Critical Infrastructure
Security Workshop:
For Cybersecurity Malaysia
Drew Williams
President, Condition Zebra, inc.
Greetings and Welcome
Special thanks to MOSTI & CSM for arranging this
Summary Value Points:
• Infrastructure Risk Management Takes Time
• MOSTI & CSM have initiated strong benchmarks to success
• Tools & Technology should be considered AFTER Process
• Managing expectations is key to long-term strategy
• Start with what you have, fix what you know
• Discover (quickly) what you don’t know you don’t know
Greetings and Welcome
If you are here, then you are interested in:
• Identifying the issues and challenges with regard to
infrastructure security and preservation.
• Researching & recommending the types of best practices and
courses of action to assess, mitigate and prevent risk in your
infrastructure.
• Increasing your organization’s competitiveness and business
position safely, while keeping risk in check.
• The potential costs/risks associated with the introduction of
GRC mandates in the region, and how they may impact the
sustainability and growth of your organization.
You are sacrificing 3 hours of your day for what?
We’re going to provide a fast-track view into GRC/CNII
• Information that you can take back and use today.
• Relevant data as it pertains to risk management.
• Awareness of trends that will impact your business.
• Insight into MY cyber-security mandates.
• Preview of ConZebra’s greater value as a VAS.
Caveat & Disclaimer
▪ #1: Many citations are U.S.- or ISO-originated policies
▪ #2: These policies DO APPLY if your organization has some form of relevant business or operational relationship with the U.S. or its partners
▪ #3: Use the following information as a guide to how mandates are likely to trend on Asia’s horizon
1. GRC Scope in the APAC Region
▪ Throughout Asia:
• 1 in 5 companies have started and then stopped infrastructure upgrades because of uncertainty about GRC-related expenses
• IT / Web infrastructures are no longer fully controllable (BYOD)
• “Server talk” is shifting to “protecting virtual business assets” (credit card access, e-transactions, mobile computing, etc.)
• “ROI” has become guesswork driven by “CYA”
• SEA has traditionally been a global tech-driver; now it needs to be an “early adopter” process implementer
Defining GRC
▪ Governance, Risk [management], Compliance
• A system of people, processes, and technology that enables an organization to:
– Understand and prioritize stakeholder expectations.
– Set business objectives congruent with values & risks.
– Meet objectives / deliver value while managing its risk profile.
– Operate within boundaries
▪ legal, contractual, internal, social, ethical.
– Provide relevant, reliable, and timely information to appropriate stakeholders (“Accountability”).
What is “Governance?”
Focusing on the achievement of long-term success
• Ensures the fit between the organization's mission and
its performance.
• It’s about being in control and taking responsibility for
the work and actions of your company.
• Uses transparent decision-making processes to direct its
resources and exercise power in an effective and
accountable way.
• Is accountable for what your organization does and how
it does it.
What is “Governance?”
MOSTI’s mandate is clearly articulated, but vague in delivery:
• Centralize coordination of national cyber security initiatives
• Promote effective cooperation between public and private sectors
• Establish formal, and encourage informal, information-sharing exchanges
“Governance”-- At the pinnacle of implementation
What is “Risk?”
▪ Risk (and its Management)
• The effect of uncertainty on objectives
– positive or negative
• Coordinated & economical application of resources to:
– Minimize,
– Monitor,
– Control the probability and/or impact of unfortunate events
• Management = identification, assessment, and prioritization of risks
What is “Compliance?”
▪ Compliance (and its Management)
• Conformance with the boundaries the organization must operate within (see “Defining GRC” above):
– legal, contractual, internal, social, ethical
• Coordinated & economical application of resources to:
– Identify which mandates apply,
– Map each mandate to controls and owners,
– Demonstrate, with evidence, that those controls are in place and effective
• Management = tracking obligations, testing controls, and reporting to regulators and stakeholders
GRC Landscape
2. Critical Infrastructures for Malaysia
▪ Driven by MOSTI:
Defining Critical Infrastructure
▪ “Big Picture”
• Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.
Defining Critical Infrastructure
▪ Traditional Definition
• Resources and “hard assets” vital to the security, governance, public health and safety, economy and public confidence of a state entity (U.S. National Security Agency)
Defining Critical Infrastructure
▪ Health
▪ Defense
▪ Government (Non-defense)
▪ Communications
▪ Energy & Utilities
▪ Transportation
▪ Finance
▪ Commerce & Economy
▪ Agriculture & Food
▪ Water
▪ Emergency Services
Part 2: Sector Profiling: Health
▪ Relevant Parameters
• Physical conditions must be evaluated first
• Technical controls must consider how electronic protected health information (EPHI) is managed
– Patient health information
– Patient billing information
– This includes insurance plans, etc.
• Administrative controls must be reviewed
Part 2: Sector Profiling: Health
▪ GRC Mandates
• HIPAA (Health Insurance Portability and Accountability Act) Privacy & Security Rules (U.S.)
• Payment Card Industry Data Security Standard (PCI DSS)
• National mandatory disclosure laws
• Model Audit Rule (applies to health insurance companies)
• Sarbanes-Oxley (SOX)
▪ These legal and compliance obligations, and the exposure they create, require that health care organizations proactively manage compliance.
▪ Compliance risk in health care needs to be a coordinated effort that brings together a cohesive compliance process in a constantly changing environment: you must remain current.
— SAMPLE HIPAA POLICY
Part 2: Sector Profiling: Defense
▪ Relevant Parameters
• Physical controls exist to limit physical access to the system
• A suitable access control policy is in place to confirm the identity of the user prior to accessing the system
• Configured to guarantee accountability, with proper auditing functions enabled
• Configured to ensure integrity of data
– This includes proper backups, permissions, and contingency planning
• Latest appropriate patches applied
• Users trained regarding system security awareness
• Procedures exist for handling security incidents
• Risk management analyses performed
– Assess the value of additional security measures vs. the increased cost of those measures
• Security planning / implementation performed throughout the system lifecycle
• Periodic reviews of security posture assure consistent application
Part 2: Sector Profiling: Defense
▪ GRC Mandates
– DoD directives
– FISMA (implemented through NIST standards and guidelines)
– Specific branches
– Classified document handling protocols
– DEFCON levels
– Border patrol policies
– Operational handling of secure processes
— SAMPLE DoD / DoAF POLICIES
— ISO 27K (excerpt)
Part 2: Sector Profiling: Gov’t Admin
▪ Relevant Parameters
• A Critical Infrastructure Protection and Compliance Policy coordinates the inter-department development and implementation of policies for:
– Protection of the critical infrastructure of the non-defense government sectors
– Development of certain other statutes and regulations within the specific sectors
Part 2: Sector Profiling: Gov’t Admin
▪ GRC Mandates
• FISMA
• MOSTI
• ISO 27K
• Agency-specific policies
• Treaty-based guidelines
– E.g., NAFTA
— ISO 27K (excerpt)
Part 2: Sector Profiling: Communications
▪ Relevant Parameters
• Create a flexible framework to manage both control definitions and regulatory requirements, with compliance measurements
• Load balancing and consistent NOC reporting mechanisms
• Manage telecommunications-targeted enterprise risks within enormous infrastructures
• Carrier plans may vary from region to region
• Wireless and data stream management parameters differ
• Platform compliance (SAP applications, Oracle, etc.)
Part 2: Sector Profiling: Communications
▪ GRC Mandates
• FCC
• SOX
• GLBA
• PCI DSS
• ISO 27K
— ISO 27K (excerpt)
— T-Mobile Case Study
Part 2: Sector Profiling: Energy
▪ Relevant Parameters
• Maintaining support during disasters
• Grid management and physical exposure to risk/threat
• Policies may vary depending on location of infrastructure
• “Energy” is multi-faceted
– Power
– Natural gas
– Other sources
Part 2: Sector Profiling: Energy
[Figure: this model overlays energy infrastructure networks on a specific location. The vertical lines identify system interdependencies.]
Part 2: Sector Profiling: Energy
▪ GRC Mandates
• FEMA (U.S.)
• MY DoE guidelines
— ISO 27K (excerpt)
Part 2: Sector Profiling: Finance
▪ Relevant Parameters
• Traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report.
• The content must contain
– A statement of management’s responsibilities for establishing and maintaining an adequate internal control system.
– The identification of the framework used to evaluate the internal controls.
– A statement as to whether or not the internal control system is effective as of year-end.
– The disclosure of any material weaknesses in the system.
– A statement that the company’s auditors have issued an audit report on management’s assessment.
• Senior management requires CPA input
• Must determine whether there are any material weaknesses
Part 2: Sector Profiling: Finance
▪ GRC Mandates
• SEC mandates
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• PCI DSS
• ISO 27K
— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)
Part 2: Sector Profiling: Commerce
▪ Relevant Parameters
• Regulating free trade
• Dealing with price gouging
– In times of shortage
– Disasters
– Event times
• Antitrust laws
• Investment regulations
Part 2: Sector Profiling: Commerce
▪ GRC Mandates
• SEC mandates
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• PCI DSS
• ISO 27K
— SAMPLE SOX REPORTING POLICY (excerpt)
— ISO 27K (excerpt)
Part 2: Sector Profiling: Emergency Services
▪ Relevant Parameters
• Contingency planning models
• Business continuity
• Disaster response & recovery
Part 2: Sector Profiling: Emergency Services
▪ GRC Mandates
• FEMA
• Regional or MY-directed models
— ISO 27K (excerpt)
Part 3. GRC Fail-points & what causes them
Part 3: GRC Fail-points
▪ Why (how) do efforts fail?
• Five key reasons:
– Redundant and inefficient processes
– Inconsistent focus across the environment (enterprise)
– It’s complicated!
– Lack of business agility
– Incomplete, reaction-based point solutions
Part 3: GRC Fail-points
▪ Redundant & Inefficient Processes
• Band-Aid approach
– Compartmentalizes risk management efforts
– Contrary to “big picture” oversight
• Overlooks how to leverage & integrate resources
– Which would offer greater impact & timeliness of response
• Varying levels of success (“hit & miss”)
• Inconsistent responses to individual risk and compliance requirements
• More expensive: multiple initiatives to build independent GRC systems
Part 3: GRC Fail-points
▪ Inconsistent focus across the environment (enterprise)
• “Island management”
– Creates silos of isolationism
– Nobody knows what the others are doing
– Creates “scope creep” and drains budgets
• No common framework for activity
– COSO / COBIT / IIA / SANS
• CIO can’t create consistent management patterns ($, resources)
– Creates FUD about overall efforts at high levels
– Nobody “downstairs” wants to follow the plan; they see no value
Part 3: GRC Fail-points
▪ “It’s Complicated!”
• Adding layers of GRC initiatives creates complex, reactive conditions.
• GRC is “distractive” by its very nature
– Most in-house departments focus on their sector, not GRC issues
– Complexity increases inherent risk and results in processes that are not streamlined or managed consistently
• More confusion fosters lack of trust in processes
– Discredits departments and individuals
– . . . as well as the organization itself, should something happen!
– Also breeds confusion among regulators, stakeholders, and business partners
Part 3: GRC Fail-points
▪ Lack of Business Agility
• Reaction-based policies are not flexible
• Limitations caused by complex plans and hundreds of disconnected documents and spreadsheets
• Dynamic, distributed business structures need simple traffic patterns for disseminating policy
• Point solutions have some impact but often miss the large-scale risk management framework and objectives
– Data can become disconnected and difficult to manage / resolve
Part 3: GRC Fail-points
▪ Incomplete, reaction-based point solutions
• Requires a top-down AND holistic view
• Unravel one thread at a time
• “Immediate reaction” does not equal “immediate response”
• GRC point solutions often focus on assessment
– They might replace spreadsheets,
– They usually don’t deliver on analytics,
– They usually don’t align with business applications.
• Gaps develop in the GRC plan, causing internal misalignment
Part 3: 10 Critical Fail-points in GRC Planning
▪ Intelligence reporting
• Needed to support decision-making:
– Risk awareness / mitigation and compliance areas
▪ Identifying consistent risk patterns & dependencies
▪ Inconsistent, inaccurate system and operational data reports
▪ Cost of consolidating disparate / inconsistent data streams
▪ Liability for fines for failing to report and trend GRC across required assessment and reporting periods
Part 3: 10 Critical Fail-points in GRC Planning
▪ Unreliable or irreconcilable risk assessment results
• Different formats & approaches (e.g., human monitoring without automation)
▪ Redundant risk management & compliance efforts
▪ Inconsistent approaches to risk/compliance activities
▪ Different vocabulary and processes that limit correlation, comparison and integration of information
• Not following a common criteria standard or framework
▪ Limitations in response times to changing environments
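Several of the fail-points above (redundant assessment efforts, irreconcilable results, different vocabularies that block correlation) have the same mechanical fix: map every source onto one common rating scale and one record key before trying to compare them. The script below is an added example written for this page, not code from the deck or from Condition Zebra. The two “scanner exports” are constructed sample data with hypothetical asset and source names; the only external reference it relies on is the CVSS v3.x qualitative rating scale (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), which is used to translate numeric scores onto the same ordinal scale as the word-rated source.

```python
"""Added example: reconcile risk findings from two assessment sources that use
different severity vocabularies, so redundant findings collapse to one record
and genuinely irreconcilable ratings are surfaced instead of silently averaged."""
from dataclasses import dataclass

# Constructed sample exports, not output of any real tool. Source A rates
# severity with words; source B with CVSS-style base scores. Note the
# differing field names and letter case: that is the "different vocabulary"
# problem the deck describes.
SCANNER_A = [
    {"asset": "hr-db-01", "weakness": "Unpatched database service", "severity": "High"},
    {"asset": "web-01", "weakness": "Default admin credentials", "severity": "Critical"},
    {"asset": "file-srv", "weakness": "No backup verification", "severity": "Low"},
]
SCANNER_B = [
    {"host": "HR-DB-01", "title": "unpatched database service", "cvss": 7.5},
    {"host": "web-01", "title": "default admin credentials", "cvss": 5.0},
    {"host": "nas-02", "title": "Anonymous share access", "cvss": 9.1},
]

# Common ordinal scale every source is mapped onto.
LEVELS = ["none", "low", "medium", "high", "critical"]
WORD_TO_LEVEL = {"informational": 0, "none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def word_to_level(word: str) -> int:
    return WORD_TO_LEVEL[word.strip().lower()]


def cvss_to_level(score: float) -> int:
    """CVSS v3.x qualitative rating scale: 0.0 None, 0.1-3.9 Low,
    4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical."""
    if score <= 0.0:
        return 0
    if score < 4.0:
        return 1
    if score < 7.0:
        return 2
    if score < 9.0:
        return 3
    return 4


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    level: int
    source: str


def normalize(records, source, asset_key, weakness_key, severity_key, mapper):
    """Translate one source's records into the common vocabulary. Asset names
    and weakness titles are case-folded so the same issue reported twice
    lands on the same key."""
    return [
        Finding(r[asset_key].strip().lower(), r[weakness_key].strip().lower(),
                mapper(r[severity_key]), source)
        for r in records
    ]


def reconcile(findings, tolerance=1):
    """Merge findings keyed on (asset, weakness). Each register entry keeps
    the worst rating seen and lists its sources; entries whose sources
    disagree by more than `tolerance` levels are also returned as conflicts
    for human review rather than being averaged away."""
    groups = {}
    for f in findings:
        groups.setdefault((f.asset, f.weakness), []).append(f)
    register, conflicts = [], []
    for (asset, weakness), group in groups.items():
        levels = {f.source: f.level for f in group}
        entry = {
            "asset": asset,
            "weakness": weakness,
            "level": LEVELS[max(levels.values())],
            "sources": sorted(levels),
        }
        register.append(entry)
        if max(levels.values()) - min(levels.values()) > tolerance:
            conflicts.append(entry)
    # Worst first, then by asset name so the ordering is stable across runs.
    register.sort(key=lambda e: (-LEVELS.index(e["level"]), e["asset"]))
    return register, conflicts


def build_register():
    findings = normalize(SCANNER_A, "scanner-a", "asset", "weakness", "severity", word_to_level)
    findings += normalize(SCANNER_B, "scanner-b", "host", "title", "cvss", cvss_to_level)
    return reconcile(findings)


if __name__ == "__main__":
    register, conflicts = build_register()
    for e in register:
        print(f"{e['level']:<8} {e['asset']:<10} {e['weakness']}  [{', '.join(e['sources'])}]")
    print("conflicts needing review:", [c["asset"] for c in conflicts])
```

On the sample data the two reports of the unpatched database service collapse into one entry attributed to both sources, while the default-credential finding (rated Critical by one source and only Medium by the other) is kept at the worse rating and flagged as a conflict. The tolerance, the rating scale and the record key are the three things an organization has to agree on up front; without that agreement the consolidation cost the deck warns about is paid on every reporting cycle.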
Part 3: GRC Fail-points—ASK FIRST!!
▪ High-level questions need to be answered first:
• What does our end-to-end GRC program look like today?
– Budget, planning, C-level buy-in, org-wide understanding
• How can we align GRC requirements with our policies and day-to-day business operations?
• What is our real exposure, and what controls need to be implemented to address/mitigate/recover from risks?
• How can we leverage technology to manage GRC holistically across the enterprise?
• How can we govern our GRC processes across silos and stakeholders?
Content Acknowledgements. . .
▪ National Institute of Standards & Technology
▪ Deloitte
▪ Cisco
▪ U.S. DoD
▪ SANS Institute
▪ Modulo
▪ Michael Rasmussen
▪ IIA / ISACA
3 Key Target Trends for CNII/NCSP implementation
[Figure: Critical Assets / Infrastructure, with Governance, Risk Management and Compliance as the three overlaid trends]
• Objectives
• Policies / Mandates
• Development Pathway
• Internal Assessment
• Technology Assurances
• Business Rules
• Common Criteria
• Gap Assessment
• Physical Reviews
• Audits
• Contingency / Continuity Mgmt
Relevance Factoring
GRC Scope in APAC Region
Elements of a successful GRC roadmap
▪ High-level questions need to be answered first:
• What does your end-to-end GRC program look like today?
– Budget, planning, C-level buy-in, org-wide understanding
• How can you align GRC requirements with your policies and day-to-day business operations?
• What is your real exposure, and what controls need to be implemented to address/mitigate/recover from risks?
• How can you leverage technology to manage GRC holistically across the enterprise?
• How can you govern your GRC processes across silos and stakeholders?
GRC IT Maturity Model (Deloitte)
Your ConZebra Point of Value . . .
▪ We created a scenario for how to establish a critical infrastructure, and identified our GRC plans
▪ We established a common parameter of understanding for each respective operational sector of a critical infrastructure
▪ We identified potential gaps that may appear from our analysis of our respective sector-by-sector activities
▪ We recognized consequences and fail-points when configuring an effective GRC strategy
Thank You
Drew Williams
President, Condition Zebra, inc.
drew@conzebra.com

Contenu connexe

Tendances

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management    student slides ver 1.0Module 2 information security risk management    student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Aladdin Dandis
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
Information technology risks
Information technology risksInformation technology risks
Information technology riskssalman butt
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
Module 3 business continuity student slides ver 1.0
Module 3 business continuity   student slides ver 1.0Module 3 business continuity   student slides ver 1.0
Module 3 business continuity student slides ver 1.0Aladdin Dandis
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman  - Open information security management maturity modelSudarsan Jayaraman  - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 

Tendances (20)

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management    student slides ver 1.0Module 2 information security risk management    student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
Security policy
Security policySecurity policy
Security policy
 
Information technology risks
Information technology risksInformation technology risks
Information technology risks
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
Ch2 cism 2014
Ch2 cism 2014Ch2 cism 2014
Ch2 cism 2014
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity Assessment
 
Module 3 business continuity student slides ver 1.0
Module 3 business continuity   student slides ver 1.0Module 3 business continuity   student slides ver 1.0
Module 3 business continuity student slides ver 1.0
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
Cisa 2013 ch4
Cisa 2013 ch4Cisa 2013 ch4
Cisa 2013 ch4
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman  - Open information security management maturity modelSudarsan Jayaraman  - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 

Similaire à 2 Day MOSTI Workshop

Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptxdotco
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPScott Baron
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsSkoda Minotti
 
3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department 3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department Sandeep S Jaryal
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems Jeffrey Paulette
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Manuel Guillen
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for SecurityTripwire
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Enterprise Risk Management-Paper
Enterprise Risk Management-PaperEnterprise Risk Management-Paper
Enterprise Risk Management-PaperPierre Samson
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptxHardikKundra
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07Thomas Danford
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2 Jayant Dalvi
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 

Similaire à 2 Day MOSTI Workshop (20)

Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department 3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
 
Profile_Kishore Sundar
Profile_Kishore SundarProfile_Kishore Sundar
Profile_Kishore Sundar
 
Itrisksisaudit1
Itrisksisaudit1Itrisksisaudit1
Itrisksisaudit1
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Enterprise Risk Management-Paper
Enterprise Risk Management-PaperEnterprise Risk Management-Paper
Enterprise Risk Management-Paper
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 

Plus de Condition Zebra (CONZebra) (6)

AXENT-Everything-IDS
AXENT-Everything-IDSAXENT-Everything-IDS
AXENT-Everything-IDS
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
Host-Based IDS LLifecycle
Host-Based IDS LLifecycleHost-Based IDS LLifecycle
Host-Based IDS LLifecycle
 
BYOD eBook Part 1 DREW
BYOD eBook Part 1 DREWBYOD eBook Part 1 DREW
BYOD eBook Part 1 DREW
 
BO2K Byline
BO2K BylineBO2K Byline
BO2K Byline
 
Weathering the Storm of IT Security Compliance
Weathering the Storm of IT Security ComplianceWeathering the Storm of IT Security Compliance
Weathering the Storm of IT Security Compliance
 

2 Day MOSTI Workshop

  • 1. Critical Infrastructure Security Workshop: For Cybersecurity Malaysia Drew Williams President, Condition Zebra, inc.
  • 2. Greetings and Welcome Special thanks to MOSTI & CSM for arranging this Summary Value Points: • Infrastructure Risk Management Takes Time • MOSTI & CSM have initiated strong benchmarks to success • Tools & Technology should be considered AFTER Process • Managing expectations is key to long-term strategy • Start with what you have, fix what you know • Discover (quickly) what you don’t know you don’t know
  • 3. Greetings and Welcome If you are here, then you are interested in: • Identifying the issues and challenges with regard to infrastructure security and preservation. • Researching & recommending the types of best practices and courses of action to assess, mitigate and prevent risk in your infrastructure. • Increasing your organization’s competitiveness and business position safely, while keeping risk in check. • The potential costs/risks associated with the introduction of GRC mandates in the region, and how they may impact the sustainability and growth of your organization.
  • 4. You are sacrificing 3 hours of your day for what? We’re going to provide a fast-track view into GRC/CNII • Information that you can take back and use today. • Relevant data as it pertains to risk management. • Awareness of trends that will impact your business. • Insight into MY cyber-security mandates. • Preview of ConZebra’s greater value as a VAS.
  • 5. Caveat & Disclaimer  #1: Many citations are U.S. / ISO originated policies  #2. These policies DO APPLY if your organization has some form of relevant business or operational relationship with the U.S. or its partners  #3. Use the following information as guidelines for potential trending of potential mandates on Asia’s horizons
  • 6. 1. GRC Scope in the APAC Region
  • 7. 1. GRC Scope in the APAC Region  Throughout Asia: • 1:5 companies have started and stopped infrastructure upgrades because of uncertainty about expenses related to GRC • IT / Web infrastructures are not fully controllable any longer (BYOD) • “Server Talk” is shifting to “Protecting virtual business assets” (credit card access, e-transactions, mobile computing, etc.) • “ROI” has become guesswork for “CYA” • SEA has been traditionally a global tech-driver Now it needs to be an “early adopter” process implementer
  • 8. Defining GRC  Governance, Risk [management], Compliance • A system of people, processes, and technology that enables an organization to: – Understand and Prioritize stakeholder expectations. – Set business objectives: congruent with Values & Risks. – Meet objectives / value while Managing Risk profile. – Operate within Boundaries  legal, contractual, internal, social, ethical. – Provide relevant, reliable, and timely information to appropriate stakeholders (“Accountability”).
  • 9. What is “Governance?” Focusing on the achievement of long-term success • Ensures the fit between the organization's mission and its performance. • It’s about being in control and taking responsibility for the work and actions of your company. • Uses transparent decision-making processes to direct its resources and exercise power in an effective and accountable way. • Is accountable for what your organization does and how it does it.
  • 10. What is “Governance?” MOSTI is clearly articulated, but vague in delivery • Centralize coordination of national cyber security initiatives • Promote effective cooperation between public and private sectors • Establish formal and encourage informal information sharing exchanges
  • 11. “Governance”-- At the pinnacle of implementation
  • 12. What is “Risk?”
    Risk (and its Management)
    • The effect of uncertainty on objectives – positive or negative
    • Coordinated & economical application of resources to:
      – Minimize,
      – Monitor,
      – Control the probability and/or impact of unfortunate events
    • Mgt = Identification, assessment, prioritization of risks
  • 14. What is “Compliance?”
  • 16. 2. Critical Infrastructures for Malaysia
    Driven by MOSTI:
  • 17. Defining Critical Infrastructure
    “Big Picture”
    • Basic, essential systems, services and resources needed for an organization, designated population or region, to maintain its existence.
  • 18. Defining Critical Infrastructure
    Traditional Definition—
    • Resources and “hard assets” vital to the security, governance, public health and safety, economy and public confidence of a state entity (U.S. National Security Agency)
  • 19. Defining Critical Infrastructure
    • Health
    • Defense
    • Government (Non-defense)
    • Communications
    • Energy & Utilities
    • Transportation
    • Finance
    • Commerce & Economy
    • Agriculture & Food
    • Water
    • Emergency Services
  • 20. Part 2: Sector Profiling: Health
    Relevant Parameters
    • Physical conditions must be evaluated first
    • Technical controls must consider how EPHI is managed
      – Patient health information
      – Patient billing information
      – This includes insurance plans, etc.
    • Administrative controls must be reviewed
  • 21. Part 2: Sector Profiling: Health
    GRC Mandates
    • Payment Card Industry Data Security Standard (PCI DSS)
    • National mandatory disclosure laws
    • Model Audit Rule (applies to health insurance companies)
    • Sarbanes-Oxley (SOX)
    These legal and compliance obligations and exposure require that health care organizations proactively manage compliance. Compliance risk in health care needs to be a coordinated effort that brings together a cohesive compliance process in a constantly changing environment—you must remain current.
    — SAMPLE HIPAA POLICY
  • 22. Part 2: Sector Profiling: Defense
    Relevant Parameters
    • Physical controls exist to limit physical access to the system
    • A suitable access control policy is in place to confirm the identity of the user prior to accessing the system
    • Configured to guarantee accountability with proper auditing functions enabled
    • Configured to ensure integrity of data
      – This includes proper backups, permissions, contingency planning
    • Latest appropriate patches applied
    • Users trained regarding system security awareness
    • Procedures exist for handling security incidents
    • Risk management analyses performed
      – Assess value of additional security measures vs. the increased cost of those measures
    • Security planning / implementation performed throughout system lifecycle
    • Periodic reviews of security posture assure consistent application
  • 23. Part 2: Sector Profiling: Defense
    GRC Mandates
    – DoD
    – NIST FISMA
    – Specific Branches
    – Classified Document Handling Protocols
    – DefCons
    – Border Patrol Policies
    – Operational Handling of Secure Processes
    — SAMPLE DoD / DoAF POLICIES
    — ISO 27K (excerpt)
  • 24. Part 2: Sector Profiling: Gov’t Admin
    Relevant Parameters
    • Critical Infrastructure Protection and Compliance Policy coordinates the inter-department development and implementation of policies
      – Protection of the critical infrastructure of the non-defense government sectors
      – Development of certain other statutes and regulations within the specific sectors
  • 25. Part 2: Sector Profiling: Gov’t Admin
    GRC Mandates
    • FISMA
    • MOSTI
    • ISO27K
    • Agency-specific Policies
    • Treaty-based guidelines
      – E.g., NAFTA
    — ISO 27K (excerpt)
  • 26. Part 2: Sector Profiling: Communications
    Relevant Parameters
    • Create a flexible framework to manage both control definition & regulatory requirements with compliance measurements
    • Load balancing & consistent NOC reporting mechanisms
    • Manage telecommunications-targeted enterprise risks within enormous infrastructures
    • Carrier plans may vary from region to region
    • Wireless & data stream management parameters differ
    • Platform compliance (SAP applications, Oracle, etc.)
  • 27. Part 2: Sector Profiling: Communications
    GRC Mandates
    • FCC
    • SOX
    • GLBA
    • PCI / DSS
    • ISO27K
    — ISO 27K (excerpt)
    — T-Mobile Case Study
  • 28. Part 2: Sector Profiling: Energy
    Relevant Parameters
    • Maintaining support during disasters
    • Grid management & physical exposure to risk/threat
    • Policies may vary depending on location of infrastructure
    • “Energy” is multi-faceted
      – Power
      – Natural Gas
      – Other sources
  • 30. Part 2: Sector Profiling: Energy
    This model overlays energy infrastructure networks on a specific location. The vertical lines identify system interdependencies.
  • 31. Part 2: Sector Profiling: Energy
    GRC Mandates
    • FEMA (U.S.)
    • MY DoE guidelines
    — ISO 27K (excerpt)
  • 32. Part 2: Sector Profiling: Finance
    Relevant Parameters
    • Traded companies must comply with SEC rules by reporting on the effectiveness of their internal controls in the annual report.
    • The content must contain:
      – A statement of management’s responsibilities for establishing and maintaining an adequate system.
      – The identification of the framework used to evaluate the internal controls.
      – A statement as to whether or not the internal control system is effective as of year-end.
      – The disclosure of any material weaknesses in the system.
      – A statement that the company’s auditors have issued an audit report on management’s assessment.
    • Senior management require CPA input
    • Must determine whether there are any material weaknesses
  • 33. Part 2: Sector Profiling: Finance
    GRC Mandates
    • SEC Mandates
    • Sarbanes-Oxley
    • Gramm-Leach-Bliley
    • PCI / DSS
    • ISO 27K
    — SAMPLE SOX REPORTING POLICY (excerpt)
    — ISO 27K (excerpt)
  • 34. Part 2: Sector Profiling: Commerce
    Relevant Parameters
    • Regulating free trade
    • Dealing with price gouging
      – In times of shortage
      – Disasters
      – Event times
    • Antitrust laws
    • Investment regulations
  • 35. Part 2: Sector Profiling: Commerce
    GRC Mandates
    • SEC Mandates
    • Sarbanes-Oxley
    • Gramm-Leach-Bliley
    • PCI / DSS
    • ISO 27K
    — SAMPLE SOX REPORTING POLICY (excerpt)
    — ISO 27K (excerpt)
  • 36. Part 2: Sector Profiling: Emergency Services
    Relevant Parameters
    • Contingency planning models
    • Business continuity
    • Disaster response & recovery
  • 37. Part 2: Sector Profiling: Emergency Services
    GRC Mandates
    • FEMA
    • Regional or MY directed models
    — ISO 27K (excerpt)
  • 38. Part 3. GRC Fail-points & what causes them
  • 39. Part 3: GRC Fail-points
    Why (how) do efforts fail?
    • Five Key Reasons:
      – Redundant and inefficient processes
      – Inconsistent focus across the environment (enterprise)
      – It’s complicated!
      – Lack of business agility
      – Incomplete, reaction-based point solutions
  • 40. Part 3: GRC Fail-points
    Redundant & Inefficient Processes
    • Band-Aid Approach
      – Compartmentalizes risk management efforts
      – Contrary to “Big Picture” oversight
    • Overlooks how to leverage & integrate resources
      – Which would offer greater impact & timeliness of response
    • Varying levels of success (“Hit & Miss”)
    • Inconsistent responses to individual risk and compliance requirements
    • More expensive: multiple initiatives to build independent GRC systems
  • 41. Part 3: GRC Fail-points
    Inconsistent focus across the environment (enterprise)
    • “Island Management”
      – Creates silos of isolationism
      – Nobody knows what the others are doing
      – Creates “scope creep” and drains budgets
    • No common framework for activity
      – COSO / CobIT / IIA / SANS
    • CIO can’t create consistent management patterns ($, resources)
      – Creates FUD about overall efforts at high levels
      – Nobody “downstairs” wants to follow the plan; sees no value
  • 42. Part 3: GRC Fail-points
    “It’s Complicated!”
    • Adding layers of GRC initiatives creates complex, reactive conditions.
    • GRC is “distractive” by its very nature
      – Most in-house departments focus on their sector, not GRC issues
      – Complexity increases inherent risk and results in processes that are not streamlined and managed consistently
    • More confusion fosters lack of trust in processes
      – Discredits departments and individuals
      – . . . as well as the organization itself—should something happen!
      – Also breeds confusion in regulators, stakeholders, business partners
  • 43. Part 3: GRC Fail-points
    Lack of Business Agility
    • Reaction-based policies are not flexible
    • Limitations caused by complex plans and hundreds of disconnected documents and spreadsheets
    • Dynamic, distributed business structures need simple traffic patterns for disseminating policy
    • Point solutions have some impact but often miss the large-scale risk management solution framework and objectives
      – Data can become disconnected and difficult to manage / resolve
  • 44. Part 3: GRC Fail-points
    Incomplete, reaction-based point solutions
    • Requires a top-down AND holistic view
    • Unravel one thread at a time
    • “Immediate Reaction” does not equal “Immediate Response”
    • GRC point solutions often focus on assessment
      – They might replace spreadsheets,
      – They usually don’t deliver on analytics,
      – They usually don’t align with business applications.
    • Gaps develop in the GRC plan, causing internal misalignment
  • 45. Part 3: 10 Critical Fail-points in GRC Planning
    • Intelligence reporting
      – Needed to support decision-making: risk awareness / mitigation and compliance areas
    • Identifying consistent risk patterns & dependencies
    • Inconsistent, inaccurate system and operational data reports
    • Cost of consolidating disparate / inconsistent data streams
    • Liabilities of fines for failing to report and trend GRC across required assessment and reporting periods
  • 46. Part 3: 10 Critical Fail-points in GRC Planning
    • Unreliable or irreconcilable risk assessment results
      – Different formats & approaches (e.g., human monitoring without automation)
    • Redundant risk management & compliance efforts
    • Inconsistent approaches to risk/compliance activities
    • Different vocabulary and processes that limit correlation, comparison and integration of information
      – Not following a common criteria standard or framework
    • Limitations in response times to changing environments
  • 47. Part 3: GRC Fail-points—ASK FIRST!!
    High-level questions need to be answered first:
    • What does our end-to-end GRC program look like today?
      – Budget, planning, C-level buy-in, org-wide understanding
    • How can we align GRC requirements with our policies and day-to-day business operations?
    • What is our real exposure and what controls need to be implemented to address/mitigate/recover from risks?
    • How can we leverage technology to manage GRC holistically across the enterprise?
    • How can we govern our GRC processes across silos and stakeholders?
  • 48. Content Acknowledgements . . .
    • National Institute of Standards & Technology
    • Deloitte
    • Cisco
    • U.S. DoD
    • SANS Institute
    • Modulo
    • Michael Rasmussen
    • IIA / ISACA
  • 49. 3 Key Target Trends for CNII/NCSP implementation
  • 52. Governance / Risk Management / Compliance / Critical Assets / Infrastructure
    • Objectives
    • Policies / Mandates
    • Development Pathway
    • Internal Assessment
    • Technology Assurances
    • Business Rules
    • Common Criteria
    • Gap Assessment
    • Physical Reviews
    • Audits
    • Contingency / Continuity Mgmt
    Relevance Factoring
  • 53. GRC Scope in APAC Region
  • 54. Elements of a successful GRC roadmap
    High-level questions need to be answered first:
    • What does your end-to-end GRC program look like today?
      – Budget, planning, C-level buy-in, org-wide understanding
    • How can you align GRC requirements with your policies and day-to-day business operations?
    • What is your real exposure and what controls need to be implemented to address/mitigate/recover from risks?
    • How can you leverage technology to manage GRC holistically across the enterprise?
    • How can you govern your GRC processes across silos and stakeholders?
  • 59. GRC IT Maturity Model (Deloitte)
  • 64. Your ConZebra Point of Value . . .
    • We created a scenario for how to establish a critical infrastructure, and identified our GRC plans
    • We established a common parameter of understanding for each respective operational sector of a Critical Infrastructure
    • We identified potential gaps that may appear from our analysis of our respective sector-by-sector activities
    • We recognized consequences and fail-points when configuring an effective GRC strategy
  • 65. Thank You
    Drew Williams
    President, Condition Zebra, inc.
    drew@conzebra.com

Editor's notes

  1. PT 1 EFFECTIVE GOVERNANCE
     PT 2 LEGISLATIVE & REGULATORY FRAMEWORK
     PT 3 CYBER SECURITY TECHNOLOGY FRAMEWORK
     PT 4 CULTURE OF SECURITY & CAPACITY BUILDING
     PT 5 RESEARCH & DEVELOPMENT TOWARDS SELF RELIANCE
     PT 6 COMPLIANCE & ENFORCEMENT
     PT 7 CYBER SECURITY EMERGENCY READINESS
     PT 8 INTERNATIONAL COOPERATION
  2. -- Top Five Target Trends for 2013 (incl. BYOD) -- . . . and suggested strategies to address them