Adaptive & Unified Approach to Risk Management and Compliance via CCF

Similar documents
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

CCISO Blueprint v1. EC-Council

Cybersecurity Session IIA Conference 2018

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Continuous protection to reduce risk and maintain production availability

Cybersecurity Protecting your crown jewels

Quality Assurance and IT Risk Management

The Center for Internet Security

Rethinking Information Security Risk Management CRM002

Cyber Resilience - Protecting your Business 1

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Best Practices in Securing a Multicloud World

Proactive Approach to Cyber Security

The Common Controls Framework BY ADOBE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Designing and Building a Cybersecurity Program

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Compliance: How to Manage (Lame) Audit Recommendations

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Changing the Game: An HPR Approach to Cyber CRM007

How To Build or Buy An Integrated Security Stack

The Resilient Incident Response Platform

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Gujarat Forensic Sciences University

Cybersecurity Roadmap: Global Healthcare Security Architecture

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

TSC Business Continuity & Disaster Recovery Session

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Nebraska CERT Conference

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

What It Takes to be a CISO in 2017

Business continuity management and cyber resiliency

Copyright 2016 EMC Corporation. All rights reserved.

RSA Advanced Cyber Defence Summit

SYMANTEC DATA CENTER SECURITY

INTELLIGENCE DRIVEN GRC FOR SECURITY

Mastering The Endpoint

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

locuz.com SOC Services

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Embedding Privacy by Design

Will you be PCI DSS Compliant by September 2010?

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Run the business. Not the risks.

The New Era of Cognitive Security

Industrial control systems

To Audit Your IAM Program

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

SOLUTION BRIEF Virtual CISO

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

10 FOCUS AREAS FOR BREACH PREVENTION

Cyber Protections: First Step, Risk Assessment

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

ISE North America Leadership Summit and Awards

Practical Guide to Securing the SDLC

CISO as Change Agent: Getting to Yes

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Security Incident Management in Microsoft Dynamics 365

Healthcare Security Success Story

GDPR Update and ENISA guidelines

Security and Privacy Governance Program Guidelines

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Protecting your data. EY s approach to data privacy and information security

Enhance Your Cyber Risk Awareness and Readiness. Singtel Business

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

BHConsulting. Your trusted cybersecurity partner

Cyber Resilience. Think18. Felicity March IBM Corporation

Protecting your next investment: The importance of cybersecurity due diligence

Cyber Security. It s not just about technology. May 2017

TRACKVIA SECURITY OVERVIEW

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Cybersecurity Auditing in an Unsecure World

SDLC Maturity Models

TRUE SECURITY-AS-A-SERVICE

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Cyber Security: It s all about TRUST

Certified Information Security Manager (CISM) Course Overview

A new approach to Cyber Security

SECOPS: NAVIGATE THE NEW LANDSCAPE FOR PREVENTION, DETECTION AND RESPONSE

Onapsis: The CISO Imperative Taking Control of SAP

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Security Audit What Why

Combating Cyber Risk in the Supply Chain

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

MITIGATE CYBER ATTACK RISK

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Transcription:

SESSION ID: SOP-W08 Adaptive & Unified Approach to Risk Management and Compliance via CCF Vishal Kalro Manager, Risk Advisory & Assurance Services (RAAS) Adobe @awish11

Disclaimer All the views presented here are my own and not of the organization with which I am employed or was employed with. The material presented here is for educational purpose only and is up to the discretion of the participant as to how to make best use of it. 2

Agenda Setting The Stage & Reality Check Eureka - Adaptive and Unified Approach via. CCF Future Is NOW Q&A 3

Setting The Stage & Reality Check

Sightings Source PWC s Information Security Breaches Survey 2015 90% of large organizations had a security breach up from 81% year a go 32% of the respondents in 2015 haven t carried out any form of security risk assessment 26% of the respondents don t evaluate how effective their security expenditure is What comes to your MIND? IRS sued over data breach that affected 330,000 people To battle Cyber attacks CEO s need to act more like Military Hackers drop Zero days opens FireEye fire sale Airport Computer System Outages Reported Nationwide In Spite Of Networks Being Designed With 99.99 % Availability There Are System Outages & Downtime In An Event Of A Breach, It Takes Longer Then Expected To Contain The Situation Millions Of $$ s Spent On Security & Compliance Fail To Provide A Reasonable Assurance Source SOPHOS Security Threats Trend 2015 IoT attacks move from PoC to mainstream More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years Regulatory landscape forces greater disclosure and liability Global skill gap continues to increase, with incident response and education a key focus 5

1980 Business has Changed... Physical security Over the counter Cash Natural Disasters Corporate Espionage 1990 BCP People & Process Retail & Cash DC s, HSP s e-commerce Steps in Third Party People & Process Malwares, Virus,, Physical thefts 2002 Retail & CC, DC e-commerce Cloud Providers DC s, HSP s Cash 2013 E-commerce Money Wallets CC & DC BOYD IoT System Availability Legal & Regulatory Data Security & so has the Risk Landscape 6 Hacktivism Cloud APT Compliance to safeguard the customer BOYD GRC Zero Days IoT

Heartbleed Code reuse Programming errors in popular OpenSSL library Why What Unauthorized access to Webserver memory 17% webservers world wide vulnerable Security & Privacy compromised Equilibrium A well orchestrated and functional Incident Response process Robust asset management program Religiously followed system hardening process Security should be the soul of SDLC 7

Reality Check - Compliance vs. Security Satisfy the Legal & Regulatory Requirements Common Myth IPS, IDS, Adaptive Defence Advanced Threat Protection Overhead and do the minimum required Compliance Security Vulnerability Assessments & Penetration Testing More of a documentation and check box effort Incident Response Forensic Investigation Progressive Mind Shift Compliance Security Compliance as an enabler, motivator and budget driver for Security Security best practices lead to successful Compliance All round minimum Security can be achieved by Compliance Compliance, a periodic Security health review by means of audit 8

Security Assurance Core Competency & Priority Information Security is a core competency for any service Era of just trust us is over we need assurance! Vendor Priority Protecting Customers and their data Security, data privacy & sovereignty are prerequisites Compliance accelerates the Sales and has become a Competitive Advantage Risk Management Compliance Security Assurance 9

Eureka - Adaptive And Unified Approach via. CCF 10

Man know thyself; then thou shalt know the Universe & God - Pythagoras 11

Common Control s Framework (CCF) Risk Assessment 12

Roadmap To Assurance via CCF Risk Assessment Identify the threats and key risks - Regulatory - Security Common Controls Framework (CCF) - Privacy - Business Identifying the scope, BU s, services Select from CCF the IS Standards, Security, Privacy requirements Scoping Current State assessment Identifying the gaps vis-à-vis the compliance requirements Gap Assessment Gaps/Noncompliance Gaps/Noncompliance Remediation Remediation action plan Fixing the gaps Audit & Certification Internal Assessment & Audit External Certification Continuous Monitoring Self Assessment Internal reviews Champion meet CAB Meetings 13

Making CCF An Ongoing Journey Continuous Monitoring Periodic Self Assessment (SA) Champions Meet CAB Meetings Reviews Risk, process and control SA Knowledge sharing Participants from all functions Audits and gap assessments Incorporate technology & design changes Discuss the changes, new developments Assess the scope & applicability of change Review the CCF program Gaps to be reported & fixed, if any Identify solutions Review & approve changes Report to the executive management Gaps, inputs, security intelligence, industry updates etc. feed into CCF

CCF Conceptual Model Corporate IT Landscape AWS Cloud Internal IT Cloud/DC CCF Configuration Mgmt Access Controls Operations Mgmt. Asset Mgmt. Incident Mgmt. Physical Security Change Mgmt. Cloud Ops IT Ops SDLC Engineering/Development Teams Security Governance Business Continuity Mgmt. Corporate Level Governance Controls Data Privacy Human Resource 15

Leverage GRC Technology For Sustainable CCF Compliance 17

Building Blocks of A Successful CCF Program Executive Support Representation from All Departments CCF - CAB CCF - PMO CCF GRC Program FAITH, Commitment & Intent 17

Future is Now

0 Is The Key Know Thyself Develop a high level blueprint of key businesses, IT Operations, different teams, process workflows etc. This Blueprint will be your CCF Conceptual Model Conduct Risk Assessment to identify key risks and threats Make a list of Compliance Standards that your organization needs/wants to comply with Regulatory, Legal, Customer safeguard, Value proposition etc. Depending upon your business some may be a mandate, some maybe good to have, some may be required by end of next year and so on Put a timeline to each of these requirements 19

Step After 0 Develop your own Common Controls Framework (CCF) Take a piecemeal approach, don t rush to build it in a day. Leverage your current Policies, Procedures, Technology & Controls to develop your own CCF. CCF should cut across all business functions, IT & related operations, teams etc. Output of Risk Assessment should feed into CCF Setup a CCF CAB and have representations from all key departments IT, Legal, Security, Engineering, Business, Marketing & Sales etc. Make CCF into an intelligent self sustaining program. 20

Strategizing, Implementing And Continuing Mission: Secured & Compliant environment Continuously adapt to changes & fortify against new threats Timelines: Milestone 1 - By end of Q1 FY Milestone 2 By end of Q2 FY. Goal Stage I Stage 2 Stage X Achievements: Inherent security Safe and compliant environment Continuous Monitoring Cost & Effort reduction Actions driven by strategy Where are we today? Strategy: Identify and prioritize Piecemeal object driven approach Include all and exclude none Time 21

Benefits Of A Matured CCF Program Secure & Compliant Environment Risk Management & Compliance = reasonable Security Assurance Self Adaption To Changes And Protection Against New Threats Redundant Security Programs And Investments Minimized Lot Of $$$$$$ s Saved Legal, Regulatory And Compliance Requirements Satisfied Edge Over Competitors And Makes A Better Business Proposition 22

Thank You! Q&A Catch me if you want to, at - vishal.kalro@icloud.com @awish11 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback