How To Do An Ismart In The Bcan Government
|
|
- Spencer O’Connor’
- 3 years ago
- Views:
Transcription
1 How to do an STRA in the BC Government Ken Prosser OCIO Information Security Branch
2 AGENDA Trust in a Connected World Security Threat & Risk Assessment Process STRAs and the system lifecycle Introduction to ismart Using ismart to manage risk Demonstrating trustworthiness
3 Trust in a Connected World
4 What is Trust? A belief that expectations will be met 4
5 Why do we need Trust? It s a connected world! 5
6 Would you do business with them? 92% 61% Business application environments with significant control weaknesses Chance they will suffer a MAJOR incident in a year Source: Information Security Forum 6
7 How do we get Trust? Prove IT! 7
8 Demonstrate Best Practice 13% The chance of suffering a major incident when controls are in 'good all round condition'. 8
9 What is Information Security? Confidentiality Integrity Availability
10 WHY MANAGE INFORMATION SECURITY? Enables business success Demonstrates due diligence Reduces # and impact of incidents 10
11 How do we manage security? Identify risk areas Determine risk mitigation Get management signoff
12 STRA Process
13 Risk Assessment Controls environment Criticality RISK FACTORS Special Circumstances Level of Threat Business Impact
14 Risk Mitigation Determine control gaps Analyze key issues Develop action plan
15 Management Signoff Present Risk Status Present Issues/Action Plan Management Risk Decision
16 So why would I do one? Required by Core Policy and Legislation Demonstrates due diligence Prepares organization for audits
17 When is an STRA required? All new information systems Any system subject to major change Every 3 years on critical systems
18 System Development Lifecycle Conceptual Design/Build Pre-Production Audit
19 Effort Required
20 What is ismart? information Security Management And Risk Tool
21 What can we do with ismart? Criticality Assessments Risk Assessments Incident Assessments
22 How to use ismart
23 ismart STRA Process 1. Define Target 2. Issue Scorecard 3. Complete scorecard 4. Identify issues and actions 5. Submit Scorecard and run reports 6. Notify Owner and get signoff
24 Defining a Target What is it? Who owns it? Who knows about it? How to evaluate it?
25 Concept of Owner Responsible for Program Has financial authority Risk decision maker
26 Basis Of Evaluation (BOE) Set of best practise controls Aligns to International standards Allows best fit for application
27 Issue the Scorecard
28 Completing the Scorecard Example scorecard
29 Section A: Information Resource Title Brief description Nature of Target Number of Users Percentage of business operations Date of Last Review Security Classification
30 Section B: Accountability Identifies Owner of resource Key contact information
31 Section C: Criticality Defines MAXIMUM harm from a loss of: Confidentiality Integrity Availability Pre-filled if Criticality Assessment done Helps define security classification
32 Section D: Vulnerability: Status of arrangements Assesses controls environment Based on FIRM (17 control areas) Defines state of compliance with BOE when completed at the detailed level.
33 Section E: Vulnerability: Special circumstances High degree of Change Geographically distributed Large in Scale Complex Immature Accessible by 3 rd parties Supports Call Centre
34 Section F: Level of threat Number of incidents in the last 12 months: Malfunctions of software or hardware Loss of services, equipment or facilities Overloads Human error Unforeseen effects of change Other undesirable acts
35 Section G: Business Impact Impact of incidents in the last 12 months: Financial loss Degraded performance Loss of management control Damaged reputation Impaired growth Any other ways
36 Section H: Strengthening controls Describes actions to improve controls Uses FIRM 17 Control areas Good tool for risk management planning
37 Section I: Completion details Identifies Primary completer Key contact information
38 Getting the most from ismart Use comments to: Document discussion and decisions Identify who is lead for answers to that section Raise questions for the team or management
39 Getting the most from ismart Use Test Field to: Document evidence that supports answer Document the testing required in next phase
40 Getting the most from ismart Use Issues Log to: Document issues that need investigation Document issues that impact the answer Document issues that need remediation
41 Getting the most from ismart Use Action Plan to: Identify a proposed action for each issue Develop a risk mitigation strategy Assign a lead for addressing the action item Track progress of resolution Get approval from Management for changes
42 Reporting to Management Typical report package for Management: Risk Scorecard Risk Status Risk Heatmap Schedule of Issues Action Plan with Signoff Compliance Checklist (if detail level done)
43 Using ismart to manage risk
44 Using ismart to manage risk ismart can help you: Identify critical systems Determine security requirements Build secure architecture Identify the cause & impact of incidents Develop remediation strategy
45 Developing a system security plan Use ismart to: Develop risk profile Document assessment history Build mitigation plans Show linkages/dependencies Support audits
46 Demonstrating Trustworthiness
47 Demonstrating Trustworthiness Proactive risk management Compliance with best practice Proven due diligence
48 Questions? Ken Prosser Information Security Branch Office of the Chief Information Office Province of BC
Critical Systems Guidelines
Architecture, Standards and Planning Branch Office of the CIO Province of BC Document Version 1.0 April 2015 Table of Contents 1.0 Document Control... 3 2.0 Introduction... 4 3.0 Roles and Responsibilities...
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationThis procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.
Privacy Breach No.: 6700 PR2 Policy Reference: 6700 Category: Information Management Department Responsible: Privacy and Records Management Current Approved Date: 2012 May 01 Objectives This procedure
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationWEB APPLICATION SECURITY ASSURANCE STANDARDS. Version 1.6
WEB APPLICATION SECURITY ASSURANCE STANDARDS Version 1.6 March 25, 2014 Table of Contents Document Control... 3 NOTES to Reviewers... 4 Introduction... 5 Conceptual Framework of the Standards... 5 1. Level
More informationHP Security Framework. Jakub Andrle
HP Security Framework Jakub Andrle Hewlett-Packard 11.place in Fortune Magazine chart In fiscal year 2007 we achieved $7bilions growth CEO HP - Mark Hurd, company residence - Palo Alto, California, USA
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationInformation Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com
Information Technology Governance Steve Crutchley CEO - Consult2Comply www.consult2comply.com What is IT Governance? Information Technology Governance, IT Governance is a subset discipline of Corporate
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationINCIDENT COMMAND SYSTEM MULTI-CASUALTY POSITION MANUAL PATIENT TRANSPORTATION GROUP SUPERVISOR ICS-MC-222-2 DECEMBER, 1989
INCIDENT COMMAND SYSTEM MULTI-CASUALTY POSITION MANUAL PATIENT TRANSPORTATION GROUP SUPERVISOR DECEMBER, 1989 Revised March, 1993 CONTENTS Page 1.1 CHECKLIST USE...1 1.2 PATIENT TRANSPORTATION GROUP SUPERVISOR'S
More informationInformation Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.
Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments
More informationIT Governance: The benefits of an Information Security Management System
IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More informationBusiness Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting
Business Continuity Trends, Requirements and Expectations in 2009 Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Overview What Is Business Continuity? The Value Proposition What
More informationNATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL SECURITY OF THE NCUA DATA CENTER Report # August 12, 2013 James Hagen Inspector General W. Marvin Stith, CISA Senior IT Auditor Table of
More informationCertified Information Security Manager (CISM)
Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationTHE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationISO IEC 27002 2005 (17799 2005) TRANSLATED INTO PLAIN ENGLISH
13.1 REPORT INFORMATION SECURITY EVENTS AND WEAKNESSES 1 GOAL Make sure that information system security incidents are promptly reported. 2 GOAL Make sure that information system security events and weaknesses
More informationJoint Audit Report for South Lakeland District Council. & Eden District Council
Joint Audit Report for South Lakeland District Council & Eden District Council Audit of IT Data Backup and Recovery Arrangements Audit of Development Management 22nd May 2015 11 th June 2015 0 Page 0 Audit
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationEnterprise Security Architecture
Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture
More informationCLASSIFICATION SPECIFICATION FORM
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page
More informationChange Management Process
Change Management Process Version 1.0 1 Table of Contents 1 About This Document... 3 1.1 Document Objective... 3 1.2 Process Objectives... 3 2 Change Request Lifecycle Stages... 4 3 Change Request (CR)
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationUniversity of Glasgow. Policy for. Business Continuity Management
University of Glasgow Policy for Business Continuity Management 1 Policy Statement The University of Glasgow is committed to delivering the highest possible quality of service to our students, and the
More informationPrinciples for BCM requirements for the Dutch financial sector and its providers.
Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011
More informationHow To Protect Your Network From Attack From A Network Security Threat
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
More informationHow to Secure Your Environment
End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge
More informationStrategic Data Management
Strategic Data Management Kirby Sinclair Clear Cell Canada Inc. September 17, 2010 Presentation Objectives Clear understanding of the value Strategic Data Management (SDM) delivers Define where this Value
More informationKey Considerations for Information Technology Governance. 900 Monroe NW Grand Rapids, MI 49503 (616) 632-8000
Key Considerations for Information Technology Governance What is IT Governance? Big Picture approach to information and data management Sets priorities: Managing performance Delivering value Managing risk
More informationUIIPA - Security Risk Management. June 2015
UIIPA - Security Risk Management June 2015 1 Introduction Tim Hastings, Chief Information Security Officer State of Utah - Department of Technology Services Tim Hastings has more than 16 years of experience
More informationCloud Computing Security Considerations
Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction
More informationThreat Modeling: The Art of Identifying, Assessing, and Mitigating security threats
Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats Mohamed Ali Saleh Abomhara University of Agder mohamed.abomhara@uia.no Winter School in Information Security, Finse May
More informationYour Agency Just Had a Privacy Breach Now What?
1 Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition,
More informationhave adequate policies and practices for secure data disposal have not established a formal 22% risk management program
do not have budgeted disaster 38% recovery plans do not use standardized data 37% classification do not have a plan for responding to 29% security breaches 23% have adequate policies and practices for
More informationAudit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture
U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT
More informationHealthcare and IT Working Together. 2013 KY HFMA Spring Institute
Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,
More informationOCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:
OCCUPATIONAL GROUP: Information Technology CLASS FAMILY: Security CLASS FAMILY DESCRIPTION: This family of positions provides security and monitoring for the transmission of information in voice, data,
More informationIT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document
More informationCompliance Management, made easy
Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one
More informationChief Information Security Officer
Principles Vision Purpose Statement Chief Information Security Officer healthalliance Purpose, Vision and Principles healthalliance provides shared services to benefit NZ health organisations. We will
More informationESKISP6064.03 Conducts vulnerability assessment under supervision
Conducts vulnerability assessment under supervision Overview This standard covers the competencies required to conduct vulnerability assessments under supervision. This includes following processes for
More informationCorporate Incident Response. Why You Can t Afford to Ignore It
Corporate Incident Response Why You Can t Afford to Ignore It Whether your company needs to comply with new legislation, defend against financial loss, protect its corporate reputation or a combination
More informationCisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
More informationRisk & Audit Committee California Public Employees Retirement System
California Public Employees Retirement System Consent Agenda Item 4d ITEM NAME: Enterprise Risk Management Division Status Report PROGRAM: Risk Management ITEM TYPE: Consent Information EXECUTIVE SUMMARY
More informationInformation Technology Policy
ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationIT Governance Regulatory. P.K.Patel AGM, MoF
IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation
More information2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP
2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level Tracy L. Hall, MBCP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C.
More informationTaking Information Security Risk Management Beyond Smoke & Mirrors
Taking Information Security Risk Management Beyond Smoke & Mirrors Evan Wheeler Omgeo Session ID: GRC-107 Insert presenter logo here on slide master. See hidden slide 4 for directions Session Classification:
More informationCHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033
CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the
More informationRichard Gadsden Information Security Office Office of the CIO Information Services
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO Information Services Sharon Knowles Information Assurance Compliance MUSC Medical Center
More informationSecurity Risk Management Strategy in a Mobile and Consumerised World
Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate AGENDA Current State Key
More informationLeicestershire Police Incident Response Policy
Leicestershire Police Incident Response Policy Policy Owner: Department Responsible: Chief Officer Approval: Superintendent, Contact Management Tasking Directorate ACC Operations Date of Next Review: October
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationwith Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief
RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking
More informationTop Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER
Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER Regulatory compliance. Server virtualization. IT Service Management. Business Service Management. Business Continuity planning.
More informationBuilding Reference Security Architecture
Information Security, Privacy and Compliance Building Reference Security Architecture Bob Steadman, Sr. Director Predrag Zivic, Sr. Security Architect Information Security Too many organizations still
More informationCITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard
CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationAssurance 360 Performa. Ensuring a Secure, Reliable and High-Performing Control System
Assurance 360 Performa Ensuring a Secure, Reliable and High-Performing Control System A Proven Approach Service that Improves Performance Honeywell s Assurance 360 Performa is a multi-year, flexible service
More informationEnsuring Cloud Security Using Cloud Control Matrix
International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 9 (2013), pp. 933-938 International Research Publications House http://www. irphouse.com /ijict.htm Ensuring
More informationPrivacy Governance and Compliance Framework Accountability
Privacy Governance and Framework Accountability Agenda Global Data Protection and Privacy (DPP) Organization Structure Privacy The 3 Lines of Defense (LOD) Model: Overview Privacy The 3 Lines of Defense
More informationNERC CIP Compliance with Security Professional Services
NERC CIP Compliance with Professional Services The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is
More informationCONTROLLED DOCUMENT. Traffic Management Policy
CONTROLLED DOCUMENT CATEGORY: CLASSIFICATION: PURPOSE Controlled Number: Document Version Number: 1 Controlled Sponsor: Controlled Lead: Approved By: On: Document Document Policy Governance To set out
More informationThe Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.
DTS Standard 5000-1002-S1 PATCH MANAGEMENT SECURITY STANDARD Status: Approved Effective Date: August 26, 2009 through August 25, 2011 Revised Date: N/A Approved By: J. Stephen Fletcher Authority: UCA 63F-1-103;
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationAUDIT COMMITTEE BEST PRACTICES CHECKLIST
AUDIT COMMITTEE BEST PRACTICES CHECKLIST General 1. Members have the appropriate predefined qualifications to meet the objectives of the audit committee s charter, including appropriate financial literacy.
More informationClient Update SEC Releases Updated Cybersecurity Examination Guidelines
Client Update September 18, 2015 1 Client Update SEC Releases Updated Cybersecurity Examination Guidelines NEW YORK Jeremy Feigelson jfeigelson@debevoise.com Jim Pastore jjpastore@debevoise.com David Sarratt
More informationThe problem of cloud data governance
The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in
More informationState of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017
State of Montana Montana Board of Crime Control Agency IT Plan Fiscal Year 2012-2017 Prepared July 2012 Brooke Marshall, Executive Director Jerry Kozak, IT Manager Board of Crime Control 5 S Last Chance
More informationTITLE III INFORMATION SECURITY
H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable
More informationMAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0
MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:
More informationBusiness Case Outsourcing Information Security: The Benefits of a Managed Security Service
Business Case Outsourcing Information Security: The Benefits of a Managed Security Service seccuris.com (866) 644-8442 Contents Introduction... 3 Full- Time Experts vs. a Part- Time In- House Staff...
More informationResponding to Data Breaches. March 25, 2015
Better breach response how to be good when things go bad Ian Dick Dan Michaluk Better breach response The Rules of Professional Conduct The basis for good breach response Incident response planning Notification,
More informationCyber Security - What Would a Breach Really Mean for your Business?
Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber
More informationI S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L
15.1 ESTABLISH SECURITY AGREEMENTS WITH SUPPLIERS 15.1.1 EXPECT SUPPLIERS TO COMPLY WITH RISK MITIGATION AGREEMENTS Do you clarify the information security risks that exist whenever your suppliers have
More informationDEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST JUNE 2009
DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABILITY ASSESSMENT AND NETWORK PENETRATION TEST JUNE 2009 AUDIT SUMMARY Our vulnerability assessment and network penetration test of the Department of Medical
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
More informationCGI Cyber Risk Advisory and Management Services for Insurers
CGI Cyber Risk Advisory and Management Services for Insurers Minimizing Cyber Risks cgi.com 3 As organizations seek to create value in today s highly interconnected world, they inherently increase their
More informationFraud Risk Management
Fraud Risk Management Overview Discussion Questions 1) Does your organization follow a specific risk management model? If so, which one? Do you think this model adequately addresses the risks your organization
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationVersion Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 Administered by: Governance Coordinator
Risk Management Framework Version Adoption by Council: 2013 Resolution Number: 2013/177 Current Version: V1.0 TRIM CON: 12/1132 Administered by: Governance Coordinator Last Review Date: 2013 Next Review
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationESKITP7025 IT/Technology Service Help Desk and Incident Management Level 5 Role
IT/Technology Service Help Desk and Incident Management Level 5 Role Overview This sub-discipline is about the competencies required to manage the contacts made by customers of IT/technology systems, services
More informationHow To Check If A System Is Secure
DEPARTMENT OF MEDICAL ASSISTANCE SERVICES VULNERABLILITY ASSESSMENT AND NETWORK PENETRATION TEST AS OF OCTOBER 2013 www.apa.virginia.gov (804) 225-3350 reports@apa.virginia.gov Audit Summary Our vulnerability
More informationThreat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA
www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity
More information