Effective Cloud Governance

Similar documents
Certified Information Security Manager (CISM) Course Overview

K12 Cybersecurity Roadmap

TACOMA PUBLIC UTILITIES CYBERSECURITY PROGRAM NIAC WORKSHOP JUNE 2017

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

Ingram Micro Cyber Security Portfolio

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Implementing IT Governance

Cybersecurity Today Avoid Becoming a News Headline

CISO as Change Agent: Getting to Yes

Understanding Security Metrics to Drive Business and Security Results

Business Continuity Risk Management IT Service Continuity

Hearing Voices: The Cybersecurity Pro s View of the Profession

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Business Context: Key for Successful Risk Management

Using ITIL to Measure Your BCP

Securing the cloud ISACA Korea. Han Ther, Lee CISA, CISM, CISSP, CRISC, ITILF, MCSA

Using Metrics to Gain Management Support for Cyber Security Initiatives

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Assessing Your Incident Response Capabilities Do You Have What it Takes?

MIS Week 9 Host Hardening

Tips for Passing an Audit or Assessment

Cybersecurity: Achieving Prevailing Practices. Session 229, March 8 Mark W. Dill, Partner and Principal Consultant,

Auditing the Cloud. Paul Engle CISA, CIA

Reinvent Your 2013 Security Management Strategy

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Art of Performing Risk Assessments

FISMA Cybersecurity Performance Metrics and Scoring

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

HITRUST CSF: One Framework

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Establishing a Credible Cybersecurity Program. September 2016

CYSE 411/AIT 681 Secure Software Engineering Topic #3. Risk Management

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

Cyber Update Mr. Paul Phillips AFLCMC/WNSA (937) May 17

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

FDIC InTREx What Documentation Are You Expected to Have?

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

ICS Security Rapid Digital Risk Assessment

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

THE LIFE AND TIMES OF CYBERSECURITY PROFESSIONALS

Les joies et les peines de la transformation numérique

standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

COBIT 5 Assessor Certification Course

The NextGen cyber crime battlefield. Why organizations will always lose this battle

MSQ3-8 - MOC UPDATING YOUR SQL SERVER SKILLS TO MICROSOFT SQL SERVER 2014

Business Continuity Planning

TRAINING WEEK COURSE OUTLINE May RADISSON HOTEL TRINIDAD Port of Spain, Trinidad, W.I.

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

REPORT 2015/186 INTERNAL AUDIT DIVISION

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

ACM Retreat - Today s Topics:

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

TIPS FOR AUDITING CYBERSECURITY

Brussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security

How to Prepare a Response to Cyber Attack for a Multinational Company.

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Compliance Audit Readiness. Bob Kral Tenable Network Security

EXIN Specialist in IT Service Management based on ISO/IEC Preparation Guide

itsm003 v.3.0 NISTCSF.COM NICE Training Curriculum & Workforce Planning Program

NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

External Supplier Control Obligations. Cyber Security

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Cyber Security Standards Developments

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

Mapping BeyondTrust Solutions to

The Center for Internet Security

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Exploring Emerging Cyber Attest Requirements

MEJORES PRACTICAS EN CIBERSEGURIDAD

SDLC Maturity Models

Welcome to Tomorrow... Today

Building a Resilient Security Posture for Effective Breach Prevention

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

MSCE-11 - MOC HYBRID CLOUD AND DATACENTER MONITORING WITH OPERATIONS MANAGEMENT SUITE (OMS)

CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

READ ME for the Agency ATO Review Template

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

ITIL 2011 Overview - 1 Day (English and French)

Cybersecurity Auditing in an Unsecure World

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Transcription:

Effective Cloud Governance Ruoli, Interfaccia, Indicatori Paolo Ottolino CISSP-ISSAP CISM CISA ISO/IEC 27001 OPST PRINCE2 PMP ITIL

Agenda Italy Chapter 1. Introduzione ed Obiettivi 2. IT Governance: Interfacce 3. Cloud IT: Governance Indicators 4. Cloud Governance: Indicators & Implementation

Introduzione ed Obiettivi 1/2 L'IT si sta evolvendo nel Cloud, sia privato sia pubblico, in forma di servizi IT. Allo scopo di poter continuare a gestire l'it (e per non pagare eventuali suoi malfunzionamenti), c'e' bisogno di istruire un nuovo sistema di IT Governance, capace di indirizzare: - ruoli differenti: Acquirer and Provider - misurazioni accurate: Indicators - chiare penalizzazioni/scontistiche: Contracts La sessione presenta il modello "Effective Cloud Governance", costruito sui seguenti concetti: 1) "If You Can t Measure It, You Can t Manage It" [Peter Drucker] 2) L'Acquirer deve accrescere il commitment del Provider, attraverso la definizione di opportuni Service Level anche nel contratto di servizi 3) entrambi Acquirer and Provider devono condividere il modello di IT Governance model (cfr. NIST Cybersecurity framework 1.1, ID.SC-3)

Introduzione ed Obiettivi 2/2 Un Effective Cloud Governance Model deve essere basato su indicatori, divisi per fasi (es. quelle del CobiT), ruoli ed indicatori: Cycle Customer Provider Indicators Description Direct Appraise Assess KPI Required Efficiency Create Validate Design KGI Attended Goals Protect Manage Implement KRI Risk Level Execute Control Execute SLA Service Level Monitor Govern Maintain KMI Service Direction

IT Governance: fast recap 1/2 IT Governance using ITGI Framework

IT Governance: fast recap 2/2 IT Governance Life Cycle

IT Governance: Interfacce 1/2 Governance Phases & Indicator Types Control: Acquirer Interface Execution: Provider Direct Appraise KPI Assess Create Validate KGI Design Protect Manage KRI Implement Execute Control SLA Execute Monitor Govern KMI Maintain Service

IT Governance: Interfacce 2/2 Interface Types Cloud Interface Contract Control: Acquirer Private (Same company) Execution: Provider Service Underpinning Formal Public (Different company) Control: Acquirer Service Execution: Provider

Cloud IT Governance: metrics 1/3 Approach to Indicator Identification Issue: Metrics are needed to know what you need to focus on Problem: You don t know what you don t know! Goal: Metrics must be focused on specific things you want to measure

Cloud IT Governance: metrics 2/3 Approach to Indicator Identification Keep the metrics reproducible Develop rigorous, objective definitions Build indicator framework tied to Governance phases Keep the metrics manageable Leverage existing automated sources of data Make practical decisions to narrow scope as needed Keep the metrics verificable Tie to effective cyber processes Avoid incentivizing covert measurement Provide an increased level of transparency

Cloud IT Governance: metrics 3/3 Requirements to Indicator Identification S. Payne, A Guide to Security Metrics NIST SP 800-53 Rev 3 SP 800-55 Rev 1, Sections 5.0-6.0 SP 800-100, Section 7.0 (summarizes 800-55) CIS Security Metrics

IT Governance: Payne Seven Steps 1. Define the metrics program goal(s) and objectives 2. Decide which metrics to generate 3. Develop strategies for generating the metrics 4. Establish benchmarks and targets 5. Determine how the metrics will be reported 6. Create an action plan and act on it, and 7. Establish a formal program review/refinement cycle

IT Governance: NIST1/2 Integrated Program

IT Governance: NIST2/2 Collecting and Analyzing Data

IT Governance: CIS Security Metrics 1/2 Definitions Well-defined and documented Reasonably broad in scope (incident, vulnerability, patch, application, CM, financial) Actionable, for the most part Not too big (20 metrics)

IT Governance: CIS Security Metrics 2/2 Functions Function Management Perspective Incident How well do we detect, Management accurately identify, handle, and recover from security incidents? Vulnerability How well do we manage Management the exposure of the organization to vulnerabilities by identifying and mitigating known vulnerabilities? Patch Management How well are we able to maintain the patch state of our systems? Application Security Can we rely on the security model of business applications to operate as intended? Defined Metrics Mean Time to Incident Discovery Number of Incidents Mean Time Between Security Incidents Mean Time to Incident Recovery Vulnerability Scanning Coverage Percent of Systems with No Known Severe Vulnerabilities Mean Time to Mitigate Vulnerabilities Number of Known Vulnerabilities Patch Policy Compliance Patch Management Coverage Mean Time to Patch Number of Applications Percent of Critical Applications Risk Assessment Coverage Security Testing Coverage Cloud Governance MID NAI MBI MIR VSC PCS PTL - PPC PCS PTL - - - VSC Configuration Management Financial Metrics How do changes to system configurations affect the security of the organization? What is the level and purpose of spending on information security? Mean Time to Complete Changes Percent of Changes with Security Reviews Percent of Changes with Security Exceptions IT Security Spending as % of IT Budget IT Security Budget Allocation MCC RMO SOE - -

IT Governance Implementation 1/7 Governance Indicators by Areas ------ Security ----- Identity Resilience Vulnerability Incident Organization Direct STO LCE MCC IMC RTO Create VSC MIR RMO 2FA RPO Protect PCS NAI SOE MCP SRC Execute PTL MID LCL TUP MTR Monitor PPC MBI LCR PAU MBF

IT Governance Implementation 2/7 Governance Indicators about Security (Vulnerability) ------ Security ----- Vulnerability Security Testing Objectives (STO) how much time from one pen test to another Vulnerability Scan Coverage (VSC) percentage of system VA is performed upon Platform Compliance Score (PCS) percentage of system configuration meeting best-practice standards Patch Latency (PTL) time between a patch's release and your successful deployment of that patch Patch Policy Compliance (PPC) percentage of system patching meeting patch policy

IT Governance Implementation 3/7 Governance Indicators about Security (Incident) ------ Security ----- Incident Log Correlation Effectiveness (LCE) percentage of incidents identified by correlation Mean Time for Incident Recovery (MIR) time from incident discovery to recovery Number of Annual Incident (NAI) how many incident per year Mean Time for Incident Discovery (MID) time occurring from incident and its discovery Meantime Between Incident (MBI) incident rates: how often these occur

IT Governance Implementation 4/7 Governance Indicators about Security (Organization) ------ Security ----- Organization Meantime to Complete Change (MCC) how much time from change issue to implementation Risk Management Objective (RMO) percentage of suggested countermeasure implemented Security Objective Exception (SOE) percentage of change with exception Log Collection Latency (LCL) delay from event and trasmission of log to central SIEM Log Correlation (LCR) average number of correlation rule per system

IT Governance Implementation 5/7 Governance Indicators about Identity Identity Identity Management Coverage (IMC) proportion of account (privileged and unprivileged) vaulted and managed Two Factor Authentication percentage (2FA) percentage of user that should use 2FA for accessing the systems Meantime to Certified Privileged Account (MCP) time a Privileged Account is certified Time for User Provisioning average (TUP) how long a new user waits to get access to the resources they need Privileged Account average per User (PAU) amount of «duties» owned by a user (SoD)

IT Governance Implementation 6/7 Governance Indicators about Resilience Resilience Recovery Time Objective (RTO) maximum time needed for recover the service Recovery Point Objective (RPO) time the transaction occurred before accident could not be recovered System Recovery Coverage (SRC) percentage of systems covered by BC/DR Meantime To Repair (MTR) average time to recover the service Meantime Between Failure (MBF) average time from a failure to another one

IT Governance Implementation 6/7 Putting all Together

Grazie! Paolo Ottolino CISSP-ISSAP CISM CISA ISO/IEC 27001 OPST PRINCE2 PMP ITIL paolo.ottolino@isc2chapter-italy

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback