1
CyberSecurity And Risk Reduction
Match Effort Expenditure to Expected Results
ClearArmor Corporation – Pragmatic CyberSecurity and Risk Reduction
2
Introduction
Presenter: Bruce Hafner
President, ClearArmor Corporation
Website: ClearArmor Corporation (https://cleararmor.com)
Contact Info: info@cleararmor.com
Genesis for Presentation:
Organizations overwhelmingly need to improve their CyberSecurity posture. The single most effective
method is to adopt a mature framework such as the NIST CyberSecurity Framework. False starts, limited
authority, resource deficiencies, and competing leadership focus conspire to impede CyberSecurity improvement.
Under these circumstances a pragmatic approach can build momentum, and organizations that are just
beginning their cyber posture improvement journey may benefit from taking a pragmatic approach to risk
reduction.
3
CyberSecurity & Risk Language Barriers
Some terms we will be using to bring the conversation forward.
Business is from Mars; Technology is from Venus.
4
Communication – A Cyber & Risk Requirement
‘Lead, follow, or get out of the way’ (Lee Iacocca; versions of the line are also attributed to General Patton and, perhaps, Thomas Paine).
Some terms that will allow business and technology team members to communicate effectively:

Risk: the potential of gaining or losing something of value.
Risk Mitigation: lessening the impact of a risk event through technology, process, training, etc.
Risk Prevention: removing the ability of a specific trigger to cause an impacting event.
Risk Event: is caused by a trigger and impacts one or more assets, systems, data types, and/or business functions.
Risk Trigger: what causes a risk event to occur.
Risk Trigger Probability: the likelihood that a trigger occurs, causing an event that impacts assets.
Asset Value: assets have value that can be distilled down to financial and other measures.
Asset Data: the type of data that may be stored, transmitted, or interacted with by people, systems, and processes.
Asset System: a set of endpoints (servers, storage, network, external systems) that fulfill a need.
Asset Landscape: a system may consist of various isolated groups (Dev, Test, QA) that serve isolated functionality.
Asset Endpoint: a system landscape may consist of one or more endpoints.
Asset Software: is distributed to various endpoints and performs some function required by the system.
Detection: the ability to monitor, report, and alert on an event.
Detection Tool: a technical or business process or product that is able to detect a trigger or an impacting event.
Detection Method: the specifics of how the detection tool identifies the trigger or the impacting event.
Trigger Detection: the tools and methods for detecting a trigger that leads to an impacting event.
Detection Confidence: the likelihood that a trigger would actually be caught by the monitoring in place.
Detection Audit: validates that the detection method would succeed (for example, by replaying a known trigger and confirming that the alert fires).
Response Scenario: the situation surrounding the response to an impacting event.
Response Roles: the roles required to be engaged during various events.
Response Team: the roles, people, vendors, etc. that are required to be involved during a response.
Response Schedule: identifies the time that should elapse from the time of the event to the execution of each task.
Response Execution: the actual work items that will be executed by roles/people according to the schedule.
Response Simulation: testing the response, with all required roles and team members, through mechanical tests and/or team collaborative (tabletop) meetings.
Recovery: of systems, operations, processes, and other areas after an impacting event.
Recovery Method: how recovery will occur: failover to a DR system, tape restoration, operations relocation.
Recovery Testing: simulating the recovery method to validate that it could successfully occur.
Recovery Event: the circumstance under which a recovery effort will occur.
Recovery Point Objective (RPO): the maximum amount of data loss that is acceptable, usually expressed as the age of the last usable backup.
Recovery Time Objective (RTO): the target time within which a system must be recovered after an event.
5
Understanding of Risk Related Conflict
Risk is everywhere. Risk can be ignored, accepted, transferred, mitigated, or remediated.
• Driving a car vs no job (risk mitigated)
• Babies on planes vs injury (risk accepted)
6
Results Leading to Risk Reduction
Identify Risk
• What is at risk
• Manifestation of risk
Prioritize Risk
• Impact value of risk
• Cost to reduce risk
Risk Event Scenario Planning
• Who is involved
• When they get involved
• Why they get involved
• Who does what
Scenario Simulation
• Scheduling tabletop sessions
• Frequency of tests
• Results of tests
• Improvement of plans
In some things, an incomplete or immature process is better than inaction.
There is always a more effective way. There is always a less effective way.
7
Elements to Building Momentum
Change takes deliberate choices. Not difficult, just deliberate.
• Follow a Process: create processes you can commit to. Not when convenient, but as part of the organizational culture.
• Prioritize: if everything is Priority 1, nothing is Priority 1.
• Involve Everyone: everyone is a participant, at some level. Prepare the organization.
• Adopt a Standard: you don't have to boil the ocean to start. You do need to embrace a standard.
• Create a Plan.
• Execute: treat CyberSecurity and Risk Reduction on par with revenue generation and compliance.
• Measure & Communicate along the way.
8
Selection of a Path to Reducing Risk
There are a lot of options when structuring a CyberSecurity Program: frameworks, compliance requirements, regulations.
• The Center for Internet Security (CIS) Critical Security Controls
• ISO 27001
• New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
• NIST SP 800-53 and NIST SP 800-171
• The NIST CyberSecurity Framework – a risk-based approach
NIST CSF: risk-based approach; a framework of what to do, not how to do it.
CIS Controls: technical approach; more specific; categories of activities.
Various frameworks / controls / regulations have different benefits or compliance requirements.
9
Starting Point – Both Good and Bad
Slide graphic: the NIST CSF subcategories laid out by Function (ID, PR, DE, RS, RC) and colour-keyed (KEYS) to show where the organization's starting point is good or bad. The subcategories shown, grouped by Function:
ID (Identify): ID.AM-1 to ID.AM-6; ID.BE-1 to ID.BE-5; ID.GV-1 to ID.GV-4; ID.RA-1 to ID.RA-6; ID.RM-1 to ID.RM-3; ID.SC-1 to ID.SC-5
PR (Protect): PR.AC-1 to PR.AC-6; PR.AT-1 to PR.AT-5; PR.DS-1 to PR.DS-8; PR.IP-1 to PR.IP-12; PR.MA-1, PR.MA-2; PR.PT-1 to PR.PT-5
DE (Detect): DE.AE-1 to DE.AE-5; DE.CM-1 to DE.CM-8; DE.DP-1 to DE.DP-5
RS (Respond): RS.RP-1; RS.CO-1 to RS.CO-5; RS.AN-1 to RS.AN-4; RS.MI-1 to RS.MI-3; RS.IM-1, RS.IM-2
RC (Recover): RC.RP-1; RC.IM-1, RC.IM-2; RC.CO-1 to RC.CO-3
Things to Consider
Leading to Risk and CyberSecurity maturity:
• Pragmatic
• Risk
• Assets
• Detection
• Recovery
11
Risk Reduction Requires Team Engagement
Groups needed for success:
Executive: CEO, GC, CFO, COO
Technical: CIO & CISO, Network Team, IT Admin, Service Team
Business: Business Heads, Customer Mgmt., Accounts Mgmt., Service Team
Additional: Facilities, Risk, Audit & Compliance, Board
12
Risk Reduction Needs Extended Involvement
3 more groups. Basically everyone.
• Internal Staff
13
Risk Reduction Method
Breaking the plan into achievable steps, with multiple teams:
• Risk Objectives: what are you trying to protect?
• Impacts to Risk Objective: what systems are involved? Does the Business know the value of the systems? Does IT know the relationship between systems, landscapes, and endpoints?
• Identifying Risk Events, Triggers, and Probabilities
• Calculating the Value of Risk Events
• Cost of Risk Reduction: identifying risk event mitigations & remediations; cost vs value
• Prioritizing Action
• Creating Scenario Plans
• Testing your Plans
14
Identification of What You are Protecting
Context for your plan. Ultimately, what are you trying to protect?
Risk Objectives: Intellectual Property, Reputation, Client Trust
15
What Functions Impact Risk Objectives
Process requires identification activities.
Risk Objective: Employee Data
Can be impacted by: Human Resources, Facilities, IT Administration
16
Getting Context – What Business Functions are Involved
Process identifies impacted things.
Risk Objective: Employee Data
Can be impacted by: Human Resources, Facilities, IT Administration
Using (systems involved): HRIS, Payroll, 401K, Medical Insurance, Access Control, Annual Review, Training Management
17
Digging Deeper – Bringing in Technical and Subject Matter Experts
Process identifies the value of those things.
Risk Objective: Employee Data
Can be impacted by: Human Resources, Facilities, IT Administration
Using (systems involved): HRIS, Payroll, 401K, Medical Insurance, Access Control, Annual Review, Training Management
System value: HRIS outage = $22K / day; HRIS data breach = $100K / incident
18
Process Identifies Events that Cause Impact
Identify concerns of events that could impact the organization and what could trigger them.
Risk Events:
• Ransomware infects the email system
• Patient data is breached and made public
• Intellectual property is stolen and published on the Web
• Client credit card theft from Web-based system
Risk Triggers (Event 4 could be triggered by):
• Web app servers – poor internal security
• Web app servers not patched
• Code injected into app
• Payment processor breach
19
Process Includes Probability & Likelihood
Risk Events:
• Ransomware infects the email system
• Patient data is breached and made public
• Intellectual property is stolen and published on the Web
• Client credit card theft from Web-based system
Event 4 could be triggered by:
• Web app servers – poor internal security
• Web app servers not patched
• Code injected into app
• Payment processor breach
Trigger probabilities (annual):
• The organization believes that poor security on Web applications presents a 2.5% chance of triggering an event in any given year
• Latency in patching cycles presents a 7.5% chance of triggering an event in any given year
• A 2% chance that modified code could cause the event is estimated
• Poor user authentication creates a 5% chance of triggering an event (an attacker getting into the web application's code base)
The systems impacted by risk events drive value calculations.
20
Process Ties Risk Events to Triggers to Systems
Risk Events:
• Ransomware infects the email system
• Patient data is breached and made public
• Intellectual property is stolen and published on the Web
• Client credit card theft from Web-based system
Event 4 could be triggered by:
• Web app servers – poor internal security
• Web app servers not patched
• Code injected into app
• Payment processor breach
And potentially impact these systems:
• OrderSys2020
The systems impacted by risk events help to automate the value of the impact.
21
Follow a Process – Risk Events Have a Value
Risk events have a real financial impact to your organization, direct and indirect.
Risk Event Cost (Direct Impact = Probability × Restoration Time in days × Daily Value):
System | Event | Trigger | Probability | Restoration Time (days) | Daily Value | Direct Impact
OrderSys2020 | Client credit card theft from Web-based system | Web app servers – poor internal security | 2.5% | 1.25 | $845,000 | $26,406.25
OrderSys2020 | Client credit card theft from Web-based system | Web app servers not patched | 7.5% | 1.25 | $845,000 | $79,218.75
OrderSys2020 | Client credit card theft from Web-based system | Code injected into app | 2% | 1.25 | $845,000 | $21,125.00
OrderSys2020 | Client credit card theft from Web-based system | Payment processor breach | 5% | 1.25 | $845,000 | $52,812.50
Total Risk Event Value: $179,562.50
If this event caused an erosion of trust that reduced new orders by 0.25% (1/4 of 1%) over the
next year, then based on your $845,000 daily value the indirect impact would be
0.25% × $845,000 × 365 days = $771,062.50, more than four times the direct impact.
22
Identifying Mitigations and Remediations
Mitigation & remediation reduce risk & impact.
Risk ‘4’ Triggers:
• Poor security on the Web application
• Unpatched servers
• Lack of baselining of systems exposes organizations to code modifications going undetected
• Weak user authentication policies
Mitigations:
• Implement code to limit external communications to certain functions
• Adopt a practice of patching test servers within 1 week, and production servers within 3 weeks
• Implement dual-factor authentication on the web application
Remediations:
• Technology – once code changes have passed testing, and prior to migration to production, baseline the system to ensure the integrity of the code against a known-good image. Validate continuously.
• Business – no app changes are accepted into production until audit confirms that the policy has been followed.
23
Follow a Process – Risk Events Have a Value
Risk events have a real financial impact to your organization, direct and indirect.
Risk Event Cost (Direct Impact = Probability × Restoration Time in days × Daily Value):
System | Event | Trigger | Probability | Restoration Time (days) | Daily Value | Direct Impact
OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Poor security on Web application servers | 2.5% | 1.25 | $845,000 | $26,406.25
OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Modified application code | 7.5% | 1.25 | $845,000 | $79,218.75
OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Modified application code | 2% | 1.25 | $845,000 | $21,125.00
OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Poor user authentication (5% chance of an attacker reaching the web application's code base) | 5% | 1.25 | $845,000 | $52,812.50
Total Risk Event Value: $179,562.50
If this event caused an erosion of trust that reduced new orders by 0.25% (1/4 of 1%) over the
next year, then based on your $845,000 daily value the indirect impact would be
0.25% × $845,000 × 365 days = $771,062.50.
24
Follow a Process – Risk Remediation has a Cost
Risk events have a real financial impact to your organization, direct and indirect; so do the countermeasures.
Countermeasure cost per trigger:
System | Trigger | Counter Measure | Cost | Duration
OrderSys2020 | Web app servers – poor internal security | Mitigate – limit access | $7,500 | 1 week
OrderSys2020 | Web app servers not patched | Mitigate – force patching policy; reduce patching latency | $25,000 | 2 months
OrderSys2020 | Code injected into app | Remediate – baseline application code | $12,000 | 2 weeks
OrderSys2020 | Payment processor breach | Mitigate – vendor risk assessment; vendor audit | $12,000 | 2 months
OrderSys2020 | Payment processor breach | Transfer – insurance | $75,000 | 4 months
Total countermeasure cost: $131,500 over 4 months (the longest single duration)
Remediations can take multiple paths, by multiple teams, with varying degrees of impact
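As an added worked example (not part of the deck), the calculation behind the three tables above, carried one step further: the annualized direct impact per trigger, the indirect trust-erosion impact, and a ranking of the slide-24 countermeasures by return on security investment. The trigger probabilities, restoration time, daily value and countermeasure costs are the deck's figures; the residual_factor for each countermeasure (how much of the annualized exposure it leaves behind) is an assumption chosen for illustration, as are the function and field names.

```python
"""Risk-event value and countermeasure ranking for the OrderSys2020 example."""
from dataclasses import dataclass
from typing import List, Tuple

# Figures taken from the deck's tables.
DAILY_VALUE = 845_000.0        # OrderSys2020 daily value
RESTORATION_DAYS = 1.25        # restoration time per event, in days


@dataclass(frozen=True)
class Trigger:
    name: str
    annual_probability: float  # chance the trigger fires in a given year
    restoration_days: float = RESTORATION_DAYS


@dataclass(frozen=True)
class Countermeasure:
    trigger: str               # name of the Trigger it addresses
    action: str
    cost: float
    # ASSUMPTION (not from the deck): fraction of the annualized exposure that
    # remains after the countermeasure. Mitigation lowers the probability,
    # transfer (insurance) lowers the loss the organization retains.
    residual_factor: float


def direct_impact(t: Trigger, daily_value: float = DAILY_VALUE) -> float:
    """Annualized direct impact = probability x outage days x daily value."""
    return t.annual_probability * t.restoration_days * daily_value


def total_direct_impact(triggers: List[Trigger], daily_value: float = DAILY_VALUE) -> float:
    return sum(direct_impact(t, daily_value) for t in triggers)


def indirect_impact(erosion_rate: float, daily_value: float = DAILY_VALUE, days: int = 365) -> float:
    """Lost orders over a year if trust erosion cuts new orders by erosion_rate."""
    return erosion_rate * daily_value * days


def risk_reduction(t: Trigger, cm: Countermeasure, daily_value: float = DAILY_VALUE) -> float:
    """Annualized exposure removed by the countermeasure."""
    return direct_impact(t, daily_value) * (1.0 - cm.residual_factor)


def rosi(t: Trigger, cm: Countermeasure, daily_value: float = DAILY_VALUE) -> float:
    """Return on security investment: (risk reduction - cost) / cost.
    Negative means the countermeasure costs more per year than the direct
    exposure it removes."""
    return (risk_reduction(t, cm, daily_value) - cm.cost) / cm.cost


def prioritize(triggers: List[Trigger], countermeasures: List[Countermeasure],
               daily_value: float = DAILY_VALUE) -> List[Tuple[str, float, float, float]]:
    """Rank countermeasures by ROSI, best first: (action, reduction, cost, rosi)."""
    by_name = {t.name: t for t in triggers}
    rows = []
    for cm in countermeasures:
        t = by_name[cm.trigger]
        rows.append((cm.action, risk_reduction(t, cm, daily_value),
                     cm.cost, rosi(t, cm, daily_value)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Triggers and annual probabilities from the deck's risk-event table.
TRIGGERS = [
    Trigger("poor internal security", 0.025),
    Trigger("servers not patched", 0.075),
    Trigger("code injected into app", 0.02),
    Trigger("payment processor breach", 0.05),
]

# Countermeasures and costs from the deck's cost table; residual factors are assumed.
COUNTERMEASURES = [
    Countermeasure("poor internal security", "Mitigate - limit access", 7_500, 0.5),
    Countermeasure("servers not patched", "Mitigate - force patching policy", 25_000, 0.25),
    Countermeasure("code injected into app", "Remediate - baseline application code", 12_000, 0.2),
    Countermeasure("payment processor breach", "Mitigate - vendor risk assessment", 12_000, 0.5),
    Countermeasure("payment processor breach", "Transfer - insurance", 75_000, 0.2),
]

if __name__ == "__main__":
    for t in TRIGGERS:
        print(f"{t.name:28s} {direct_impact(t):12,.2f}")
    print(f"{'total direct':28s} {total_direct_impact(TRIGGERS):12,.2f}")
    print(f"{'indirect (0.25% erosion)':28s} {indirect_impact(0.0025):12,.2f}")
    for action, reduction, cost, r in prioritize(TRIGGERS, COUNTERMEASURES):
        print(f"{action:40s} removes {reduction:10,.2f}  costs {cost:9,.0f}  ROSI {r:+.2f}")
```

Running it makes the cost-vs-value point concrete: forcing the patching policy removes the most exposure per dollar, while a $75,000 insurance premium against a trigger whose annualized direct exposure is $52,812.50 comes out negative on direct impact alone and is only defensible against the indirect or tail losses (the $771,062.50 trust-erosion figure) that the direct table does not capture. Replace the assumed residual factors with your own estimates before trusting the order.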
25
Prioritization – Weighing Impact and Probability
Risk events plotted on a probability × impact grid:
• High probability, high impact
• High probability, low impact
• Low probability, high impact
• Low probability, low impact
26
Prioritization Through Constraints
Prioritize: impact value vs cost, time, expertise, availability, and regulatory requirements.
27
Scenario Planning – The Plan
Scenario Plans: what if ‘X’ happened?
“The best-laid plans of mice and men often go awry.” (Robert Burns)
• What would need to be done?
• Who would need to be involved?
• By whom?
• When would it need to be done?
• And in what order?
28
Scenario Planning – The What-if Plan
Scenario Plans: what would you do if ‘Y’ also happened?
• Expected results deviate
• Dependencies fail
• Communications fail
• Team members are unavailable
29
Scenario Planning – Building the Plan
Identify Team: Executive, Legal, Business Line, Technical, Cyber, Vendor, Partner, Client
Scenario Response Setup:
• Overall objective
• Response steps
• Step objectives
• Step communications
• Step owners
• Step schedule
• Step approver
• Re-evaluation of team
• Re-evaluation of objectives
• Re-evaluation of steps
Leadership Approves:
• Objective
• Team
• Steps
• Communications
• Schedules
• Role that can call an event
• Role that can accept results
30
Scenario Planning – Testing the Plan
Tabletop Decisions:
• Will the exercise be scheduled?
• Will the exercise be unscheduled?
• What data will be recorded?
• Will the exercise use deviations?
• Will the exercise remove participants?
• Will the exercise have time constraints?
• Will the exercise limit resources?
• Who will be the scribe?
Run the Exercise:
• Call the event
• Assemble the team
• Follow the schedule
• Follow the steps
• Communicate as planned
• Simulate tests
• Simulate results
• Record issues
• Lessons learned
• Plan updates

Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture conceptP&CO
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperityhemanthkumar470700
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Sheetaleventcompany
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 

Recently uploaded (20)

Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 

Pragmatic CyberSecurity and Risk Reduction

  • 1. CyberSecurity and Risk Reduction – Match Effort Expenditure to Expected Results
  • 2. Introduction (ClearArmor Corporation – Pragmatic CyberSecurity and Risk Reduction)
    Presenter: Bruce Hafner, President, ClearArmor Corporation
    Website: https://cleararmor.com
    Contact: info@cleararmor.com
    Genesis for the presentation: Organizations overwhelmingly need to improve their CyberSecurity posture. The single most effective method is to adopt a mature framework such as the NIST CyberSecurity Framework. False starts, limited authority, resource deficiencies, and leadership focus conspire to impede CyberSecurity improvement. Under these circumstances, a pragmatic approach can build momentum. Organizations that are just beginning their cyber posture improvement journey may benefit from taking a pragmatic approach to risk reduction.
  • 3. CyberSecurity & Risk Language Barriers
    Some terms we will be using to bring the conversation forward.
    Business is from Mars; Technology is from Venus.
  • 4. Communication – A Cyber & Risk Requirement
    'Lead, follow, or get out of the way' (Lido Anthony Iacocca; General Patton said something like this, and maybe Thomas Paine).
    Some terms that will allow business and technology team members to communicate effectively:
    Risk: the potential of gaining or losing something of value.
    Risk Mitigation: lessening the impact of a risk event through technology, process, training, etc.
    Risk Prevention: removing the ability of a specific trigger to cause an impacting event.
    Risk Event: caused by a trigger; impacts one or more assets, systems, data types, and/or business functions.
    Risk Trigger: what causes a risk event to occur.
    Risk Trigger Probability: the likelihood that a trigger occurs, causing an event that impacts assets.
    Asset Value: assets have value that can be distilled down to financial and other measures.
    Asset Data: the type of data that may be stored, transmitted, or interacted with by people, systems, and processes.
    Asset System: a set of endpoints (servers, storage, network, external systems) that fulfill a need.
    Asset Landscape: systems may consist of various isolated groups (Dev, Test, QA) that serve isolated functionality.
    Asset Endpoint: a system landscape may consist of one or more endpoints.
    Asset Software: distributed to various endpoints to perform some function required by the system.
    Detection: the ability to monitor, report, and alert on an event.
    Detection Tool: a technical, business, or process capability that is able to detect a trigger or an impacting event.
    Detection Method: the specifics of how the detection tool identifies the impacting event.
    Trigger Detection: the tools and methods related to detecting a trigger of an impacting event.
    Detection Confidence: the likelihood that a trigger would successfully be monitored.
    Detection Audit: validates that the detection method would be successful.
    Response Scenario: the situation surrounding the response to an impacting event.
    Response Roles: the roles required to be engaged during various events.
    Response Team: the roles, people, vendors, etc. that are required to be involved during a response.
    Response Schedule: identifies the time that should elapse from the time of the event to the execution of each task.
    Response Execution: the actual work items that will be executed by roles/people during the schedule.
    Response Simulation: testing the response, through mechanical and/or team collaborative meetings, with all required roles and team members.
    Recovery: of systems, operations, processes, and other areas after an impacting event.
    Recovery Method: how recovery will occur (movement to a DR system, tape restoration, operations relocation).
    Recovery Testing: simulating the method of recovery to validate that it could successfully occur.
    Recovery Event: the circumstance under which a recovery effort will occur.
    Recovery Point Objective (RPO): the amount of data (expressed as a span of time) expected to be lost.
    Recovery Time Objective (RTO): the expected time to recover.
  • 5. Understanding of Risk Related Conflict
    Risk is everywhere. Risk can be ignored, accepted, transferred, mitigated, or remediated.
    Driving a car vs. no job (mitigated). Babies on planes vs. injury (accepted).
  • 6. Results Leading to Risk Reduction
    Identify Risk: what is at risk; manifestation of risk.
    Prioritize Risk: impact value of the risk; cost to reduce the risk.
    Risk Event Scenario Planning: who is involved; when they get involved; why they get involved; who does what.
    Scenario Simulation: scheduling tabletop sessions; frequency of tests; results of tests; improvement of plans.
    In some things, an incomplete or immature process is better than inaction. There is always a more effective way. There is always a less effective way.
  • 7. Elements to Building Momentum
    Follow a Process: create processes you can commit to, not when convenient, but as part of the organizational culture.
    Prioritize: if everything is Priority 1, nothing is Priority 1.
    Involve Everyone: everyone is a participant, at some level.
    Prepare the Organization and Adopt a Standard: you don't have to boil the ocean to start, but you do need to embrace a standard. Change takes deliberate choices; not difficult, just deliberate.
    Create a Plan.
    Execute: treat CyberSecurity and risk reduction on par with revenue generation and compliance.
    Measure & Communicate along the way.
  • 8. Selection of a Path to Reducing Risk
    There are a lot of options when structuring a CyberSecurity program: frameworks, compliance requirements, …
    • The Center for Internet Security Critical Security Controls
    • ISO 27001
    • New York State Department of Financial Services Rule 500
    • NIST 800-53 and NIST 800-171
    • The NIST CyberSecurity Framework – a risk-based approach
    NIST CSF: risk-based approach; a framework of what to do, not how to do it.
    CIS Controls: technical approach; more specific categories of activities.
    Various frameworks, controls, and regulations have different benefits or compliance requirements.
  • 9. Starting Point – Both Good and Bad (NIST CSF subcategories, keyed by NIST function)
    Identify (ID): ID.AM-1 to ID.AM-6; ID.BE-1 to ID.BE-5; ID.GV-1 to ID.GV-4; ID.RA-1 to ID.RA-6; ID.RM-1 to ID.RM-3; ID.SC-1 to ID.SC-5
    Protect (PR): PR.AC-1 to PR.AC-6; PR.AT-1 to PR.AT-5; PR.DS-1 to PR.DS-8; PR.IP-1 to PR.IP-12; PR.MA-1 to PR.MA-2; PR.PT-1 to PR.PT-5
    Detect (DE): DE.AE-1 to DE.AE-5; DE.CM-1 to DE.CM-8; DE.DP-1 to DE.DP-5
    Respond (RS): RS.RP-1; RS.CO-1 to RS.CO-5; RS.AN-1 to RS.AN-4; RS.MI-1 to RS.MI-3; RS.IM-1 to RS.IM-2
    Recover (RC): RC.RP-1; RC.IM-1 to RC.IM-2; RC.CO-1 to RC.CO-3
  • 10. Things to Consider – Leading to Risk and CyberSecurity Maturity
    Pragmatic Risk; Assets; Detection; Recovery.
  • 11. Risk Reduction Requires Team Engagement – groups needed for success
    Executive: CEO; GC; CFO; COO.
    Technical: CIO & CISO; Network Team; IT Admin; Service Team.
    Business: Business Heads; Customer Mgmt.; Accounts Mgmt.; Service Team.
    Additional: Facilities; Risk; Audit & Compliance; Board.
  • 12. Risk Reduction Needs Extended Involvement
    Internal staff, plus 3 more groups. Basically everyone.
  • 13. Risk Reduction Method – breaking the plan into achievable steps, with multiple teams
    Risk Objectives
    Impacts to Risk Objective
    What Systems Are Involved?
    Does the Business Know the Value of the Systems?
    Does IT Know the Relationship Between Systems, Landscapes, and Endpoints?
    Identifying Risk Events, Triggers, and Probabilities
    Calculating the Value of Risk Events
    Cost of Risk Reduction
    Identifying Risk Event Mitigations & Remediations
    Cost vs. Value
    Prioritizing Action
    Creating Scenario Plans
    Testing Your Plans
  • 14. Risk Objectives – Identification of What You Are Protecting
    Context for your plan. Ultimately, what are you trying to protect? Intellectual Property; Reputation; Client Trust.
  • 15. Impacts to Risk Objective – the process requires identification activities: what functions impact the risk objectives?
    Employee Data can be impacted by: Human Resources; Facilities; IT Administration.
  • 16. Systems Involved – getting context: what business functions are involved? The process identifies the impacted things.
    Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using: HRIS; Payroll; 401K; Medical Insurance; Access Control; Annual Review; Training Management.
  • 17. System Value – digging deeper, bringing in technical and subject matter experts. The process identifies the value of those things.
    Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using HRIS, Payroll, 401K, Medical Insurance, Access Control, Annual Review, and Training Management.
    Value: HRIS outage = $22K/day; HRIS data breach = $100K/incident.
  • 18. Risk Events and Risk Triggers – identify concerns about events that could impact the organization and what could trigger them. The process identifies events that cause impact.
    Risk events: ransomware infects the email system; patient data is breached and made public; intellectual property is stolen and published on the web; client credit card theft from a web-based system ('Event 4').
    Event 4 could be triggered by: web app servers with poor internal security; web app servers not patched; code injected into the app; payment processor breach.
  • 19. Trigger Probabilities – the process includes probability and likelihood; the systems impacted by risk events drive the value calculations.
    Risk events: ransomware infects the email system; patient data is breached and made public; intellectual property is stolen and published on the web; client credit card theft from a web-based system ('Event 4').
    Event 4 could be triggered by: web app servers with poor internal security; web app servers not patched; code injected into the app; payment processor breach.
    Annual probabilities the organization assigns to those triggers:
    • Poor security on web applications presents a 2.5% chance of triggering an event in any given year.
    • Latency in patching cycles presents a 7.5% chance of triggering an event in any given year.
    • Modified code is estimated at a 2% chance of causing the event.
    • Poor user authentication creates a 5% chance of triggering an event (an attacker getting into the web application's code base).
  • 20. Identify Impact – the process ties risk events to triggers to systems; the systems impacted by risk events help to automate the value of the impact.
    Risk events: ransomware infects the email system; patient data is breached and made public; intellectual property is stolen and published on the web; client credit card theft from a web-based system ('Event 4').
    Event 4 could be triggered by: web app servers with poor internal security; web app servers not patched; code injected into the app; payment processor breach.
    And potentially impact these systems: OrderSys2020.
  • 21. Follow a Process – Risk Events Have a Value
    Risk events have a real financial impact on your organization, direct and indirect.
    Risk Event Cost (each Direct Impact figure is Probability × Restoration Time in days × Daily Value):
    System       | Event                                          | Trigger                                   | Probability | Restoration Time (days) | Daily Value | Direct Impact
    OrderSys2020 | Client credit card theft from web-based system | Web App servers – poor internal security  | 2.5%        | 1.25                    | $845,000    | $26,406.25
    OrderSys2020 | Client credit card theft from web-based system | Web App servers not patched               | 7.5%        | 1.25                    | $845,000    | $79,218.75
    OrderSys2020 | Client credit card theft from web-based system | Code injected into app                    | 2%          | 1.25                    | $845,000    | $21,125.00
    OrderSys2020 | Client credit card theft from web-based system | Payment processor breach                  | 5%          | 1.25                    | $845,000    | $52,812.50
    Total Risk Event Value: $179,562.50
    If this event caused an erosion of trust that reduced new orders by 0.25% (1/4 of 1%) over the next year, based on your $845,000 daily value, that would equate to an indirect impact of $771,062.50 (0.25% × $845,000 × 365 days; a 2.5% erosion would be $7,710,625).
  • 22. Mitigations & Remediation – identifying mitigations and remediations; mitigation and remediation reduce risk and impact.
    Risk '4' triggers: poor security on the web application; unpatched servers; lack of system baselining exposes the organization to code modifications going undetected; weak user authentication policies.
    Mitigations: implement code to limit external communications to certain functions; adopt a practice of patching test servers within 1 week and production servers within 3; implement dual-factor authentication on the web application.
    Remediations: Technology – once code changes have passed testing, and prior to migration to production, baseline the system to ensure the integrity of the code against a known good image; validate continuously. Business – no application changes are accepted into production until audit confirms the policy has been followed.
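The "baseline against a known good image, validate continuously" remediation on slide 22 is easy to describe and easy to get wrong in practice. The following is an added example, not ClearArmor's tooling or anything shipped with the deck: it records a SHA-256 per file for a release that has passed testing, then re-hashes the deployed tree and reports modified, added and removed files. The application name (ordersys2020), the file contents and the simulated tampering are constructed for the demo; the manifest path is likewise an assumption.

```python
"""Baseline-and-verify for application code (slide 22, 'Remediate -
Baseline Application Code').  Added example, not ClearArmor's tooling.

build_baseline() records a SHA-256 per file for a release that passed
testing (the 'known good image').  verify() re-hashes the deployed tree
and reports files that were modified, added or removed, which is exactly
the signal the slide says goes undetected without baselining.  All sample
files and the tampering below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; all-empty lists mean integrity holds."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the manifest outside the application tree: a copy living beside
    the code could be rewritten together with the code it is meant to guard."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: a release is baselined, then tampered with after deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "ordersys2020"            # assumed app name, from the deck's example
        (app / "checkout").mkdir(parents=True)
        (app / "checkout" / "payment.js").write_text(
            "function pay(card) { return post('/api/pay', card); }\n")
        (app / "index.html").write_text("<html><body>OrderSys2020</body></html>\n")

        manifest = Path(tmp) / "ordersys2020.baseline.json"   # kept outside the app tree
        save_baseline(build_baseline(app), manifest)

        # Simulated tampering: a line appended to the payment script, an
        # unexpected file dropped into the tree, and a shipped file deleted.
        with (app / "checkout" / "payment.js").open("a") as f:
            f.write("// injected after deployment\n")
        (app / "checkout" / "unexpected.php").write_text("<?php /* not in the release */ ?>\n")
        (app / "index.html").unlink()

        return verify(app, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the three lists; the "validate continuously" part of the remediation is just `verify()` on a schedule (or from a file-change trigger) against a manifest the deployment pipeline wrote and the application host cannot modify.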
  • 23. Follow a Process – Risk Events Have a Value (the Event 4 scenario restated)
    Risk events have a real financial impact on your organization, direct and indirect.
    Risk Event Cost:
    System       | Event                                                                                   | Trigger                                    | Probability | Restoration Time (days) | Daily Value | Direct Impact
    OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Poor security on web application servers | 2.5%  | 1.25 | $845,000 | $26,406.25
    OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Modified application code                | 7.5%  | 1.25 | $845,000 | $79,218.75
    OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Modified application code                | 2%    | 1.25 | $845,000 | $21,125.00
    OrderSys2020 | Code injected into the web-based customer order system is stealing client credit card information | Poor user authentication (attacker gets into the web application's code base) | 5% | 1.25 | $845,000 | $52,812.50
    Total Risk Event Value: $179,562.50
    Indirect impact of a 0.25% erosion of new orders over the next year at $845,000 daily value: $771,062.50.
  • 24. Follow a Process – Risk Remediation Has a Cost
    Risk events have a real financial impact on your organization, direct and indirect; remediation can take multiple paths, by multiple teams, with varying degrees of impact.
    System       | Trigger                                  | Countermeasure                                             | Cost    | Duration
    OrderSys2020 | Web App servers – poor internal security | Mitigate – Limit access                                    | $7,500  | 1 week
    OrderSys2020 | Web App servers not patched              | Mitigate – Force patching policy; reduce patching latency  | $25,000 | 2 months
    OrderSys2020 | Code injected into app                   | Remediate – Baseline application code                      | $12,000 | 2 weeks
    OrderSys2020 | Payment processor breach                 | Mitigate – Vendor risk assessment; vendor audit            | $12,000 | 2 months
    OrderSys2020 | Payment processor breach                 | Transfer – Insurance                                       | $75,000 | 4 months
    Total countermeasure cost: $131,500; longest duration: 4 months (compare with the $179,562.50 risk event value).
  • 25. Prioritization – Weighing Impact and Probability
    Place each risk event in one of four quadrants: High Probability / High Impact; High Probability / Low Impact; Low Probability / High Impact; Low Probability / Low Impact.
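Slides 21, 24 and 25 walk through one risk event by hand: expected loss per trigger, the cost of each countermeasure, and a probability/impact quadrant. The block below is an added example that carries that arithmetic as code so it can be rerun for a whole register; it is not ClearArmor's tooling. The register entries are the OrderSys2020 figures printed on the slides, re-entered here as constructed sample data; the direct-impact formula is the one those figures imply (probability × restoration days × daily value), and the quadrant thresholds and the value-per-dollar ranking are assumptions made here, not rules stated in the deck.

```python
"""Risk-event valuation and prioritization (slides 21, 24, 25).
Added example; not ClearArmor's code.

Sample figures are the deck's OrderSys2020 example ($845,000/day,
1.25-day restoration).  The direct-impact formula is the one the
slide's numbers imply:
    direct_impact = annual_probability * restoration_days * daily_value
Quadrant thresholds and the value/cost ranking are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    action: str   # Mitigate / Remediate / Transfer, as worded on slide 24
    cost: float   # one-time cost in dollars


@dataclass(frozen=True)
class Trigger:
    name: str
    annual_probability: float           # 0.025 means 2.5 % per year
    restoration_days: float             # days the system is down after the event
    countermeasures: tuple              # Countermeasure entries addressing this trigger


def direct_impact(t: Trigger, daily_value: float) -> float:
    """Expected annual direct loss for one trigger (slide 21 row)."""
    return round(t.annual_probability * t.restoration_days * daily_value, 2)


def total_risk_event_value(triggers, daily_value: float) -> float:
    """Sum of per-trigger direct impacts: the value of the risk event."""
    return round(sum(direct_impact(t, daily_value) for t in triggers), 2)


def indirect_impact(daily_value: float, order_erosion: float, days: int = 365) -> float:
    """Orders lost over `days` if trust erosion cuts new orders by `order_erosion`."""
    return round(daily_value * days * order_erosion, 2)


def total_countermeasure_cost(triggers) -> float:
    return round(sum(c.cost for t in triggers for c in t.countermeasures), 2)


def quadrant(t: Trigger, daily_value: float, prob_threshold: float, impact_threshold: float) -> str:
    """Slide-25 placement: probability vs. impact, split at assumed thresholds."""
    p = "High Probability" if t.annual_probability >= prob_threshold else "Low Probability"
    i = "High Impact" if direct_impact(t, daily_value) >= impact_threshold else "Low Impact"
    return f"{p} / {i}"


def prioritize(triggers, daily_value: float):
    """Trigger names ordered by expected loss addressed per dollar spent, highest first.

    Assumes a trigger's countermeasures remove its expected loss, which is the
    deck's cost-vs-value comparison; residual risk in practice is lower, not zero.
    """
    scored = [
        (direct_impact(t, daily_value) / sum(c.cost for c in t.countermeasures), t)
        for t in triggers
    ]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [t.name for _, t in scored]


# Constructed sample register: the OrderSys2020 rows from slides 21 and 24.
DAILY_VALUE = 845_000.0
ORDERSYS2020 = (
    Trigger("Web App servers - poor internal security", 0.025, 1.25,
            (Countermeasure("Mitigate - Limit access", 7_500),)),
    Trigger("Web App servers not patched", 0.075, 1.25,
            (Countermeasure("Mitigate - Force patching policy", 25_000),)),
    Trigger("Code injected into app", 0.02, 1.25,
            (Countermeasure("Remediate - Baseline application code", 12_000),)),
    Trigger("Payment processor breach", 0.05, 1.25,
            (Countermeasure("Mitigate - Vendor risk assessment; vendor audit", 12_000),
             Countermeasure("Transfer - Insurance", 75_000))),
)


if __name__ == "__main__":
    for t in ORDERSYS2020:
        print(f"{t.name:42} ${direct_impact(t, DAILY_VALUE):>11,.2f}  "
              f"{quadrant(t, DAILY_VALUE, 0.05, 50_000)}")
    print(f"Total risk event value:   ${total_risk_event_value(ORDERSYS2020, DAILY_VALUE):,.2f}")
    print(f"Indirect (0.25% erosion): ${indirect_impact(DAILY_VALUE, 0.0025):,.2f}")
    print(f"Countermeasure cost:      ${total_countermeasure_cost(ORDERSYS2020):,.2f}")
    print("Priority order:", prioritize(ORDERSYS2020, DAILY_VALUE))
```

The ranking puts the $7,500 access limit ahead of the $25,000 patching change even though unpatched servers carry the larger expected loss, which is the point of slide 26's constraints: cost, time and expertise reorder what impact alone would suggest. The indirect figure at 0.25% is $771,062.50; the deck's $7,710,625 corresponds to a 2.5% erosion.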
  • 26. Prioritization Through Constraints
    Prioritize by: Impact Value vs. Cost; Time; Expertise Availability; Regulatory requirements.
  • 27. Scenario Planning – The Plan
    The best-laid plans of mice and men often go awry. (Robert Burns)
    What if 'X' happened? Who would need to be involved? What would need to be done? When would it need to be done? By whom? And in what order?
  • 28. Scenario Planning – The What-If Plan
    The best-laid plans of mice and men often go awry. (Robert Burns)
    What would you do if 'Y' also happened? Expected results deviate; dependencies fail; communications fail; team members are unavailable.
  • 29. Scenario Planning – Building the Plan
    Identify Team: Executive; Legal; Business Line; Technical; Cyber; Vendor; Partner; Client.
    Scenario Response Setup: overall objective; response steps; step objectives; step communications; step owners; step schedule; step approver; re-evaluation of team; re-evaluation of objectives; re-evaluation of steps.
    Leadership Approves: objective; team; steps; communications; schedules; the role that can call an event; the role that can accept results.
  • 30. Scenario Planning – Testing the Plan
    Tabletop Decisions: Will the exercise be scheduled or unscheduled? What data will be recorded? Will the exercise use deviations? Will the exercise remove participants? Will the exercise have time constraints? Will the exercise limit resources? Who will be the scribe?
    Run the Exercise: call the event; assemble the team; follow the schedule; follow the steps; communicate as planned; simulate tests; simulate results; record issues; lessons learned; plan updates.