CISOs Share Advice on Managing Both Information Security & Risk


Learn how CISOs from top companies are tackling their new dual role of information security & risk management

WISEGATE COMMUNITY VIEWPOINTS

Introduction

The role of chief information security officers (CISOs) is expanding and their influence in organizations is increasing, but so are their challenges and responsibilities. The CISO's role is shifting from a focus on information security programs to a holistic risk management approach: from fire-fighting security breaches to anticipating fires before they start. Leaders of forward-thinking organizations understand the need for more pervasive risk awareness and are far more focused on enterprise-wide education, collaboration, and communications. These organizations are likely to employ CISOs who can take systemic approaches to security issues that span legal, business operations, finance, and human resources.

In a recent Wisegate roundtable discussion, CISOs across industries confirmed their shifting role and offered a number of major takeaways for CISOs and other IT security professionals grappling with increasing responsibility.

» CISOs are being asked to take responsibility for risk management and privacy policy in addition to information security, presenting numerous challenges. With dual responsibility comes dual reporting requirements; CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer.

» However, there is a tension between risk management, which involves balancing risk with resources, and implementing an information security program, which focuses on securing information. There is also a tension between the need to identify risks an enterprise confronts and the legal requirement to have plausible deniability if a breach occurs. CISOs will need to deal with these tensions, as well as others, in order to carry out their increased responsibilities successfully.

» As CISOs assume responsibility for risk management, some useful risk assessment methodologies include OCTAVE Allegro, as well as NIST and ISO standards. Some useful risk management tools cited by Wisegate members include HP OpenPages, Archer, Rsam, Oracle's GRC product, Modulo, LockPath, and Third Defense, as well as less comprehensive tools such as Excel and SharePoint.

Expanding Responsibilities

The Wisegate members agree that CISOs are increasingly asked to provide input on, and even be responsible for, risk management in addition to information security. According to a poll conducted by Wisegate, close to 100% of participants said they have combined responsibilities. Executive leaders are asking CISOs to be strategic thinkers as well as IT administrators. Future CISOs will need to understand and influence business risk decisions and be involved with everything from developing privacy policies to preparing disaster recovery plans. As one Wisegate member commented:

"I'm responsible for global information security and, recently, my responsibilities were expanded to include risk management and disaster recovery. While I've managed both of those functions in the past, I have to say it's been about five years since I have been responsible for either one of those roles. So, I'm just kind of getting back into the nuances of risk management and disaster recovery in addition to information security."

The dual responsibility often comes with new organizational reporting requirements and new challenges. CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer. As one member notes, he reports to both the chief information officer (CIO) and chief risk officer at his organization:

"My CISO role has really expanded. Actually, I'm a direct report to the CIO and the chief risk officer, and I predicted about two years ago that eventually I would end up fully reporting just to the chief risk officer because of the responsibilities that my organization has given me. That hasn't happened yet, but it certainly is moving that way. I'm getting less and less into the security architecture and engineering, and more into the privacy compliance framework. I have records management. I head business continuity planning and disaster recovery."

And another Wisegate member stated:

"We built a global privacy program during 2011 and we handed it off to our compliance group. And I'm starting to see some interesting reporting recommendations popping up as well. The chief compliance officer and the CEO for our bank unit have both expressed some indication that maybe reporting to the CIO isn't where I should be. So, I expect some movement there as well."

As part of this shift in CISO responsibilities, organizations are spending more on risk management. A recent Wisegate poll asked members: "Can you please comment on whether you see spending on security/risk management initiatives trending in parallel to your overall IT spend, or is there more/less focus on funding security/risk management initiatives when compared to overall IT spend?" While 60% of Wisegate members said they expected no change, a full 40% said they expected increased spending on security/risk management, with no members expecting a decline in spending on security/risk management.

When asked what is driving a move to a risk-based approach, Wisegate members cited compliance requirements as the primary driver.

[Poll chart: What are the top two drivers for your information security/risk management program?]

Even though compliance is the top driver, CISOs acknowledged that it's just a starting point. One CISO commented:

"Having patient information, HIPAA and HITECH are daily conversations around here. But having management understand the value of going beyond these compliance requirements to reduce our overall operations risk was invaluable to the continued support of our security office."

Growing Tensions

As noted by a number of Wisegate members, there is a tension between risk management, which involves balancing risks with resources, and implementing an information security program, which focuses on securing the information.

"My risk team is very focused on risk, but they are frequently on the side of the business. So, while they look at the risk information, they're also looking at likelihood of exposure, using risk calculations to determine whether or not the loss of particular pieces of information would be substantial to the organization, whereas my security team very obviously focuses on the need to keep things as locked down as possible, and any risk or any acceptance of the risks to information could lead to Armageddon."

Some members have resolved the tension by integrating the two functions and training the information security team to think in terms of risk. One CISO observed:

"We have to apply risk assessment to everything else that's going on that the business is trying to do. I think you have to evolve all your people to understand risk management philosophy and help them understand the trade-off here."

Another noted:

"We decided back in 2007 to completely scrap our existing information security program; we really took almost nothing forward that existed at that time. We've thrown it all out, and we rebuilt the program based around the concepts of our risk management program. There are not two teams; today's information security professional also has to be a risk management professional. The program we built under security risk management has now become the framework we're using for enterprise risk management. So, if anything, we ended up creating a grassroots campaign in the company towards enterprise risk management using security as the model to lead the way."

There is also a tension between the need to identify all risks an enterprise confronts and the legal requirement to have plausible deniability if something happens, such as a breach. One CISO described how his legal team was concerned about the risk register he was using to assess and manage risk. The legal department was concerned that in a legal proceeding the opposing side could obtain the risk register and use it against the company.

Other members stressed that risk assessments have to be performed, so the key is to keep the legal team informed but not let them dictate risk assessment processes and procedures.

"We all know as information security people that in order to do our jobs effectively, we can't be copying our attorneys on every communication. We need the freedom to operate within all the different departments of our organizations where data may be moving. I make sure that the legal teams have an appreciation for what it takes for an information security officer to be effective and that they have the option to work with us and to guide us on what types of things need to be covered, what types of things need to be kept out of electronic documentation, and that there's a partnership between risk management and legal."

Risk Assessment Methodologies and Tools

As CISOs increasingly assume responsibility for risk management, they are turning to risk assessment methodologies and tools to help them meet the challenges.

[Poll chart: Which risk assessment methodologies does your organization use?]

As one Wisegate member related:

"We're using an OCTAVE Allegro methodology that uses Monte Carlo simulations to figure out the level of risk and to weed out, outline our situations, and focus on the median area of risk that gives us medium and high issues."

During the discussion, some CISOs related that they use risk registers as a way to track risks.

"Maintaining an enterprise risk register that is focused around risk to information and regularly tracking that program and making it part of the corporate scorecard has been a key initiative for me."

During the roundtable, Wisegate members identified the following governance, risk management, and compliance (GRC) tools as useful in meeting the challenges of risk management: HP OpenPages, RSA Archer, Rsam, Oracle's GRC product, Modulo, LockPath, and Third Defense.

"Our enterprise risk organization uses HP OpenPages to record our risk. Within the security space, we've deployed Archer. And we have a risk library within Archer where we've identified information risk issues and we also log and record remediation plans and progress against remediation."

GRC tools enable CISOs to create and map policies to regulations and compliance requirements, assess whether risk management controls are in place, and ease risk assessment and mitigation. These tools vary widely; one size does not fit all. The tools need to be customized to fit the needs of a particular organization, as one Wisegate member explained:

"We've been Archer users for years and years, and what I've learned about the platform is you get out what you put in. I know Archer out of the box pretty much works for nobody. We all tend to modify and write our own tool."

Not every organization has the resources to invest in a comprehensive GRC tool like Archer. Some use less expensive tools such as Excel and SharePoint, although these tools make it harder to maintain proper audit trails and can become unmanageable.

"I've built a system within SharePoint where we have registers with risk classification, data built in, reporting built in, and tags to prioritize the information. It is all of the information risk management data in the company, and it ends up plugging into a spreadsheet with enterprise risk management group users to manage their risk. So it's not very sophisticated."

One CISO describes the organization's system for triaging risk:

"We've established a triage practice, so no matter what security request comes in, no matter how it comes in (phone call, walk-by), there is an engagement process that we're actually plugged into: life cycles, systems due on life cycle, and project management life cycles. We need a security team to be able to triage that so we can very quickly do a low, medium, and high risk assessment. From there we have a risk assessment process, so for medium and high triage assessments, we'll go into a deeper dive for risk assessment."

Managing the Evolution: Tips for Success

During the discussion, members offered the following insights on how they are managing their new responsibilities and promoting change within their respective organizations:

» "I think we have evolved all our people to think, not no. No is not the answer. It's how. How do we enable the business to do what they're trying to do in a safe manner, or in as safe a manner as possible?"

» "Learn how to deal with an imperfect science. It's all about time and money. All that said, the business is not omnipotent either. The business can have bad ideas. The business cannot be fully informed with an IT decision and it's our job to really fully inform them of the consequences of what they're about to do, good or bad."

» "I have worked fairly hard on getting the key stakeholders that aren't always in IT to understand that they own various risks and that there's a partnership there, that they can expect me as the CISO to bring certain risks to them and that they become aware of risks consistently from me."

In Closing

From the Wisegate roundtable discussion, it is apparent that CISOs will need skills that go far beyond information security. They are being asked to take on a lot more responsibility for the security of their organization, including risk management and privacy. To be successful, CISOs will need to master C-level skills, such as communication, business, and leadership skills, in addition to their IT administration knowledge.

Wisegate is the invitation-only community where senior IT professionals meet to openly exchange knowledge and solve problems with their peers. It is Wisegate's ambitious mission to make our members' jobs less stressful and more productive by providing the forum professionals need to collaborate and share experiences with a closed community of highly qualified IT peers. By enforcing strict membership guidelines, which exclude vendors from joining, Wisegate is able to provide members with unmatched access to senior-level IT professionals and quality content. Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

300 Beardsley Lane, Suite C201, Austin, Texas. Wisegate. All rights reserved.


More information

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

compliance through Integrated solutions for effective compliance management Solution Brief

compliance through Integrated solutions for effective compliance management Solution Brief compliance through RSA SECURITY MANAGEMENT Integrated solutions for effective compliance management Solution Brief WHEN WILL COMPLIANCE GET EASIER? The increasingly complex and stringent compliance environment

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013 Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities

More information

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR PwC April 4, 2013 Agenda The challenge IT Governance defined IT Governance components Next steps Questions THE CHALLENGE The

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

Key Components of a Risk-Based Security Plan

Key Components of a Risk-Based Security Plan Key Components of a Risk-Based Security Plan How to Create a Plan That Works Authors: Vivek Chudgar Principal Consultant Foundstone Professional Services Jason Bevis Director Foundstone Professional Services

More information

Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?]

Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Joe St Sauver, Ph.D. (joe@internet2.edu) Internet2 Global Summit, Denver Colorado

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

New InfoSec Leader The First 90 Days. John Bruce CEO

New InfoSec Leader The First 90 Days. John Bruce CEO New InfoSec Leader The First 90 Days John Bruce CEO Agenda Introduction Co3 Systems Role of the CISO Three critical changes Suggestions Page 2 of 39 The next challenge in security PRODUCTS PREVENTION DETECTION

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on

More information

REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS

REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS IT GOVERNANCE SUMMIT OCTOBER, 2015 REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE, EDRP, ISO 27001 Lead Auditor, COBIT5.

More information

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

July 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67

More information

Achieving Security through Compliance

Achieving Security through Compliance Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

Information Security Office. Server Vulnerability Management Standards

Information Security Office. Server Vulnerability Management Standards Information Security Office Server Vulnerability Management Standards Revision History Revision Revised By Summary of Revisions Section(s) / Date Page(s) Revised 6/1/2013 S. Gucwa Initial Release All Approvals

More information

How to Define SIEM Strategy, Management and Success in the Enterprise

How to Define SIEM Strategy, Management and Success in the Enterprise How to Define SIEM Strategy, Management and Success in the Enterprise Security information and event management (SIEM) projects continue to challenge enterprises. The editors at SearchSecurity.com have

More information

Module 6 Essentials of Enterprise Architecture Tools

Module 6 Essentials of Enterprise Architecture Tools Process-Centric Service-Oriented Module 6 Essentials of Enterprise Architecture Tools Capability-Driven Understand the need and necessity for a EA Tool IASA Global - India Chapter Webinar by Vinu Jade

More information

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

What Is A Security Program? How Do I Build A Successful Program?

What Is A Security Program? How Do I Build A Successful Program? What Is A Security Program? How Do I Build A Successful Program? White Paper A Security Program is like building a house, the standards provide you with a list of parts needed to build the house and a

More information

Fundamentals of Information Governance:

Fundamentals of Information Governance: Fundamentals of Information Governance: More than just records management PETER KURILECZ CRM CA IGP Hard as I try, I simply cannot make myself understand how Information Governance isn t just a different

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Managing Cloud Data Security in Regulated Industries for 2016

Managing Cloud Data Security in Regulated Industries for 2016 Managing Cloud Data Security in Regulated Industries for 2016 November, 2015 Table of Contents I. Introduction: Security challenges in regulated industries...1 II. Cloud adoption rates by industries...1

More information

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Whitepaper: 7 Steps to Developing a Cloud Security Plan Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for

More information

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity Cyber ROI A practical approach to quantifying the financial benefits of cybersecurity Cyber Investment Challenges In 2015, global cybersecurity spending is expected to reach an all-time high of $76.9

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

Cloud Services Overview

Cloud Services Overview Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

Computer Forensics for Business Leaders: Building Robust Policies and Processes Transcript

Computer Forensics for Business Leaders: Building Robust Policies and Processes Transcript Computer Forensics for Business Leaders: Building Robust Policies and Processes Transcript Part 1: Why Policy Is Key Stephanie Losi: Welcome to CERT's podcast series: Security for Business Leaders. The

More information

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security

Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security Russ Dietz Vice President & Chief Technology Officer Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security By Russ Dietz Vice President & Chief

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

What can HITRUST do for me?

What can HITRUST do for me? What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction

More information

RSA SECURITY MANAGEMENT. An Integrated approach to risk, operations and incident management. Solution Brief

RSA SECURITY MANAGEMENT. An Integrated approach to risk, operations and incident management. Solution Brief RSA SECURITY MANAGEMENT An Integrated approach to risk, operations and incident management Solution Brief THE PROBLEM WITH TACTICAL SECURITY MANAGEMENT What are your organization s most pressing IT security

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

Changing the Enterprise Security Landscape

Changing the Enterprise Security Landscape Changing the Enterprise Security Landscape Petr Hněvkovský Presales Consultant, ArcSight EMEA HP Enterprise Security Products 2012 Hewlett-Packard Development Company, L.P. The information contained herein

More information

State of South Carolina Initial Security Assessment

State of South Carolina Initial Security Assessment State of South Carolina Initial Security Assessment Deloitte & Touche LLP Date: May 1, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is issued

More information

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first

More information