Compliance & information security A (bit of a) rant. Jodie Siganto
2 Compliance
Definition of compliance: the act of conforming, acquiescing, or yielding; conformity; accordance ("in compliance with orders"); cooperation or obedience ("Compliance with the law is expected of all").
3 Compliance with what?
What does compliance mean for information security?
For most organisations it should mean conformance with the security architecture and with policies and procedures.
But compliance is often based on, or benchmarked against, input from:
External (and internal) auditors
Consultants
Vendors
What do they use?
4 Compliance with what?
Standards and guides:
ISO 27001 Information Security Management System (ISO)
Qld Government IS 18: Information Security (State Government)
ISM, the Information Security Manual (Commonwealth Government)
COBIT (ISACA)
Privacy Commissioner's Guide to Protecting Personal Information (Government Regulator)
PCI-DSS (Payment Card Industry, i.e. card issuers)
Control lists:
SANS Top 20
ASD Top 4 / Top 35
ISO 27002 Code of Practice: 114 controls
5 CERT Australia Survey 2013
6 Compliance Interview Results
Interviewed 10 information security people. Interviewees included:
Security Operations Centre Manager
Security Architect
Governance, Risk & Compliance Consultant
IT Risk Manager
Security Manager
Question: What standard or benchmark do you use to assess security or to determine whether you've taken reasonable security measures?
7 Compliance Interview Results
Interviewee A: "The benchmark I use for information security compliance is PCI DSS, which is pitched at about the right level in terms of its verboseness, its technical detail, although for those who do not understand it, it becomes very overwhelming."
Interviewee H: "Good sound practice following the 27000 standards and the other related good practice measures, in addition to the Information Security Manual."
Interviewee J: "The ISM provides minimum mandatory requirements. If I see the opportunity to make it a little more, then I will take the opportunity to do that, if it's within the scope of what we are doing and it's not going to cost a lot of money."
8 Compliance Interview Results
Interviewee B: "There's a list of controls you have in your head, which are applied based on a judgment on how strong the control needs to be given the risks that you are facing."
Interviewee D: "There are guiding principles, which apply depending on the particular circumstances of each organisation. Standards, e.g. PCI DSS and SANS Top 20, are a way of making security information more accessible."
Interviewee C: couldn't recall the specific standard, but regarded it as guidance to give a general intent or "vibe" rather than a prescriptive list of what the organisation can or cannot do.
9 Compliance Interview Results
Interviewee I: uses Gartner benchmarks and IT maturity levels. Determined what might be reasonable steps to secure the organisation's data based on what was efficient and common sense.
10 CERT Australia Survey 2013
Increase in the number of organisations applying IT security standards (from 64% in 2012 to 83% in 2013).
Decrease in the number of organisations that do not apply IT security standards (from 25% in 2012 to 13% in 2013).
Increase in the number of organisations using ISO 27001 (from 50% in 2012 to 83% in 2013).
11 Compliance & Management Systems
ISO 27001 was created for a specialised area of business management; other examples of such management system standards include:
Environmental management
Social responsibility management
OH&S management
The new version of ISO 27001 aligns its requirements with other management disciplines, including reliance on:
ISO risk management
ISO auditing
The main purpose of the ISMS standard is to provide information security assurance.
12 Compliance & Assurance
Definition of assurance: a feeling of confidence; a feeling or attitude of being certain that something is true (e.g. "He said it with assurance").
What is the relationship between compliance and assurance? Does compliance lead to assurance, i.e. confidence that your systems are secure?
13 Compliance & Assurance
Interviewee A: "People believe they want security, and when they understand that they have a fair amount of work to get there, they just want compliance. I have sat in rooms with managing directors who have said to me, 'I just want to do the bare minimum, if you could tick the box.' Which is understandable, right?"
Interviewee D (referring to an organisation that was certified but which had "appalling security"): "I just think, well, you may have fooled the compliance auditor, but you just saw that as a compliance journey and that achieved nothing, because your processes are stuffed, you've not got it, you've not understood the point. Do you know what I mean? So I guess that's my attitude towards compliance."
14 Compliance, Assurance & Information Security Practitioners
Is compliance or assurance recognised as a role for information security practitioners?
There are lots of consultants and vendors who think so. But...
15 (ISC)² Global Information Security Workforce Study (2013)
Governance, Risk & Compliance: the two top activities within the category are developing internal security policies, standards and procedures (78%) and auditing IT security compliance (63%).
Security management: the two top activities within the category are inter-departmental activities (64%) and managing internal security awareness programs (63%).
16 Compliance, Assurance & Information Security Practitioners
European Committee for Standardization: 23 job profiles in six areas of IT security: business management, technical management, design, development, service and operations, and support.
Does not refer to compliance or general assurance.
17 Compliance
The story so far:
There is no general understanding of what information security compliance means.
The main security standard(s) support assurance, not compliance.
Information security people don't believe that compliance, certification or audits provide security or assurance.
Compliance and general assurance aren't seen as a key role for IT security practitioners, although those tasks take up the majority of the time of security executives.
18 Compliance
Question: So why is compliance seen as a major driver for security?
One [possible] answer: because it's a way to engage management.
19 Information Security & Management
PwC, The Global State of Information Security Survey 2015: "Despite the media attention following a series of high-profile retailer breaches, many organisations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents say their Board actively participates in the overall security strategy and 36% say the Board is involved in security policies."
Garry Sidaway, NTT Com Security, "Many UK execs do not understand need for data security, study shows", Nov 2014: "Information security and risk management, and data breach headlines, are often seen as constraining and negative, so we need to do a better job of showing the business advantages."
Protiviti 2014 IT Security and Privacy Survey: "Organizations with a high level of board engagement in information security risks have significantly stronger IT security profiles."
20 Compliance and Management
Question: Is the lack of management engagement with information security:
Real?
Reduced to a compliance issue because that is the only way for management to understand security?
A result of the poor communication skills, or the inability, of information security people to translate security into business terms?
21 Compliance: Some Questions
Things to think about:
Auditing (and compliance) may be OK for checking the operation of technical controls, but does it provide information about the future and the possible (rather than the probable), the black swan event?
Most standard approaches to security use risk. Risk provides a veneer of objective rationality/science to information security, but does it work? Is information security risk really a negotiated outcome based (at least in part) on emotion, politics and relationships?
Accepted practices set the benchmark for what is reasonable. Identifying those practices relies on interactions with professional bodies. This assumes that there are professionals, experts or a community of practice who can convey those practices. Who is doing this in information security?
22 Compliance & Change
We have been doing things the same way for a long time, but it's not working. Is it time for some new ideas?
"Our findings of many years following the standardization work of the ISO/IEC family of standards and its results is that in the standards revisions it is very difficult to get out-of-box thinking and to create radically new ideas to the ISM standardization in order to keep up with the general development of business environments and managerial practice. This standardization has been strongly the job of a restricted group of information security experts (mainly consultants) to whom it seems to be difficult to get out of old traditions of the information security discipline."
J Antilla, Integrating ISO/IEC and other Managerial Discipline Standards with Processes of Management in Organizations (2012)
23 Conclusion
Information Security: A call for change!
More informationISO 27001 Gap Analysis - Case Study
ISO 27001 Gap Analysis - Case Study Ibrahim Al-Mayahi, Sa ad P. Mansoor School of Computer Science, Bangor University, Bangor, Gwynedd, UK Abstract This work describes the initial steps taken toward the
More informationfor Information Security
for Information Security The following pages provide a preview of the information contained in COBIT 5 for Information Security. The publication provides guidance to help IT and Security professionals
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationGOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
1 GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001 Tolga MATARACIOGLU 1 and Sevgi OZKAN 2 1 TUBITAK National Research Institute of Electronics and Cryptology (UEKAE), Department of
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationCriticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3
Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3 Outline What is IT Service Management What is ISO 20000 Step by step implementation
More informationSecure Cloud Hosting for Healthcare Organizations
Secure Cloud Hosting for Healthcare Organizations OUR MISSION FIREHOST MISSION Our core is an unshakable, no compromise commitment to protect our customer's digital assets with integrity and innovation
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate has the knowledge and the skills to
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationEnterprise Mobility Strategy
Enterprise Mobility Strategy Mobile: The new online frontier for your business Miles Cheetham, Director January 2013 Mobile: The new online frontier for your business Your business is already online. It
More informationLeveraging ITIL Foundational Controls to Achieve SOX Compliance. ISACA San Francisco Fall Conference September 17 th, 2007
Leveraging ITIL Foundational Controls to Achieve SOX Compliance ISACA San Francisco Fall Conference September 17 th, 2007 Agenda for today Introductions & Objectives IT Priorities Overview of Sarbanes-Oxley
More informationSAM Success Fee self-repayment of your project!
SAM Success Fee self-repayment of your project! Softline offers implementation of SAM projects following the Success Fee model, when you pay only for successful implementation We are confident that Software
More information