The joys and sorrows of digital transformation
Georges Ataya, CISA, CGEIT, CISSP, MSCS, PBA
Professor, Solvay Brussels School of Economics and Management; Academic Director, IT Management Education; Managing Partner, ICT Control NV
Executive Education in Information Security Management / Executive Education in IT Management (SOLVAY.EDU/IT)
Executive Master in IT Management. Executive Programmes in: CIO Practices; CIO Leadership; IT Business Agility; Enterprise and IT Architecture; IT Sourcing; IT Management Consulting.
Executive Master in Information Risk and Cybersecurity. Executive Programmes in: Security Governance; Information Security; Cybersecurity.
Lectured tracks and modules (Copyright ICTC.EU 2017)
S track, Info Security: S1 Information Security Management; S2 IT Security Practices; S3 Cybersecurity Workshop
G track, IT Governance: G1 The CIO Foundation; G2 IT Governance Workshop; G3 IT Risk and Legal Concerns
M track, IT Management: M1 Applications Build and Management; M2 IT Services and Run Management; M3 IT Sourcing Management
B track, Business Agility: B1 Enterprise Strategy and Architecture; B2 Business Transformation; B3 Digital Agility and Innovation
A track, Activating Skills: A1 IT Finance and Portfolio Management; A2 Soft Skills for IT Professionals; A3 Building Expert Opinion
Teaching days as listed on the slide: Monday, Thursday, Wednesday, Tuesday, Monday
2014 ictc.eu, 2017 Georges Ataya
PROGRAMME IN EUROPEAN DATA PROTECTION, leading to certified DPO (Solvay.edu/gdpr)
European Program in Data Protection: next edition starting on March 22 (Solvay.edu/gdpr)
www.cybersecuritycoalition.be
Awareness Campaigns
Free membership for DPO and GDPR professionals Dpocircle.eu.COM
PROGRAM IN EUROPEAN DATA PROTECTION (GDPR), SOLVAY.EDU/GDPR
Legal and Management Requirements: define data protection objectives and scope
Risk and Impact Assessment: identify the gap in reaching defined protection targets
Compliance Transformation: manage compliance-related transformation
Information Security and Privacy: protect and secure architectural components
Response and Breach Management: prepare, react and notify when needed
Actively looking for GDPR experts
ICT Control SA Publications (July 2015)
Digital transformation is the profound and accelerating transformation of business activities, processes, competencies and models to fully leverage the changes and opportunities of digital technologies and their impact across society in a strategic and prioritized way, with present and future shifts in mind.
Focus of IT activities and orientations: Infrastructure; Application Management; Digital Transformation (Copyright 2014 Georges Ataya)
"Digitization will change the traditional retail-banking business model, in some cases radically. The bad news is that change is coming whether or not banks are ready." Source: The rise of the digital bank, by Tunde Olanrewaju, Principal in McKinsey's London office
Source: Leading Digital: Turning Technology into Business Transformation, George Westerman, Didier Bonnet & Andrew McAfee, Harvard Business Review Press, October 2014
Why should we care?
Sources of external threat: intelligence agencies; criminal groups; terrorist groups; activist groups; armed forces
Regulatory context
Enterprise Security Architecture layers: Business Process; Information; Services; Applications; Infrastructure
Enterprise Security Architecture (cont.): the same layers (Business Process, Information, Services, Applications, Infrastructure) shown for the Current state and the Future state, linked by Transformation projects and Evolution projects
Levels of security
IT Security: security management; security program objectives; specific projects; security operations
Information Security: essential assets; risks; mitigation planning; business as usual / run
General Security: physical security; safety; fraud, compliance, etc.
* Security aspects
Cybersecurity processes: the functions to develop and implement are IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER (2015 ICTC.EU)
DETECT: Anomalies and Events (DE.AE): anomalous activity is detected in a timely manner and the potential impact of events is understood (2015 ICTC.EU). Subcategories DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4 and DE.AE-5: Incident alert thresholds are established. Informative references: COBIT 5 APO12.06; ISA 62443-2-1:2009 4.2.3.10; NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8.
The need for good business practices
ISO 27002:2013 control blocks
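DE.AE-5 is only satisfied when the threshold that turns an event into an alert is agreed, written down and actually applied to the logs. The following Python script is an added example (not part of the slide deck or of any ICTC material) showing one way to apply such a threshold: a sliding-window count of failed logins per source address over constructed sshd-style log lines. The log lines, IP addresses and the policy values (5 failures within 60 seconds) are all constructed for illustration and would be tuned per environment.

```python
"""Threshold-based alerting over constructed authentication log lines.

Added example for DE.AE-5 ("Incident alert thresholds are established"):
an event becomes an alert only when its count for one source crosses an
agreed threshold within a time window. Every log line, address and
threshold below is constructed for illustration (assumption), not taken
from a real system or from the slide deck.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an sshd-like format; timestamps are ISO 8601.
SAMPLE_LOG = """\
2017-03-01T08:00:01 sshd: Failed password for root from 198.51.100.7
2017-03-01T08:00:03 sshd: Failed password for admin from 198.51.100.7
2017-03-01T08:00:04 sshd: Accepted password for alice from 203.0.113.5
2017-03-01T08:00:06 sshd: Failed password for root from 198.51.100.7
2017-03-01T08:00:09 sshd: Failed password for oracle from 198.51.100.7
2017-03-01T08:00:12 sshd: Failed password for root from 198.51.100.7
2017-03-01T08:01:30 sshd: Failed password for bob from 203.0.113.5
2017-03-01T08:20:00 sshd: Failed password for root from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed alert policy: N failures from one source within W seconds.
# The numbers are an assumption; DE.AE-5 asks that they be agreed and documented.
POLICY = {"failures": 5, "window_seconds": 60}


def parse_line(line):
    """Return a dict for a recognised line, or None for lines not handled."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def evaluate_alerts(log_text, failures=POLICY["failures"],
                    window_seconds=POLICY["window_seconds"]):
    """Sliding-window count of failed logins per source; one alert per crossing.

    Returns a list of (source, timestamp_of_crossing, count) tuples. After a
    crossing the window for that source is cleared, so a continuing burst
    yields one alert per `failures` events rather than one per log line.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Discard failures that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= failures:
            alerts.append((ev["src"], ev["ts"], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, ts, n in evaluate_alerts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src}: {n} failed logins within "
              f"{POLICY['window_seconds']}s (threshold {POLICY['failures']})")
```

On the constructed sample the default policy raises exactly one alert, for 198.51.100.7 at 08:00:12, while the isolated failures from 203.0.113.5 and the later single failure at 08:20:00 stay below threshold; lowering the threshold or widening the window changes which events become alerts, which is why the policy values, not the parser, are what DE.AE-5 asks an organisation to decide and record.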
Bottom-up approach using the SANS CIS top 20 security controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
Callout: eliminate the vast majority of an organization's vulnerabilities.
The SANS CIS top 20 security controls are based on the most frequently recurring findings about security weaknesses in organizations. Implementing those controls is always regarded as good practice from a bottom-up perspective.
The Ten Most Critical Web Application Security Risks (www.owasp.org, the free and open software security community): "Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention."
Enablers
Building adequate lines of defense
Source:
A MANAGER FOR CYBER SECURITY INCIDENT MANAGEMENT: Information Security Governance; Information Risk Management & Compliance; Information Security Program Development & Management; Information Security Incident Management
Georges Ataya
Career Summary: Professor and Academic Director (SBS-EM); Managing Director, ICT Control advisory firm; Past International Vice President at ISACA; Past Partner, Ernst & Young; Past Deputy International CIO, ITT World Directories; previously Project Manager and Senior IT Auditor.
Expertise Summary: IT Governance (development of COBIT 4 and COBIT 5); IT Governance and Value Governance (co-author of VALIT and supervision of the CGEIT BOK); Information Security Management (co-author of the CISM Body of Knowledge); IT Audit and Governance; Information Security and Risk; Strategy, Enterprise Architecture and IT Sourcing.
Education/Certification: Master in Computer Science (Faculty of Sciences, ULB); Postgraduate in Management (Solvay Brussels School, ULB); Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified in Risk and Control (CRISC); Certified Information Systems Security Professional (CISSP); Certified in Governance of Enterprise IT (CGEIT).
Contact: gataya@solvay.edu; ataya.info; be.linkedin.com/in/ataya