Information Security and Risk Management


Information Security and Risk Management
COSO and COBIT Standards and Requirements
Page 1

Topics
Information Security: Industry Standards and COBIT Framework
Relation to COSO Internal Control
Risk Management: IT and Security Concepts; COBIT and COSO Perspectives
Monitoring: Procedural and Technical
Page 2

Information Security: Some Industry Standards
International Standards Organization (ISO) 27000 Series
Information Security Forum (ISF) Standard of Good Practice for Information Security
National Institute of Standards and Technology (NIST)
Payment Card Industry Data Security Standard (PCI DSS)
SANS Top 20 Controls
Page 3

Information Security - Definition
ISACA defines information security as something that:
Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability).
Page 4

COBIT 5 for Information Security
Extended view of COBIT 5
Explains each component from an information security perspective
Provides:
  Guidance on drivers and benefits
  Principles from an information security perspective
  Enablers for support
  Alignment with standards
Page 5

COBIT 5 for Information Security: Policy Framework
Input
Information Security Principles
Information Security Policy
Specific Information Security Policies
Information Security Procedures
Information Security Requirements and Documentation
Mandatory Information Security Standards, Frameworks and Models
Generic Information Security Standards, Frameworks and Models
Source: COBIT 5 for Information Security, figure 10. 2012 ISACA. All rights reserved.
Page 6

Information Security and COBIT 5
Information Security Principles:
  Support the Business
  Defend the Business
  Promote Responsible Information Security Behavior
Information Security Policy scope, including:
  A definition for the enterprise
  Responsibilities
  Vision, with appropriate goals and metrics
Page 7

Information Security and COBIT 5 (cont.)
Policy driven by Information Security:
  Access Control
  Personnel Information Security Policy
  Physical and Environmental Information Security Policy
Policy driven by the Enterprise, including:
  Business Continuity and Disaster Recovery
  Acceptable Use
  Communication and Operations
  Risk Management
Page 8

Information Security and COSO
Control Environment
  Principle 1: The organization demonstrates a commitment to integrity and ethical values
  Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Page 9

Information Security and COSO (cont.)
Risk Assessment
  Principle 6: Identifies and analyzes risk
  Principle 9: Identifies and analyzes change
Control Activities
  Principle 12: Deploys policies and procedures
Monitoring Activities
  Principle 16: Conducts evaluations
  Principle 17: Evaluates and communicates deficiencies
Page 10

COBIT 5 and PCI DSS: PCI DSS 3.0 Requirements
Page 11

COBIT 5 Security and PCI DSS: COBIT 5 Enabling Processes
Page 12

COBIT 5 Security and PCI DSS: Example Mapping
Page 13

Risk Management
Page 14

Current Threats Statistics: Top 5 Threat Actions
1) Use of Stolen Credentials (hack)
2) Export Data (malware)
3) Phishing (social engineering)
4) RAM Scraper (malware)
5) Backdoor (malware)
Source: Verizon Data Breach Investigations Report 2014
Page 15

Current Threats Statistics: Top 5 Breach Incident Methods
1) 35% Web App Attacks
2) 22% Cyber-espionage
3) 14% POS Intrusions
4) 9% Card Skimmers
5) 8% Insider Misuse
Source: Verizon Data Breach Investigations Report 2014
Page 16

Risk Management
Have you assessed the risk of your IT environment?
For example, your internal controls may prevent an employee from creating fraudulent checks, but... is your (or your customer's) information being siphoned off the network?
Page 17

Risk Management (cont.)
The goal of an IT risk assessment:
  Define threats and potential threats (internal or external)
  Identify areas that are not adequately protected
  Identify areas that do not meet regulatory requirements (compliance)
  Understand the security impact of new technologies
Page 18

Risk Management (cont.)
Identify Threats and Vulnerabilities

Critical Asset                 Known Threats                              Vulnerabilities
Information, Server, Website   Cyber attack, DDoS attack, Staff errors    Internal network not patched; external defenses weak
Page 19

Risk Management (cont.)
Rank the risk to each asset
Likelihood or Probability: How likely is the threat to occur? Or how likely is the vulnerability to be exploited?
Severity or Impact: What would be the cost to the business? Consider downtime, brand name, cost of recovery, and cost of penalties.
Page 20

Risk Management (cont.)
One way to rank risks (time for some math):
Probability (%) = Likelihood of the threat occurring and being successful (Threat + Vulnerability)
Impact (1-5, where 5 is the highest impact) = Actual or anticipated cost to the business
Risk = Probability x Impact
Page 21
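As an added example (not from the slide deck), the formula above applied to the assets, threats and vulnerabilities of the deck's Identify Threats and Vulnerabilities table, with the assessment steps from the preceding slides carried through to a ranked register. Every numeric likelihood and cost value is constructed, and combining threat likelihood and exploitability by multiplication is an assumption, since the slide only says "Threat + Vulnerability".

```python
from dataclasses import dataclass

@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    threat_likelihood: float   # 0-1: chance the threat occurs (constructed)
    exploitability: float      # 0-1: chance the vulnerability is exploited (constructed)
    costs: dict                # cost factors the slide names, each scored 1-5 (constructed)

def probability(item: RiskItem) -> float:
    """Probability (%) of the threat occurring AND being successful.
    Assumption (the slide only says 'Threat + Vulnerability'): the two are treated
    as independent, so the combined chance is threat_likelihood * exploitability."""
    for v in (item.threat_likelihood, item.exploitability):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"likelihood must be between 0 and 1, got {v}")
    return round(100.0 * item.threat_likelihood * item.exploitability, 1)

def impact(item: RiskItem) -> int:
    """Impact on a 1-5 scale (5 = highest). The slide says to consider downtime,
    brand name, cost of recovery and cost of penalties; assumption: the single
    worst factor sets the impact, since one catastrophic cost is enough."""
    score = max(item.costs.values())
    if not 1 <= score <= 5:
        raise ValueError(f"impact scores must be 1-5, got {score}")
    return score

def risk(item: RiskItem) -> float:
    """Risk = Probability x Impact, exactly as the slide states it."""
    return round(probability(item) * impact(item), 1)

def rank(register: list) -> list:
    """Highest risk first: the top of the list is what to remediate first."""
    return sorted(register, key=risk, reverse=True)

# Constructed register: assets, threats and vulnerabilities come from the deck's
# table; every number is an illustrative value, not an assessment result.
REGISTER = [
    RiskItem("Information", "Cyber attack", "Internal network not patched",
             0.8, 0.7, {"downtime": 3, "brand": 5, "recovery": 4, "penalties": 5}),
    RiskItem("Server", "DDoS attack", "External defenses weak",
             0.6, 0.5, {"downtime": 4, "brand": 2, "recovery": 3, "penalties": 1}),
    RiskItem("Website", "Staff errors", "Internal network not patched",
             0.9, 0.3, {"downtime": 2, "brand": 1, "recovery": 2, "penalties": 1}),
]
```

With these constructed values, rank(REGISTER) orders the assets Information (risk 280.0), Server (120.0), Website (54.0); the rounding in probability() also keeps floating-point noise such as 0.8 * 0.7 = 0.5599... out of the scores.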

Monitoring
Page 22

Incident Discovery
Remember the threats from earlier?
98% of all attacks lead to a compromise in LESS THAN 1 DAY!
Only 25% of all companies detected the compromise in less than 1 day
*Median days to discovery: 229 DAYS!
Sources: Verizon Data Breach Investigations Report 2014; *Mandiant M-Trends 2014 Report
Page 23

Monitoring: COSO Monitoring and COBIT 5

COSO Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
COBIT 5 process: MEA02
The COBIT 5 Processes enabler guidance specifically addresses monitoring, evaluation and assessment of internal control adequacy (COBIT 5 process MEA02 Monitor, evaluate and assess the system of internal control).

COSO Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COBIT 5 processes: EDM05, MEA02
In addition to MEA02, COBIT 5 process EDM05 Ensure stakeholder transparency includes practices and activities to evaluate, direct and monitor stakeholder reporting and communication requirements, including those related to control deficiencies, to senior management and the board, as appropriate.
Page 24

Monitoring Network Activity: Network Monitoring
It is necessary to understand your network.
"If you do not know what is on your network, you cannot defend it effectively. If you do not know how devices on your network are configured and set up, you cannot know how to protect and secure them."
--Dr. Eric Cole, recent inductee to the Infosecurity Europe Hall of Fame
Page 25

Monitoring Network Activity
Don't forget to look inside your network: there's a whole network behind your firewall.
Page 26

Monitoring Network Activity
Look inside your network to discover malicious software, trojan horses, spam-bots, etc.
All phone home to a command and control (C2) system.
Watch your outgoing traffic, not just incoming.
Page 27
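As an added example, not part of the deck: a small detector that applies the slide's advice to constructed outbound connection log lines, flagging internal hosts that contact the same external address at near-regular intervals, the "phone home" check-in pattern the slide describes. The log format, the addresses, and the connection-count and jitter thresholds are all assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log lines (not from the deck). Assumed format:
# <ISO timestamp> <internal src> -> <dst>:<port> bytes=<n>. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
LOG = """\
2014-09-01T10:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=512
2014-09-01T10:00:42 10.0.0.5 -> 198.51.100.20:443 bytes=8120
2014-09-01T10:05:00 10.0.0.5 -> 203.0.113.7:443 bytes=498
2014-09-01T10:10:01 10.0.0.5 -> 203.0.113.7:443 bytes=505
2014-09-01T10:12:13 10.0.0.9 -> 198.51.100.20:443 bytes=3000
2014-09-01T10:15:00 10.0.0.5 -> 203.0.113.7:443 bytes=511
2014-09-01T10:20:00 10.0.0.5 -> 203.0.113.7:443 bytes=502
2014-09-01T10:21:09 10.0.0.9 -> 10.0.0.1:445 bytes=90000
"""

# RFC 1918 ranges: connections staying inside these never leave the network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse_outbound(log: str) -> dict:
    """Group connection timestamps by (src, dst) for traffic leaving the network."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _arrow, dst, _bytes = line.split()
        host = dst.rsplit(":", 1)[0]
        if not is_internal(host):          # outgoing traffic only, as the slide says
            flows[(src, host)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows: dict, min_conns: int = 4, max_jitter: float = 0.1) -> list:
    """Flag (src, dst) pairs whose gaps between connections are nearly identical,
    the regular check-in pattern of malware phoning home to its C2 system.
    jitter = population stdev of the gaps / their mean (thresholds are assumed)."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else 1.0
        if jitter <= max_jitter:
            hits.append((src, dst, round(mean), round(jitter, 3)))
    return hits
```

On the sample log, beacon_candidates(parse_outbound(LOG)) returns only the 10.0.0.5 to 203.0.113.7 flow (five connections about 300 seconds apart); the one-off downloads and the internal SMB transfer are not flagged, which is the point of watching regularity rather than volume.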
