Security Risk Management Strategy in a Mobile and Consumerised World

Similar documents
Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Defending Against Data Beaches: Internal Controls for Cybersecurity

Presented by Frederick J. Santarsiere

Cyber Security - What Would a Breach Really Mean for your Business?

Cybersecurity: Protecting Your Business. March 11, 2015

How To Protect Yourself From Cyber Threats

SECURITY RISK MANAGEMENT

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

FINRA Publishes its 2015 Report on Cybersecurity Practices

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Think STRENGTH. Think Chubb. Cyber Insurance. Andrew Taylor. Asia Pacific Zone Product Manager Chubb Pro PI, Media, Cyber

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

Network Security & Privacy Landscape

2012 雲 端 資 安 報 告. 黃 建 榮 資 深 顧 問 - Verizon Taiwan. August 2012

Security Controls What Works. Southside Virginia Community College: Security Awareness

CIO, CISO and Practitioner Guidance IT Security Governance

Small businesses: What you need to know about cyber security

HP Cyber Security Control Cyber Insight & Defence

How To Protect Yourself From A Hacker Attack

93% of large organisations and 76% of small businesses

Cybersecurity The role of Internal Audit

Cybersecurity and internal audit. August 15, 2014

Virtualization Impact on Compliance and Audit

Simplifying the Challenges of Mobile Device Security

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Technology Risk Management

North Texas ISSA CISO Roundtable

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

10 Smart Ideas for. Keeping Data Safe. From Hackers

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Hands on, field experiences with BYOD. BYOD Seminar

Global Security Report 2011

Executive Management of Information Security

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Developing National Frameworks & Engaging the Private Sector

External Supplier Control Requirements

Address C-level Cybersecurity issues to enable and secure Digital transformation

I n f o r m a t i o n S e c u r i t y

Cloud Security and Managing Use Risks

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

A NEW APPROACH TO CYBER SECURITY

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Developing Secure Software in the Age of Advanced Persistent Threats

Addressing Cyber Risk Building robust cyber governance

SECURITY CONSIDERATIONS FOR LAW FIRMS

BYOD: End-to-End Security

Certified Secure Computer User

Small businesses: What you need to know about cyber security

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

The Protection Mission a constant endeavor

Practical Steps To Securing Process Control Networks

Into the cybersecurity breach

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Cyber Security. John Leek Chief Strategist

Cybersecurity. Are you prepared?

F G F O A A N N U A L C O N F E R E N C E

PCI Compliance 3.1. About Us

PCI DSS Overview and Solutions. Anwar McEntee

National Cyber Security Policy -2013

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

ESKISP Conduct security testing, under supervision

INFORMATION SECURITY TESTING

How-To Guide: Cyber Security. Content Provided by

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

The enemies ashore Vulnerabilities & hackers: A relationship that works

Maritime Insurance Cyber Security Framing the Exposure. Tony Cowie May 2015

Information Security Team

Payment Card Industry Data Security Standards

Big Data, Big Risk, Big Rewards. Hussein Syed

Metrics that Matter Security Risk Analytics

How small and medium-sized enterprises can formulate an information security management system

Transcription:

Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate

AGENDA Current State Key Risks and Challenges Opportunities Practical Next Steps 2

CURRENT STATE 3

THE WORLD HAS CHANGED Consumerisation of IT Younger workforce Mobile workforce Web services Outsourcing / Offshoring Cloud computing Regulatory environment Economic pressure Political risk Lined up outside the IT department for a Blackberry? 4

INTERESTING STATS Verizon breach report 2011 * 2012 ** ISACA Cloud Survey 2011 ** InfoSec Europe 12: Dr. Paul Judge *** Security Breaches Cloud Computing Mobile Computing Social Media Outsider Threat 96% of attacks in 2011 were simple* 97% could have been prevented by rudimentary controls* 45 % risks outweigh benefits** 38% benefits and risks are balanced 17% benefits outweigh risks Est 50 billion apps downloaded this year Mobile malware increased 700% in a year 1 million new iphones and Android devices purchased daily 1 in 100 posts on Twitter are spam / malicious *** 1 in 60 posts on Facebook are spam / malicious *** 20 % of all Facebook users are active targets of malware. 47% have been victims of malware infections 98% breaches stemmed from external agents* Only 4% implicated internal employees * 58% data theft tied to external agents ¼ London Wifi spots still insecure 5

WHY IS INFO SEC NOT WORKING? Constant fire fighting Poor building blocks Shrinking budgets Lack of visibility Ineffective incident response

WHY IS INFO SEC NOT WORKING? Governance and management support Over compliance and regulation People weakest link Supportability of new technologies Organisational culture IS efficiency and effectiveness Poor visibility and awareness 7

RISKS AND CHALLENGES 8

RISKS IN OUR NEW WORLD Loss of control over HW and SW Attacks target users through social networking, mobile apps, browsers, drive by downloads, search engine poisoning Opening our Infrastructures for external access Data leakage and data loss opportunities 3 rd parties and cloud providers Shadow IT 9

RESETTING EXPECTATIONS 100% security is possible We have technical security controls and/or CISO We re certified. Blocker vs business enabler We are not: a bank a target responsible We have a strong perimeter and trust our users

EXISTING FRAMEWORKS Define ISMS and Assets Define CDE Refine Assess Risk Maintain Assess ISO 2700X PCI DSS Measure Security Measures Validate Gaps Remediate Gaps Scope: All Information Assets within ISMS Control Framework: ISO27002 Scope : Cardholder Data Control Framework: PCI DSS 11

OPPORTUNITIES 12

DUTY OF CARE Protect customer data Maintain controls for crime prevention Reduce risk to operations and information assets Know and understand legislation and regulations Accountable and liable for non compliance Retain and protect all records needed Ensure confidential information is not disclosed UK DPA - COMPANIES ACT COMPUTER MISUSE - FRAUD 13

AGILE APPROACH TO SECURITY Think about Risk Reduce Attack Surface Mitigate Apply Risk Appetite Measure Success Aware & Protect Prioritise Prevent new ops Assess Risk Reduce Risk 14

WHERE ARE YOU ON YOUR JOURNEY? Cure-All 15

AGILE BEHAVIOURS Step function thinking Culture and behavioural change Prepare for failure Defensible position Apply cross functional skills Security Inside TM Focus on selling security Better intelligence applying risk based decisions Wider engagement Rapid organisational response Report right things Better collaboration 16

CASE STUDIES European Airline * Focus on reputation Global Publisher * 3 rd party assurance Global Mining Company * Minimum standards & checklists Global Media Company * Measure against Top 10 Controls Global Recruitment Firm * BYOD mobile devices * Social Media Policies Global Shoe Retailer * 8 week group huddles 17

BABY STEPS: SECURITY 80/20 1. UNDERSTAND RISK APPETITE & CULTURE 2. CREATE IMPROVEMENT PLAN 3. DEFINE AND UPDATE POLICY 4. APPLY GOOD (P) RACTICES PCI DSS PEOPLE PERIMETER PENETRATION PROACTIVE PEOPLE PROXY PROGRAMMING PROTECTION PROCUREMENT PASSWORDS PATCHING 18

PRACTICAL STEPS: MOBILE DEVICES Create Formal Policies for Mobile Devices Create Your Own App Store Control Wireless Access Consider Network Access Control Consider Creating a Policy Server 19

Cost & Complexity BALANCING FLEXIBILTY vs CONTROL Minimal Management Few Controls Partial Management Basic Controls Full Management Restrictive Controls Devices are heavily controlled with restrictive policies and granular management Basic management of devices and basic policies. Some functionality may be restricted. Minimal management over devices. Little to no policies or controls restricting devices. Control & Security 20

PRACTICAL STEPS CLOUD Privileged User Access Management Regulatory Compliance Data Location Data Segregation Resilience, Recovery, Continuity Investigative Support Long Term Viability Accreditation 21

REDUCING SECURITY RISKS Security Risks Web application security Social media networking Advanced persistent threats Mobile applications Insider threats Information security function effectiveness Cloud Computing / 3 rd party providers Over compliance and regulation Lack of security awareness Younger workforce Risk reduction strategies Software development lifecycle, education, due diligence, testing Policy, Awareness, Technology Raise the bar as best as you can Awareness, Technology, Process Risk assess key assets and people, appropriate controls Stop putting out the fires educate people not to smoke. Due diligence choose your partners wisely Be pragmatic and sensible think longer term Create awareness and embed Awareness, appropriate controls SORRY - NO SILVER BULLETS FOR SALE 22

MEASURING PROGRESS So what? Aligning exposure with tolerance of business Risk Key Risk Indicator Key Performance Indicator Confidentiality (Manufacturing) Privacy (Insurance) % deals lost to competitive intelligence % of incidents where customer data at risk Competitiveness Index Customer satisfaction and renewal indices Availability (Manufacturing) % of lost inventory due to system downtime Manufacturing Capacity Index BCM (Healthcare) % DR plans tested Bed mortality rates 23

APPLY SLIDE STOP using vulnerabilities and gap lists GET BUY IN from top ENGAGE with people to MANAGE expectations UNDERSTAND risk landscape ESTABLISH risk threshold BALANCE security with appetite SIMPLE security first CHOOSE your partners wisely EDUCATE responsible behaviour COMMUNICATE effectively MEASURE performance, refine and improve XXL 24

It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. Warren Buffett 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information