strategy (at present 47 standards to be revised); PCI Assessment: Ensuring successful Payment Card Industry Data Security Standard (PCI DSS) IS Training: Enhancing the Virtual Training Platform regarding both function and content AD-Hoch measures: Responding to short-term emerging legal or business requirements by releasing corresponding regulatory documents (i.e. work instructions) 13 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Policy Methods & Standards Examples Defining group wide, high level Standards for Information Security Standards (Examples) Working instructions (Examples) 14 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Policy Methods & Standards Best practise Transferring the code of practice from ISO 27k into standardisational guidelines based on a feasible approach by considering business needs and general workability aspects ISO 27002 CODE OF PRACTICE - GIVEN TOPICS OMV CLIENT DEVICE MANAGEMENT STANDARD CONSISTING OF 2 PARTS: Acceptable Use of IT Client Devices Asset Management Classified Information Handling Client Device Security Management IT Security Awareness Malware Protection Management Password Management.. Procedural Standard Technical Standard Covering the procedural settings as required by ISO on high level for the entire OMV client device landscape, including configurationally settings as well as acceptable use. covering the technical standard setup of specific devices, in example for Blackberry devices, Notebooks etc. 15 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Technical Information Security Safeguarding information according to its protection requirements 2011 2012 2013 RISK MANAGEMENT Technical Information Security Focus 2013 (central computing) MANAGEMENT SYSTEM POLICY & STANDARDS TECHNICAL INFO SEC Project support and implementation e.g.: - Mobile Device Management - Win7 Bit Locker - Unified Access Gateway - Identity & Access Management System - Web Application Firewall - MS Direct Access - Global Vulnerability Management- Reporting and auditing mechanism Organisational interaction with OGS to be enhanced 16 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security by the PDCA cycle Safeguarding information according to its protection requirements 2011 2012 2013 MANAGEMENT SYSTEM RISK MANAGEMENT POLICY & STANDARDS TECHNICAL INFO SEC RISK MANAGEMENT MANAGEMENT SYSTEM Information- Security POLICY & STANDARDS TECHNICAL INFO SEC MANAGEMENT SYSTEM RISK MANAGEMENT TECHNICAL INFO SEC POLICY & STANDARDS 17 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

OMV GROUP, ORGANIZATION DISCIPLINES AWARENESS 18 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Awareness within OMV Group 19 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Awareness with a virtual training Creating Awareness by empowering the Virtual Training Platform http://vtc.omv.com Interactive course about Information Security, available in the Intranet Possibility to get a certificate Intended to integrate the virtual training mandatorily in the personal performance and development cycle (PDS) 20 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Information Security is more than just IT Security 21 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Information Security Day 2012 22 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Ensure Information Security Safeguarding information according to its protection requirements IT and non-it here was a story about 4 people named Everybody, Somebody, Anybody and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Now when Somebody got angry about that, because it was Everybody s job, Everybody thought Anybody could do it, but Nobody realized that Everybody would not do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done! Sec_rity is not complete without U! 23 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Finally THANK YOU FOR YOUR ATTENTION! OR IN THE WORDS OF A MAGPIE: 24 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

Questions? 25 OMV Aktiengesellschaft / Information Security / Kalcher Hansjörg, 01/2013

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback