Architecting Security in the Digital Age
#ISSLearningDay
Tan Eng Tsze, Principal Lecturer & Consultant, Digital Strategy & Leadership Practice, NUS-ISS
2 Aug 2019
[TOTAL SLIDES = 46]
1
Objectives
Upon completion of this session, you will be able to understand:
• Security Architecture
• A Business-driven approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
2
Agenda
→ Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
3
The Digital Age
Source: Cyber Resilience in the Digital Age
4
Common Approach to Security (1) – Piecemeal Approach
Piecemeal Approach: Most organisations approach security on a project-by-project basis, and security solutions are installed on a tactical basis. This results in a mixture of solutions and no assurance that collectively they will be effective against cyber threats.
5
Common Approach to Security (2) – Compliance Perspective
How many of us mistakenly believe that securing our information systems requires little more than working from a checklist of technical and procedural controls and applying the right security measures from the list? It is like asking: if your checklist includes all the components needed to build a plane, do you have a plane?
Cybersecurity Frameworks
6
Common Approach to Security (3) – Lack of Traceability to Business Objectives / Drivers
• A global financial-services company left cybersecurity investments mainly to the discretion of the chief information-security officer (CISO), within certain budget constraints. The security team was isolated from business leaders, and resulting controls were not focused on the information that the business felt was most important to protect.
• A healthcare provider made patient data its only priority. Other areas were neglected, such as confidential financial data relevant to big-dollar negotiations and protections against other risks such as alterations to internal data.
• A global mining concern focused on protecting its production and exploration data but failed to separate proprietary information from information that could be reconstructed from public sources. Thus, broadly available information was being protected using resources that could have been shifted to high-value data like internal communications on business negotiations.
Bottom line: Is your Security supporting the Business? Does your Security know what the Organisation’s CROWN Jewels (Assets) are that are important to protect?
7
What is at Risk?
• Reputation, Brand, Image
• Trust
• Competitive Advantage
• Market & Investor Confidence
• Relationships with business partners
• Customer Retention & Growth
• Business Continuity & Resilience
• Ability to offer, fulfill transactions
Think Security is Expensive? Insecurity costs much more!
8
What is needed?
9
A Unified Enterprise-wide approach to Cybersecurity - involving the Business, the Risk, IT and Cybersecurity groups
10
Security in the Digital Age
Shift the Security Perspective
From | To
Bolt-On/Preventative Only Security | Business Driven Security
Technical Problem | Business Problem
Objective is IT Security | Objective is Business Continuity / Resilience
One Size Fits all Security Practices | Security is the implementation of layered controls that meet agreed business requirements and address risks
Tactical, Ad hoc approach | Holistic, Enterprise-wide, Integrated, Adaptive approach
Expense | Investment
Perimeter Security | Security through Prevention, Detection, Response and Predictive
11
Security Program: The Objective
Develop an Enterprise Security Program that enables and supports your Organisation’s Business Strategies and Objectives, clearly communicates these Linkages, and demonstrates the Business Benefits as they are realised.
12
Common Questions: How do we…?
• How do we ensure all our Security Controls are Integrated and working Effectively Together to Optimise Value?
• How do we use best practice frameworks effectively when one size does not fit all?
• How do we know if we are managing risk in the right areas and to an acceptable level?
• How do we ensure Security supports the business?
• Are we spending too much on security or on the right things?
13
ARCHITECTING Security in the Digital Age
Source: SABSA
Source: Integrating Risk and Security within a TOGAF EA
14
Security as a Cross-Cutting Concern in Enterprise Architecture
Business
Application
Data
Technology
SECURITY
Security By Design
Architecting Security
15
Integrating Risk & Security Within TOGAF EA
[Figure: Enterprise Architecture and Enterprise Security Architecture. Labels shown in the figure:]
• Business Drivers / Business Objectives
• Security Principles
• Risk Appetite
• Key Risk Areas / Business Impact
• Security Resource Plan
• Applicable Law and Regulation Register
• Applicable Control Framework Register
• Security Domain Model
• Security Policy Architecture
• Trust Framework
• Risk Assessment
• Business Risk Model / Risk Register
• Security Services Catalogue
• Security Classification
• Data Quality
• Identity & Access Mgt
• Continuity Management
• Security Intelligence
• Etc.
• Enterprise Risk Management
• Information Security Management
• Security Standards
• Risk Mitigation Plan
• Security Audit
• Security Training & Awareness
• Business Attribute Profile
• Control Objectives / Security Objectives
• Security Monitoring
• Compliance Management
Source: Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group
16
Agenda
• Security Architecture Overview
→ Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
17
Business-Driven Security Architecture
An organisation needs security controls that:
• Are Directly Traceable to Business Goals and Objectives
• Are Driven by Business Requirements
• Are appropriate to both the Business Risks and organisation’s Risk Appetite
• Meet Legal, Regulatory and Policy Compliance requirements by Design
The challenge in developing the security architecture is to balance Usability, Risk and Cost
Effective Security
18
SABSA – Sherwood Applied Business Security Architecture
• World’s Leading Security Architecture – Official and De Facto Standard
• Free-use Enterprise Security Architecture Methodology & Framework
• Formal Regulated Professional Institute
19
SABSA – Taking a Top-Down Business-driven Approach to Architect Security
20
The SABSA Matrix
Layer | Assets (What) | Motivation (Why) | Process (How) | Location (Where) | People (Who) | Time (When)
Contextual | Business Decisions | Business Risk | Business Processes | Business Geography | Business Governance | Business Time Dependence
Conceptual | Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Domain Framework | Roles & Responsibilities | Time Management Framework
Logical | Information Assets | Risk Management Policies | Process Maps & Services | Domain Maps | Entity & Trust Framework | Calendar & Timetable
Physical | Data Assets | Risk Management Practices | Process Mechanisms | ICT Infrastructure | Human Interface | Processing Schedule
Component | ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Locator Tools & Standards | Personnel Management Tools & Standards | Step Timing & Sequencing Tools
Service Management | Service Delivery Management | Operational Risk Management | Process Delivery Management | Management of Environment | Personnel Management | Time & Performance Management
Business, Design, Build, Operate
21
ARCHITECT
A worked example
77 million customer details stolen
Service down for X days
Cost USD $250 million
One of the largest Data Security breaches to hit console gamers!
Happened in 2011
77 million customer accounts were compromised and prevented from accessing the service
Outage lasted for 23 days
Result of “External Intrusion” on Company’s Network
Cost USD $250 million as the company worked to clean up the mess and reinforce its defenses
MISSION: “a company that provides customers with Kando – to move them emotionally – and inspires and fulfils their curiosity.”
22
A worked example
Technical
Security
Services
Kazuo Hirai, CEO Sony Entertainment
23
The SABSA Approach
• Security Service: Identify Security Services to provide required control objectives
• Control Objective: Define Control Objectives to mitigate the identified threats to acceptable levels
• Impact Analysis: Use Qualitative or Quantitative methods to define impact of the realization of the threat on the identified business objectives
• Threat Analysis: Perform threat analysis; identify actual threats to business attributes / business drivers
• Business Attribute: Translate Drivers into Business Security Attributes; Security Attributes are provided by the SABSA framework
• Business Driver: Identify the Business Drivers / Objectives; Prioritise Drivers
24
Understand the Business and its Risks - Contextual and Conceptual Security Architecture
Gather, Assess and Analyse Business Requirements
• Business Strategy
• Business Processes and Functions
• Organisational Structure – Personnel, Geographical, Partnerships
• Budgets, Technical Constraints, Time Dependencies
Describe the Business Requirements
• Use the Business Attributes database to describe the business in terms of Strategy, related Assets, Business Goals and Objectives -> Business Attribute Profile
Analyse the Business Risks
• Perform a Threat Analysis on the business Assets, Goals and Objectives
• Define the Business Impact of the realization of the threats
• Identify Technical and Procedural Vulnerabilities
25
SABSA – Business Attribute Profile
[Figure: SABSA Business Attributes taxonomy. Categories: Management Attributes, User Attributes, Operational Attributes, Risk Management Attributes, Technical Strategy Attributes, Business Strategy Attributes, Legal / Regulatory Attributes. Attribute labels shown in the figure: Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent, Transparent, Responsive, Anonymous, Continuous, Monitored, Legal, Regulated, Providing Return on Investment, Enabling time-to-market, Culture-sensitive]
• To prompt your thinking on business strategies, business drivers, business assets, goals and objectives
• Key tool for conceptualizing the business assets that need protection in an information security architecture
• Engineering technique for modeling Business Requirements into normalized, measurable, demonstrable, reusable, reportable form
• Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
• Measurable to define performance targets and risk appetite
26
A worked example – Business Drivers
Business Driver: Data Protection Legislation
Business Attributes: Access-Controlled, Compliant, Protected, Private
Threats:
• Customer data is disclosed to internal users through inappropriate access controls
• Staff leak customer information to unauthorized third parties
• Customer information is disclosed in transit to third-party processor
• Sensitive customer data is disclosed to unauthorized parties
Prioritised Business Impact:
• Wide loss of customer confidence
• Company brand damage
• Prosecution by the regulators
27
A worked example – Control Objectives
Control Objectives: Protect Customer Information
Business Attributes: Access-Controlled, Compliant, Protected, Private
People
• Training and Awareness for all Staff on Data Protection
Technology
• Identity Management
• Authentication and Authorisation
• Database and Network Encryption to protect personal data in storage and transit
• Auditing and Logging of access to sensitive personal data
Operations, Process & Procedures
• User Access Management
• Monitoring User Access Levels and User Activity particularly Third Parties
• Incident Response for Data Breach
Governance
• Nominated Data Protection Officer
• Data Protection Policies, Standards and Procedures
• Third Party Risk Management Framework
• Data Protection Assurance
28
Logical Security Architecture – What does it look like?
Business Attribute Profile
• Select Business Attributes (mapped to business drivers)
• Define enterprise specific business attributes, a measurement approach, metrics and targets
Control Objectives
• Derive control objectives from the Business Attribute Profile and the Business Risk Model developed at the Conceptual Layer
Security Strategies
• Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security
Security Services
• Layered model of security services including
  • Prevention
  • Containment
  • Detection and Notification
  • Event Collection and Tracking
  • Recovery
  • Assurance
29
A worked example – Security Services
Security Services
• Identity Management Tools
• Authentication
• Access Control
• Authorisation
• Auditing
• Storage Encryption
• Link Encryption
• Breach
Security Services
• Security Management
• Incident Management
• Policies, Standards, Procedures, Guidelines
• Training & Awareness
• Proactive Reviews
• Third Party Management Frameworks
30
A worked example – Physical Security Architecture
31
Security Architecture Deliverables – what do you get?
Contextual Security Architecture
• Business Drivers
• Prioritised Drivers
• Impact Assessment
Conceptual Security Architecture
• Business Attribute Profile
• Business Risk Model
• Security Domain Model
Logical Security Architecture
• Security Domains and Associations
• Logical Security Services Framework
Physical & Component Security Architecture
• Detailed infrastructure and component solution design
• Documented controls against control objectives
Operational Security Control Framework
32
SABSA – Provides Traceability
Business Justified: Every operational or technological security element can be justified by reference to a risk-prioritized business requirement
33
SABSA Top Applications
• Security Architecture
• Traceability & Alignment of Solutions to Business Requirements
• Enterprise Risk & Opportunity Management
• Assurance, Compliance & Audit
• Governance & Policy Architecture
• Technical Solutions Design
• Security Service Management Framework
• Critical National Infrastructure Strategy
34
Benefits of Security Architecture Approach
• Provides the Strategic Roadmap and Long-term View for security across the organisation
• Enables Business-to-Security alignment
• Ensures that all security models and implementations can be traced back to business
• All security controls are integrated and working together to optimise value
• Reduces ad hoc or tactical security implementations
• Establishes a common “language” for information security within the organisation
35
Measuring Success in Security Architecture
Characteristics of a Good Security Architecture:
• Strategic Alignment – aligned to the current business strategy
• Pragmatism: reflects the operating environment of the organisation and imposes appropriate controls to mitigate the risks
• Robustness: demonstrates a thorough development with appropriate input, review and approval with stakeholders
• Adaptive & Agile – designing a security architecture to deal with changing legal, regulatory and customer requirements
Good Security Controls:
• Driven by business requirements rather than technical considerations
• Meets regulatory audit and compliance requirements by design
• Appropriate to both the business risks and organisation’s risk appetite
• Directly traceable to business objectives
36
Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
→ Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
37
Adaptive Security Architecture
• Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks
• Comprehensive protection requires an adaptive protection process integrating Predictive, Preventive, Detective and Respond security capabilities
• An Adaptive Security Protection Architecture requires Continuous Monitoring
38
Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
→ Security Governance
• Profile of a Good Security Architect
39
Security Governance
The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies
• are aligned with and support business objectives
• adhere to policies, standards, and internal controls
• provide assignment of authority and responsibility
all in an effort to manage risk.
Source: Information Security Governance, ISACA
40
Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
→ Profile of a Good Security Architect
41
Profile of a Good Security Architect
A Security Architect’s skill set is different from a designer’s:
• Business-focused & Thinking in Business Terms at all times: Understand business goals and objectives and how they translate into security practices. Need to focus on security in conjunction with business enablement.
  • Why are we doing this?
  • What are we trying to achieve in business terms here?
• Holistic Enterprise Security Mindset
• Proficient in Risk Management
• Soft skills are also important, such as Big Picture Thinking, Problem Solving, Leadership, Communication, Collaboration, Negotiation etc.
42
Key Takeaways
• The Business-Driven approach to ARCHITECT Security provides Traceability to Business Objectives and allows you to understand the Business and its Risks
• Good Security Controls are driven by Business Requirements rather than technical considerations or picking from a checklist of best practice security control objectives
• Security Architecture needs to be Adaptive and Constantly Adapting to changing Business and evolving Threats, and Proactive in Monitoring / Analytics
• For Security Architecture to be successful, you also need to GOVERN the Security
• Security Architecture Thinking and Mindset…a Holistic Enterprise-Wide View of Securing the Enterprise in the Digital Age
43
References:
1. Cyber Resilience in the Digital Age
https://www.worldgovernmentsummit.org/api/publications/document?id=24717dc4-e97c-6578-b2f8-ff0000a7ddb6
2. What is SABSA – A Introduction
https://www.vanharen.net/Player/eKnowledge/sabsa_-_a_introduction.pdf
3. Information Security Governance: Guidance for Board of Directors and Executive Management
https://www.isaca.org/Knowledge-Center/Research/Documents/Information-Security-Govenance-for-Board-of-Directors-and-Executive-Management_res_Eng_0510.pdf
4. Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group
https://publications.opengroup.org/review/product/list/id/85/category/63/
44
NUS-ISS’ Developing Cybersecurity Architecture Course - Coming Soon!
45
Thank You!
isstet@nus.edu.sg
46

The Most Trustworthy Enterprise Security Solution Providers of India.pdfThe Most Trustworthy Enterprise Security Solution Providers of India.pdf
The Most Trustworthy Enterprise Security Solution Providers of India.pdfCIO Look Magazine
 

Similaire à NUS-ISS Learning Day 2019-Architecting security in the digital age (20)

Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Mobility Security - A Business-Centric Approach
Mobility Security - A Business-Centric ApproachMobility Security - A Business-Centric Approach
Mobility Security - A Business-Centric Approach
 
Making Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security ProgramMaking Security Work—Implementing a Transformational Security Program
Making Security Work—Implementing a Transformational Security Program
 
CCA study group
CCA study groupCCA study group
CCA study group
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
CSCSS / DEFENCE INTELLIGENCE GROUP
CSCSS / DEFENCE INTELLIGENCE GROUPCSCSS / DEFENCE INTELLIGENCE GROUP
CSCSS / DEFENCE INTELLIGENCE GROUP
 
India's Leading Cyber Security Companies_compressed.pdf
India's Leading Cyber Security Companies_compressed.pdfIndia's Leading Cyber Security Companies_compressed.pdf
India's Leading Cyber Security Companies_compressed.pdf
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
ciso-platform-annual-summit-2013-ciso assessment exec summary _ibm
ciso-platform-annual-summit-2013-ciso assessment exec summary _ibmciso-platform-annual-summit-2013-ciso assessment exec summary _ibm
ciso-platform-annual-summit-2013-ciso assessment exec summary _ibm
 
The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability Statement
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
The Most Trustworthy Enterprise Security Solution Providers of India.pdf
The Most Trustworthy Enterprise Security Solution Providers of India.pdfThe Most Trustworthy Enterprise Security Solution Providers of India.pdf
The Most Trustworthy Enterprise Security Solution Providers of India.pdf
 

Plus de NUS-ISS

Designing Impactful Services and User Experience - Lim Wee Khee
Designing Impactful Services and User Experience - Lim Wee KheeDesigning Impactful Services and User Experience - Lim Wee Khee
Designing Impactful Services and User Experience - Lim Wee KheeNUS-ISS
 
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...NUS-ISS
 
How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...NUS-ISS
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationNUS-ISS
 
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...NUS-ISS
 
Understanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix GohNUS-ISS
 
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeDigital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeNUS-ISS
 
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...NUS-ISS
 
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...NUS-ISS
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnNUS-ISS
 
Future of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdfNUS-ISS
 
Future of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan MengNUS-ISS
 
Site Reliability Engineer (SRE), We Keep The Lights On 24/7
Site Reliability Engineer (SRE), We Keep The Lights On 24/7Site Reliability Engineer (SRE), We Keep The Lights On 24/7
Site Reliability Engineer (SRE), We Keep The Lights On 24/7NUS-ISS
 
Product Management in The Trenches for a Cloud Service
Product Management in The Trenches for a Cloud ServiceProduct Management in The Trenches for a Cloud Service
Product Management in The Trenches for a Cloud ServiceNUS-ISS
 
Overview of Data and Analytics Essentials and Foundations
Overview of Data and Analytics Essentials and FoundationsOverview of Data and Analytics Essentials and Foundations
Overview of Data and Analytics Essentials and FoundationsNUS-ISS
 
Predictive Analytics
Predictive AnalyticsPredictive Analytics
Predictive AnalyticsNUS-ISS
 
Feature Engineering for IoT
Feature Engineering for IoTFeature Engineering for IoT
Feature Engineering for IoTNUS-ISS
 
Master of Technology in Software Engineering
Master of Technology in Software EngineeringMaster of Technology in Software Engineering
Master of Technology in Software EngineeringNUS-ISS
 
Master of Technology in Enterprise Business Analytics
Master of Technology in Enterprise Business AnalyticsMaster of Technology in Enterprise Business Analytics
Master of Technology in Enterprise Business AnalyticsNUS-ISS
 
Diagnosing Complex Problems Using System Archetypes
Diagnosing Complex Problems Using System ArchetypesDiagnosing Complex Problems Using System Archetypes
Diagnosing Complex Problems Using System ArchetypesNUS-ISS
 

Plus de NUS-ISS (20)

Designing Impactful Services and User Experience - Lim Wee Khee
Designing Impactful Services and User Experience - Lim Wee KheeDesigning Impactful Services and User Experience - Lim Wee Khee
Designing Impactful Services and User Experience - Lim Wee Khee
 
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
 
How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
 
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
 
Understanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
 
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng TszeDigital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
Digital Product-Centric Enterprise and Enterprise Architecture - Tan Eng Tsze
 
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
Emerging & Future Technology - How to Prepare for the Next 10 Years of Radica...
 
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk MunnSupply Chain Security for Containerised Workloads - Lee Chuk Munn
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
 
Future of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdf
 
Future of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan MengFuture of Learning - Khoong Chan Meng
Future of Learning - Khoong Chan Meng
 
Site Reliability Engineer (SRE), We Keep The Lights On 24/7
Site Reliability Engineer (SRE), We Keep The Lights On 24/7Site Reliability Engineer (SRE), We Keep The Lights On 24/7
Site Reliability Engineer (SRE), We Keep The Lights On 24/7
 
Product Management in The Trenches for a Cloud Service
Product Management in The Trenches for a Cloud ServiceProduct Management in The Trenches for a Cloud Service
Product Management in The Trenches for a Cloud Service
 
Overview of Data and Analytics Essentials and Foundations
Overview of Data and Analytics Essentials and FoundationsOverview of Data and Analytics Essentials and Foundations
Overview of Data and Analytics Essentials and Foundations
 
Predictive Analytics
Predictive AnalyticsPredictive Analytics
Predictive Analytics
 
Feature Engineering for IoT
Feature Engineering for IoTFeature Engineering for IoT
Feature Engineering for IoT
 
Master of Technology in Software Engineering
Master of Technology in Software EngineeringMaster of Technology in Software Engineering
Master of Technology in Software Engineering
 
Master of Technology in Enterprise Business Analytics
Master of Technology in Enterprise Business AnalyticsMaster of Technology in Enterprise Business Analytics
Master of Technology in Enterprise Business Analytics
 
Diagnosing Complex Problems Using System Archetypes
Diagnosing Complex Problems Using System ArchetypesDiagnosing Complex Problems Using System Archetypes
Diagnosing Complex Problems Using System Archetypes
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

NUS-ISS Learning Day 2019-Architecting security in the digital age

  • 1. Architecting Security in the Digital Age #ISSLearningDay Tan Eng Tsze, Principal Lecturer & Consultant, Digital Strategy & Leadership Practice, NUS-ISS 2 Aug 2019 [TOTAL SLIDES = 46] 1
  • 2. Objectives. Upon completion of this session, you will be able to understand:
      - Security Architecture
      - A Business-driven approach to Architect Security
      - Adaptive Security Architecture
      - Security Governance
      - Profile of a Good Security Architect
  • 3. Agenda
      → Security Architecture Overview
      - Business Driven Approach to Architect Security
      - Adaptive Security Architecture
      - Security Governance
      - Profile of a Good Security Architect
  • 4. The Digital Age. Source: Cyber Resilience in the Digital Age
  • 5. Common Approach to Security (1) – Piecemeal Approach. Most organisations approach security on a project-by-project basis, and security solutions are installed on a tactical basis. The result is a mixture of solutions, with no assurance that collectively they will be effective against cyber threats.
  • 6. Common Approach to Security (2) – Compliance Perspective. How many of us mistakenly believe that securing our information systems requires little more than working from a checklist of technical and procedural controls and applying the right security measures from the list? It is like asking: if your checklist includes all the components needed to build a plane, do you have a plane? (Figure: Cybersecurity Frameworks)
  • 7. Common Approach to Security (3) – Lack of Traceability to Business Objectives / Drivers
      - A global financial-services company left cybersecurity investments mainly to the discretion of the chief information-security officer (CISO), within certain budget constraints. The security team was isolated from business leaders, and resulting controls were not focused on the information that the business felt was most important to protect.
      - A healthcare provider made patient data its only priority. Other areas were neglected, such as confidential financial data relevant to big-dollar negotiations and protections against other risks such as alterations to internal data.
      - A global mining concern focused on protecting its production and exploration data but failed to separate proprietary information from information that could be reconstructed from public sources. Thus, broadly available information was being protected using resources that could have been shifted to high-value data like internal communications on business negotiations.
    Bottom line: Is your Security supporting the Business? Does your Security know which are the Organisation's Crown Jewels (the Assets that are important to protect)?
  • 8. What is at Risk?
      - Reputation, Brand, Image
      - Trust
      - Competitive Advantage
      - Market & Investor Confidence
      - Relationships with business partners
      - Customer Retention & Growth
      - Business Continuity & Resilience
      - Ability to offer, fulfill transactions
    Think Security is Expensive? Insecurity costs much more!
  • 10. A Unified Enterprise-wide approach to Cybersecurity, involving the Business, the Risk, IT and Cybersecurity groups
  • 11. Security in the Digital Age: Shift the Security Perspective

    | From | To |
    |---|---|
    | Bolt-On/Preventative Only Security | Business Driven Security |
    | Technical Problem | Business Problem |
    | Objective is IT Security | Objective is Business Continuity / Resilience |
    | One Size Fits all Security Practices | Security is the implementation of layered controls that meet agreed business requirements and address risks |
    | Tactical, Ad hoc approach | Holistic, Enterprise-wide, Integrated, Adaptive approach |
    | Expense | Investment |
    | Perimeter Security | Security through Prevention, Detection, Response and Predictive |
  • 12. Security Program: The Objective. Develop an Enterprise Security Program that enables and supports your Organisation's Business Strategies and Objectives, clearly communicates these Linkages, and demonstrates the Business Benefits as they are realised.
  • 13. Common Questions: How do we…?
      - How do we ensure all our Security Controls are Integrated and working Effectively Together to Optimise Value?
      - How do we use best practice frameworks effectively when one size does not fit all?
      - How do we know if we are managing risk in the right areas and to an acceptable level?
      - How do we ensure Security supports the business?
      - Are we spending too much on security or on the right things?
  • 14. ARCHITECTING Security in the Digital Age. Source: SABSA. Source: Integrating Risk and Security within a TOGAF EA
  • 15. Security as a Cross-Cutting Concern in Enterprise Architecture. (Figure labels: Business, Application, Data, Technology; SECURITY; Security By Design; Architecting Security)
  • 16. Integrating Risk & Security Within TOGAF EA. (Figure labels: Enterprise Security Architecture; Enterprise Architecture; Business Drivers / Business Objectives; Security Principles; Risk Appetite; Key Risk Areas / Business Impact; Security Resource Plan; Applicable Law and Regulation Register; Applicable Control Framework Register; Security Domain Model; Security Policy Architecture; Trust Framework; Risk Assessment; Business Risk Model / Risk Register; Security Services Catalogue; Security Classification; Data Quality; Identity & Access Mgt; Continuity Management; Security Intelligence; Etc.; Enterprise Risk Management; Information Security Management; Security Standards; Risk Mitigation Plan; Security Audit; Security Training & Awareness; Business Attribute Profile; Control Objectives / Security Objectives; Security Monitoring; Compliance Management.) Source: Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group
  • 17. Agenda • Security Architecture Overview  Business Driven Approach to Architect Security • Adaptive Security Architecture • Security Governance • Profile of a Good Security Architect #ISSLearningDay 17
  • 18. Business-Driven Security Architecture. An organisation needs security controls that are:
      • Directly Traceable to Business Goals and Objectives
      • Driven by Business Requirements
      • Appropriate to both the Business Risks and the organisation’s Risk Appetite
      • Meet Legal, Regulatory and Policy Compliance requirements by Design
    The challenge in developing the security architecture is to balance Usability, Risk and Cost-Effective Security.
  • 19. SABSA – Sherwood Applied Business Security Architecture
      • World’s Leading Security Architecture – Official and De Facto Standard
      • Free-use Enterprise Security Architecture Methodology & Framework
      • Formal Regulated Professional Institute
  • 20. SABSA – Taking a Top-Down Business-driven Approach to Architect Security
  • 21. The SABSA Matrix
    Columns: Assets (What) | Motivation (Why) | Process (How) | Location (Where) | People (Who) | Time (When)
      • Contextual: Business Decisions | Business Risk | Business Processes | Business Geography | Business Governance | Business Time Dependence
      • Conceptual: Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Domain Framework | Roles & Responsibilities | Time Management Framework
      • Logical: Information Assets | Risk Management Policies | Process Maps & Services | Domain Maps | Entity & Trust Framework | Calendar & Timetable
      • Physical: Data Assets | Risk Management Practices | Process Mechanisms | ICT Infrastructure | Human Interface | Processing Schedule
      • Component: ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Locator Tools & Standards | Personnel Management Tools & Standards | Step Timing & Sequencing Tools
      • Service Management: Service Delivery Management | Operational Risk Management | Process Delivery Management | Management of Environment | Personnel Management | Time & Performance Management
    Side labels on the slide: Business, Design, Build, Operate; ARCHITECT
  • 22. A worked example. One of the largest Data Security breaches to hit console gamers!
      • 77 million customer details stolen
      • Service down for X days
      • Cost USD $250 million
      • Happened in 2011
      • 77 million customer accounts were compromised and prevented from accessing the service
      • Outage lasted for 23 days
      • Result of “External Intrusion” on Company’s Network
      • Cost USD $250 million as the company worked to clean up the mess and reinforce its defenses
    MISSION: “a company that provides customers with Kando – to move them emotionally – and inspires and fulfils their curiosity.”
  • 24. The SABSA Approach
      • Security Service: Identify Security Services to provide required control objectives
      • Control Objective: Define Control Objectives to mitigate the identified threats to acceptable levels
      • Impact Analysis: Use Qualitative or Quantitative methods to define impact of the realization of the threat on the identified business objectives
      • Threat Analysis: Perform threat analysis. Identify actual threats to business attributes / business drivers
      • Business Attribute: Translate Drivers into Business Security Attributes. Security Attributes are provided by the SABSA framework
      • Business Driver: Identify the Business Drivers / Objectives. Prioritise Drivers
  • 25. Understand the Business and its Risks - Contextual and Conceptual Security Architecture
      • Gather, Assess and Analyse Business Requirements
          • Business Strategy
          • Business Processes and Functions
          • Organisational Structure – Personnel, Geographical, Partnerships
          • Budgets, Technical Constraints, Time Dependencies
      • Describe the Business Requirements
          • Use the Business Attributes database to describe the business in terms of Strategy, related Assets, Business Goals and Objectives -> Business Attribute Profile
      • Analyse the Business Risks
          • Perform a Threat Analysis on the business Assets, Goals and Objectives
          • Define the Business Impact of the realization of the threats
          • Identify Technical and Procedural Vulnerabilities
  • 26. SABSA – Business Attribute Profile
    Business Attribute groups: Management Attributes; User Attributes; Operational Attributes; Risk Management Attributes; Technical Strategy Attributes; Business Strategy Attributes; Legal / Regulatory Attributes
    Attributes shown: Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent, Transparent, Responsive, Anonymous, Continuous, Monitored, Legal, Regulated, Providing Return on Investment, Enabling time-to-market, Culture-sensitive
      • To prompt your thinking on business strategies, business drivers, business assets, goals and objectives
      • Key tool for conceptualizing the business assets that need protection in an information security architecture
      • Engineering technique for modeling Business Requirements into normalized, measurable, demonstrable, reusable, reportable form
      • Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
      • Measurable to define performance targets and risk appetite
  • 27. A worked example – Business Drivers
      • Business Driver: Data Protection Legislation
      • Business Attributes: Access-Controlled, Compliant, Protected, Private
      • Threats / Prioritised Business Impact:
          • Customer data is disclosed to internal users through inappropriate access controls
          • Staff leak customer information to unauthorized third parties
          • Customer information is disclosed in transit to third-party processor
          • Sensitive customer data is disclosed to unauthorized parties
          • Wide loss of customer confidence
          • Company brand damage
          • Prosecution by the regulators
  • 28. A worked example – Control Objectives
    Control Objectives: Protect Customer Information
    Business Attributes: Access-Controlled, Compliant, Protected, Private
      • People
          • Training and Awareness for all Staff on Data Protection
      • Technology
          • Identity Management
          • Authentication and Authorisation
          • Database and Network Encryption to protect personal data in storage and transit
          • Auditing and Logging of access to sensitive personal data
      • Operations, Process & Procedures
          • User Access Management
          • Monitoring User Access Levels and User Activity, particularly Third Parties
          • Incident Response for Data Breach
      • Governance
          • Nominated Data Protection Officer
          • Data Protection Policies, Standards and Procedures
          • Third Party Risk Management Framework
          • Data Protection Assurance
  • 29. Logical Security Architecture – What does it look like?
      • Business Attribute Profile
          • Select Business Attributes (mapped to business drivers)
          • Define enterprise specific business attributes, a measurement approach, metrics and targets
      • Control Objectives
          • Derive control objectives from the Business Attribute Profile and the Business Risk Model developed at the Conceptual Layer
      • Security Strategies
          • Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security
      • Security Services
          • Layered model of security services including: Prevention; Containment; Detection and Notification; Event Collection and Tracking; Recovery; Assurance
  • 30. A worked example – Security Services
      • Identity Management Tools
      • Authentication
      • Access Control
      • Authorisation
      • Auditing
      • Storage Encryption
      • Link Encryption
      • Breach
      • Security Management
      • Incident Management
      • Policies, Standards, Procedures, Guidelines
      • Training & Awareness
      • Proactive Reviews
      • Third Party Management Frameworks
  • 31. A worked example – Physical Security Architecture
  • 32. Security Architecture Deliverables – what do you get?
      • Contextual Security Architecture
          • Business Drivers
          • Prioritised Drivers
          • Impact Assessment
      • Conceptual Security Architecture
          • Business Attribute Profile
          • Business Risk Model
          • Security Domain Model
      • Logical Security Architecture
          • Security Domains and Associations
          • Logical Security Services Framework
      • Physical & Component Security Architecture
          • Detailed infrastructure and component solution design
          • Documented controls against control objectives
    Side label on the slide: Operational Security Control Framework
  • 33. SABSA – Provides Traceability. Business Justified: Every operational or technological security element can be justified by reference to a risk-prioritized business requirement.
  • 34. SABSA Top Applications
      • Security Architecture
      • Traceability & Alignment of Solutions to Business Requirements
      • Enterprise Risk & Opportunity Management
      • Assurance, Compliance & Audit
      • Governance & Policy Architecture
      • Technical Solutions Design
      • Security Service Management Framework
      • Critical National Infrastructure Strategy
  • 35. Benefits of Security Architecture Approach
      • Provides the Strategic Roadmap and Long-term View for security across the organisation
      • Enables Business-to-Security alignment
      • Ensures that all security models and implementations can be traced back to the business
      • All security controls are integrated and working together to optimise value
      • Reduces ad hoc or tactical security implementations
      • Establishes a common “language” for information security within the organisation
  • 36. Measuring Success in Security Architecture
    Characteristics of a Good Security Architecture:
      • Strategic Alignment – aligned to the current business strategy
      • Pragmatism: reflects the operating environment of the organisation and imposes appropriate controls to mitigate the risks
      • Robustness: demonstrates a thorough development with appropriate input, review and approval with stakeholders
      • Adaptive & Agile – designing a security architecture to deal with changing legal, regulatory and customer requirements
    Good Security Controls:
      • Driven by business requirements rather than technical considerations
      • Meets regulatory audit and compliance requirements by design
      • Appropriate to both the business risks and organisation’s risk appetite
      • Directly traceable to business objectives
  • 37. Agenda
      • Security Architecture Overview
      • Business Driven Approach to Architect Security
      ✓ Adaptive Security Architecture
      • Security Governance
      • Profile of a Good Security Architect
  • 38. Adaptive Security Architecture
      • Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks
      • Comprehensive protection requires an adaptive protection process integrating Predictive, Preventive, Detective and Response security capabilities
      • An Adaptive Security Protection Architecture requires Continuous Monitoring
  • 39. Agenda
      • Security Architecture Overview
      • Business Driven Approach to Architect Security
      • Adaptive Security Architecture
      ✓ Security Governance
      • Profile of a Good Security Architect
  • 40. Security Governance. The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies
      • are aligned with and support business objectives
      • adhere to policies, standards, and internal controls
      • provide assignment of authority and responsibility
    all in an effort to manage risk. Source: Information Security Governance, ISACA
  • 41. Agenda
      • Security Architecture Overview
      • Business Driven Approach to Architect Security
      • Adaptive Security Architecture
      • Security Governance
      ✓ Profile of a Good Security Architect
  • 42. Profile of a Good Security Architect. A Security Architect’s skill set is different from a designer’s:
      • Business-focused & Thinking in Business Terms at all times: Understand business goals and objectives and how they translate into security practices. Need to focus on security in conjunction with business enablement.
          • Why are we doing this?
          • What are we trying to achieve in business terms here?
      • Holistic Enterprise Security Mindset
      • Proficient in Risk Management
      • Soft skills are also important, like Big Picture Thinking, Problem Solving, Leadership, Communication, Collaboration, Negotiation etc.
  • 43. Key Takeaways
      • The Business-Driven approach to ARCHITECT Security provides Traceability to Business Objectives and allows you to understand the Business and its Risks
      • Good Security Controls are driven by Business Requirements rather than technical considerations or picking from a checklist of best practice security control objectives
      • The need for Security Architecture to be Adaptive and Constantly Adapting to changing Business and evolving Threats and Proactive in Monitoring / Analytics
      • For Security Architecture to be successful, you also need to GOVERN the Security
      • Security Architecture Thinking and Mindset…a Holistic Enterprise-Wide View of Securing the Enterprise in the Digital Age
  • 44. References:
      1. Cyber Resilience in the Digital Age. https://www.worldgovernmentsummit.org/api/publications/document?id=24717dc4-e97c-6578-b2f8-ff0000a7ddb6
      2. What is SABSA – A Introduction. https://www.vanharen.net/Player/eKnowledge/sabsa_-_a_introduction.pdf
      3. Information Security Governance: Guidance for Board of Directors and Executive Management. https://www.isaca.org/Knowledge-Center/Research/Documents/Information-Security-Govenance-for-Board-of-Directors-and-Executive-Management_res_Eng_0510.pdf
      4. Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group. https://publications.opengroup.org/review/product/list/id/85/category/63/