ISACA Victoria Chapter CyberSecurity Presentation Oct 21st 2015

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** October 21st 2015

Transcript of ISACA Victoria Chapter CyberSecurity Presentation Oct 21st 2015

Page 1: ISACA Victoria Chapter CyberSecurity Presentation Oct 21st 2015


October 21st 2015

Page 2:

• Introduction and Bio
• CyberSecurity Defined
• CyberSecurity Risks
• NIST CyberSecurity Framework
• References


Page 4:

Chapter 3. Framework Implementation

• Relationship of the COBIT 5 Goals Cascade to the CSF
• Step 1: Prioritize and Scope
• Step 2: Orient, and Step 3: Create a Current Profile
• Step 4: Conduct a Risk Assessment
• Step 5: Create a Target Profile
• Step 6: Determine, Analyze, and Prioritize Gaps
• Step 7: Implement Action Plan
• Action Plan Review
• Life Cycle Management

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Implementing-the-NIST-Cybersecurity-Framework.aspx

Page 5:

Mark E.S. Bernard CyberSecurity Courses:

• White label Foundation Course: http://itprn.rs/1MscLu8
• Subscription Mentorship Practitioner Course: http://itsmmentor.com/mark-e-s-bernard/

Page 6:

Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001 Lead Auditor, SABSA-F2

Information Security, Privacy, Governance, Risk Management, Compliance Consultant


Page 10:

Link: CyberSecurity Infographic: http://tinyurl.com/mhm7k5d

Page 11:

CyberSecurity Defined

The Enterprise's Cyber Security Management System encompasses Governance, Risk Management, Internal Audit, Quality Management, Continuous Improvement, Incident Management, Vulnerability Management, Active Monitoring, Cryptographic Management, Identity and Access Management, and Procurement and Supply Chain Management. These are established to drive a CyberSecurity Program that brings value to the organization and is resilient and sustainable.


Page 13:

Key takeaways from this research include:

• Cyber crimes are costly. We found that the average annualized cost of cyber crime for 234 organizations in our study is $7.2 million per year, with a range of $375,387 to $58 million. This represents an increase in cost of 30 percent from the consolidated global results of last year’s cyber cost study.

• Cyber attacks have become common occurrences. The companies in our study experienced 343 successful attacks per week and 1.4 successful attacks per company per week. This represents an increase of 20 percent from last year's successful attack experience. Last year's study reported 262 successful attacks on average per week.

• The most costly cyber crimes are those caused by malicious insiders, denial of service and web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions.

Credits - October 2013 Ponemon Institute© Research Report

Page 14:

Credits - 2013 Cost of Data Breach Study: Global Analysis

Page 15:

Credits - 2013 Cost of Data Breach Study: Global Analysis

Page 16:

Credits – RedSocks 2015 Quarterly Report

Page 17:

Link: http://tinyurl.com/kmy35wn

Page 18:

Source: BC Information and Privacy Commissioner

• FIPP Act clause 74 – Financial penalties, ZERO!

Page 19:

• 3.7 million records worth $50.00 each on the black market
• Credit report costs $150.00 per record

Page 20:

Link: http://tinyurl.com/q4n6soq

Page 21:

Link: http://tinyurl.com/omhworn

Page 22:

The Most Significant Threats. Link: http://tinyurl.com/oaorzda

Page 23:

The Most Common Vulnerabilities. Link: http://tinyurl.com/k3bedps


Page 25:

DETECT

Page 26:

[Figure: NIST / UK CyberSecurity competency matrix; the recoverable labels follow.]

ISO/IEC 27001 course levels:

• Foundation: Knowledge / Comprehension (Bloom's 1-2, Knowledge & Comprehension)
• Practitioner: Implementation / Maintenance (Bloom's 3-4, Application & Analysis)
• Professional: Design / Architecture (Bloom's 5-6, Synthesis & Evaluation)

Industry standards: ISO/IEC 27001/2, ITIL, ISO/IEC 9001, ISO/IEC 38500, ISO/IEC 31000, SIRT, ISO/IEC 14001, ISO 18001, BS 25999, COSO ERM, COBiT, NIST, RCMP HTRA

Certifications and frameworks: PMP/Prince2, CISSP, CISM, GIAC, CISA, CGEIT, CRISC, SABSA, EA - FEMA, TOGAF

Technical skills: CISCO, IBM, SAP, ORACLE, TCP/IP, OSI, DBA, System Admin, Java, Programmer, API, ARC

Audiences: Executive Overview (Buy In); Work-stream Leaders; Managers / PM; Subject Matter Experts

Notes: other considerations: accounting skills, communications, skills & competencies, procurement, strategic planning, etc.

Page 27:

The knowledge transfer process will establish a link between our instructional objectives and your knowledge deliverables. During the knowledge transfer process we will improve three predominant skill areas, as follows:

• Cognitive: intellectual outcomes;
• Psychomotor: new physical skills; and
• Affective: attitudes, values, beliefs.

Step 1: Knowledge
Step 2: Comprehension
Step 3: Application
Step 4: Analysis


Page 30:

• Defense Industrial Base

• Emergency Services

• Commercial Facilities

• Communications

• Critical Manufacturing

• Chemical

• Dams

• Energy

• Financial Services

• Food and Agriculture

• Government Facilities

• Healthcare and Public Health

• Information Technology

• Nuclear Reactors, Materials, and Waste

• Transportation Systems

• Water and Wastewater Systems


Page 33:

The NIST CyberSecurity Foundation course comprises the following processes:

• Identify: Business Environment, Governance, Risk Management Strategy, Risk Assessment, Asset Management
• Protect: Access Control, Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
• Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
• Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
• Recover: Recovery Planning, Improvements, Communications


Page 51:

• NIST CyberSecurity Framework
• Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience
• ISO 27001 – Information Security Management System
• ITIL – Service Management
• ISO 9001 – Quality Management Systems
• RCMP HTRA – Harmonized Threat Risk Assessment
• COSO Enterprise Risk Management – Integrated Framework
• Carnegie Mellon CSIRT (Computer Security Incident Response Team)
• COBIT5 – Control Objectives for Information and Related Technology
• ISO 31000 Risk Management – Principles and Guidelines
• ISO 20000 Information Technology – Service Management – Concepts and Terminology
• ISO 38501 Governance – Corporate Governance of Information Technology
• ISO 14001 Environmental Management Systems
• ISO 18001 Occupational Health and Safety
• ISO 22000 Requirements for a Food Safety Management System
• ISO 55001 Asset Management and Supply Chain
• ISO 28001 Supply Chain Security Management Standard
• Carnegie Mellon Defence-in-Depth: Foundations for Secure and Resilient IT Enterprises
• Carnegie Mellon Software Development Life Cycle
• BS 25999 Business Continuity

Page 52:

For more information contact Email: [email protected]

Phone: 202-306-4907