Compiled by; Mark E.S. Bernard, ISO Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
|
|
- Felicia Underwood
- 8 years ago
- Views:
Transcription
1 Compiled by; Mark E.S. Bernard, ISO Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
2 Introduction Current Known Threats Potential Impacts to Enterprise Assets Legal Risks Managing Compliance Risks Preventive Security Measurers Risk Management Policy Risk Management Process Ranking & Prioritization of Risks Treating Risks Monitoring Risks Conclusion
3
4 Skype; Mark_E_S_Bernard; LinkedIn; Mark E.S. Bernard, - Information Security /Privacy, GRC Management Consultant CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001LA, CNA, SABSA-Security Service Management /Architecture, COBiT, ITIL Mark has 24 years of proven experience within the domain of Information Security, Privacy, Governance, Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million +. Mark has also provided oversight to 250 contractors and 230 regular fulltime employees as a senior manager during government outsourcing contract valued at $300 million. Mark skills and experience as a Systems Engineer, Software Engineer and Network Engineer has provided him an ability to led small and larger contracts for specialized services including ERP systems like Oracle, SAP, JD Edwards, BPCS, JBA and red team penetration testing. Mark also led his work-stream during Negotiated RFP process, followed by the on-boarding and knowledge transfer of the exiting Service Provider for a $25 Million Dollar Contract. Mark designed information security and privacy architecture established information security management systems as program manager based on ISO Mark Also led the reengineered IT processes based on Service Manager ITIL/ISO building in Quality Management ISO 9001 also establishing a Knowledge Management framework. Accomplishments: In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties In 2013 Assisted Aviation organization with ISO/IEC Registration/Certification In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation In 2013 Assisted Major Bank with Risk Assessment of New Services and Products In 2012 Assisted National Legal Firm with ISO/IEC Reg./Certification In 2012 Assisted Executive Relocation Organization to ISO/IEC Reg./Certification In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC Reg./Certification In 2012 Assisted Global Electronic Solutions Provider ISO/IEC Reg./Certification In 2012 Assisted Nano Technology Manufacturer with ISO/IEC Reg./Certification In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO Reg./Cert In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO Reg./Certification In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov. In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC Reg./Certification In 2006 Led Privacy, Security, and Compliance Office during BC Government, outsourcing to Alternate Service Delivery during migration to SAP R3 - ERP
5 Registration need not be the final goal however every business can benefit from adopting a management system that provides assurance of information assets in alignment with strategy and tactical business goals while addressing Governance, Risk Management, Compliance Management requirements.
6 The demand for ISO/IEC 27001:2005 has nearly tripled in six years and the number of countries adopting the Information Security Management System has doubled. ISO/IEC 27001:2005 will soon be releasing its first major revision since the 2005 adoption and if it turns out to be anything like the changes that we've seen in ICFR /ICIF, ISAE 3402 or NIST SP 53 there will be significant improvements to be leveraged. In 2006, the first year of the annual survey, ISO/IEC 27001:2005 certificates at the end of December 2006 totaled 5,797. The number of countries adopting ISO/IEC totaled 64. At the end of 2010, at least 15,625 certificates had been issued in 117 countries. The 2010 total represents an increase of 2,691 or (+21 %) since December In 2006 the top three countries adopting ISO/IEC included Japan, United Kingdom and India and in 2010 that trend continued. However, the top three countries from December 2009 to 2010 were Japan, China and the Czech Republic.
7
8 Source: Computer Security Institute 2010/11 Survey
9 Source: Verizon business 2011 Data Breach Investigations Report Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favour highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers. Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches. Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these cardskimming schemes. Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and key logger functionalities. Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.
10 Source: 2010 Cloud Security Alliance Threats #1: Abuse and Nefarious Use of Cloud Computing #2: Insecure Interfaces and APIs #3: Malicious Insiders #4: Shared Technology Issues #5: Data Loss or Leakage #6: Account or Service Hijacking #7: Unknown Risk Profile
11 Source: 2010 OWSAP Top 10 Web Application Security Risks A1: Injection A2: Cross-Site Scripting (XSS) A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery (CSRF) A6: Security Misconfiguration A7: Insecure Cryptographic Storage A8: Failure to Restrict URL Access A9: Insufficient Transport Layer Protection A10: Invalidated Redirects and Forwards
12 Source: The Risk of Insider Fraud Ponemon Institute 2011 Employee-related incidents of fraud, on average, occur weekly in participating organizations. Sixty-four percent of the respondents in this study say the risk of insider fraud is very high or high within their organizations. CEO s and other C-level executives may be ignoring the threat, according to respondents. The majority of insider fraud incidents go unpunished, leaving organizations vulnerable to future such incidents. The threat vectors most difficult to secure and safeguard from insider fraud are mobile devices, outsourced relationships (including cloud providers) and applications. The majority of respondents do not believe their organization has the appropriate technologies to prevent or quickly detect insider fraud, including employees misuse of IT resources.
13 Source: Computer Security Institute 2010/11 Survey
14
15 The Enterprise Risk Management system identifies four major areas of risk within strategic planning, financial services, compliance management and operations. Generally capital and resources are allocated based on priority determined by the Board of Directors and Executive Team. There are six major groups of Enterprise Assets that contribute to the Enterprise strategy, people, information, software, hardware, telecommunications and facilities. The risk associated with each asset can be assessed and treated based on Enterprise Strategic priorities. A risk score can be calculated for each product, service channel, and revenue stream and risk treatment can be applied again based on strategic priorities.
16 The following example is a subset demonstrating the potential results of an exploited vulnerability within People Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
17 The following example is a subset demonstrating the potential results of an exploited vulnerability within Information Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
18 The following example is a subset demonstrating the potential results of an exploited vulnerability within Software Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
19 The following example is a subset demonstrating the potential results of an exploited vulnerability within Hardware Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
20 The following example is a subset demonstrating the potential results of an exploited vulnerability within Telecommunication Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
21 The following example is a subset demonstrating the potential results of an exploited vulnerability within Facility Assets and most common Enterprises. The impacts are measured against the principles of information security, confidentiality, integrity, and availability. The severity in this example is rated high, medium or low to simplify the message to a broad audience.
22
23
24
25 Here is an example of how ISO ISMS can easily and seamlessly address all HIPA Act legal requirements.
26 When all the mapping has been completed approximately 70 of the already existing 133 ISO control objectives will be leveraged to address HIPAA Compliance.
27
28 Compliance Management can be broken down into 4 general categories statutes, regulations, internal facing and external facing.
29 Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH Act) Federal Information Security Management Act (FISMA) Gramm-Leach-Bliley Act (GLBA) Payment Card Industry Data Security Standard (PCI-DSS) Payment Card Industry Payment Application Standard Sarbanes-Oxley Act (SOX) U.S. state data breach notification law International privacy or security laws
30 Before we can treat compliance concerns we need to identify, record and map ISO controls listed in the Statement of Applicability to specific legal obligations defined by provisions and clauses within statutes, regulations and internal/external facing contracts.
31
32 We can choose to respond to the security incident after the fact? Or before a Threat exploit the known Vulnerability? We can choose to identify the threats and matching vulnerabilities and remediate them to acceptable levels.
33 ISO has already developed controls that are designed to remediate common or known threats, vulnerabilities and risks.
34 A close assessment of the technology stack can easily identify vulnerabilities that might be exposed to threats leading to risks.
35
36 Risk Management Goals To assess risks to Information Assets and System Resources To state the goals of the RM, along with the desired security level to be attained, consistent with the Enterprise s risk appetite and Information Assets sensitivity To identify vulnerabilities within the infrastructure and facilitate the decision making process by determining the likelihood and impact based on motive and opportunity To identify potential impacts should a threat agent successfully exploit the identified vulnerability further impacting the Information Assets and System Resource and business functions supported along with applications, expressed in terms of confidentiality, integrity and availability and To provide recommendations that will mitigate and/or eliminate risk to acceptable levels.
37 Risk Acceptance Criteria: There are three possible Risk Acceptance Criteria scenarios that management can choose from based on the results of a Risk Assessment and the overall Risk Rating include the following: Management can choose to accept the risk in which case they do nothing to remediate it. They should understand that they will be held accountable for any security incident, however the risk of a security may not be a concern to management and thus they tend to accept low risks as part of normal daily operations. Management may choose to remediate the risk in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the Enterprise s environment. Management may also choose to transfer the risk in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of a risk.
38 Temporary ISMS Exemption Application There may be occasions where compliance is not possible during a particular period of time and an exemption from compliance is this best method of identifying those occasions and following up to ensure that they are closed. During these instances it is important to identify the manager responsible for these security gaps and have them sign off. This will not only help the Enterprise s security office to document gaps but also to identify the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed: Exemption period - From-To ISMS policy, procedure or standard reference ID Reason for Exemption Application Department or division unit affected Information system affected Network location affected Rational by not granting this application: a). would adversely affect the accomplishment of Enterprise s business b). would cause a major adverse financial impact Rational explanation Signature of Responsible Manager and date
39
40 Where possible and practical organizations need to integrate the Risk Management decision tool within existing business processes. The Control Self Assessment technique is an excellent approach to RM integration.
41 The optimal time to initiate the RM process with SDLC is during the creation of the systems definition and functional design criteria or during development and acquisition.
42 Identify Assets in Scope: in this work task we document department name, asset owner and asset name. Identify Threats: in this work task we document threat(s) to asset(s) in scope of the risk analysis as defined within the RA worksheet including the threat identification, description, and rating. Identify Business Impact: in this work step we clarify the business perspective for confidentiality, integrity and availability based on a high, medium or low impact to regular business processes. Identify Vulnerabilities: in this work task we document vulnerabilities associated with the asset in scope for risk analysis as defined in RA worksheet including the vulnerability identification, description, and rating.
43
44 Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls may be implemented incorrectly or suffer from other deficiency that if corrected would eliminate the need for additional controls. Risk Assessment: in the work task we calculate the overall risk rating, calculated sum of the threat and CIA business impact ratings multiplied by business impact rating multiplied by vulnerability rating. Recommendations: in this work task we identify the manager who has been assigned the responsibility of facilitating the risk mitigation activity, the date of expected delivery and the current status of progress in the resolution process. Report to Management: in this work task we identify and report to management the planned targets for risk mitigation expressed in terms of high, medium, and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised Residual Risk Rating.
45
46
47
48
49
50
51
52
53
54 The Corrective Action and Preventive Action plans are important pieces of the evidence based Quality Management component of Risk Management. The CA or PA can be initiated together or completely separate from one another. CAPA reports will be audited and include specific information like the date, source of nonconformity, who s responsible for taking action and the date it will be completed. The Root-Cause must also be documented. Once the CAPA has been completed it must be independently validated.
55 Risk Treatment Plans are defined by Corrective Action plans and Preventive Action plans. The RTP is basically a rolled up dashboard utilized for tracking and monitoring CAPA by ISMS Governance Committee.
56
57 Following the assessment of threats, vulnerabilities and identification of risks management makes a decision and we begin monitoring and tracking risks.
58 In more advanced ISMS Risk Management programs we monitor and track risks in connection with the Enterprise Risk Management program.
59 We should not only track risks internally as many risks are shared with external vendors and service providers through Service Management processes and Service Desk.
60 Risk Management is a useful process that should be seamlessly integrated within every business process to help support and facilitate management decisions. Need help with your Risk Management adoption or integration project please contact me, thanks.
61 For more information contact Skype; Mark_E_S_Bernard LinkedIn;
Cloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationHans Bos Microsoft Nederland. hans.bos@microsoft.com
Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationSQuAD: Application Security Testing
SQuAD: Application Security Testing Terry Morreale Ben Whaley June 8, 2010 Why talk about security? There has been exponential growth of networked digital systems in the past 15 years The great things
More informationGovernance Simplified
Information Security Governance Simplified From the Boardroom to the Keyboard TODD FITZGERALD, cissp; cisa, cism Foreword by Tom Peltier CRC Press Taylor & Francis Croup Boca Raton London NewYork CRC Press
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationIs it Time to Trust the Cloud? Unpacking the Notorious Nine
Is it Time to Trust the Cloud? Unpacking the Notorious Nine Jonathan C. Trull, CISO, Qualys Cloud Security Alliance Agenda Cloud Security Model Background on the Notorious Nine Unpacking the Notorious
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationInformation Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza
Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationSecuring The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationIT Audit in the Cloud
IT Audit in the Cloud Pavlina Ivanova, CISM ISACA-Sofia Chapter Content: o 1. Introduction o 2. Cloud Computing o 3. IT Audit in the Cloud o 4. Residual Risks o Used Resources o Questions 1. ISACA Trust
More information2010 AICPA Top Technology Initiatives. About the Presenter. Agenda. Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP
2010 AICPA Top Technology Initiatives Presenter: Dan Schroeder, CPA/CITP Habif, Arogeti, & Wynne, LLP Georgia Society of CPAs Annual Convention June 16, 2010 About the Presenter Partner-in-Charge, Habif,
More informationSecuring SaaS Applications: A Cloud Security Perspective for Application Providers
P a g e 2 Securing SaaS Applications: A Cloud Security Perspective for Application Providers Software as a Service [SaaS] is rapidly emerging as the dominant delivery model for meeting the needs of enterprise
More informationSTORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM
STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationProtecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11
Protecting What Matters Most Terry Ray Chief Product Strategist Trending Technologies Session 11 Cyber attacks are bad and getting Significant economic Stock price fell by 14% Impacted profits by 46% Total
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationHow To Protect Yourself From A Hacker Attack
Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationIntegrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis Agenda Seek First to Understand Source Code Security AppSec and SQA Analyzing
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationFrom the Bottom to the Top: The Evolution of Application Monitoring
From the Bottom to the Top: The Evolution of Application Monitoring Narayan Makaram, CISSP Director, Security Solutions HP/Enterprise Security Business Unit Session ID: SP01-202 Session 2012 Classification:
More informationWEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services
WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationISO/IEC 27001 Information Security Management System Vs. ITIL IT Security Management
ISO/IEC 27001 Information Security Management System Vs ITIL IT Security Management ISMS ITIL ITSM Presented by Mark E.S. Bernard, CGEIT, CISM, CISA, CISSP, ISO27k Lead Auditor, PM, ITIL/COBiT Foundation,
More informationInformation Security Risk Management
Information Security Risk Management June 11, 2013 Patrick Perreault Daniel Gaudreau Agenda Current State of Affairs Why Information Security? The Role of Risk Management Information Security Threats,
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationExpert Reference Series of White Papers. 10 Security Concerns for Cloud Computing
Expert Reference Series of White Papers 10 Security Concerns for Cloud Computing 1-800-COURSES www.globalknowledge.com 10 Security Concerns for Cloud Computing Michael Gregg, Global Knowledge Instructor,
More informationMean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP
Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More informationCyber Security & Data Privacy. January 22, 2014
Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies
More informationPromoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org
Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationSERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationSecuring the Microsoft Cloud
Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationInformation Security Team
Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface
More informationCloud Security: Critical Threats and Global Initiatives
Cloud Security: Critical Threats and Global Initiatives Richard Zhao, Founder and Board Member of CSA-GCC Chief Strategy Officer, NSFOCUS Sept. 2010 What is Cloud Computing? Compute as a utility: third
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationMaking your web application. White paper - August 2014. secure
Making your web application White paper - August 2014 secure User Acceptance Tests Test Case Execution Quality Definition Test Design Test Plan Test Case Development Table of Contents Introduction 1 Why
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More informationCyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013
Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationStaying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.
Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding
More informationWeb Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research
Web Hacking Incidents Revealed: Trends, Stats and How to Defend Ryan Barnett Senior Security Researcher SpiderLabs Research Ryan Barnett - Background Trustwave Senior Security Researcher Web application
More informationNetwork Test Labs (NTL) Software Testing Services for igaming
Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs
More informationHow-To Guide: Cyber Security. Content Provided by
How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses
More informationHow to achieve PCI DSS Compliance with Checkmarx Source Code Analysis
How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.
More informationENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT
ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT IS THIS ebook RIGHT FOR ME? Not sure if this is the right ebook for you? Check the following qualifications to make
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationWhat s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.
What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current
More informationMaking Sure Cloud Security is Not Up in Smoke: Integrating Protection in the Acquisition Process Digital Government Institute Cloud-Enabled
Making Sure Cloud Security is Not Up in Smoke: Integrating Protection in the Acquisition Process Digital Government Institute Cloud-Enabled Government Conference & Expo September 22, 2011 Disclaimer This
More informationAuditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement
Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Copyright Elevate Consult LLC. All Rights Reserved 1 Presenter Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA Over 25
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationFACING SECURITY CHALLENGES
24 July 2013 TimeTec Cloud Security FACING SECURITY CHALLENGES HEAD-ON - by Mr. Daryl Choo, Chief Information Officer, FingerTec HQ Cloud usage and trend Cloud Computing is getting more common nowadays
More informationOutsourcing and Information Security
IBM Global Technology Services Outsourcing and Information Security Preparation is the Key However ultimately accountability cannot be outsourced February 2009 page 2 1. Introduction 3 1.1 Reason for outsourcing
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationPurpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
More informationEXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources
EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationSOFTARE SECURTY OF WEB APPLICATION AND WEB ATTACKS
SOFTARE SECURTY OF WEB APPLICATION AND WEB ATTACKS Hanım Eken Gazi University hanim.eken@os.gazi.edu.tr Abstract Today, thousands of applications world-wide web, and mobile media applications are used
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationIntroduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec
Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing
More informationExternal Penetration Assessment and Database Access Review
External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationCloud Security. DLT Solutions LLC June 2011. #DLTCloud
Cloud Security DLT Solutions LLC June 2011 Contact Information DLT Cloud Advisory Group 1-855-CLOUD01 (256-8301) cloud@dlt.com www.dlt.com/cloud Your Hosts Van Ristau Chief Technology Officer, DLT Solutions
More informationVendor Questions and Answers
OHIO DEFERRED COMPENSATION REQUEST FOR PROPOSALS (RFP) FOR COMPREHENSIVE SECURITY ASSESSMENT CONSULTANT Issue Date: December 7, 2016 Written Question Deadline: January 11, 2016 Proposal Deadline: RFP Contact:
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More informationwww.pwc.com/mt Internal Audit Takes On Emerging Technologies
www.pwc.com/mt In Internal Audit Takes On Emerging Technologies Contents Introduction 2 Cloud Computing & Internal Audit 3 Smart Devices/ Technology & Internal Audit 6 Social Media & Internal Audit 8 Cyber
More informationThrough the Security Looking Glass. Presented by Steve Meek, CISSP
Through the Security Looking Glass Presented by Steve Meek, CISSP Agenda Presentation Goal Quick Survey of audience Security Basics Overview Risk Management Overview Organizational Security Tools Secure
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationCloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC
Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationBMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
More informationCloud Computing: What needs to Be Validated and Qualified. Ivan Soto
Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data
More information