Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Similar documents
Business Context: Key for Successful Risk Management

Certified Information Security Manager (CISM) Course Overview

INTELLIGENCE DRIVEN GRC FOR SECURITY

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

locuz.com SOC Services

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Reinvent Your 2013 Security Management Strategy

Cybersecurity Auditing in an Unsecure World

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

ISACA Arizona May 2016 Chapter Meeting

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Next Generation Policy & Compliance

SIEM: Five Requirements that Solve the Bigger Business Issues

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Consolidation Committee Final Report

FDIC InTREx What Documentation Are You Expected to Have?

IT Strategic Planning: Making Your IT Organization Efficient and Effective

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

HCL GRC IT AUDIT & ASSURANCE SERVICES

HITRUST CSF: One Framework

Manchester Metropolitan University Information Security Strategy

BHConsulting. Your trusted cybersecurity partner

Navigate IT Security with a Framework as Your Guide

Mapping BeyondTrust Solutions to

Sirius Security Overview

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

How to Prepare a Response to Cyber Attack for a Multinational Company.

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Cybersecurity for Service Providers

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

RSA IT Security Risk Management

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

Information Security Risk Strategies. By

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

Compliance and Controls Frameworks. Vishal Gupta

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

University of Pittsburgh Security Assessment Questionnaire (v1.7)

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Security Diagnostics for IAM

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Importance of the Data Management process in setting up the GDPR within a company CREOBIS

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Enabling Security Controls, Supporting Business Results

Cybersecurity Roadmap: Global Healthcare Security Architecture

Security Metrics Framework

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

LESSONS LEARNED IN SMART GRID CYBER SECURITY

SECURITY SERVICES SECURITY

TSC Business Continuity & Disaster Recovery Session

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

Cloud Customer Architecture for Securing Workloads on Cloud Services

CISM Certified Information Security Manager

CCISO Blueprint v1. EC-Council

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Automating for Agility in the Data Center. Purnima Padmanabhan Jeff Evans BMC Software

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Information Security Architecture Gap Assessment and Prioritization

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Defense in Depth Security in the Enterprise

The Business Value of including Cybersecurity and Vendor Risk in ERM

Nebraska CERT Conference

A Methodology to Build Lasting, Intelligent Cybersecurity Programs

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Exploring Emerging Cyber Attest Requirements

UNIFICATION OF TECHNOLOGIES

DOWNLOAD OR READ : THREAT AND VULNERABILITY MANAGEMENT COMPLETE SELF ASSESSMENT GUIDE PDF EBOOK EPUB MOBI

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

GRC Maturity. Benchmarking Your GRC Program. October 2014

The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation. ISACA All Rights Reserved.

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Unlocking the Power of the Cloud

Mohammad Shahadat Hossain

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Security. Made Smarter.

Enterprise GRC Implementation

MITIGATE CYBER ATTACK RISK

NERC Staff Organization Chart Budget 2019

Think Like an Attacker

Compliance: How to Manage (Lame) Audit Recommendations

BHConsulting. Your trusted cybersecurity partner

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

Accelerate Your Enterprise Private Cloud Initiative

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Transcription:

Aligning IT, Security and Risk Management Programs Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Challenges to Risk Management & Governance Balancing extensive requirements originating from multiple governing bodies. Balancing legislation and company specific policy. Evolution to support different requirements and new legislation. Prioritizing available funding according to requirements introduced. More importantly fitting into the ERM program

IT Security to risk management mindset Present Vulnerability and Threat centric program Future Risk and data centric programs IT Security Strategy Converged Security Strategy Apply Security controls & Threat protection Forced Enforcement for compliance Securing systems and Information Business risk management Business initiates requirement / Demand Protecting Business Information & Goals

Let s get this right

Risk Management Lifecycle Source: Risk Management Lifecycle, Evan Wheeler

Information Security, Risk & Governance Framework Ahmed Qurram Baig, Copyright, 2012.

Enterprise Security Architecture & Risk Management Ahmed Qurram Baig, Copyright, 2012.

Information security & risk management activities Ahmed Qurram Baig, Copyright, 2012.

Benefits of effective risk management & governance Strategic Alignment Effective Risk Management Convergence & Business Process Assurance Resources Management: Governance provides clarity of roles and responsibilities Governance empower people responsible with authority IT Value Delivery Monitoring & Performance Measurement

IT GRC Strategy Key Challenges: Reactive approach to IT Risk and Compliance isolated risk and compliance initiatives and inability to align with business Lack of multi perspective, 360 degree Risk Awareness noncollaboration and lack of accountability on risk Ingredients for a successful IT GRC Strategy : Support and align with enterprise GRC strategy and architecture Common architecture across IT processes and architecture Integrated IT infrastructure to holistically address the IT GRC needs Essential components of IT GRC Architecture: Source: Forrester Report The GRC Puzzle: Getting All The Pieces To Fit Process Management IT Compliance Policy & Content Management IT Risk and Security Management Business Continuity Management Incident & Remediation Management IT GRC Reporting, Metrics & Dashboard

Metrics Simulation/Analytics Regulations Policies Contracts IT Policies & Procedures IT-GRC Data Policy Mgmt IT-GRC Processes Risk Assessments Requirements IT Asset Library Risks IT Controls IT Audits Vendor Governance Compliance & Controls Incident & Issue Management Storage Servers Network Business Continuity Firewalls Email Identity Technical Manual / Physical Threat & Vulnerability Management Assets Access/Segregation of Duties Configurations Threats & Vulnerabilities Events Enterprise IT

Bottom up Information Security Bottom up IT Risk Bottom up IT Compliance Integrated GRC TVM Integration & Correlation Across Security Operations Security Intelligence Social Media Risk Intelligence Cloud Security Integrations: CMDB, VA, SIEM, DLP, etc. Standardizing Risk Calculations & Analysis Implementing Risk Frameworks ISO, NIST, COBIT, FAIR Integrated Risk Mgmt InfoSec, IT- Ops, Compliance Controls Monitoring & Testing Risk Analytics Harmonized Controls Regulations: PCI, SSAE 16, FDIC, NERC, HIPAA Policy Compliance Acceptance, Training, etc. Control Assessments Linking Policies to Control Objectives Enterprise Risk Management Common Risk & Control Framework Integrated Compliance and Controls Common Platform for Managing Risks & BCP Single Enterprise Platform for ALL GRC Initiatives

Organizations Document References Framework References Questions / Procedures Regulatory Bodies Controls Objectives Risks Areas of Compliance (Regulations, Policies) Requirements Processes Auditable Entities IT Assets IT Asset Classes Suppliers Primary Linkages Products Projects Metrics Secondary Linkages

MetricStream IT GRC Solution Key Benefits Automation and rationalization of risk management processes with support for federated risk analysis within units A common IT risk and control framework, tied to business risks Visibility in risks, risk factors, mitigating controls, metrics and analytics with rich context, and integration with IT and security systems Automated and streamlined issue and remediation management Extensive support for standards & frameworks: ISO, COBIT, FAIR, NIST Advanced Analytics e.g.: Mote Carlo Simulation or Bayesian analysis to prioritize remediation efforts

Risk Reports & Heatmaps

Threat & Security Posture Reports

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback