Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue


Governance is the strategic alignment of operations with the agency such that maximum business value is achieved through the development and maintenance of effective control and compliance, performance management, and risk management.
(Diagram: Agency, Risk, Control, Compliance)

Governance cycle (diagram labels): Monitor, Assess, Manage; Risk, Controllership, Compliance

Risk Charts the Course: Direction, Speed, Destination, Finish
Comprehensive Risk Assessments; Goals and Objectives; The Agency/Business; Consulting; Acquisition and Integrations; Vision / Forecasting

Controllership: Policy Management, Access Management, Core Technology Standards, Project Services, Change Management, Data & Asset Management
The Operation: Fuel, Power, Storage, Alterations
Policies, Standards, Procedures

Compliance, Gauging & Monitoring: Performance, Inspections, Correction
Evaluate, Measure, Self Audit, Reporting, Adherence, Investigations, Discipline

Governance Program Building (columns: Risk, Controllership, Compliance)
Who: Risk Council, Risk Champion, Controller, Global Security, Project Services, Compliance/Disclosure, Audit Staff, Office of Compliance
What: Strategy, Prioritization, Risk acceptance, Executive Operations, Digitization / Tools, Policy Management, Control Implementation, Assess compliance, Report adequacy, Standardization, Performance & Metrics

(Governance diagram, RISK section: Report, Vision, Compliance, Risk, Monitor, Assess, Controllership, Control, Policy)

Definition of RISK (Merriam-Webster)
1: possibility of loss or injury : PERIL
2: someone or something that creates or suggests a hazard

Probability x Impact = Inherent Risk (No Controls Applied)
Inherent Risk x Controllership = Residual Risk (Controls Applied)

Rating scales:
Probability: H=3, M=2, L=1
Impact: H=3, M=2, L=1
Probability x Impact = Inherent Risk (IR), no controls applied
Controllership: H=1, M=2, L=3
IR x Controllership = Residual Risk (RR), controls applied

Worked example 1:
Probability x Impact = Inherent Risk (No Controls Applied): 3 x 3 = 9
Inherent Risk x Controllership = Residual Risk (Controls Applied): 9 x 2 = 18
Control Considerations: 1) Good Policy 2) Intrusion Detection 3) Security Guards 4) Physical Barriers 5) Logical Barriers

Worked example 2:
Probability x Impact = Inherent Risk (No Controls Applied): 3 x 2 = 6
Inherent Risk x Controllership = Residual Risk (Controls Applied): 6 x 1 = 6
Control Considerations: 1) Good Policy 2) Comprehensive System 3) Research 4) Communication 5) Operations

Worksheet (audience exercise):
Probability x Impact = Inherent Risk (No Controls Applied): ? x ? = ?
Inherent Risk x Controllership = Residual Risk (Controls Applied): ? x ? = ?
Control Considerations:
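The scoring model from the slides above, carried a step further than the two worked slides: this added example (not from the talk) scores a constructed risk register on the H/M/L scales and ranks entries by residual risk, so the inverted Controllership scale (High control = 1, Low control = 3) is visible in the result. The register rows and names are constructed for illustration, borrowing labels from the Top Ten list.

```python
"""Risk scoring as presented in the slides:
Probability x Impact = Inherent Risk; Inherent Risk x Controllership = Residual Risk.
Controllership is rated on an inverted scale (H=1, M=2, L=3), so strong controls
leave residual risk at the inherent score and weak controls multiply it.
Added example; the SAMPLE_REGISTER below is constructed, not from the talk."""

RATING = {"H": 3, "M": 2, "L": 1}          # Probability and Impact scales
CONTROLLERSHIP = {"H": 1, "M": 2, "L": 3}  # inverted: strong controls = 1


def inherent_risk(probability, impact):
    """Probability x Impact, both rated H/M/L (no controls applied)."""
    return RATING[probability.upper()] * RATING[impact.upper()]


def residual_risk(inherent, controllership):
    """Inherent Risk x Controllership, controllership rated H/M/L."""
    return inherent * CONTROLLERSHIP[controllership.upper()]


def score_register(register):
    """Score (name, probability, impact, controllership) rows and return them
    sorted by residual risk, highest first, so the most weakly controlled
    risks surface at the top of the list."""
    scored = []
    for name, prob, impact, control in register:
        ir = inherent_risk(prob, impact)
        scored.append({"risk": name, "inherent": ir,
                       "residual": residual_risk(ir, control)})
    return sorted(scored, key=lambda row: row["residual"], reverse=True)


# Constructed register; the first two rows mirror the worked slides
# (3 x 3 = 9, 9 x 2 = 18) and (3 x 2 = 6, 6 x 1 = 6).
SAMPLE_REGISTER = [
    ("Hacking/Cyber Security", "H", "H", "M"),          # IR 9, RR 18
    ("Virus Attacks or Malware", "H", "M", "H"),        # IR 6, RR 6
    ("Legacy/Out of Date Processes", "M", "M", "L"),    # IR 4, RR 12
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['risk']:<32} IR={row['inherent']:>2} RR={row['residual']:>2}")
```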

Risk frameworks: 1) ISO 27001 & ISO 27005 2) COBIT 5.0 (includes ValRISK) 3) SP 800-30

Top Ten List:
10) Legacy/Out of Date Processes
9) Rules and Regulations/Policy Management
8) Unauthorized Access (Internal)
7) Integration and Consolidation
6) Change Management
5) End User Controls or Ad-Hoc Solutions
4) Theft of Data
3) Industrial Espionage
2) Virus Attacks or Malware
1) Hacking/Cyber Security

CISO organization: Specialist, Risk & Policy, Security Operations, Compliance and Disclosure, DR & Recovery Services, Access Admin, Infrastructure

Investment: Time, Acceptance, Change, Culture
Benefits: Structure/Alignment, Stability, Sustainability, Best Practices, Effectiveness, Auditability, Demand Management, Tool Optimization, Visibility, Centralization

(Governance diagram: Report, Vision, Compliance, Risk, Monitor, Assess, Controllership, Control, Policy)

Proposal to establish Governance Program (12-24 Months to Develop and Implement)
Success Factors (CISO, Internal Audit):
  Sustainable Governance Program
  Governance Program Management
  Monitoring and Compliance Mechanisms
  Establish IT Governance Program Structure & Approach
  Sr. Management approval of Governance Concept and Implementation
  Risk Assessments and Analysis
  Control Management and Framework Activities
  Management Commitment and Sponsorship
  Establish Appropriate Program Resourcing
  Business Engagement & Inclusion
  Ensuring Continuous Improvement Planning and Program Maturity
  Program Auditability
Initial Activities:
  Obtain Senior IT Leadership Commitment
  Determine & Engage internal resources
  Develop and Deliver Risk Assessment
  Perform Risk and Control Analysis
  Control Framework Activities