ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO 27001 FRAMEWORK AUGUST 19, 2015

Agenda: Coalfire Overview; Threat Landscape; What is ISO 27001; Why ISO 27001; ISO 27001 Cycle; Q&A

Presenters: Michael Fuller. Michael has more than 20 years of business experience in Technology, Operations, Product Development, Marketing, Sales and Finance. He has been a consultant with Coalfire for the past two years; before Coalfire he was Co-Founder and Chief Compliance Officer at CRE Secure Payments, a venture-capital backed company specializing in securing ecommerce transactions over the internet. In his many previous roles he has worked for Apple Inc., Time Warner and Cox Enterprises' Autotrader.com, as well as several global interactive advertising agencies. Michael has worked in 13 countries around the world, has two teenage daughters and holds a Bachelor's Degree in Earth Science from Macquarie University in Sydney, Australia.

Customer Success Story
Identity: International, multi-business unit, multi-channel specialty retailer.
Challenge: Extend a successful security / compliance program beyond the cardholder environment, and reduce cyber risk across the enterprise.
Approach: Develop an ISMS and pursue ISO 27001 certification.
Results: 40% of security gaps closed within the first six months of the program (including all critical findings); cross-functional participation and support.

THREAT LANDSCAPE: Our Environment is Changing

Cyber Incidents Are On the Rise
- In 2013, the FBI notified over 3,000 U.S. companies, including money center banks, major defense contractors, and leading retailers, that they had been the victims of cyber intrusions.
- IBM estimates that over half a billion records of personally identifiable information (names, credit card information, social security numbers, etc.) were stolen in 2014.
- 77% of companies detected a security event in the past 12 months (1).
- Organizations on average detect 135 cybersecurity incidents each year (1).
- 7% of U.S. organizations lost $1 million or more, and 19% lost at least $50k, in 2013 due to cybercrime incidents (1).
- 84% of survey respondents believe the number of cyber attacks will increase (2).
- 75% of survey respondents expect cloud security budgets to increase dramatically (3).
Sources: (1) PwC, Managing Cyber Risks in an Interconnected World, Sept. 30, 2014; (2) BAE Systems, Business and the Cyber Threat: the Rise of Digital Criminality, February 2014; (3) IBM, 3rd Annual CISO Study, December 2014.

Large Data Breaches: Over the past 18 months, dozens of major cybersecurity breaches have been announced, collectively affecting hundreds of millions of people.

Increased Government Oversight: Over the past 12 months, several Federal, state, and international government agencies have announced specific cybersecurity policies.

Cyber Risk is Now a Matter of Corporate Governance
- Cybersecurity is a management issue, not a technology issue.
- Boards need to understand the legal implications of corporate risk.
- Boards need access to cybersecurity expertise at timely and regular intervals.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

Cyber Risk Management Process (figure). Source: NIST Cybersecurity Framework v1.0

ISO 27001
ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS). Its Annex A lists the control objectives and controls, and ISO 27002 provides implementation guidance for those controls. It is a widely recognized international security standard in which many companies in the US are showing significant interest. Certification to the standard requires:
- Systematic evaluation of the organization's information security risks, taking into account the threats, vulnerabilities and impacts that apply to it.
- Design and implementation of a comprehensive suite of information security controls and other forms of risk treatment to address the risks that are found to be unacceptable.
- Adoption of an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

About ISO 27001: The total number of certificates worldwide is now in excess of 20,000, with East Asia/Pacific and Europe dominating.

ISO 27001 in the US: Growth in US certificates has been consistent, with 566 being issued in 2013.

By Industry

Rank  Industrial Sector                       # Certs
1     Information Technology                     5059
2     Other Services                              849
3     Construction                                396
4     Transport, storage and communication        322
5     Electrical and optical equipment            289

Total number of certifications issued in 2013 by industry sector (data: approximate estimate by ISO/IEC). By far, the largest industry sector seeking certification every year has been Information Technology.

So why ISO 27001?
- The ISO 27001 standard provides the company with a solid yet flexible framework for the effective management of a rigorous, ongoing security program.
- The Information Security Management System (ISMS) required under the standard defines how the company perpetually manages security in a holistic, comprehensive way.
- The standard can apply to any type or size of business, big or small, and is not hampered by adherence to externally driven requirements, as is the case with PCI DSS. This means the design of the ISMS can be driven entirely by the business needs of the particular company.
- Companies can adopt the standard as the blueprint for their information security program and choose whether or not to pursue full certification.
- Certification by an independent organization accredited as an official Certification Body (CB), such as Coalfire ISO, provides external validation that the organization conforms to the requirements of the international standard.
- ISO certification is recognized in over 60 countries around the world: all member countries of the International Accreditation Forum (IAF).

ISO 27001 Advantages
A powerful combination. ISO 27001 is not driven solely by external considerations, as standards like PCI DSS and HIPAA are. The combination of the business-driven, risk-based management framework of 27001 and its overlap with the IT controls required for business and other applicable compliance needs gives the client a powerful, organization-wide approach that can be more deeply integrated into the client's business goals and objectives.
Wide applicability. ISO 27001 can be valuable as an operating framework for a small company laying the groundwork for information security in its business, or for a complex Fortune 500 company designing a sophisticated risk-based management framework for all information security in the company. The standard can be applied to virtually any business vertical, wherever a business has a concern about the security of information within the organization, whether it relates to internal business assets or external customer information.
Building blocks. ISO 27001 provides the blueprint for a risk-based information security management framework that differs from most of the compliance standards currently in use in the US in that its scope can be designed entirely by the client based on business needs. The standard provides rigorous requirements for the management of information security but does not prescribe the specific IT controls to be implemented: the organization selects controls based on its own risk assessment and justifies the inclusion or exclusion of each Annex A control in its Statement of Applicability.

ISO 27001 Cycle
1. Gap Analysis: ISO 27001 action plan
2. ISO 27001 Training
3. Formation of ISMS: domain and control area analysis; process documentation; documentation review; update and revise processes; training on defined processes; implementation of defined processes
4. Asset Risk Assessment: perform asset risk assessment; identify and implement controls
5. Internal Audit: internal audit training; internal audit readiness; internal audit report; closure of findings
6. Certification
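The "systematic evaluation of risks" and "design and implementation of controls" that certification requires (the ISO 27001 slide above) come together in the cycle's asset risk assessment step, where each risk is scored, treated, and tied to the controls that end up in the Statement of Applicability. The following Python is an added worked example of that step and is not Coalfire's tooling or part of the standard; the 5x5 likelihood/impact scales, the acceptance threshold of 8, the sample assets and risks, and the helper names are assumptions made for this example. The one Annex A reference used, A.12.6.1, is the management of technical vulnerabilities control in ISO/IEC 27001:2013.

```python
"""Worked asset risk assessment and treatment check in the ISO 27001 style.

Added illustration, not Coalfire's or the standard's own tooling. The scales,
the acceptance threshold, the sample data and the control choice are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed qualitative scales; a real ISMS defines its own in its risk methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPT_THRESHOLD = 8  # assumed risk acceptance criterion: a score <= 8 is acceptable


@dataclass
class Asset:
    name: str
    owner: str            # every in-scope asset needs a named owner
    confidentiality: int  # 1..5 value ratings on the assumed scale
    integrity: int
    availability: int


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "untreated"          # mitigate | accept | transfer | avoid
    controls: List[str] = field(default_factory=list)  # Annex A references
    residual_likelihood: Optional[str] = None          # expected after treatment
    residual_impact: Optional[str] = None
    accepted_by: Optional[str] = None     # approver when a risk is accepted above criteria

    def label(self) -> str:
        return f"{self.asset.name} / {self.threat}"

    def inherent(self) -> int:
        """Risk score before any treatment: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk score after treatment; equals the inherent score if no reduction is recorded."""
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]

    def acceptable(self) -> bool:
        return self.residual() <= ACCEPT_THRESHOLD


def risk_register(risks: List[Risk]) -> List[Risk]:
    """Register ordered by inherent risk, highest first."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def findings(risks: List[Risk]) -> List[str]:
    """Checks an internal auditor would raise before the certification audit."""
    out = []
    for r in risks:
        if not r.asset.owner:
            out.append(f"{r.label()}: asset has no owner")
        if r.treatment == "untreated" and not r.acceptable():
            out.append(f"{r.label()}: inherent risk {r.inherent()} exceeds acceptance criteria and is untreated")
        elif r.treatment == "mitigate":
            if not r.controls:
                out.append(f"{r.label()}: treatment is mitigate but no control is selected")
            elif not r.acceptable():
                out.append(f"{r.label()}: residual risk {r.residual()} still exceeds acceptance criteria")
        elif r.treatment == "accept" and not r.acceptable() and not r.accepted_by:
            out.append(f"{r.label()}: risk {r.residual()} accepted above criteria without a named approver")
    return out


def statement_of_applicability(risks: List[Risk]) -> Dict[str, List[str]]:
    """Selected controls and the risks that justify each one."""
    soa: Dict[str, List[str]] = {}
    for r in risks:
        for control in r.controls:
            soa.setdefault(control, []).append(r.label())
    return soa


# Constructed sample data for a retailer like the one in the success story (assumed).
CARDHOLDER_DB = Asset("cardholder database", "payments lead", 5, 5, 4)
HR_SHARE = Asset("HR file share", "HR director", 4, 3, 2)
PUBLIC_SITE = Asset("public marketing site", "marketing lead", 1, 3, 3)

SAMPLE_RISKS = [
    Risk(CARDHOLDER_DB, "external attacker", "unpatched database server", "likely", "severe",
         treatment="mitigate", controls=["A.12.6.1"],  # management of technical vulnerabilities
         residual_likelihood="rare"),
    Risk(HR_SHARE, "disgruntled employee", "over-broad share permissions", "possible", "major",
         treatment="mitigate"),                        # mitigation claimed, no control chosen
    Risk(PUBLIC_SITE, "denial of service", "single hosting provider", "possible", "moderate",
         treatment="accept", accepted_by="CISO"),      # score 9 > 8, so sign-off is required
    Risk(CARDHOLDER_DB, "ransomware", "backups never restore-tested", "possible", "severe"),
]

if __name__ == "__main__":
    for r in risk_register(SAMPLE_RISKS):
        print(f"{r.inherent():>2} -> {r.residual():>2}  {r.label()} [{r.treatment}]")
    for f in findings(SAMPLE_RISKS):
        print("FINDING:", f)
    print(statement_of_applicability(SAMPLE_RISKS))
```

Run stand-alone, the register lists the two cardholder-database risks first, the findings flag the HR share risk (mitigation with no control chosen) and the untreated ransomware risk, and the Statement of Applicability shows A.12.6.1 justified by the unpatched-server risk. The accepted denial-of-service risk produces no finding only because an approver is named; drop `accepted_by` and it is reported, which is the management sign-off an auditor looks for when a risk above the acceptance criteria is accepted rather than treated.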

ISO 27001 Certification Cycle
Three-year cycle commencing from the initial certification audit:
- First year: initial certification, in two stages. Stage one audit (review of the ISMS documentation and readiness); stage two audit (assessment of the implementation and effectiveness of the ISMS).
- One year out: surveillance audit 1.
- Second year out: surveillance audit 2.
- Third year: full certification (recertification) audit again, stage one and two.

Wrap-Up: Coalfire Overview; Threat Landscape; What is ISO 27001; Why ISO 27001; ISO 27001 Cycle; Q&A

Questions: Michael Fuller, Director, Coalfire. 404-702-2558, Michael.fuller@coalfire.com