Cyber Security and the Board of Directors

Size: px
Start display at page:

Download "Cyber Security and the Board of Directors"

Transcription

1 Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services

2 About Delta Risk is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization s approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today s cyber environment by building on the people, processes, and technology they already have All rights reserved.

3 Cyber security belongs as an agenda item in every boardroom. A spate of high profile, high impact cyber breaches at some of the largest financial institutions in the United States has focused attention on something that cyber security professionals have long taken as an article of faith: that boards of directors need to take an active role in the management of cyber risk. Yet there are several factors that tend to prevent effective engagement in cyber security risk at the board level. These factors define the challenge that banks and other financial institutions can no longer ignore: Financial services leaders rarely have an independent understanding of cyber security. Board members do not have to be cyber experts, but they do need an understanding of the issues at the leadership level. The newness of the field, its still-arcane nature, and the complexity of the issues it presents make cyber expertise unusual among those likely to serve as financial services board members. Cyber security risks do not fit well in financial services risk management frameworks and approaches. Different from other types of risk, particularly in its dynamism, its potential impact, and how it is managed, cyber security risk is often the red-headed stepchild of the risk management world. Integrating cyber risk is a problem at both the theoretical and practical levels, and it presents a challenge in financial services where risk management is so central to operations. Cyber security is frequently seen as a technology problem for the IT department to solve. Although there is a strong technology component to cyber security, the management of cyber risks is much larger. For banks, as information organizations, information security intersects with every part of the business. It has policy, legal, compliance, human resources, customer relationship management, public relations, and many other components, to say nothing of its potential to directly affect the brand and the bottom line. There is a communications gap between business leaders and cyber security practitioners. While the business leadership is frequently not well versed in cyber security, cyber security professionals often do not have a sufficient understanding of the priorities and decision models of the organization s business leaders. And they generally do not speak the language of business leaders. This communications gap works against the effective management of cyber security. Page 1

4 What To Do Although the proper degree of board involvement in cyber issues depends on many factors, there are four key areas that boards should focus on: Ensuring that board members themselves receive cyber security training that is appropriate to their level and role. Incorporating cyber security into the organization s Statement of Risk Appetite. Driving the implementation of a cyber risk management program that integrates with the institution s broader enterprise management of all risks, such as financial risk (e.g., market, liquidity, credit), compliance risk, and other operational risks (e.g., fraud, litigation, reporting, safety, physical security). Fostering a cyber security culture throughout the institution. Well known to boards of directors in financial services is the fact that regulatory requirements are increasingly putting cyber security and privacy from governance through operations on the board agenda. 1 Beyond regulatory compliance, however, cyber security and privacy are business needs in their own right and demand attention. Board-appropriate Training As with other risks, the management of cyber security risk is best driven from the top. To do this effectively board members must have a leadership-level understanding of the cyber landscape, at least as it directly affects their business and their industry. This leadership-level understanding will allow the gut feel faculty of senior business leaders to come into play to sense risk and to know the questions with which to challenge management. What sort of training would give board members the understanding they uniquely need? Key topics for board members to be conversant with include: the interplay of compliance with security; the relationship between cyber security and privacy; the evolving legal and regulatory landscape; the management of cyber risks; cyber incident response; and the big picture of cyber security at the policy and political levels both domestically and internationally. A seminar format that explores these topics is often best because it fosters dialog, though other approaches may be more fitting in individual cases. Statement of Risk Appetite The Statement of Risk Appetite, defined and required for banks by the Basel II accords, has been widely adopted throughout the financial services sector. The Statement is a key channel for the board of directors to communicate the organization s risk boundaries and the rationale behind them. Despite the broad embrace of the Statement of Risk Appetite, these statements typically are silent on cyber risks. This is a missed opportunity. Articulating the organization's stance on cyber security risks in a formal statement at the board level is a key step in making the management of cyber risks integral to the 1 The Gramm-Leach-Bliley Act, for example, requires the protection of customer financial data, and these requirements are further specified in implementing regulations. Other regulations in the financial sector seek to address system testing requirements, business continuity and recovery planning, and the cyber risks that have potential systemic impact. Overall, cyber security as an operational risk has become a specific focus of the financial oversight agencies. Page 2

5 organization s operations, and it can also provide the context for ongoing dialog with senior management. Crafting the language of the cyber portion of the Statement is a tricky but healthy undertaking because it focuses the board on crystallizing the topics that matter most. A cyber-inclusive Statement of Risk Appetite should be concise yet specific and should: Articulate the business value of information. The Statement should broadly identify the information that is most valuable to the organization based on business considerations, legal and compliance requirements, the financial impact of denial, disclosure, loss, or other exploitation of that information, and other factors. Establish priorities on protecting information and information resources. Corollary to identifying the information with the most business value is clarifying expectations on how it is to be protected. Broad statements can be applied here, such as This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight. The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., on-line banking is available to our customers 99.9% of time throughout the year. ) or other business services may be appropriate. This statement of priorities would ride above policies that the organization may (and should) establish for the classification and categorization of information within the enterprise. Set performance expectations for cyber security. Another consideration, depending on the structure of the Statement, is to use it as a mechanism for the board to clearly communicate its core expectations for the performance of the organization s senior executives on matters of cyber security and privacy. For example, it might state that management is expected to develop and implement a comprehensive organization-wide cyber security risk management program that systematically addresses cyber risks from policy through operations within the Risk Appetite Framework 2 [or other broad risk management framework depending on the organization]. Establishing such expectations is foundational to the board s oversight role with respect to the cyber security program and the management of cyber risks. Communicate expectations about cyber metrics. The board should also direct the establishment and reporting of metrics. Cyber security-specific key performance indicators (KPIs) and key risk indicators (KRIs) can give the board a fact-based sense of the cyber risk posture and inform its decision-making process. By including cyber in the Statement of Risk Appetite, the board sends a clear message that cyber security and privacy risks are on the same footing as other operational risk exposures. 2 The multi-national Financial Stability Board defines Risk Appetite Framework as: The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the financial institution, as well as to the institution s reputation vis-à-vis policyholders, depositors, investors and customers. The RAF aligns with the institution s strategy. (FSB, Principles for an Effective Risk Appetite Framework, November 2013). Page 3

6 Integrate Cyber Risk Management As an operational risk (which are those risks arising from failed internal processes, people, or systems, or from external events) cyber security has much in common with the other types of risk in this category such as physical security, fraud, and safety. The board should expect the organization s executive leadership to integrate cyber security risk management with other operational risks as well as with the other risk domains important to financial services such as credit, market, and liquidity. The value of such integration is easy to see though difficult to realize due to many factors including the fact that cyber risks are difficult to measure. And though financial institutions are at the forefront of risk data aggregation, it still remains a challenge. Two keys to integrating cyber risk with the other risk domains are: Example Cyber Risk and Performance Indicators Lagging (KPIs) Status of security controls Current policy deviations (e.g., ports and protocols, access controls, devices, passwords, etc) Vulnerability scanning results Risk assessment results Root Cause Analysis results Project schedule variances Disaster Recovery test results Malware event rate Mean-Time-to-Discovery of malicious attacks Indicators of compromise Leading (KRIs) New classes of threats Data on current attacks on vendors, trading partners, and other industry players Analysis of statesponsored hacker capabilities Evidence of ongoing surveillance of the enterprise network Analysis of social network data associated with known hackers or hacker personas. Developing cyber-related metrics that can be included in the risk aggregation data model. Looking forward, the ability to automate the collection of these metrics will be increasingly important. Incorporating cyber security into scenario-driven stress testing and other self-assessments, which due to regulatory mandates and other influences are increasingly becoming part of risk management frameworks. Together these factors can provide a basis for quantifying the business impact of cyber risks. Sources of the cyber security risk message include the following four categories of information: Top risk exposures and how they relate to the Statement of Risk Appetite (possibly in graphical, quantitative, or dashboard formats). Potential future exposures (probably in narrative form) based on strategic threat intelligence analysis. Key Risk Indicators (KRIs) metrics that provide an early warning of increasing risk exposures. Well designed KRIs are leading indicators of risk. Predictive threat intelligence analysis is the most likely source of KRIs. They could also be derived from analysis of other risks that may intersect with cyber security and privacy. For example, the cyber security risk posture of outsourcing providers, other partner companies and vendors, and acquisition targets can present future risks as these entities get connected to the enterprise network. Risk Management Key Performance Indicators (KPIs). KPIs are usually lagging indicators of whatever process they measure. The KPI idea can be applied to cyber security risk management by developing cyber-related status metrics that are appropriate at the board level. See inset box. Page 4

7 Cyber security risk also needs to be communicated horizontally across business units and functions, as well as within the cyber security domain itself. This will enable process links that are important because true integration demands that risk information be embedded into the workflow that drives the operation. Foster a Culture of Cyber Security A culture of cyber security advances a risk management mindset throughout the organization, from front office to back office, and across the business units and all functional areas from human resources to marketing. However, a board cannot normally create a culture, at least not quickly. Comprised as it is of the authentic viewpoints, values, behaviors, and legacy of the people in the organization, culture has to be nurtured. What does a culture of cyber security look like? Observables include the degree of awareness and attention paid to cyber security in the day-to-day work routine: Everyone working in the organization (employees, consultants, contract workers, third-party vendors) should be aware that cyber security presents risks and should also know what specific behaviors are called for. All employees (including the executives) should have a high sensitivity to phishing and other social engineering methods because the unwitting can quite easily become an inside agent for a serious threat actor. Similarly, all employees should be aware of the security risks associated with their private online activities, such as indiscreet use of social media, use of public clouds for proprietary information, and mixing company data with private data on mobile devices. Most organizations address these concerns in security policies and acceptable use policies, and enforce them through technical and management controls, but the vigilance of users is fundamental. Cyber security and privacy should be priorities in all parts of the business, for all of the organization s people, and in all its processes. Regular cyber threat and risk awareness training should be delivered to all employees, and management should ensure that it the training is effective through spot-check inspections. Incident response procedures should be exercised regularly and employees should know what to report and how to report it. Third parties working for the organization or providing products and services should be required to agree to conform to the organization s security- and privacy-related policies and procedures. All leaders, including (and especially) those whose primary roles are not in cyber security should visibly take ownership of cyber security. Paying attention to cyber security in the daily workflow should be a "front of mind" issue for everyone in the organization, including the leaders. There is clearly great business value in having a strong cyber security culture, one in which cyber security is taught and practiced and enters into decision-making. The board can foster this culture by keeping the issue visible and expecting the active involvement of senior executives to drive cyber security as a priority. Key Take-Aways Cyber security and privacy are of critical importance to all financial services institutions. Despite highly visible cyber security incidents, such as widespread denial of service attacks and data breaches affecting nonpublic personal information, the potential outcome of inadequate attention to cyber security is often not truly appreciated until it is experienced. Four key activities should be priorities for boards of directors: Page 5

8 Providing for cyber security training specifically for board members Incorporating cyber security into the Statement of Risk Appetite Integrating cyber security with enterprise risk management Establishing a culture of cyber security throughout the organization. Delta Risk can help If your organization is challenged with establishing a board-level approach to cyber security, Delta Risk may be able to help. With our independent and objective focus on cyber strategy, policy, and operations, we can help you think through the ideas presented in this Viewpoint as they apply to your organization, understand and prioritize your cyber security challenges, and devise and implement tailored approaches to address them. Page 6

9 Contact Information To discuss these ideas please contact us at Delta Risk offices: San Antonio, Texas 106 St. Mary's Street, Suite 428 San Antonio, TX Washington, DC 4600 N Fairfax Dr., Suite 906 Arlington, VA

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

What Directors need to know about Cybersecurity?

What Directors need to know about Cybersecurity? What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,

More information

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000 Issue Chair: Issue Sherpa: Dick Brown CEO EDS Corporation Bill Poulos EDS Corporation Tel: (202) 637-6708

More information

Cybersecurity. Are you prepared?

Cybersecurity. Are you prepared? Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

The Elephant in the ORM Room Cyber Security and Operational Risk Management in Financial Services

The Elephant in the ORM Room Cyber Security and Operational Risk Management in Financial Services Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT The Elephant in the ORM Room Cyber Security and Operational Risk Management in Financial Services About Delta Risk

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Principles for An. Effective Risk Appetite Framework

Principles for An. Effective Risk Appetite Framework Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective

More information

Information Technology

Information Technology Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

The Path Ahead for Security Leaders

The Path Ahead for Security Leaders The Path Ahead for Security Leaders Executive Summary What You Will Learn If you asked security leaders five years ago what their primary focus was, you would likely get a resounding: securing our operations.

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

The transformation of IT Risk Management. kpmg.com

The transformation of IT Risk Management. kpmg.com The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk Industrial Cyber Security Risk Manager Proactively Monitor, Measure and Manage Cyber Security Risk With Today s Cyber Threats, How Secure is Your Control System? Today, industrial organizations are faced

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

Educa&onal Event Spring 2015. Cyber Security - Implications for Records Managers Art Ehuan

Educa&onal Event Spring 2015. Cyber Security - Implications for Records Managers Art Ehuan Educa&onal Event Spring 2015 Cyber Security - Implications for Records Managers Art Ehuan Risk to Corporate Information The protection of mission dependent intellectual property, or proprietary data critical

More information

Cyber security: everybody s imperative. A guide for the C-suite and boards on guarding against cyber risks

Cyber security: everybody s imperative. A guide for the C-suite and boards on guarding against cyber risks Cyber security: everybody s imperative A guide for the C-suite and boards on guarding against cyber risks Secure Enhance risk-prioritized controls to protect against known and emerging threats, and comply

More information

Internal audit value optimization for insurance organizations

Internal audit value optimization for insurance organizations Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity Cyber threat intelligence and the lessons from law enforcement kpmg.com/cybersecurity Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many

More information

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015 Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are

More information

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions

More information

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,

More information

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with

More information

Law Firms and Cyber Security

Law Firms and Cyber Security Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Law Firms and Cyber Security A hacker s dream and a lawyer s nightmare About Delta Risk is a global provider of strategic

More information

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com

Data Governance. Unlocking Value and Controlling Risk. Data Governance. www.mindyourprivacy.com Data Governance Unlocking Value and Controlling Risk 1 White Paper Data Governance Table of contents Introduction... 3 Data Governance Program Goals in light of Privacy... 4 Data Governance Program Pillars...

More information

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information

RETHINKING CYBER SECURITY Changing the Business Conversation

RETHINKING CYBER SECURITY Changing the Business Conversation RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.

More information

Cybersecurity Awareness for Executives

Cybersecurity Awareness for Executives SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy

More information

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015 Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from

More information

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat

More information

Obtaining Enterprise Cybersituational

Obtaining Enterprise Cybersituational SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational

More information

12/11/15. Evolving Cybersecurity Risks. Agenda. The current cyber risk landscape Overview. Results on EY s Global Information Security Survey

12/11/15. Evolving Cybersecurity Risks. Agenda. The current cyber risk landscape Overview. Results on EY s Global Information Security Survey Evolving Cybersecurity Risks Results on EY s Global Information Security Survey Agenda Market insights: What are we seeing? Factoring cybersecurity into your planning and risk appetite Marketplace response

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Remarks by. Thomas J. Curry Comptroller of the Currency. At the. Bank Information Technology Training Conference. Atlanta.

Remarks by. Thomas J. Curry Comptroller of the Currency. At the. Bank Information Technology Training Conference. Atlanta. Remarks by Thomas J. Curry Comptroller of the Currency At the Bank Information Technology Training Conference Atlanta October 2, 2012 Good morning everyone. Thank you, Carolyn, for your gracious introduction,

More information

Integrated Risk Management. Balancing Risk and Budget

Integrated Risk Management. Balancing Risk and Budget Integrated Risk Management The Current Risk Landscape Organizations which depend upon information systems are challenged by serious threats that can exploit both known and unknown vulnerabilities in systems.

More information

Getting real about cyber threats: where are you headed?

Getting real about cyber threats: where are you headed? Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today s cyber threats will be in the best position to defeat them June 2011 At a

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS

More information

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012 Enterprise Risk Management in a Highly Uncertain World A Presentation to the Government-University- Industry Research Roundtable June 20, 2012 CRO Council Introduction Mission The North American CRO Council

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR 29 2013 Sempra Energy s gas and electric utilities collaborate with industry leaders and a wide range of

More information

Insurance and Cyber Security Risk

Insurance and Cyber Security Risk Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Insurance and Cyber Security Risk Bringing cyber security under the umbrella About Delta Risk is a global provider

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Intelligence Driven Security

Intelligence Driven Security Intelligence Driven Security RSA Advanced Cyber Defense Workshop Shane Harsch Senior Solutions Principal, RSA 1 Agenda Approach & Activities Operations Intelligence Infrastructure Reporting & Top Findings

More information

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,

More information

Effective risk management

Effective risk management Effective risk management Our holistic and disciplined risk management program is designed to mitigate risks at all levels of our business in order to protect our clients interests. 2 Vanguard > Effective

More information

Cyber and Data Risk What Keeps You Up at Night?

Cyber and Data Risk What Keeps You Up at Night? Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

Defining the Gap: The Cybersecurity Governance Study

Defining the Gap: The Cybersecurity Governance Study Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Strategic Plan On-Demand Services April 2, 2015

Strategic Plan On-Demand Services April 2, 2015 Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on

More information

Fostering Incident Response and Digital Forensics Research

Fostering Incident Response and Digital Forensics Research Fostering Incident Response and Digital Forensics Research Bruce J. Nikkel bruce.nikkel@ubs.com September 8, 2014 Abstract This article highlights different incident response topics with a focus on digital

More information

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges Accenture Intelligent Security for the Digital Enterprise Archer s important role in solving today's pressing security challenges The opportunity to improve cyber security has never been greater 229 2,287

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action

Where insights lead Cybersecurity and the role of internal audit: An urgent call to action Where insights lead Cybersecurity and the role of internal audit: An urgent call to action The threat from cyberattacks is significant and continuously evolving. One estimate suggests that cybercrime could

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

State Governments at Risk: The Data Breach Reality

State Governments at Risk: The Data Breach Reality State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

IBM Security Intelligence Strategy

IBM Security Intelligence Strategy IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational

More information

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES How can you better prepare and respond to cyber risks? ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Managing the Ongoing Challenge of Insider Threats

Managing the Ongoing Challenge of Insider Threats CYBERSECURITY IN THE FEDERAL GOVERNMENT Managing the Ongoing Challenge of Insider Threats A WHITE PAPER PRESENTED BY: May 2015 PREPARED BY MARKET CONNECTIONS, INC. 11350 RANDOM HILLS ROAD, SUITE 800 FAIRFAX,

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Cybersecurity: A View from the Boardroom

Cybersecurity: A View from the Boardroom An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

White Paper An Enterprise Security Program and Architecture to Support Business Drivers White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Combating a new generation of cybercriminal with in-depth security monitoring

Combating a new generation of cybercriminal with in-depth security monitoring Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.

More information

Current IBAT Endorsed Services

Current IBAT Endorsed Services Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network

More information

RSA, The Security Division of EMC. Zamanta Anguiano Sales Manager RSA

RSA, The Security Division of EMC. Zamanta Anguiano Sales Manager RSA RSA, The Security Division of EMC Zamanta Anguiano Sales Manager RSA The Age of the Hyperextended Enterprise BUSINESS ISSUES IMPACT Innovation Collaboration Exploding Information Supply Chain Customer

More information

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg. Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1

More information