Sytorus Information Security Assessment Overview


Contents

Section 1: Our Understanding of the Challenge
  1 The Challenge
Section 2: IT-CMF
  2 The IT-CMF
Section 3: Information Security Management (ISM) Critical Capability
  3 Why ISM?
  4 Overview of the ISM
  5 Categories and Critical Building Blocks of the ISM
Section 4: Our Approach
  6 The Report
    Practices, Outcomes and Metrics
    Senior Management Reporting
  7 The Benefits

Section 1: Our Understanding of the Challenge

The Challenge

IT is often asked by senior management to report on the level of security of the IT systems within the organisation. This is a challenging question. To answer it fully, an organisation should look not only at the security of its websites and infrastructure, but also at the security governance surrounding the entire business: breaches can range from malicious attacks to a lack of security awareness among individuals within the organisation. A recent report indicates that 80% of data protection breaches, for example, were due to intentional but non-malicious actions of employees. To get a full executive view of the security capability of a company it is necessary to assess not only its defensive capabilities at any one time, but also its capability to respond in a constantly changing environment. The assessment therefore sets out to:

Understand how secure the current infrastructure is (e.g. through penetration testing, reviews, etc.).
Understand the current information security capability of the organisation, including governance, staff awareness, business continuity, security strategy and security resource management.
Develop a plan for continuous improvement which is easily understood and reportable at executive level.

Section 2: IT-CMF

A quick overview of the IT-CMF and its mission statement.

The IT-CMF

The IT-CMF is based on five maturity levels, used to assess and optimize the value of IT.

The IT-CMF, as a Capability Maturity Framework, comprises over 30 Critical Capabilities, each of which addresses a fundamental component of IT's role within the enterprise. These are in turn grouped under four macro-capabilities, each of which represents a core and common concern for IT, namely business alignment, budget management, capability delivery and business value.

The IT-CMF is delivered through online assessments, face-to-face interviews and evidence-gathering techniques for any of these Critical Capabilities, in order to derive a maturity level for each. The data returned is presented in easily understood, visual forms, with specific identification of under- or over-investment and of the next steps to drive further maturity and value for each Critical Capability in scope. Comparisons are made against competitors, sectors and similar-sized organisations to determine maturity against peers. The fundamental goal of the IT-CMF is to align Business and IT more closely, to the point where IT is wholly optimised not only in supporting and executing the Business objectives but also in its relationships with suppliers and partners.

Section 3: Information Security Management (ISM) Critical Capability

Why ISM?

Information is:
Key to business growth and success;
An essential business enabler;
A valuable business asset.

Therefore, it is vital that the availability, integrity and confidentiality of information be assured. These can be threatened by, for example:
Theft;
Accidental or malicious damage or loss;
Disruption of supporting utilities such as power or the network.

Information continues to be business critical and is increasingly complex to manage, for the following reasons:
Physical boundaries are disappearing; more business data is transmitted over the internet, accelerated by the widespread adoption of mobile devices.
Business activity (and the related threats) are on a global scale.
Optimal security implies physical lockdown, but that is unacceptable from the business standpoint. Hence multiple criteria need to be balanced and fed into decision-making.
The pace of change continues to accelerate. Digitization is having a profound effect on business models, with traditional bricks-and-mortar industries being dominated or completely replaced by models that are essentially based on software.
Companies are moving from the more traditional outsourcing contracts to cloud service providers.
72% of organizations report increased risk to information security, from both external and internal threats.

Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions. Key considerations here are:
Has the information been retained longer than it should have been?
Does the data follow a defined life-cycle, and is it safe to delete it?
Does the business have permission to share this data with its partners?
Is it permissible for the company to use data supplied by another company?

If information security is violated, this can result in loss of business operations with associated adverse financial and reputational impacts, which can extend for significant periods of time, particularly should legal actions result from a breach of security.
Source: Ernst & Young (2011) Global Information Security Survey

The changing state of information security in 2012 is evident from the following findings:
Security has edged out business continuity as the most important connection between IT risks and reputation. Data breaches/data theft/cybercrime is identified as the IT risk posing the greatest risk to business (61%). Emerging technologies such as cloud, bring your own device (BYOD) and social media further complicate the issue, as these new technologies are less well controlled than other IT threats because organizations have not had time to fully adapt to them.
Source: Global Reputational Risk and IT Study 2012, IBM / Economist Intelligence Unit

The velocity and complexity of change accelerate at a staggering pace: virtualization, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats. Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment. Nearly 80% agree that there is an increasing level of risk from increased external threats, and nearly half agree that internal vulnerabilities are on the rise. 31% of respondents have seen increases in the number of security incidents compared to last year.
Source: Global Information Security Survey 2012, Ernst & Young

The ISF announced its forecast of the top five security threats businesses will face in 2013. Key threats include cyber security, supply chain security, Big Data, data security in the cloud, and mobile devices in the workplace.
Source: Information Security Forum, November 2012

Overview of the ISM

Categories and Critical Building Blocks of the ISM

ISM, as with all other Critical Capabilities (CCs) in the IT-CMF, consists of a series of Categories, each of which is composed of a series of Critical Building Blocks (CBBs). The purpose of this structure is to identify the core areas of concern that need to be assessed, and which in turn constitute the means of rating the Capability Maturity of the organisation that uses this CC.

Information security is a complex and nuanced subject, and it is only becoming more complex as new technologies, business models and supplier/client interactions become more advanced. Traditionally, information security has been seen as the ability of an organisation to lock down its infrastructure and defend against the possibility of cyber attacks, with little responsibility given beyond the IT department. Whilst this approach may have sufficed until recent years, many things have now changed that require a more holistic approach across all stakeholders in an organisation.

For example, consider the degree of IT outsourcing that takes place in your organisation. Consider the flow of data between your contracted third parties and any of your business units, and then consider the breadth of security-focused business processes required to ensure that appropriate levels of protection are in place to prevent, or greatly reduce the likelihood of, a security breach, not only for IT but for all staff who interact with the data. The days of an entire IT stack sitting quietly in a comms room are also gone, as most organisations have begun shifting large volumes of data and infrastructure out to third parties, be they cloud providers or system integrators. The degree of command and control now becomes a core concern for any organisation seeking to keep its risk within its appetite, and yet most organisations struggle to clearly articulate, and get buy-in on, adequate levels of Governance and Risk Management to ensure that this operational reality is under control from a security perspective.

Equally, consider the more traditional concern of penetration testing: establishing that IT systems are currently protected at an adequate level from external threats. We emphasise the word currently, because a penetration test is always a point-in-time activity. It tells you only what your situation is at that time, not necessarily what risk you carried before, nor what future risk you may yet carry. This is purely due to the dynamic nature of external threats and the many and varied ways in which currently secured systems can quickly become vulnerable (a new vulnerability disclosure, a configuration change, a newly deployed component). Again, the answer lies in the ability of any given organisation to take a holistic approach to its information security strategy and to look beyond simple point-in-time assessments to a more detailed and complete approach that seeks to measure and monitor all the core areas of concern that directly relate to risk in this arena.

This is the purpose of the ISM: to measure and verify the current Capability Maturity of all of the core areas of concern that relate to information security. The following is a breakdown of the Categories and Critical Building Blocks that ISM covers. We believe that the range is impressive and holistic, and can be used to clearly identify the real and present information security risks that your organisation may be carrying in its day-to-day operational activities.

Category: Governance
  Information Security Strategy: Develops, communicates and supports the organization's information security objectives so they fit the organization's business model and risk appetite.
  Policies, Standards and Controls: Establishes and maintains security policies and controls incorporating relevant security standards and regulatory and legislative security requirements, ensuring they fit the organization's business model and security objectives.
  Roles, Responsibilities and Accountabilities: Identifies and establishes information security roles, including the allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
  Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
  Performance Reporting: Reports on the levels of compliance achieved, and on the effectiveness and efficiency of the security activities.
  Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.

Category: Technical Security
  Architecture: Establishes and applies criteria and practices in designing security solutions, with the aim of achieving appropriate, cost-effective protection. Defines security layers to provide depth of defence and configuration management of security features.
  IT Component: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
  Physical Environment: Establishes and maintains measures to control access into, and protect, the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).

Category: Resource Management
  Budget for Security: Provides security-related budget criteria. This includes concepts such as requiring that new equipment be purchased with specific security features, e.g. virus protection.
  Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
  Resource Effectiveness: Measures value for money from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities.

Category: Data Security Management
  Data Identification and Classification: Defines security classifications and provides guidance for the associated protection levels and access control.
  Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
  Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.

Category: Business Continuity Management
  Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
  Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on the security aspects of incidents.

Category: Risk Management
  Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents security threat profiles by their potential impact on business objectives and activities.
  Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks and measurement of their likely impact.
  Risk Prioritization: Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment, such as outsourcing, mergers and acquisitions.
  Risk Handling: Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated.
  Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/controls.

Section 4: Our Approach

As with all other Critical Capabilities, ISM follows an evidence-based assessment model:

The survey is completed using an online tool:

We then follow up with a face-to-face interview process:

The purpose of the face-to-face interviews is to:

The question set we use comprises 29 detailed focus areas across the categories. Below is a sample of the questions we ask on Technical Security. We focus on querying the Architecture and IT Component CBBs, seeking to identify where on the maturity curve each CBB sits. This is done through extensive evidence gathering, such as review of penetration testing methodologies, infrastructure hardening and enterprise system security techniques.

CBB Category: Technical Security
CBB: Architecture
Question: How do you establish the security architecture?
Tooltip: Establishes and uses approaches for designing security solutions with the aim of achieving appropriate, cost-effective security. Defines security layers to provide depth of defence and configuration management of security features.
Level 1: Responsibility for establishing the security architecture layers is assigned on an ad hoc basis. Few (if any) security architecture diagrams exist.
Level 2: Security layers and depth of defence are considered in architecture design, but this may not always be implemented or provisioned in delivered solutions. Configuration management is typically a localized activity within departments or functional groups.
Level 3: IT and some business units have a documented shared vision for security layers, and most security architecture features are common across these areas. Depth of defence and configuration management practices are evident.
Level 4: A security architecture framework supporting depth of defence and utilizing configuration management principles has been developed, documented and implemented across the enterprise.
Level 5: An effective security framework is used across the extended enterprise. The framework is optimized for business efficiency, hardware and software cost management, and the depth and effectiveness of security measures.

CBB Category: Technical Security
CBB: IT Component

Question 1: How do you define and implement measures to protect information technology components?
Tooltip: Defines and implements the measures to protect physical and virtual IT, servers, networks, and endpoints such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
Level 1: IT component security is done on an ad hoc basis.
Level 2: IT component security guidelines are emerging within the IT organization, but only basic security measures are in place.
Level 3: IT and some business units are agreed on detailed and documented IT component security measures, which are implemented across these areas.
Level 4: IT component security measures are implemented enterprise-wide, and the measures are tested for compliance with policies and standards.
Level 5: Management of IT component security is optimized across the layers of the security framework.

Question 2: How do you ensure security is built into new systems and applications?
Tooltip: Defines and implements security measures to protect systems and applications and the data held therein.
Level 1: Security is defined and built in, or added after the product is built, on an ad hoc basis.
Level 2: Security is defined and built in using a generic approach or default measures.
Level 3: Security requirements are defined early in the development cycle by IT and business stakeholders and are included in testing.
Level 4: Security requirements are addressed consistently enterprise-wide.
Level 5: Security requirements are addressed consistently across the extended enterprise.

A typical swim lane chart for an ISM Assessment is as follows:

The Report

The ISM report is designed to provide a detailed review with measurable next steps for implementers, whilst providing a comprehensive high-level overview for senior management.

Practices, Outcomes and Metrics

For implementers, a detailed review with clear and unambiguous suggestions for improving Capability Maturity is an essential part of the report produced by an ISM Assessment. Throughout the engagement the clear ambition is to identify and accurately document the current Capability Maturity, with a breakdown of all findings against each of the CBBs. We use a concept known as Practices, Outcomes and Metrics (POMs) to achieve this. The POMs are designed to highlight to implementers what steps need to be taken to achieve an improvement in capability. For example, an organisation that wanted to achieve Level 2 in Technical Security would need to take the following steps, based on an agreed, measurable metric value set, for each CBB:

Maturity Level 2, CBB Category: Technical Security

CBB: Architecture
Practice: Provide basic architectural security descriptions.
Outcome: Security layers and depth of defence, while considered, may not always be implemented or provisioned in delivered solutions. However, policies and procedures can be partially aligned with security recommendations.
Metrics: % of policies reviewed for security compliance; % of relevant IT processes reviewed for security alignment.

CBB: IT Component
Practice: Set defaults to secure or block, and open only as needed to enable the business.
Outcome: Access is restricted to authorised components and access paths through the IT infrastructure.
Metrics: % of components with default set to closed; # of staff needed to maintain the component security.

CBB: Physical Environment
Practice: Identify and secure the locations of critical and sensitive IT infrastructure components, and sensitive information storage locations (e.g. confidential printed reports).
Outcome: A cross-functional appreciation of the need for security is emerging, and physical measures are visible, unlike many other measures that are implemented in electronics or software. IT and facilities departments cooperate in physical security provision.
Metrics: % of critical systems in secure locations; % of people with authorised access / all with access.

Senior Management Reporting

For senior management, the report is presented in a visual form designed to give a clear overview of current and desired Capability Maturity across each category. The primary purpose of executive reports within the IT-CMF is to provide a clear and unambiguous overview of current Capability Maturity. In the case of ISM, this reflects not only the current capability of Technical Security and Data Security Management, but also the capability of Governance, Business Continuity, Resource Management and Risk Management. Taken together, this overview provides senior management with a comprehensive picture of current status and of what actions are being implemented to improve Capability Maturity, where relevant, to match business plans.

Note: The example chart referred to above is for the Sustainable ICT CC and is for illustrative purposes only.

The Benefits

The purpose of an ISM assessment is to give an organisation a complete and holistic assessment of its current strengths and weaknesses in relation to information security. The ability to demonstrate both current and intended Capability Maturity across a range of categories such as Governance, Technical Security, Business Continuity, etc., is compelling in its breadth, and will provide answers to a wide range of queries driven by business needs. The following is a brief breakdown of the benefits that ISM can bring:

1 A comprehensive review of current capability around information security, focusing not just on security implementation, but also on:
  a The governance processes and their suitability;
  b The effectiveness of technical security across architecture and components;
  c The degree of resource capability within the organisation for information security;
  d The capability of data security management throughout the enterprise;
  e The effectiveness of business continuity management with respect to information security;
  f The risk management around information security, and how it is monitored, handled and reported;
  g The alignment of all of the above with business needs, and the capability to tightly integrate IT and business goals going forward to improve Capability Maturity.
2 An assessment of current security implementations, such as penetration testing and infrastructure hardening, with a determination, based on evidence gathering, of where these sit on the Capability Maturity spectrum;
3 A clear and precise POMs-based approach to improving Capability Maturity, fundamentally focused on driving value throughout the IT portfolio and bringing closer alignment with other business units, based on common goals;
4 An unambiguous and easily comprehended visual report for senior management, which answers the questions that may arise around the capability of information security throughout the enterprise.


CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Increase insight. Reduce risk. Feel confident.

Increase insight. Reduce risk. Feel confident. Increase insight. Reduce risk. Feel confident. Define critical goals with enhanced visibility then enable security and compliance across your complex IT infrastructure. VIRTUALIZATION + CLOUD NETWORKING

More information

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013 Enterprise Security Architecture for Cyber Security M.M.Veeraragaloo 5 th September 2013 Outline Cyber Security Overview TOGAF and Sherwood Applied Business Security Architecture (SABSA) o o Overview of

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

Information Security: Business Assurance Guidelines

Information Security: Business Assurance Guidelines Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies

More information

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

White Paper An Enterprise Security Program and Architecture to Support Business Drivers White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security

More information

EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS

EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS Ian Green Manager, Cybercrime & Intelligence Commonwealth Bank of Australia Session ID: GRC T17 Session Classification: ADVANCED WHY? What keeps you

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity INFORMATION RISK MANAGEMENT KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity ADVISORY Contents Agenda: Global trends and BCM

More information

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril. Cyber Security Personal and commercial information is the new commodity of choice for the virtual thief, argues Adrian Leppard, Commissioner for City of London Police, as he sets out the challenges facing

More information

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287

More information

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Practitioner Certificate in Information Assurance Architecture (PCiIAA) Practitioner Certificate in Information Assurance Architecture (PCiIAA) 15 th August, 2015 v2.1 Course Introduction 1.1. Overview A Security Architect (SA) is a senior-level enterprise architect role,

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Information System Audit Guide

Information System Audit Guide Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE

More information

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation. Risk mitigation for business resilience White paper A comprehensive, best-practices approach to business resilience and risk mitigation. September 2007 2 Contents 2 Overview: Why traditional risk mitigation

More information

Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration

Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration Problem Cloud computing offers massive scalability - in virtual computing power, storage, and applications resources - all at almost

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

Business Continuity / Disaster Recovery Context

Business Continuity / Disaster Recovery Context Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com W H I T E P A P E R L a c k o f O p e r a t i o n a l R e s i l i e n c e W i l l U n d e r m i n e E n t e r p r i s e C o m p e t i t i v e n e s s : A S t r a t e g y f o r A v a i l a b i l i t y Sponsored

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Enterprise Information Management in IT-CMF

Enterprise Information Management in IT-CMF Enterprise Information Management in IT-CMF Input for IVI EIM workgroup 25 September 2013 Agenda Overview of things we like to improve Detailed proposals for improvements Overview of accumulated decisions

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Information Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com

Information Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com Information Technology Governance Steve Crutchley CEO - Consult2Comply www.consult2comply.com What is IT Governance? Information Technology Governance, IT Governance is a subset discipline of Corporate

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

Department of Information and Technology Management

Department of Information and Technology Management INFOTEC Overview Department of Information and Technology Management Introduction The Information and Technology Management Department (INFOTEC) is responsible for providing modern, secure, fit for purpose

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award

Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award F R O S T & S U L L I V A N 2008 Industrial Defender, Inc.: Recipient of the 2008 Global Risk Management Process Control & SCADA Company of the Year Award Todd Nicholson (left), Chief Marketing Officer,

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Cybersecurity Awareness for Executives

Cybersecurity Awareness for Executives SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity

More information

Defending against modern cyber threats

Defending against modern cyber threats Defending against modern cyber threats Protecting Critical Assets October 2011 Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Agenda 1. The seriousness of today s situation

More information

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group 54 Banking PersPective Quarter 2, 2014 Responsibility for the oversight of information security and

More information

Information Security in Business: Issues and Solutions

Information Security in Business: Issues and Solutions Covenant University Town & Gown Seminar 2015 Information Security in Business: Issues and Solutions A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

2011 Forrester Research, Inc. Reproduction Prohibited

2011 Forrester Research, Inc. Reproduction Prohibited 1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester

More information

Applying IBM Security solutions to the NIST Cybersecurity Framework

Applying IBM Security solutions to the NIST Cybersecurity Framework IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

Cyber Security: from threat to opportunity

Cyber Security: from threat to opportunity IT ADVISORY Cyber Security: from threat to opportunity www.kpmg.com/nl/cybersecurity From threat to opportunity / Cyber security / 1 FOREWORD OPPORTUNITY-DRIVEN CYBER SECURITY Cyber security (also known

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

TOGETHER WE CAN DO MORE

TOGETHER WE CAN DO MORE B3System S.A. is a leading provider of IT system and service management solutions ensuring optimized IT infrastructure performance, availability and security within businesses. The company has been operating

More information

How To Create An Insight Analysis For Cyber Security

How To Create An Insight Analysis For Cyber Security IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

Cyber Security & Managing KYC Data

Cyber Security & Managing KYC Data SPECIAL REPORT Cyber Security & Managing KYC Data The views and opinions expressed in this paper are those of the author(s) and do not necessarily reflect the official policy or position of Thomson Reuters.

More information

IT Risk Management: Guide to Software Risk Assessments and Audits

IT Risk Management: Guide to Software Risk Assessments and Audits IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

Information Security Team

Information Security Team Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Address C-level Cybersecurity issues to enable and secure Digital transformation

Address C-level Cybersecurity issues to enable and secure Digital transformation Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced

More information

Dublin City University

Dublin City University Asset Management Policy Asset Management Policy Contents Purpose... 1 Scope... 1 Physical Assets... 1 Software Assets... 1 Information Assets... 1 Policies and management... 2 Asset Life Cycle... 2 Asset

More information