CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY
- Alexander White
- 8 years ago
INTRODUCTION

Information security has evolved. As the landscape of threats expands and cyber security(1) management becomes more complex, CISOs, security committees, executives and boards of directors are demanding meaningful information for decision-making. However, cyber security stakeholders face significant challenges identifying, obtaining, processing and aggregating the key information that enables them to steer effectively towards defined targets and, ultimately, to be in better control of their organisation's cyber security.

In practice, the responsibility for cyber security is often distributed amongst different organisational areas, as is the relevant information. In addition, the range of activities related to cyber security is so broad that it is not easy to identify the key elements that indicate how cyber security is contributing to (or even preventing) the achievement of the business's goals. And, as if that isn't enough of a challenge, the highly technical, specialist origins of cyber security often result in highly technical, specialist sets of information that, although essential for operational activities, are not valuable for high-level business decision-making.

The good news is that complexity, interdependency, specialisation and large quantities of information are not new challenges for the business world. As mentioned in our publication "The five most common cyber security mistakes", KPMG approaches cyber security as business as usual: an area of risk that requires the same level of attention as fraud. And in the same way that other business areas are monitored and measured, cyber security can be monitored and measured with the support of dashboards that display the right key performance indicators (KPIs).

(1) Cyber security is the endeavour to prevent damage by disruption, outage or misuse of IT and, if damage does occur, the repair of this damage. The damage may consist of impairment of the reliability of IT, restriction of its availability, and the breach of confidentiality and/or the integrity of information stored in the IT system. (Source: National Cyber Security Strategy)

FEEL FREE Cyber Security Dashboard
WHY A CYBER SECURITY DASHBOARD?

In short, a Cyber Security Dashboard will help you steer your organisation towards the desired cyber security position, while providing answers to key questions often raised by executives. Examples of these questions are:

BOARD OF DIRECTORS
- What is the status of our cyber resilience capabilities compared to the current and expected threat level?
- What is the impact that cyber security risks have on our strategy?
- How do our measures and investments compare to the rest of our sector?
- Are we compliant with the relevant cyber security and related regulations?
- Are we in control of cyber security in the value chain?

CIO
- What are the key drivers in cyber security risk management and how are they developing?
- What is the status of our preventive capabilities, as related to cyber security?
- What is the status of our detective and reactive capabilities, as related to cyber security?
- What is the status of the compliance framework?
- What were the root causes of, and the actions taken in relation to, the high-impact incidents in the last period?
When adequately designed and implemented, Cyber Security Dashboards also provide:

- INSIGHT into the overall state of cyber security, as related to business targets. This allows for improved decision-making and better control of cyber security.
- FOCUS on what is important for the business. Cyber security efforts should be balanced between business risks and opportunities. Nevertheless, it is easy to lose focus when the information available is too dispersed, detailed or technical to provide a consistent overview.
- COMMUNICATION & AWARENESS. Business executives and boards of directors are demanding relevant information, while cyber security professionals are trying to raise the awareness of executives and boards of directors. A Cyber Security Dashboard provides a means of communication that facilitates awareness of the major areas of concern from both perspectives: cyber security and organisational goals.
- STANDARDISATION AND EFFICIENCY, particularly across regions and functional units within large organisations. As mentioned earlier, the responsibility for information security is often scattered, with local or regional security officers interpreting, customising and implementing policies that are usually defined at corporate level. This sometimes results in non-standard reporting formats, increasing the time required to compile and produce aggregated reports, as well as the work required to interpret them.

Depending on the specific purpose of the dashboard, some benefits may be more prevalent than others; in any case, the dashboard will contribute by providing an overview of the main information needed to control cyber security and make decisions that further the business objectives.

But what information should a Cyber Security Dashboard display? In the same way that each organisation has a unique strategy, culture and maturity, it has unique cyber security information needs. Through a combination of research and our extensive experience, KPMG has identified six key areas of focus that provide a comprehensive overview of cyber security.
THE CYBER SECURITY DASHBOARD FOUNDATION: SIX AREAS OF FOCUS

The areas of focus serve as the foundation for identifying the most relevant measures to be considered on a company's dashboard. They cover the core areas of cyber security: risks, compliance, incidents, awareness & culture, threat level and key cyber security projects in development.

[Figure: the six areas of focus and the measures typically reported under each]
- RISKS: benchmark with peers; coverage; top risks; others
- COMPLIANCE: external; internal; readiness
- INCIDENTS: statistics; incident management; benchmark with peers
- AWARENESS & CULTURE: learning scores; training coverage; incidents and other violations associated with awareness
- THREAT LEVEL: external; internal
- PROJECTS: impact on risk reduction; progress; cyber security maturity
CYBER SECURITY RISKS

Cyber security management and business decision-making are closely related to risk management. Executives and board members need to understand and monitor the cyber risks that may hinder the organisation's ability to achieve its goals. These risks are represented by key risk indicators (KRIs) that are directly derived from the organisation's strategy. For example, if a retail company's strategy is to grow through increased revenue and market share on e-commerce channels, then the downtime of online shopping sites directly affects the realisation of the strategy, becoming a KRI.

Another perspective on risk may be provided via benchmarking. Executives often want to know their organisation's status compared to industry peers or best practices. Benchmarks related to organisational maturity levels and framework compliance are available in the marketplace.

[Figure: Top 10 risks (R1 to R10) plotted by likelihood against impact]

Top risks (sample dashboard extract):

Risk | Description | Level | Comments
R1 | Loss or alteration of intellectual property | Very High | Existing system does not allow control of administrators. Analysis for change of system in progress.
R2 | Sensitive customer data disclosure | Medium | Inventory of repositories is at 80%. Identified repositories are compliant with risk appetite.
R3 | Unavailability of online sales channels | High | Penetration test identified severe vulnerabilities in configuration. Changes in progress.
R8 | Strategic information leakage | Very High | Increased impact with new business project. IT acquisition and awareness training in progress.
R7 | Financial fraud | Medium | Recent audit findings identified failures in user management processes. Changes in progress.

Benchmark: Security Forum Control Framework 2014: second quartile
COMPLIANCE

In practice, one of the main drivers of cyber security is compliance. Typical requirements that organisations need to comply with include laws, regulations and contractual demands from business partners, suppliers and customers. Failing to comply may result in substantial fines, termination of contracts with strategic partners or customers and, ultimately, suspension of operations. Furthermore, as threats increase and customers demand higher levels of data protection, new compliance requirements are continuously emerging. Being able to proactively monitor your organisation's readiness to meet coming requirements may allow for a more timely and cost-effective compliance strategy.

[Figure: Overall maturity per requirement (Europe), current versus target, for DNB, PII, Internal Framework, ISO, ISF and Other]

CYBER SECURITY INCIDENTS

Incidents do happen, and we need to react to, and learn from, them. Analysis of information security incidents often provides business stakeholders with an additional perspective on risk levels, making it highly valuable. Usual measures of interest are general statistics on severe incidents, such as their number, business impact and source; benchmarking with industry peers; and elements associated with the effectiveness of the incident management process, such as average incident detection and response times.

[Figure: Impact of incidents per category of threat (in millions): Error, Physical theft/loss, Insider Misuse, Social, Malware, Hacking]
AWARENESS & CULTURE

As important as awareness is, measuring it objectively poses a significant challenge. Current social and technology trends are forcing organisations to become more reliant on end-user behaviour to protect information. Telecommuting and bring-your-own-device are common practices worldwide, making information readily available almost everywhere, and more difficult and expensive to protect.

Cyber security awareness aims to develop specific behaviours in employees, contractors and other parties that process or use the organisation's information. The main objectives are to reduce the risks related to human error, as well as the time required to identify incidents and violations.

There is no single metric that accurately and objectively assesses people's level of understanding, or their expected reaction should a cyber security situation arise. This is why KPMG approaches this dimension from two perspectives:
- Prevention and training: what is the company doing towards culture development? Indicators in training are usually related to coverage of the target audience and scores on assessments such as e-quizzes or surveys.
- Actual behaviour: what is the result of those actions? KPMG measures behaviour by looking at eight soft controls: clarity of rules, exemplary behaviour, practicability, involvement, visibility, organisational openness, peer openness and enforcement.

Being able to determine and compare security awareness levels between business units and regions supports decision-makers in prioritising resources and activities.

[Figure: Awareness radar chart, current versus target on a 0 to 100% scale, across the eight soft controls and the prevention, detection and response dimensions]
KEY SECURITY PROJECTS/INITIATIVES

Knowing the progress and general status of the major security projects is essential to cyber security management. Furthermore, executives want to be able to assess the potential impact of these projects on the cyber security posture, the potential constraints they may pose to target achievement, and whether actions are required to guarantee alignment with business objectives.

[Table: Key cyber security projects/initiatives, with columns Project, Division, Status vs. target and Progress vs. plan. Projects listed: IRM, Cyber Security Governance, Outsourcing review, ISO Certification, Awareness. Divisions listed: EMEA, EMEA, ASIA, AMERICAS, ALL]

THREAT LEVEL

Modern cyber resilience is based on threat intelligence. The better an organisation understands its threat environment, the better it can prepare for and respond to it. Threats in the cyber landscape include nations, activists, organised crime, competitors and the organisation's own insiders, amongst others. By gathering and analysing data from internal and external sources and from recent incidents, and identifying their implications in your own environment, it is possible to obtain an overview of a general threat level that can be used as a point of reference.

[Figure: Threat level gauge on a 0 to 100 scale, shown at 70 (Q3-2013). "No discernible activity with a moderate or severe risk rating." Source: ThreatCon]

These areas of focus are not exhaustive, but they cover the key areas that KPMG has found make the difference in controlling cyber security. The goal is to identify the areas that best fit your organisation's current and future business needs and include them as part of the dashboard. Additional topics, such as cost and budget-related indicators, may also need to be considered, but in the end what matters is that the selected elements actually contribute to business decision-making, respond to the audience's needs and are aligned with the company's current security practices.
STRATEGIC APPROACH TO A CYBER SECURITY DASHBOARD

Defining and implementing a dashboard is a challenging project. Difficulties commonly found along the way include selecting the dashboard elements that will support decision-making, unforeseen impacts on operational and tactical processes, and complex data sources that are sometimes dependent on third parties. This is why KPMG has developed a strategic, phased approach: by incrementally defining and constructing the dashboard, requirements are continuously refined, while enabling optimal management of the investment and creating situational awareness in the target audience. The dashboard is built in two main phases, so that the benefits are tangible from the beginning: first the reporting elements and prototype are defined, and then the dashboard is automated and embedded in the processes.

[Figure: phased approach for dashboard development]

Phase 1. REPORTING ELEMENTS & PROTOTYPE DEFINITION
- INITIAL DESIGN: identification of key stakeholders and their needs; assessment of delivery capabilities
- PROTOTYPE: design prototype; evaluation and refinements
- DETAILED DESIGN: develop dashboard growth model; build business case

Phase 2. DASHBOARD IMPLEMENTATION & AUTOMATION
- PROOF-OF-CONCEPT: build PoC; evaluate PoC
- BUILD DASHBOARD: phased approach for dashboard development; implementation and embedding per phase
- TRAINING & SUPPORT: training of users and administrators; establish organisation for support and enhancements
The initial design should be balanced against what we refer to as delivery capabilities, in other words, the elements within the organisation that enable the desired outcome. Examples of these capabilities are the organisation's maturity, management support, internal processes, and the available data sources and technology. Delivery capabilities often pose important challenges for the project. For example, a data source may seem reliable and comprehensive, but later on it can be found that the data only covers a low percentage of the target population, or that the originating process is highly prone to human error.

Once the initial design is finalised, a prototype is built. The prototype allows for validation of the initial requirements, and results in design and metric adjustments. The subsequent two stages focus on the development of a proof-of-concept that will determine whether the organisation is ready to build the dashboard, given a growth model and a business case.

After the proof-of-concept has been positively evaluated, the dashboard is developed. This is achieved by following a phased approach that allows for gradual embedding in the internal processes. During this stage, common challenges relate to stakeholder management and dashboard embedding, since certain processes (or parts of them) may require changes to successfully incorporate the tool. Finally, the transition activities take place, including training, implementation of the support scheme, and the update and expansion processes.
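Two of the points above lend themselves to being computed rather than compiled by hand: the incident measures named under CYBER SECURITY INCIDENTS (number, business impact and source per category, average detection and response times for severe incidents) and the delivery-capabilities caveat that a data source can look comprehensive while covering only a fraction of the target population. The following Python is an added example written for this page, not KPMG's code nor that of any dashboard product. The incident register, the asset inventory, the scanner output, the field names and the 80% coverage threshold are all constructed assumptions.

```python
"""Added example: incident KPIs and a data-source coverage check for a
cyber security dashboard. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Incident:
    ident: str
    category: str                  # threat category as shown on the dashboard
    severity: str
    occurred: datetime             # when the event actually started
    detected: datetime             # when the organisation became aware of it
    resolved: Optional[datetime]   # None while the incident is still open
    impact_eur: float              # estimated business impact


T0 = datetime(2014, 7, 1, 9, 0)


def H(n: float) -> datetime:
    """Timestamp n hours after T0 (keeps the sample register readable)."""
    return T0 + timedelta(hours=n)


# Constructed incident register (assumed values, not taken from the page).
INCIDENTS: List[Incident] = [
    Incident("INC-1", "Malware", "High", H(0), H(4), H(30), 120_000),
    Incident("INC-2", "Hacking", "Very High", H(24), H(96), H(140), 850_000),
    Incident("INC-3", "Insider Misuse", "Medium", H(48), H(50), H(60), 40_000),
    Incident("INC-4", "Error", "Low", H(72), H(72), H(74), 2_000),
    Incident("INC-5", "Hacking", "High", H(200), H(212), None, 300_000),
]


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def severe_incident_stats(incidents: List[Incident], min_severity: str = "High") -> Dict[str, dict]:
    """Per-category count, open count, total impact, MTTD and MTTR for
    incidents at or above min_severity.

    MTTD (mean time to detect) is occurred -> detected over all matching
    incidents. MTTR (mean time to respond) is detected -> resolved over closed
    incidents only, so an incident that is still open does not pull the
    average down; it is counted under 'open' instead.
    """
    floor = SEVERITY_RANK[min_severity]
    detect: Dict[str, List[float]] = {}
    respond: Dict[str, List[float]] = {}
    stats: Dict[str, dict] = {}
    for inc in incidents:
        if SEVERITY_RANK[inc.severity] < floor:
            continue
        s = stats.setdefault(inc.category, {"count": 0, "open": 0, "impact_eur": 0.0})
        s["count"] += 1
        s["impact_eur"] += inc.impact_eur
        detect.setdefault(inc.category, []).append(hours_between(inc.occurred, inc.detected))
        if inc.resolved is None:
            s["open"] += 1
        else:
            respond.setdefault(inc.category, []).append(hours_between(inc.detected, inc.resolved))
    for cat, s in stats.items():
        s["mttd_h"] = mean(detect[cat])
        s["mttr_h"] = mean(respond[cat]) if cat in respond else None
    return stats


# Constructed asset inventory (the target population) and scanner output.
POPULATION = [f"h{i:02d}" for i in range(1, 11)]            # h01 .. h10
VULN_SCAN = [{"host": h, "findings": n} for h, n in
             [("h01", 3), ("h02", 0), ("h03", 7), ("h03", 7), ("h04", 1), ("h99", 2)]]


def source_coverage(records: List[dict], population: List[str], key: str = "host"):
    """Fraction of the target population the data source actually reports on,
    plus the assets it is silent about. Duplicate rows and hosts outside the
    population (h99 here) do not count towards coverage."""
    pop = set(population)
    covered = {r[key] for r in records} & pop
    return len(covered) / len(pop), sorted(pop - covered)


def kpi_reliability(records: List[dict], population: List[str], threshold: float = 0.8) -> dict:
    """Decide whether a KPI derived from `records` may be shown as reliable.
    Below the threshold the dashboard should flag the figure rather than
    present it as a complete picture."""
    coverage, missing = source_coverage(records, population)
    return {"coverage": coverage, "reliable": coverage >= threshold, "missing": missing}


if __name__ == "__main__":
    for cat, s in severe_incident_stats(INCIDENTS).items():
        print(cat, s)
    print(kpi_reliability(VULN_SCAN, POPULATION))
```

Two design choices matter for a board-level figure. Response time is averaged over closed incidents only and open ones are reported separately, because an open high-impact incident averaged in as "resolved now" would flatter the number. The scanner feed has six rows and looks busy, but once duplicates and an unknown host are discounted it covers 4 of 10 assets, which is exactly the situation the delivery-capabilities paragraph warns about; the KPI built on it is marked unreliable instead of being shown as if it described the whole estate.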
CONCLUSION

Measuring and reporting on cyber security at the strategic level is not an easy task. Most existing security metrics focus on operational and technical aspects, while executives are demanding high-level, meaningful, business-related information. In addition, the delegation of cyber security activities to local/regional security officers often results in non-standardised reporting, hindering in turn the decision-making processes.

The end result may look simple, but to deliver and successfully embed a reliable Cyber Security Dashboard requires skills and experience in many diverse areas, during each of the development phases. A strategic approach to the definition of a Cyber Security Dashboard helps your organisation steer on key focus areas, create situational awareness, standardise reporting practices, align cyber security with the business and improve control over cyber security activities.

[Figure: sample dashboard panels. Strategic Risk: risks R1 to R5 plotted by chance against impact. Maturity (0 to 3.5) per business unit: IT, Health, Finance, Administration, HR, Risk, Marketing, Treasury, Industry]
[Figure: sample dashboard panels, continued]

Strategic projects (status vs. target and progress vs. plan, shown as percentages): CMDB setup project; External penetration test; Hiring SOC personnel; Information security plan 2015; Internal vulnerability scanner.

Key incidents (occurrence and impact per category): Denial of Service; Misc. Errors; Unknown; Insider Misuse; Physical Theft.

Compliance (current level per requirement; the headers of the two further percentage columns are not legible in the source):
Requirement | Current level | | 
COBIT | 75% | 80% | 80%
DNB (banks) | 90% | 90% | 20%
Internal Framework | 60% | 30% | 10%
ISF | 60% | 60% | 60%
ISO | | 65% | 65%
SANS | 70% | 70% | 65%
SOx | 70% | 90% | 90%

Threat level (current level per threat actor category):
Category | Current level
Competitors | 3
Cyber Investigators | 2
Cyberpunks and script kiddies | 4
External consultants | 2
Hacktivists | 1
Internal employee | 4
Organized cyber criminals | 4
States | 2
WHY KPMG?

The Cyber Security Dashboard is one component of KPMG's Global Cyber Transformation Services. Our vision is to make cyber security an integral part of your business through:

- EXPERIENCE. We understand the business and know about cyber security. We have supported organisations in diverse industry sectors in developing Cyber Security Dashboards, and have identified the key information and metrics that strategic stakeholders are looking for.
- INTEGRATED APPROACH. We bring together specialists in information protection, risk management, organisational design, behavioural change and intelligence management. These combined skills are utilised to tailor a solution relevant to your risk appetite and the cyber threats your organisation faces.
- END-TO-END VISION. We do not just display data on a dashboard, but also analyse the related processes and identify potential areas of improvement. By analysing the dashboard audiences and their activities, we develop the dashboard accordingly. Assistance is provided with embedding the dashboard within existing processes and leveraging it to further the organisation's capabilities.
- DATA RELIABILITY. KPMG is an audit firm. We look for reliable data. We challenge the data sources and assist in taking the steps required to make the data accurate, complete and, ultimately, suitable for decision-making.
16 Contact John Hermans Partner Tel: Dennis de Geus Director Tel: Koos Wolters Director Tel: kpmg.com/nl/cybersecurity, registered with the trade register in the Netherlands under number , is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The name KPMG, logo and cutting through complexity are registered trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationCyber Risks and Insurance Solutions Malaysia, November 2013
Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare
More informationCYBER RISK SECURITY, NETWORK & PRIVACY
CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread
More informationAt Risk. In this Issue: Avoiding a world of hurt: Knowing your counterparties before you engage. Volume 8, No. 1. kpmg.ca/atrisk.
At Volume 8, No. 1 In this Issue: Avoiding a world of hurt: Knowing your counterparties before you engage Regulatory Threats Operations Emerging Markets Management Canadian Organizations Supply Chains
More informationIMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business
More informationCyber Security and the Impact on Banks in China
Cyber Security and the Impact on Banks in China Regulatory Policy Development and Updates March 015 kpmg.com/cn Executive Summary The China Banking Regulatory Commission (CBRC) issued two circulars (Circulars
More informationRisk Considerations for Internal Audit
Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013
More informationEnabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013
Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities
More informationwww.pwc.nl/cybersecurity Cyber security Building confidence in your digital future
www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future 2015 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence
More informationInformation Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
More informationHow To Transform Insurance Through Digital Transformation
Digital transformation can help you tame the perfect storm. The digital future for insurance. Following the 2008 financial crisis, the insurance sector has faced tighter regulation, which has made it harder
More informationCyber security: Are consumer companies up to the challenge?
Cyber security: Are consumer companies up to the challenge? 1 Cyber security: Are consumer companies up to the challenge? A survey of webcast participants kpmg.com 1 Cyber security: Are consumer companies
More informationCommittees Date: Subject: Public Report of: For Information Summary
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationStakeholder management and. communication PROJECT ADVISORY. Leadership Series 3
/01 PROJECT ADVISORY Stakeholder management and communication Leadership Series 3 kpmg.com/nz About the Leadership Series KPMG s Leadership Series is targeted towards owners of major capital programmes,
More informationHow To Manage Social Media Risk
www.pwc.co.uk/riskassurance Social media governance Harnessing your social media opportunity June 2014 Social media allows organisations to engage with people directly, express their corporate personality
More information2 Gabi Siboni, 1 Senior Research Fellow and Director,
Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 2.0 Date: April 2015 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 POLICY STATEMENT... 4 Core
More informationThe economics of IT risk and reputation
Global Technology Services Research Report Risk Management The economics of IT risk and reputation What business continuity and IT security really mean to your organization Findings from the IBM Global
More informationGold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary
Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing
More informationTitle here. Successful Business Model Transformation. in the Financial Services Industry. KPMG s Evolving World of Risk Management SECTORS AND THEMES
SECTORS AND THEMES Successful Business Model Transformation Title here in the Financial Services Industry Additional information in Univers 45 Light 12pt on 16pt leading KPMG s Evolving World of Risk Management
More informationCybersecurity Strategic Consulting
Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationApplying ITIL v3 Best Practices
white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version
More informationCIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
More informationCyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
More informationData Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan
WHITE PAPER Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan Introduction to Data Privacy Today, organizations face a heightened threat landscape with data
More informationServices. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure
Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation
More informationIT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP
IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/Continuous Monitoring INTRODUCTION New demands from the board, senior organizational
More informationSymantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,
Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security, streamline compliance reporting, and reduce the overall
More informationNine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers
More informationThe five most common cyber security mistakes
The five most common cyber security mistakes Management s perspective on cyber security ADVISORY kpmg.nl 2 The Continuous five most auditing common and cyber continuous security monitoring: mistakes The
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationRSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief
RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with
More informationVital Risk Insights kpmg.com
Vital Risk Insights kpmg.com KPMG INTERNATIONAL business Using intelligence software to monitor indicators of governance, risk and compliance Success in today s global marketplace demands that leading
More informationSupporting information technology risk management
IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationService Management. A framework for providing worlds class IT services
Service Management A framework for providing worlds class IT services Barry Corless MISM Slide - 1 Copyright Remarc Technologies Ltd, 2007 These course notes were produced by Remarc Service Management,
More informationUtilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: What do large enterprises need in order to address increasingly
More informationWhite paper September 2009. Realizing business value with mainframe security management
White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationSmart Security. Smart Compliance.
Smart Security. Smart Compliance. SRM are dedicated to helping our clients stay safe in the information environment. With a wide range of knowledge and practical experience, our consultants are ready to
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationEnterprise Security Governance, Risk and Compliance System. Category: Enterprise IT Management Initiatives. Initiation date: June 15, 2013
Enterprise Security Governance, Risk and Compliance System Category: Enterprise IT Management Initiatives Initiation date: June 15, 2013 Completion date: November 15, 2013 Nomination submitted by: Samuel
More informationSUSTAINING COMPETITIVE DIFFERENTIATION
SUSTAINING COMPETITIVE DIFFERENTIATION Maintaining a competitive edge in customer experience requires proactive vigilance and the ability to take quick, effective, and unified action E M C P e r s pec
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationTying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation
Tying It All Together: Practical ERM Integration Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation November 16, 2007 1 Agenda Basis for ERM Integration ERM Objectives ERM Focus
More informationThreat Intelligence. Benefits for the enterprise
Benefits for the enterprise Contents Introduction Threat intelligence: a maturing defence differentiator Understanding the types of threat intelligence: from the generic to the specific Deriving value
More informationReputation. Further excellence. business continuity. risk management. Data security
Reputation competitive advantage speed to market safety Further excellence trust Data security risk management business continuity HOW CAN YOU CREATE AND SECURE SUSTAINABLE BUSINESS? SOLUTIONS FOR MANAGING
More informationFINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER
FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER As a board-level discussion topic at all financial institutions (FI) today, operational risk is real and public disclosure of significant
More information