CISOs Share Advice on Managing Both Information Security & Risk
- Tobias Gaines
Learn how CISOs from top companies are tackling their new dual role of information security and risk management.

WISEGATE COMMUNITY VIEWPOINTS
Introduction

The role of chief information security officers (CISOs) is expanding and their influence in organizations is increasing, but so are their challenges and responsibilities. The CISO's role is shifting from a focus on information security programs to a holistic risk management approach: from fire-fighting security breaches to anticipating fires before they start. Leaders of forward-thinking organizations understand the need for more pervasive risk awareness and are far more focused on enterprise-wide education, collaboration, and communications. These organizations are likely to employ CISOs who can take systemic approaches to security issues that span legal, business operations, finance, and human resources.

In a recent Wisegate roundtable discussion, CISOs across industries confirmed their shifting role and offered a number of major takeaways for CISOs and other IT security professionals grappling with increasing responsibility.

» CISOs are being asked to take responsibility for risk management and privacy policy in addition to information security, presenting numerous challenges. With dual responsibility come dual reporting requirements; CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer.

» However, there is a tension between risk management, which involves balancing risk against resources, and implementing an information security program, which focuses on securing information. There is also a tension between the need to identify the risks an enterprise confronts and the legal department's interest in limiting written records that could be used against the company if a breach occurs. CISOs will need to deal with these tensions, as well as others, in order to carry out their increased responsibilities successfully.

» As CISOs assume responsibility for risk management, some useful risk assessment methodologies include OCTAVE Allegro, as well as the NIST and ISO risk management standards.
Some useful risk management tools cited by Wisegate members include HP OpenPages, RSA Archer, Rsam, Oracle's GRC product, Modulo, LockPath, and Third Defense, as well as less comprehensive tools such as Excel and SharePoint.
Expanding Responsibilities

The Wisegate members agree that CISOs are increasingly asked to provide input on, and even be responsible for, risk management in addition to information security. According to a poll conducted by Wisegate, close to 100% of participants said they have combined responsibilities. Executive leaders are asking CISOs to be strategic thinkers as well as IT administrators. Future CISOs will need to understand and influence business risk decisions and be involved with everything from developing privacy policies to preparing disaster recovery plans. As one Wisegate member commented:

"I'm responsible for global information security and, recently, my responsibilities were expanded to include risk management and disaster recovery. While I've managed both of those functions in the past, I have to say it's been about five years since I have been responsible for either one of those roles. So, I'm just kind of getting back into the nuances of risk management and disaster recovery in addition to information security."

The dual responsibility often comes with new organizational reporting requirements and new challenges. CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer. As one member notes, he reports to both the chief information officer (CIO) and the chief risk officer at his organization:

"My CISO role has really expanded. Actually, I'm a direct report to the CIO and the chief risk officer, and I predicted about two years ago that eventually I would end up reporting fully just to the chief risk officer because of the responsibilities that my organization has given me. That hasn't happened yet, but it certainly is moving that way. I'm getting less and less into the security architecture and engineering, and more into the privacy compliance framework. I have records management. I head business continuity planning and disaster recovery."
And another Wisegate member stated:

"We built a global privacy program during 2011 and we handed it off to our compliance group. And I'm starting to see some interesting reporting recommendations popping up as well. The chief compliance officer and the CEO for our bank unit have both expressed some indication that maybe reporting to the CIO isn't where I should be. So, I expect some movement there as well."
As part of this shift in CISO responsibilities, organizations are spending more on risk management. A recent Wisegate poll asked members: "Can you please comment on whether you see spending on security/risk management initiatives trending in parallel to your overall IT spend, or is there more/less focus on funding security/risk management initiatives when compared to overall IT spend?" While 60% of Wisegate members said they expected no change, a full 40% said they expected increased spending on security/risk management, with no members expecting a decline in spending on security/risk management.

When asked what is driving the move to a risk-based approach, Wisegate members cited compliance requirements as the primary driver.

[Poll chart: What are the top two drivers for your information security/risk management program?]

Even though compliance is the top driver, CISOs acknowledged that it's just a starting point. One CISO commented:

"Having patient information, HIPAA and HITECH are daily conversations around here. But having management understand the value of going beyond these compliance requirements to reduce our overall operations risk was invaluable to the continued support of our security office."
Growing Tensions

As noted by a number of Wisegate members, there is a tension between risk management, which involves balancing risks against resources, and implementing an information security program, which focuses on securing the information.

"My risk team is very focused on risk, but they are frequently on the side of the business. So, while they look at the risk information, they're also looking at likelihood of exposure, using risk calculations to determine whether or not the loss of particular pieces of information would be substantial to the organization, whereas my security team very obviously focuses on the need to keep things as locked down as possible, and any risk or any acceptance of the risks to information could lead to Armageddon."

Some members have resolved the tension by integrating the two functions and training the information security team to think in terms of risk. One CISO observed:

"We have to apply risk assessment to everything else that's going on that the business is trying to do. I think you have to evolve all your people to understand risk management philosophy and help them understand the trade-off here."

Another noted:

"We decided back in 2007 to completely scrap our existing information security program, really took almost nothing forward that existed at that time. We've thrown it all out, and we rebuilt the program based around the concepts of our risk management program. There are not two teams; today's information security professional also has to be a risk management professional. The program we built under security risk management has now become the framework we're using for enterprise risk management. So, if anything, we ended up creating a grassroots campaign in the company towards enterprise risk management using security as the model to lead the way."

There is also a tension between the need to identify all the risks an enterprise confronts and the legal department's concern that a written record of those risks could be used against the company if something happens, such as a breach.
One CISO described how his legal team was uneasy about the risk register he was using to assess and manage risk. The legal department's concern was that, in a legal proceeding, the opposing side could obtain the risk register and use it against the company.
Other members stressed that risk assessments have to be performed, so the key is to keep the legal team informed but not let them dictate risk assessment processes and procedures.

"We all know as information security people that in order to do our jobs effectively, we can't be copying our attorneys on every communication. We need the freedom to operate within all the different departments of our organizations where data may be moving. I make sure that the legal teams have an appreciation for what it takes for an information security officer to be effective and that they have the option to work with us and to guide us on what types of things need to be covered, what types of things need to be kept out of electronic documentation, and that there's a partnership between risk management and legal."

Risk Assessment Methodologies and Tools

As CISOs increasingly assume responsibility for risk management, they are turning to risk assessment methodologies and tools to help them meet the challenges.

[Poll chart: Which risk assessment methodologies does your organization use?]
As one Wisegate member related:

"We're using an OCTAVE Allegro methodology that uses Monte Carlo simulations to figure out the level of risk and to weed out, outline our situations, and focus on the median area of risk that gives us medium and high issues."

During the discussion, some CISOs related that they use risk registers as a way to track risks.

"Maintaining an enterprise risk register that is focused around risk to information and regularly tracking that program and making it part of the corporate scorecard has been a key initiative for me."

During the roundtable, Wisegate members identified the following governance, risk management, and compliance (GRC) tools as useful in meeting the challenges of risk management: HP OpenPages, RSA Archer, Rsam, Oracle's GRC product, Modulo, LockPath, and Third Defense.

"Our enterprise risk organization uses HP OpenPages to record our risk. Within the security space, we've deployed Archer. And we have a risk library within Archer where we've identified information risk issues and we also log and record remediation plans and progress against remediation."

GRC tools enable CISOs to create and map policies to regulations and compliance requirements, assess whether risk management controls are in place, and ease risk assessment and mitigation. These tools vary widely; one size does not fit all. The tools need to be customized to fit the needs of a particular organization, as one Wisegate member explained:

"We've been Archer users for years and years, and what I've learned about the platform is you get out what you put in. I know Archer out of the box pretty much works for nobody. We all tend to modify and write our own tool."

Not every organization has the resources to invest in a comprehensive GRC tool like Archer. Some use less expensive tools such as Excel and SharePoint, although these tools make it harder to maintain proper audit trails and can become unmanageable.
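The Monte Carlo risk estimate and the risk register described above, worked through as an added example. This is not Wisegate's or any member's code, and it is not OCTAVE Allegro's own worksheets; it is a generic quantitative treatment of a register. Each entry carries a constructed estimate of how often a loss event occurs per year and a 90% range for the loss per event; the script samples many plausible years, reports the mean annual loss (the annualized loss expectancy), the median, and the 95th percentile, and buckets each risk as low, medium or high against dollar thresholds. The risk names, frequencies, loss ranges and thresholds are all assumptions made for illustration, whatever tool (Archer, SharePoint or a spreadsheet) eventually holds the register.

```python
"""Monte Carlo annual-loss estimate over a risk register.

Added example, not code from Wisegate or any roundtable member. Every number
in REGISTER and the two thresholds are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass

# Hypothetical triage thresholds on the "bad year" (95th percentile) annual loss, in USD.
HIGH_THRESHOLD = 1_000_000
MEDIUM_THRESHOLD = 100_000


@dataclass(frozen=True)
class Risk:
    """One risk-register entry with a constructed quantitative estimate."""
    name: str
    events_per_year: float  # expected frequency of loss events (Poisson rate)
    loss_low: float         # 90% confidence interval for the loss per event, USD
    loss_high: float


def lognormal_params(low, high):
    """Turn a 90% interval [low, high] into log-normal mu and sigma.

    The endpoints sit at the 5th and 95th percentiles, i.e. at mu -/+ 1.645 sigma
    in log space, so mu is the log-midpoint and sigma the log-width over 2*1.645.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def poisson(rate, rng):
    """Knuth's inversion sampler; adequate for the small event rates used here."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(risk, years=10_000, seed=7):
    """Return the simulated total loss for each of `years` plausible years."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    annual = []
    for _ in range(years):
        events = poisson(risk.events_per_year, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def percentile(values, q):
    """Empirical q-quantile (0 <= q <= 1) of a list of numbers."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def classify(p95_loss):
    """Bucket a risk by its 95th-percentile annual loss (hypothetical thresholds)."""
    if p95_loss >= HIGH_THRESHOLD:
        return "high"
    if p95_loss >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def register_report(risks, years=10_000, seed=7):
    """Summarise each entry: mean (ALE), median, p95 and the triage level."""
    report = {}
    for risk in risks:
        annual = simulate(risk, years, seed)
        p95 = percentile(annual, 0.95)
        report[risk.name] = {
            "ale": sum(annual) / len(annual),
            "median": percentile(annual, 0.5),
            "p95": p95,
            "level": classify(p95),
        }
    return report


# Constructed register entries; the figures are illustrative, not from the roundtable.
REGISTER = [
    Risk("Phishing credential theft", events_per_year=12, loss_low=1_000, loss_high=20_000),
    Risk("Lost laptop with PHI", events_per_year=3, loss_low=5_000, loss_high=50_000),
    Risk("Ransomware outage", events_per_year=0.1, loss_low=500_000, loss_high=5_000_000),
]

if __name__ == "__main__":
    for name, row in register_report(REGISTER).items():
        print(f"{name:26s} ALE=${row['ale']:>11,.0f}  median=${row['median']:>11,.0f}"
              f"  p95=${row['p95']:>11,.0f}  {row['level']}")
```

Run it as a script to print the table. The 95th percentile is what puts the ransomware entry in the "high" bucket even though most simulated years lose nothing: one bad year costs seven figures, which is exactly what a single likelihood-times-impact score hides and what looking at the distribution shows. Replacing the constants with an organization's own estimates, and the `REGISTER` list with an export from whatever holds the register, is the customization the members describe.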
"I've built a system within SharePoint where we have registers with risk classification, data built in, reporting built in, and tags to prioritize the information. It is all of the information risk management data in the company, and it ends up plugging into a spreadsheet with enterprise risk management group users to manage their risk. So it's not very sophisticated."

One CISO describes the organization's system for triaging risk:

"We've established a triage practice, so no matter what security request comes in, no matter how it comes in (phone call, walk-by), there is an engagement process that we're actually plugged into: life cycles, systems development life cycle, and project management life cycles. We need a security team to be able to triage that so we can very quickly do a low, medium, and high risk assessment. From there we have a risk assessment process, so for medium and high triage assessments, we'll go into a deeper dive for risk assessment."

Managing the Evolution: Tips for Success

During the discussion, members offered the following insights on how they are managing their new responsibilities and promoting change within their respective organizations:

"I think we have evolved all our people to think, not 'no.' No is not the answer. It's how. How do we enable the business to do what they're trying to do in a safe manner, or as safe a manner as possible?"

"Learn how to deal with an imperfect science. It's all about time and money. All that said, the business is not omnipotent either. The business can have bad ideas. The business cannot be fully informed on an IT decision and it's our job to really fully inform them of the consequences of what they're about to do, good or bad."

"I have worked fairly hard on getting the key stakeholders that aren't always in IT to understand that they own various risks and that there's a partnership there, that they can expect me as the CISO to bring certain risks to them and that they become aware of risks consistently from me."
In Closing

From the Wisegate roundtable discussion, it is apparent that CISOs will need skills that go far beyond information security. They are being asked to take on a lot more responsibility for the security of their organization, including risk management and privacy. To be successful, CISOs will need to master C-level skills, such as communication, business, and leadership skills, in addition to their IT administration knowledge.

Wisegate is the invitation-only community where senior IT professionals meet to openly exchange knowledge and solve problems with their peers. It is Wisegate's ambitious mission to make our members' jobs less stressful and more productive by providing the forum professionals need to collaborate and share experiences with a closed community of highly qualified IT peers. By enforcing strict membership guidelines, which exclude vendors from joining, Wisegate is able to provide members with unmatched access to senior-level IT professionals and quality content. Would you like to join us? Go to wisegateit.com/request-invite/ to learn more and to submit your request for membership.

Wisegate, 300 Beardsley Lane, Suite C201, Austin, Texas. info@wisegateit.com. Wisegate. All rights reserved.
More informationCompliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
More informationHow to Define SIEM Strategy, Management and Success in the Enterprise
How to Define SIEM Strategy, Management and Success in the Enterprise Security information and event management (SIEM) projects continue to challenge enterprises. The editors at SearchSecurity.com have
More informationInternal Auditing: Assurance, Insight, and Objectivity
Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationManaging Cloud Data Security in Regulated Industries for 2016
Managing Cloud Data Security in Regulated Industries for 2016 November, 2015 Table of Contents I. Introduction: Security challenges in regulated industries...1 II. Cloud adoption rates by industries...1
More informationFundamentals of Information Governance:
Fundamentals of Information Governance: More than just records management PETER KURILECZ CRM CA IGP Hard as I try, I simply cannot make myself understand how Information Governance isn t just a different
More informationHow To Improve Your Business
IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends
More informationNETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES
NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES September, 2015 Derek E. Brink, CISSP, Vice President and Research Fellow IT Security and IT GRC Report Highlights p2 p4 p6 p7 SMBs need to adopt a strategy
More informationCloud Services Overview
Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture
More informationApplying ITIL v3 Best Practices
white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version
More informationCloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security
Russ Dietz Vice President & Chief Technology Officer Cloud Computing: A Question of Trust Maintaining Control and Compliance with Data-centric Information Security By Russ Dietz Vice President & Chief
More informationComputer Forensics for Business Leaders: Building Robust Policies and Processes Transcript
Computer Forensics for Business Leaders: Building Robust Policies and Processes Transcript Part 1: Why Policy Is Key Stephanie Losi: Welcome to CERT's podcast series: Security for Business Leaders. The
More informationRSA SECURITY MANAGEMENT. An Integrated approach to risk, operations and incident management. Solution Brief
RSA SECURITY MANAGEMENT An Integrated approach to risk, operations and incident management Solution Brief THE PROBLEM WITH TACTICAL SECURITY MANAGEMENT What are your organization s most pressing IT security
More informationFIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationEnabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013
Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities
More informationWhat can HITRUST do for me?
What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction
More informationCloud Security Trust Cisco to Protect Your Data
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
More informationBig Data Industry Approaches to Operational Excellence
Big Data Industry Approaches to Operational Excellence The Value of Big Data in the Power and Utilities Industry Overview Evolving systems and infrastructure to meet the needs of 21 st century demands
More informationSpecial report Healthcare
Special report Healthcare Customer-Centric Healthcare: Best Practices for CIOs and CISOs Changing healthcare regulations, and the increasing number of security breaches, have healthcare technology leaders
More informationInformation Governance, Risk, Compliance
Information Governance, Risk, Compliance April White Paper By Galaxy Consulting A At Your Service Today Tomorrow We Appreciate The Privilege Of Serving You! Abstract May 2014 Information is the lifeblood
More informationMulti-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?]
Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Joe St Sauver, Ph.D. (joe@internet2.edu) Internet2 Global Summit, Denver Colorado
More informationAuditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP
Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements
More informationProtecting Official Records as Evidence in the Cloud Environment. Anne Thurston
Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after
More informationSecurity Threat Risk Assessment: the final key piece of the PIA puzzle
Security Threat Risk Assessment: the final key piece of the PIA puzzle Curtis Kore, Information Security Analyst Angela Swan, Director, Information Security Agenda Introduction Current issues The value
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationCybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response
Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary
More informationSRM Security Resource Management
SRM Security Resource Management A Framework to Support Communications and Boost IT Security - Ken Leeser, President, Kaliber Data Security Copyright Kaliber 2013 trite 2 trite: adjective lacking in freshness
More informationWelcome to Modulo Risk Manager Next Generation. Solutions for GRC
Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS
More informationHIPAA Security & Compliance
Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationHealthcare and IT Working Together. 2013 KY HFMA Spring Institute
Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,
More information