PECB Webinar 2nd December 2015
Speaker : Fabrice De Paepe
Senior Information Security Consultant / PECB Partner & Trainer
Introduction to ISO/IEC 27032
What is the n°1 worldwide security threat?
Introduction to ISO 27032 2
Hacking will replace terrorism: FBI Director Robert Mueller reiterated in his testimony (2012) that cyber-threats would surpass terrorism as the country's top concern.
Schedule for the day
1. An overview of Cybersecurity
2. Cybersecurity relationships with other types of security
3. Guidance for addressing common cybersecurity issues
4. Convincing stakeholders to collaborate on resolving cybersecurity issues
1- An overview of Cybersecurity
What is Cyberspace?
"The cyberspace can be described as a virtual environment, which does not exist in any physical form, but rather, a complex environment or space resulting from the emergence of the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks that are connected to it" (ISO 27032)
What is Cybersecurity?
"Cyberspace security or Cybersecurity is about the security of this virtual world"
"Cybersecurity relates to actions that stakeholders should be taking to establish and maintain security in the Cyberspace" (ISO 27032)
ISO 27032 provides guidance for improving the state of cybersecurity with a focus on:
- Attacks by malicious and potentially unwanted software
- Social engineering attacks
- Information sharing and coordination
2 – Cybersecurity relationships with other types of security
(Figure: relationship between ISO 27001 and ISO 27032)
3 – Guidance for addressing common cybersecurity issues
Assets in the Cyberspace
Asset types: information, software, physical, services, people, reputation and image.
Personal assets
  - Physical: personal digital devices (endpoint, smartphone)
  - Virtual: online credit information, Bitcoins
Organizational assets
  - Physical: infrastructure
  - Virtual: online brand
Threats to personal or organizational assets in the Cyberspace
Personal
  - Physical: identity issues; leakage or theft of personal information
  - Virtual: virtual theft and mugging
Organizational
  - Disclosure of personal information of employees, clients, partners and suppliers
  - Financial filing regulations breached
Government agencies
  - Gray areas in which terrorism thrives
Common cybersecurity issues
  - Social engineering attacks
  - Hacking
  - Malicious software (malware)
  - Spyware
  - Unwanted software
Controls covered
  - Application level controls
  - Server protection
  - End-user controls
  - Controls against social engineering attacks
Technical controls
Application level controls
  • Display short notices for the company's essential online services
  • Secure:
      - handling of sessions for web applications (cookies, session fixation, ...)
      - input validation and handling to prevent attacks (SQL injection)
      - web page scripting to prevent XSS
      (see OWASP, ISO 27034, CWE, SANS)
  • Code security review
  • HTTPS (SSL/TLS)
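The three "secure" items in the application-level list (session handling, input validation, web page scripting) as a constructed Python example added here; it is not code from the webinar or from the standard. Each control is shown as a vulnerable function beside its hardened counterpart. The in-memory SQLite table, the dictionary session store and the cookie name `sid` are assumptions made for the demonstration.

```python
"""Application-level controls from the ISO 27032 list, as constructed examples:
session fixation, SQL injection and XSS, each as a vulnerable and a hardened
variant. All names and sample data are illustrative, not from the standard."""
import html
import secrets
import sqlite3

# --- Session handling ---------------------------------------------------
# Constructed in-memory session store (assumption): session_id -> record
SESSIONS = {}


def login_vulnerable(session_id, user):
    """Keeps the pre-authentication session id after login. An attacker who
    planted that id (session fixation) now shares the authenticated session."""
    SESSIONS[session_id] = {"user": user, "auth": True}
    return session_id


def login_hardened(session_id, user):
    """Discards the pre-authentication session and issues a fresh random id on
    the privilege change, so a fixated id never becomes authenticated."""
    SESSIONS.pop(session_id, None)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = {"user": user, "auth": True}
    return new_id


def session_cookie(session_id):
    """Set-Cookie value with the attributes that keep the id off clear-text
    HTTP and away from page scripts (HTTPS is assumed to be deployed)."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


# --- Input handling (SQL injection) -------------------------------------
def make_db():
    """Constructed user table for the queries below (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def auth_vulnerable(db, name, pw):
    """String-built query: user input is parsed as SQL syntax."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return db.execute(q).fetchone() is not None


def auth_hardened(db, name, pw):
    """Parameterized query: input is bound as data, never parsed as SQL."""
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return db.execute(q, (name, pw)).fetchone() is not None


# --- Output handling (XSS) ----------------------------------------------
def greet_vulnerable(name):
    """Reflects user input into HTML unencoded."""
    return f"<p>Hello {name}</p>"


def greet_hardened(name):
    """HTML-encodes user input before it reaches the page, so tags and
    quotes are rendered as text instead of being interpreted."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"      # comments out the password check in SQLite
    print("SQLi bypass on vulnerable query:", auth_vulnerable(db, payload, "x"))
    print("same input on parameterized query:", auth_hardened(db, payload, "x"))
    print(greet_hardened("<script>alert(1)</script>"))
    print(session_cookie(login_hardened("attacker-chosen-id", "alice")))
```

The session example is the one most often missed in reviews: regenerating the identifier on login is what defeats fixation, and the cookie attributes only protect the new identifier once it exists.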
Server protection (against unauthorized access and malicious content on servers)
  • Hardening
  • Implement a system to test and deploy security patches
  • Monitor the security performance
  • Review the security configuration
  • Run anti-malicious-software controls (anti-virus, anti-malware)
  • Scan all hosted and uploaded content regularly
  • Perform regular vulnerability assessments
  • Regularly scan for compromises
End-user controls
  • Use a supported OS
  • Use the latest supported software applications
  • Use anti-virus and anti-spyware
  • Enable script blockers
  • Use phishing filters
  • Use other available web browser security features
  • Enable a personal firewall and HIDS
  • Enable automated updates
Controls against social engineering attacks
  • Policies
  • Methods and processes
  • Categorization and classification of information
  • Awareness and training
  • Testing
  • People & organization
  • Technical
Framework of information sharing and coordination
  IPO: Information Providing Organisation
  IRO: Information Receiving Organisation
Policies
  • Policies should be defined to address the lifecycle of cybersecurity incident information, from creation to transfer and destruction, to ensure confidentiality, integrity and availability (C.I.A.) are maintained
  • Classification and categorization of information
  • Information minimization
  • Limited audience
  • Coordination protocol
Methods and processes
  • Classification and categorization of information
  • NDA
  • Code of practice
  • Testing and drills
  • Timing and scheduling of information sharing
People and organizations
  • Contacts
  • Alliances
  • Awareness and training
Technical
  • Data standardization for automated systems
  • Data visualization
  • Cryptographic key exchange and software/hardware backups
  • Secure file sharing, instant messaging, web portal, and discussion forum
  • Testing systems
4 – Convincing stakeholders to collaborate on resolving security issues
Stakeholders: roles of consumers (individuals, organizations) and roles of providers.
Roles of consumers (individuals)
  - General Cyberspace application user: online gamer, instant messaging, web surfer, ...
  - Buyer (e-commerce)
  - Seller (eBay)
  - Blogger (blog, wiki, Twitter, YouTube, ...)
  - IAP (Independent Application Provider)
  - You, as an employee of an organization
  - ...
When a user visits a site that requires authorization and unintentionally gains access, the user may be labelled as an intruder.
Roles of consumers (organizations)
Organizations should extend their corporate responsibilities to the Cyberspace, by proactively ensuring that their practices and actions do not introduce further security risks (into the Cyberspace).
Some proactive measures:
  - Implementing an ISMS
  - Proper security monitoring and response
  - Incorporating security as part of the SDLC (ISO 27034)
  - Regular security education of users
  - Understanding and using proper channels
Roles of consumers (organizations): government, law enforcement and regulators
The government, law enforcement agencies and regulators may have the following roles to play:
  - Advise organizations of their roles and responsibilities in the Cyberspace
  - Share information with other stakeholders on the latest trends and developments in technology, and on the current prevalent risks
  - Be a conduit for receiving any information with regard to security risks
  - Be the primary coordinator for information dissemination and orchestration
Example: national CERTs (cert.be, cert.lu)
Roles of providers
Providers have the same roles and responsibilities as consumer organizations. They have additional responsibilities in maintaining cybersecurity by providing:
  - Safe and secure products and services
  - Safety and security guidance for end-users
  - Security inputs to other providers and to consumers
Stakeholders, assets and measures
  Stakeholders
    - Consumers: individuals; organizations (private, public)
    - Providers: Internet service providers; application service providers
  Assets
    - Personal: physical assets, virtual assets
    - Organizational: physical assets, virtual assets
  Measures
    - Best practices: preventive, detective, reactive
    - Coordination & information sharing
Guidelines for stakeholders
Risk assessment and treatment: the ISO 31000 and ISO 27005 guidelines are sufficient for addressing cybersecurity risks.
Guidelines for consumers
  - Learn and understand the security and privacy policy of the site and application concerned, as published by the site provider
  - Manage online identity
  - ...
Guidelines for organizations and service providers
  - Manage information security risks in the business (ISMS)
  - Provide secure products
  - Network monitoring and response
  - Support and escalation
  - Keep up to date with the latest developments
  - Address security requirements for hosting web and other cyber-application services
  - Comply with practice standards, policies, terms of agreement, data protection, privacy, ... (data protected against unauthorized access)
  - Provide security guidance to consumers: how to stay secure online (security newsletter, direct broadcast, security seminar, ...)
Conclusion
  - Cybersecurity is everyone's business; impacts could be catastrophic
  - Addressing cybersecurity risks involves a combination of multiple strategies, taking into account the various stakeholders (consumer, employee, partner, third party, ...)
  - Risks need to be identified and addressed
  - Awareness and communication are needed on how to detect and report potential risks and security incidents
  - Keep an eye on new emerging technologies (e.g. IoT)
  - Prevention, detection, recovery
Facts
"The average number of days that attackers were present on a victim's network before they were discovered is 229."
Mandiant M-Trends Report 2014 (http://www.infosecurityeurope.com)
Q&A
What's next?
Get your passport to Cybersecurity and join us in #Nice for the PECB Partner Event on CyberSecurity.
I am a #nice #BlueOwl passionate about #traveling and #cybersecurity. Tweeting in #EN #ES #FR.
#FollowBlueOwl on Twitter @BlueOwlJourney

Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...PECB
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?PECB
 
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?PECB
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701PECB
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...PECB
 

Plus de PECB (20)

Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?Business Continuity, Data Privacy, and Information Security: How do they link?
Business Continuity, Data Privacy, and Information Security: How do they link?
 
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
Ethical Hacking vs Penetration Testing vs Cybersecurity: Know the Difference?
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
 

Dernier

Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Dave Phillips
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxKatherine Villaluna
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational PhilosophyShuvankar Madhu
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 

Dernier (20)

Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
Practical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptxPractical Research 1 Lesson 9 Scope and delimitation.pptx
Practical Research 1 Lesson 9 Scope and delimitation.pptx
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
Philosophy of Education and Educational Philosophy
Philosophy of Education  and Educational PhilosophyPhilosophy of Education  and Educational Philosophy
Philosophy of Education and Educational Philosophy
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 

PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032

  • 1. PECB Webinar, 2nd December 2015. Speaker: Fabrice De Paepe, Senior Information Security Consultant / PECB Partner & Trainer. Introduction to ISO/IEC 27032
  • 2. What’s the n°1 worldwide security threat?
  • 3. Hacking Will Replace Terrorism. FBI Director Robert Mueller reiterated his testimony that cyber-threats would surpass terrorism as the country's top concern (2012).
  • 4. Schedule for the day: An overview of Cybersecurity • Cybersecurity relationships with other types of security • Guidance for addressing common cybersecurity issues • Convincing stakeholders to collaborate on resolving cybersecurity issues
  • 5. 1 - An overview of Cybersecurity. What is Cyberspace? “The cyberspace can be described as a virtual environment, which does not exist in any physical form, but rather, a complex environment or space resulting from the emergences of the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks that are connected to it” (ISO 27032)
  • 6. 1 - An overview of Cybersecurity. What is Cybersecurity? “Cyberspace security or Cybersecurity is about the security of this virtual world” “Cybersecurity relates to actions that stakeholders should be taking to establish and maintain security in the Cyberspace” (ISO 27032)
  • 7. 1 - An overview of Cybersecurity. ISO 27032 provides guidance for improving the state of cybersecurity with a focus on: Attacks by malicious and potentially unwanted software • Social engineering attacks • Information sharing and coordination
  • 8. 1 - An overview of Cybersecurity
  • 9. 2 - Cybersecurity relationships with other types of security: ISO 27001 / ISO 27032
  • 10. 2 - Cybersecurity relationships with other types of security
  • 11. 3 - Guidance for addressing Common Cybersecurity issues. Assets in the Cyberspace: Information • Software • Physical • Services • People • Reputation, image
  • 12. 3 - Guidance for addressing Common Cybersecurity issues. Assets in the Cyberspace: Personal assets: Physical (personal digital device: endpoint, smartphone), Virtual (online credit information, Bitcoins) • Organizational assets: Physical (infrastructure), Virtual (online brand)
  • 13. 3 - Guidance for addressing Common Cybersecurity issues. Threats to personal or organizational assets in the Cyberspace: Personal: Physical (identity issue; leakage or theft of personal information), Virtual (virtual theft and mugging) • Organizational: disclosure of personal information of employees, clients, partners and suppliers; financial filing regulations breached • Government agencies: a gray area in which terrorism thrives
  • 14. 3 - Guidance for addressing Common Cybersecurity issues: Social engineering attacks • Hacking • Malicious software (malware) • Spyware • Unwanted software
  • 15. 3 - Guidance for addressing Common Cybersecurity issues: Application level controls • Server protection • End user controls • Social engineering attacks
  • 16. 3 - Guidance for addressing Common Cybersecurity issues – Technical controls: Application Level Controls • Display short notice of the company’s essential online services • Secure handling of sessions for Web applications (cookies, session fixation, ...) • Input validation and handling to prevent attacks (SQL injection) • Web page scripting to prevent XSS (see OWASP, ISO 27034, CWE, SANS) • Code security review • HTTPS / SSL
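As an added example (this is not code from the webinar, PECB or ISO 27032), two of the application-level controls named on slide 16 in runnable Python: allowlist input validation with a parameterized query as the SQL injection control, and a login that discards the pre-login session ID and sets HttpOnly, Secure and SameSite cookie attributes as the session fixation and cookie-handling control. The user table, the username policy (lowercase letters, digits, underscore) and the in-memory session store are constructed for this demo and stand in for a real user store and web framework.

```python
"""Added example (not from the PECB webinar or ISO 27032): two of the
application-level controls listed on slide 16, as runnable Python.

1. Input validation plus a parameterized query (the SQL injection control).
2. Session handling that discards the pre-login session ID at login (the
   session fixation control) and sets protective cookie attributes.

The user table, the username policy and the session store are constructed
for this demo; a real application would use its own user store and framework.
"""
import re
import secrets
import sqlite3

# ---- 1. Input validation and parameterized SQL ----------------------------

# Allowlist policy (assumed): 3-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(name: str) -> bool:
    """Allowlist validation: anything outside the expected alphabet is rejected."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: user input is spliced into the SQL text, so the
    database parses it as SQL rather than treating it as a value."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def unsafe_lookup_errors(conn: sqlite3.Connection, name: str) -> bool:
    """True when the unsafe query fails to parse for this name (for example
    a legitimate name containing an apostrophe): evidence that the input
    reached the SQL parser, which is the defect input handling must remove."""
    try:
        lookup_email_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


def lookup_email(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: validate first, then bind the value as a parameter so
    it can never change the structure of the statement."""
    if not is_valid_username(name):
        raise ValueError("username rejected by input validation")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# ---- 2. Session handling: fresh ID at login, protective cookie flags ------

SESSIONS = {}  # constructed in-memory session store: session id -> data


def new_session() -> str:
    """Anonymous pre-login session, as issued on a visitor's first request."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user": None}
    return sid


def login(old_sid: str, user: str) -> str:
    """Session fixation control: the ID that existed before authentication
    (possibly planted by a third party) is invalidated and a fresh one is
    bound to the authenticated user."""
    SESSIONS.pop(old_sid, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts (XSS) away from the ID,
    Secure restricts it to HTTPS (slide 16's HTTPS/SSL control), and
    SameSite=Strict stops it being sent on cross-site requests."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    db = make_db()
    print(lookup_email(db, "alice"))
    print("unsafe query breaks on o'brien:", unsafe_lookup_errors(db, "o'brien"))
    anon = new_session()
    authed = login(anon, "alice")
    print("session rotated at login:", anon != authed)
    print(session_cookie(authed))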
  • 17. 3- Guidance for addressing Common Cybersecurity issues – Technical controls Introduction to ISO 27032 17 • Hardening • Implement a system to test and deploy security patches • Monitor the security performance • Review the security configuration • Run anti-malicous software controls (anti- virus, anti-malware) • Scan all hosted and uploaded contents regularly • Perform regular vulnerability assessment • Regularly scan for compromises Server Protection (against unauthorized access of malicious content on servers)
  • 18. 3- Guidance for addressing Common Cybersecurity issues – Technical controls Introduction to ISO 27032 18 •Use of supported OS •Use of the latest supported Software applications •Use of anti-virus and anti-spyware •Enable script blockers •Use phishing filters •Use other available web browser security features •Enable personal FW & HIDS •Enable automated update End- user
  • 19. 3- Guidance for addressing Common Cybersecurity issues – Technical controls Introduction to ISO 27032 19 •Policies •Methods and processes •Categorization and classification of information •Awareness and training •Testing •People & Organization •Technical Social engineering attacks
  • 20. 3- Guidance for addressing Common Cybersecurity issues – Framework of information sharing and coordination Introduction to ISO 27032 20 IPO Information Providing Organisation IRO Information Receiving Organisation
  • 21. 3- Guidance for addressing Common Cybersecurity issues – Framework of information sharing and coordination Policies • Policies should be defined to address the lifecycle of the Cybersecurity incident information from creation to transfer and destruction to ensure C.I.A are maintained • Classification and categorization of information • Information minimization • Limited audience • Coordination protocol Introduction to ISO 27032 21
  • 22. 3- Guidance for addressing Common Cybersecurity issues – Framework of information sharing and coordination Methods and Processes • Classification and categorization of information • NDA • Code of Practice • Testing and drills • Timing and scheduling of information sharing Introduction to ISO 27032 22
  • 23. 3- Guidance for addressing Common Cybersecurity issues – Framework of information sharing and coordination People and organizations •Contacts •Alliances •Awareness and training Introduction to ISO 27032 23
  • 24. 3- Guidance for addressing Common Cybersecurity issues – Framework of information sharing and coordination Technical • Data standardization for automated system • Data visualization • Cryptographic key exchange and software/hardware backups • Secure file sharing, instant messaging, web portal, and discussion forum • Testing systems Introduction to ISO 27032 24
  • 25. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 25 •individuals •organizations Roles of consumers Roles of providers
  • 26. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 26 Roles of consumers (individuals) General Cyberspace Application user Online Gamer, instant messaging, websurfer… Buyer (Ecommerce) Seller (Ebay) Blogger (blog, wiki, twitter, youtube,…) IAP (Idenpendent Application Provider) You as an employee of an organization ... When a user visits a site which requires authorization, and unintentionally gain access, the user may be labelled as an intruder.
  • 27. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 27 Roles of consumers (organizations) Should extend their corporate responsibilities to Cyberspace By proactively ensuring that their practices and actions do not introduce further security risks (into the cyberspace) Some proactive measures : Implementing ISMS Proper security monitoring and response Incorporating Security as part of the SDLC (ISO 27034) Regular security education of users Understanding and using proper channels
  • 28. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 28 Roles of consumers (organizations) The government, law enforcement agencies and regulators may have the following roles to play : Advise organizations of their R&R in the Cyberspace Share info with other stakeholders On the latest trends and developments in technology On the current prevalent risks Be a conduit for receiving any information with regards to security risks Be the primary coordinator for info dissemination and orchestration Ex: National CERT (cert.be, cert.lu)
  • 29. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 29 Roles of providers Same roles and responsibilities as consumer organizations They have additional responsibilities in maintaining cybersecurity by providing Safe and secure products and services Safety and security guidance for end-users Security inputs to others providers and to consumers
  • 30. 4 – Convincing stakeholders to collaborate on resolving security issues Consumers - Individuals - Organizations - Private - Public Providers - Internet Service Providers - Application Service Providers Personal - Physical Assets - Virtual Assets Organizational - Physical Assets - Virtual Assets Best Practices - Preventive - Detective - Reactive Coordination & Information Sharing Introduction to ISO 27032 30 Stakeholders Assets Measures
  • 31. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 31 Guidelines for Stakeholders Risk assessment and treatment ISO31000 and ISO27005 guidelines are sufficient for addressing Cybersecurity Risks Guidelines for Consumers Learn and understand the security and privacy policy of the site and application concerned as published by the site provider Manage online identity …
  • 32. 4 – Convincing stakeholders to collaborate on resolving security issues Introduction to ISO 27032 32 Guidelines for organizations and services providers Manage IS Risks in the business ISMS Provide Secure Products Network Monitoring and Response Support and Escalation Keeping up-to-date with latest development Address security requirements for hosting Web and other cyber-application services Comply with practices standards, policy, terms of agreements, Data Protection, Privacy, …protected against unauthorized access Provide security guidance to consumers How to stay secure online (security newsletter, direct broadcast, security seminar,…)
  • 33. Conclusion Introduction to ISO 27032 33 Cyber security is everyone’s business, impacts could be catastrophic Cybersecurity risks involve a combination of multiples strategies, taking into account the various stakeholders (consumer, employee, partner, third party,…) Risks need to be identified and addressed Need of Awareness and Communication on how to report – detect potential risk and security incidents Keep an eye on new emerging technologies (e.g.: IoT)
  • 34. Conclusion Introduction to ISO 27032 34 Prevention Detection Recovery
  • 35. Facts Introduction to ISO 27032 35 “The average number of days that attackers were present on a victim’s network before they were discovered is 229.” Mandiant M-Trends Report 2014 http://www.infosecurityeurope.com
  • 37. What’s next ? Get your passport to Cybersecurity and join us in #Nice for the PECB Partner Event on CyberSecurity Introduction to ISO 27032 37
  • 38. What’s next ? Introduction to ISO 27032 38 I am a #nice #BlueOwl passionate about #traveling and #cybersecurity. Tweeting in #EN #ES #FR
  • 39. What’s next ? Introduction to ISO 27032 39 #FollowBlueOwl on Twitter @BlueOwlJourney

Notes de l'éditeur

  1. According to the FBI’s Director (Robert Mueller – 2012) Cela veut surtout dire que c’était déjà l’une des préoccupation du FBI il y a 3 ans. Le hacking peut aussi être une arme des terroristes pour s’enrichir Rappelez-vous un Tweet comme quoi Barack Obama a été blessé, il s’agissait en fait du piratage d’un compte twitter. Les systèmes informatiques de la bourse de N-Y ont immédiatement réagit, cela a perturbé la valeurs des échanges Celui qui est au courant de cela, peut après racheter à bas pris ou vendre juste avant que cela ne baisse, pour racheter à bas pris derriere
  2. First, a few basic things. What is cyberspace? Well – we use it everyday to exchange emails, we use the cloud to handle our bills and invoice, we speak with our partners true Skype, Viber, IMO or any other Mobile App – We use a VPN to connect to our corporate network from abroad and we read it with our Tablets from everywhere in the world. We follow distance learning trainings (MOOC), or E-learning, follow a Webex or a webinar on ISO 27032 for instance and it’s where finally I decide to purchase my Xmas gift (meaning online, doing some e shopping sessions)
  3. While there is no lack of cybersecurity threats, and as many, albeit not standardized, ways to counter them, the focus of this International Standard is on the following key issues: attacks by malicious and potentially unwanted software; social engineering attacks; and information sharing and coordination.
  4. Security is concerned with the protection of assets from threats, where threats are categorised as the potential for abuse of protected assets. All categories of threats should be considered, but in the domain of security greater attention is given to those threats that are related to malicious or other human activities. Safeguarding assets of interest is the responsibility of the stakeholders who place value on those assets. Threat agents may also put value on your assets and seek to abuse them. The risks concern the C.I.A. properties (confidentiality, integrity and availability of the information). Stakeholders assess risks taking into account the threats that apply to their assets. This analysis can help in the selection of controls to counter the risks and reduce them to an acceptable level. Controls are imposed to reduce the vulnerabilities or the impact to a level acceptable to the stakeholders. Stakeholders can also ask external organizations to assess the controls (penetration testers, auditors, code reviewers, social engineers, …).
  5. ISO 27001 vs ISO 27032. There are many standards in the ISO 27001 series, all related to security. You probably don’t know much about ISO 27032:2012 because it is not as well-known as ISO 27001, ISO 27002 or ISO 22301, but it is near you, because it has to do with a place that you habitually visit: cyberspace. ISO 27032 has not been released as an auditable international standard. The proposed guidelines regarding governance of Cybersecurity are a direct adaptation of the ISO 27001 (ISMS) requirements, with the suggestion of extending the scope of the existing ISMS to include the transfer and sharing of information via the Cyberspace. Organisations implementing an ISMS in accordance with ISO 27001 will be aligned with the governance guidelines of ISO 27032 once the scope of the ISMS is extended to include Cybersecurity. The biggest and, for many, the most welcome adaptation of the ISO 27001 standard in ISO 27032 is the dependency on the risk assessment process organisations implement to comply with ISO 27001. As an organization in the Cyberspace you are still required to identify your critical assets, identify your threats and vulnerabilities and prioritise the risks to your critical assets, which will in turn give you a framework for Cybersecurity investment. The word “security” is a complex term that involves various disciplines, and it is composed of various domains, like application security, network security … and cybersecurity. So, cybersecurity is not synonymous with information security, application security, network security, etc. The main objective of cybersecurity is to require stakeholders to play an active role in the maintenance of cyberspace (i.e., it requires actions that stakeholders should be taking to establish and maintain security in cyberspace) and in the improvement of its reliability and utility.
  6. This figure summarizes the relationship between Cybersecurity and other security domains. The relationship between these security domains and Cybersecurity is complex. Cybersecurity is different from information security, network security and Internet security. E.g. some of the critical infrastructure services, for example water distribution and transportation, need not impact the state of Cybersecurity directly or significantly. However, the lack of Cybersecurity can have a negative impact on the availability of critical information infrastructure systems provided by the critical infrastructure providers. On the other hand, the availability and reliability of the Cyberspace in many ways rely on the availability and reliability of related critical infrastructures and services (e.g. telecoms). The security of the Cyberspace is also closely related to the security of the Internet, enterprise/home networks and information security in general. Each security domain identified in the picture may have its own scope, objective or focus. A basic framework for information sharing and issue or incident coordination is necessary to bridge the gaps and provide adequate assurance to the stakeholders in the Cyberspace. Well, I hope you now clearly see that Cybersecurity is a subset of information security and the different possible relationships between them.
  7. An asset is anything that has value to an individual or an organization. There are many types of assets, including but not limited to: information; software; physical assets (hardware, computers, servers); services; people; reputation and image.
  8. For the purpose of this Standard, assets in the Cyberspace are classified into the following classes: personal and organizational. For both classes, an asset can also be further classified as a physical asset (whose form exists in the real world) or a virtual asset (which only exists in the Cyberspace and cannot be seen or touched in the real world).
  9. Threats to personal assets revolve mainly around identity issues, posed by leakage or theft of personal information. Ex: credit information can be sold on the black market, which can facilitate online identity theft. As rules and regulations for the protection of real physical assets in connection with the Cyberspace are still being written, those pertaining to virtual assets are almost non-existent. Extra care and caution must be taken by participants. In the event of a successful attack, personal information from employees, clients, partners or suppliers could be disclosed and result in sanctions against the organizations. Financial filing regulations could also be breached if organizational results are disclosed in an unauthorized manner. Well, recent events around the world remind us that terrorism is still a threat and is present. Government agencies also need to protect their data if they want to fight against these organizations. Cyberspace is a gray area in which terrorism thrives, thanks to the ease of communication provided by the Cyberspace. It’s really difficult to regulate and control the way that it can be used (borders, scope, boundaries, ...).
  10. Attack mechanisms. This standard highlights five types of attacks. Attacks can come from inside the private network or from outside the private network (meaning from the Internet). Inside: normally launched inside an organization’s private network, typically the local area network, and can be initiated by employees or someone who gets access to a computer or network within an organization’s or individual’s premises. Outside: DoS, XML bomb, buffer overflow, IP spoofing, … Many of the attacks are carried out using malicious software, such as spyware, worms and viruses. Information is often gathered through phishing techniques. These attacks can be propagated via suspicious websites, unverified downloads, spam emails, remote exploitation and infected removable media. Other mechanisms growing in use are those based on social networking (clickjacking: you click on a video on Facebook and nothing happens; well, indeed, there is no video, rather a remote script, or a trojan is installed in stealth mode on your computer…). Individuals tend to implicitly trust messages and content received from contacts previously accepted in their profiles on their social networking websites. Once an attacker can disguise him/herself as a legitimate contact, the attacker can engage others, and a new avenue is opened for launching the various types of attacks previously discussed. I’m pretty sure, if I send you an email as the CEO of a major company (from the inside), and you work for this company, I’m sure you will click on the link I provided you. Legitimate websites can also be hacked into and have some of their files corrupted and used as a means for perpetrating attacks. Individuals tend to implicitly trust commonly visited websites, often bookmarked in their Internet browsers for a long time, and even more those which use security mechanisms such as SSL (Secure Sockets Layer). We will see some precautions against this later.
  11. Once the risks are identified and appropriate guidelines are drafted, Cybersecurity controls that support the security requirements can be selected and implemented. This is an overview of the key Cybersecurity controls that can be implemented to support the guidelines laid out in this Standard. The technical controls include: Application level controls: implement controls to protect against unauthorized data edits, carry out transaction logging and error handling; secure coding must be implemented to secure information collected by products in the Cyberspace. Server protection: controls must be implemented to ensure servers are securely accessible from the Cyberspace and protected against unauthorised access and malicious content. End-user controls: controls must be implemented to protect the end-user infrastructure across organisations against known exploits and attacks. Controls against social engineering attacks: organisations should train and educate users on the use of suitable technical controls to protect against known exploits and attacks. As a general guide, the technical controls defined in this section of ISO 27032 should be implemented.
  12. Application level controls include the following: 1) display a short notice of the company’s essential online services so users are able to make more informed choices about sharing their information online (have a look also at local charters, e.g. e-commerce compliance charters or ethical charters, in your different countries); 2) secure handling of sessions for web applications (cookies, cookie flags), secure input validation and handling to prevent attacks such as SQL injection, and secure web page scripting to prevent common attacks such as XSS (see OWASP and ISO 27034, CWE, SANS); 3) code security review and testing by appropriately skilled entities; 4) HTTPS – SSL: the organization’s service should be provided in a fashion that the consumer can authenticate the service.
  • 13. Well, there is nothing new here and it looks really obvious to me. Server protection: 1) hardening, in accordance with a baseline security configuration guide; 2) implement a system to test and deploy security updates, and ensure the server OS and applications are kept up to date promptly when new security updates are available; 3) monitor the security performance of the server through regular reviews of audit trails; 4) review the security configuration; 5) run anti-malicious software controls (anti-virus, anti-malware) on the server; 6) scan all hosted and uploaded content regularly; 7) perform regular vulnerability assessments and security testing for the online sites and applications to ensure that their security is adequately maintained; regularly scan for compromises. And I’d say it’s not only there that we need to focus on trade-offs but everywhere in business; it’s also part of negotiation and risk analysis.
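Two of the server-protection controls above, reviewing audit trails (3) and scanning for compromises, worked as Python code. This is an added example, not code from the webinar, PECB or ISO 27032. The log lines are constructed samples in OpenSSH's auth.log format, the source addresses come from the RFC 5737 documentation ranges, the file names are invented, and the threshold of five failures is an assumption.

```python
"""Audit-trail review and a file-integrity compromise scan.

Added example, not from the webinar or the standard. The log excerpt and
the web-root files are constructed; addresses are documentation ranges.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Dec  2 09:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Dec  2 09:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.10 port 51123 ssh2
Dec  2 09:14:05 web01 sshd[2231]: Failed password for root from 203.0.113.10 port 51124 ssh2
Dec  2 09:14:08 web01 sshd[2231]: Failed password for root from 203.0.113.10 port 51125 ssh2
Dec  2 09:14:10 web01 sshd[2231]: Failed password for root from 203.0.113.10 port 51126 ssh2
Dec  2 09:15:44 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
Dec  2 09:16:02 web01 sshd[2245]: Failed password for deploy from 198.51.100.7 port 40211 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")


def failed_logins_by_source(log_text: str) -> dict:
    """Audit-trail review: count failed password attempts per source host."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


def brute_force_sources(log_text: str, threshold: int = 5) -> list:
    """Sources that reached the failure threshold (assumed value), sorted."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items()
                  if n >= threshold)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Compromise scan: files changed, added or removed since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_integrity_check() -> dict:
    """Baseline a constructed web root, alter it, and rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", "<?php echo 'hello';"),
                           ("config.php", "<?php $db = 'app';")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        # What a review should catch: one page edited, and one file that was
        # never part of the release appearing in the web root.
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'changed';")
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("<?php // not part of the release")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_AUTH_LOG))
    print(brute_force_sources(SAMPLE_AUTH_LOG))
    print(demo_integrity_check())
```

The baseline only proves anything if it was taken from a known-good deployment and stored off the server; the same comparison run against a signed package manifest is the usual production form of this check.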
  15. Cybercriminals are increasingly resorting to psychological or social engineering tactics in order to succeed. As we are e-connected (mobile, tablet, social networks), such attacks are also transcending technology beyond PC systems and traditional network connectivity (including Bluetooth, VoIP). Raise awareness on this: communicate and follow the rules described in a security policy towards end users.
  16. The ISO 27032 standard introduces the concepts of IPO and IRO, which ISO advises should feature heavily in the framework developed for information sharing and incident handling. IPO – Information Providing Organisation (the sender of the Cybersecurity-related information); IRO – Information Receiving Organisation (the recipient of the Cybersecurity information). An IPO can become an IRO and vice versa (much like client/server). This section of the standard provides guidelines for the implementation of a secure, reliable, effective and efficient information sharing and cyber incident response framework. The framework includes the following areas.
  17. This standard defines a framework for information sharing and coordination. Why? Well, when you have a security incident across different organizations, countries, geographical locations and different stakeholders, you need to establish a system for information sharing and coordination to help prepare for and respond to Cybersecurity events and incidents. This is a basic framework; for me you can also rely on ISO 27035 (Information Security Incident Management), or if you already have ISO 22301 (for BCP) you could also rely on crisis management; then you define your own “framework to communicate” based on the existing processes at your company. Policies. Classification and categorization of information: IPOs should determine the different categories of information they collect (security events, security threats, security vulnerabilities, suspected/confirmed perpetrator profiles and so forth). Each category should be further broken down into two or more classifications based on the contents of the information involved (e.g. sensitive and unrestricted); if information contains personal data, privacy rules may also apply. Then you can also have a look at ISO 29100, which defines a framework to implement privacy. Information minimization: for each category and classification, IPOs should exercise caution to minimize the information to be distributed. Limited audience: in line with the minimization principle, a policy to limit the audience for distribution, which may be to a specific contact person, group or organization, is necessary when sharing information containing private or confidential data. Coordination protocol: a high-level policy for coordinating the request and distribution (whether IPO- or IRO-initiated) should be established.
  18. To implement the policies defined in the framework and ensure consistency in practices of information sharing and incident handling, the appropriate methods and processes should be in place, which all parties involved in the information sharing practices follow. Methods and processes. Classification and categorization of information: information to be shared will come from both open (e.g. Internet, newspapers) and closed sources (not publicly available). NDA (Non-Disclosure Agreement): bear in mind we are in a context of information sharing; that said, we need it to ensure the adequate handling and protection of sensitive, personal and confidential information shared among IPOs and IROs. While responding to Cybersecurity events, the pre-establishment of an NDA enables swift sharing and distribution of information amongst authorized parties. Code of practice: establishing this is a good practice to ensure adequate sharing and handling of sensitive information. Testing and drills: to ensure effectiveness and reliability and to achieve the desired level of efficiency, methods and processes should be developed for conducting regular testing and drill scenarios. Timing and scheduling of information sharing: also define the requirements for the interval at which information is shared. Some organizations will need real-time information; others will accept some delay, as it also gives them time for further analysis.
  19. People and organizations are the key determinants of the success of cybersecurity. People refers to individuals involved in executing the methods and processes for information sharing and coordination to make a positive difference to the outcomes of Cybersecurity events, while organizations refers to groups of people within a company, up to the entire company, involved in such activities. Contacts: a list of contacts should be compiled by the IPO and IRO and mutually exchanged (it’s the same in business continuity with ISO 22301 if you need to operate a BCMS, and it’s the same in crisis management and incident management; looks obvious, isn’t it?). Alliances: to facilitate information sharing and establish common and consistent practices governed by an agreed code of practice and/or NDA, organizations and groups of individuals may form alliances based on their areas of interest (e.g. Interpol, the Anti-Spyware Coalition, saferinternet.be). Awareness and training: people in organizations should be made aware of emerging and new Cybersecurity risks and trained so that they develop the required skills and expertise to respond effectively to any situation related to cybersecurity.
  20. These controls may be used to improve efficiency, reduce human error and enhance security in the information sharing and coordination processes. Data standardization for automated systems: these systems may be developed and deployed amongst coordinating organizations to collect data on evolving Cybersecurity events, for real-time and offline analysis and assessments. Data visualization: a representation of data that can be understood without the help of technicians. Secure file sharing, instant messaging, web portals and discussion forums: IPOs and IROs should consider using suitable file sharing tools that can meet the security, effectiveness, efficiency and reliability needs. Testing systems: of course, you need to test your tools, methods, processes and scenarios (it should be considered); you can simulate with the perception of each organization.
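The sharing policies from the Policies note (classification and categorization, information minimization, limited audience under NDA) together with the standardized event record that the automated-systems control presupposes, worked as Python code on the IPO side. This is an added example, not code from the webinar, PECB or ISO 27032. The record fields, the two classification names, the NDA rule, the clearance ladder and the recipient list are assumptions made for this example; the event record is a constructed sample whose address comes from an RFC 5737 documentation range.

```python
"""IPO-side release logic: classification, minimisation, limited audience.

Added example, not from the webinar or the standard. Field names, the
classification ladder and the contacts are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Classification ladder, lowest first (assumed; the standard only asks for
# two or more classifications, giving sensitive and unrestricted as examples).
CLASSIFICATIONS = ["unrestricted", "sensitive"]

# Minimisation policy: the fields the IPO releases at each classification.
RELEASE_FIELDS = {
    "unrestricted": {"category", "indicator", "first_seen", "summary"},
    "sensitive": {"category", "indicator", "first_seen", "summary",
                  "affected_system", "suspected_actor"},
}

# Personal data is never bulk-distributed; it stays with the IPO.
PERSONAL_FIELDS = {"reporter_email", "victim_name"}


@dataclass
class Recipient:
    """An IRO from the mutually exchanged contact list."""
    name: str
    clearance: str          # highest classification this IRO may receive
    nda_signed: bool = False


def release(record: dict, recipient: Recipient) -> Optional[dict]:
    """Apply the limited-audience and minimisation rules for one recipient.

    Returns the minimised record, or None when the recipient is outside the
    permitted audience for the record's classification."""
    cls = record["classification"]
    if cls not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {cls}")
    # Limited audience: never above the recipient's clearance, and sensitive
    # material only when an NDA is already in place (swift sharing later).
    if CLASSIFICATIONS.index(recipient.clearance) < CLASSIFICATIONS.index(cls):
        return None
    if cls == "sensitive" and not recipient.nda_signed:
        return None
    # Minimisation: only the fields allowed at this classification, and
    # personal data stripped regardless of classification.
    allowed = RELEASE_FIELDS[cls] - PERSONAL_FIELDS
    out = {k: v for k, v in record.items() if k in allowed}
    out["classification"] = cls
    return out


def distribute(record: dict, contacts: list) -> dict:
    """Map each contact name to what it receives (None = not in audience)."""
    return {c.name: release(record, c) for c in contacts}


# Constructed sample event as collected by the IPO.
SAMPLE_EVENT = {
    "category": "security event",
    "classification": "sensitive",
    "indicator": "203.0.113.10",
    "first_seen": "2015-12-02T09:14:01Z",
    "summary": "repeated failed SSH logins against a web server",
    "affected_system": "web01",
    "suspected_actor": "unknown",
    "reporter_email": "analyst@ipo.example",
    "victim_name": "J. Doe",
}

# Constructed contact list: three IROs with different standing.
SAMPLE_CONTACTS = [
    Recipient("national CERT", clearance="sensitive", nda_signed=True),
    Recipient("industry ISAC", clearance="sensitive", nda_signed=False),
    Recipient("public feed", clearance="unrestricted"),
]


if __name__ == "__main__":
    for name, payload in distribute(SAMPLE_EVENT, SAMPLE_CONTACTS).items():
        print(name, "->", payload)
    # Downgrading the record widens the audience but shrinks the payload.
    public = dict(SAMPLE_EVENT, classification="unrestricted")
    print("public feed <-", release(public, SAMPLE_CONTACTS[2]))
```

Note that classification drives both decisions: who may receive the record and how much of it they get. Re-classifying a record to "unrestricted" lets the public feed receive it, but only the four minimised fields.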
  21. Introduction. To improve the state of Cybersecurity, stakeholders in the cyberspace need to play an active role in their respective use and development of the Internet. Roles can overlap with individuals’ and organizations’ networks (intranets, extranets, websites, networks exposed to the Internet, …). Pitfall: because of this overlap, roles can be seen as insignificant by the stakeholders concerned, but they are significant to enhancing Cybersecurity.
  22. Roles of stakeholders in Cybersecurity. Roles of consumers: individuals. They may assume different roles in different contexts and applications. These may include: general cyberspace application user; general user of online auction and marketplace sites, as an interested buyer or seller; blogger and other content contributor (Twitter, Wikipedia, YouTube, …); member of an organization, ... Ex: an individual acting as buyer or seller can unknowingly participate in criminal transactions such as the sale of stolen goods or money laundering activities. And you can switch from task to task during the day, so from role to role also ....
  23. Roles of stakeholders in Cybersecurity. Roles of organizations. Organizations should extend their corporate responsibilities to the Cyberspace. How? By proactively ensuring that their practices and actions do not introduce further security risks (into the Cyberspace). Some proactive measures include: implementing an ISMS; proper security monitoring and response; incorporating security as part of the Software Development Life-cycle (SDLC); regular security education of users in the organization through continuous technology updates and keeping track of the latest technology developments; understanding and using proper channels in communicating with vendors and service providers on security issues discovered during usage.
  24. Roles of stakeholders in Cybersecurity. The government, primarily law enforcement agencies and regulators, may have the following important roles to play: — advise organizations of their roles and responsibilities in the Cyberspace; — share information with other stakeholders on the latest trends and developments in technology; — share information with other stakeholders on the current prevalent security risks; — be a conduit for receiving any information, whether closed or open, with regard to security risks to the Cyberspace; and — be the primary coordinator for information dissemination and orchestrating any required resources, both at national level and corporate level, in times of crisis arising from a massive cyber-attack.
  25. Service providers are also consumer organizations. They are thus expected to observe the same roles and responsibilities as consumer organizations. As service providers, they have additional responsibilities in maintaining or even enhancing cybersecurity: providing safe and secure products and services; providing safety and security guidance for end users; providing security inputs to other providers and to consumers about trends and observations of traffic in their networks and services.
  26. This picture provides an overview of the salient points in the approach taken in this standard. Consumers refer to individual users as well as private and public organizations. Private organizations include small and medium enterprises (SMEs) as well as large enterprises. Government and other public agencies are collectively referred to as public organizations. An individual or an organization becomes a consumer when they access the Cyberspace or any services available in the Cyberspace. And you see, a consumer can also be a provider if it provides a service in the Cyberspace (ISP) or enables another consumer to access the Cyberspace. A consumer of a virtual world service may become a provider by making available virtual products and services to other consumers. Providers refer to providers of services in the Cyberspace, as well as ISPs that enable consumers to access the Cyberspace and the various services available in the Cyberspace. Providers might also be understood as carriers or wholesalers, versus distributors and retailers of access services. Application service providers make services available to consumers through their software. These services take many forms and include combinations of the following non-exhaustive list: — document editing, storage, distribution; — online virtual environments for entertainment, communications and interaction with other users; — online digital media repositories with aggregation, indexing, search, store-front, catalogue, shopping cart and payment services; and — enterprise resource management functions such as human resources, finance and payroll, supply chain management, customer relationship, invoicing.
  27. Guidelines for stakeholders. ISO 31000, Risk management – Principles and guidelines, provides principles and generic guidelines on risk management. ISO 27005, Information technology – Security techniques – Information security risk management, provides guidelines and processes for information security risk management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC 27001. Guidelines for consumers (non-exhaustive list). My dears, it means that when you want to install a new mobile app, a new version of a patch (Adobe) or a new version of an OS (Mac), you will need to read dozens of policy pages before saying “Yes, I’ve read it”. Manage your online identity: use different identifiers for different web applications and minimize the sharing of personal information with each website or application requesting such information.
  28. Manage IS risks in the business; address security requirements for hosting websites and other cyber-application services; provide security guidance to consumers; ISMS. Provide secure products: these could be independently validated against the Common Criteria scheme (personally I would validate them against SDLC and ISO 27034, OWASP and so forth). Network monitoring and response to ensure reliability and quality of the network services. Support and escalation.
  29. 1. Prevention: understand the business processes, assets and evolving technology; professionals need to know their environment (internal/external factors, business plan, processes, regulation); risk analysis (prioritize); communicate with stakeholders and agree on findings and recommendations. 2. Incident response: detection (CERT, CSIRT, a specialized security incident team); fast incident response (incident response and management); responsible vulnerability disclosure; incident response; recovery; forensics.
  30. Cybersecurity attacks increase. People are always the most vulnerable (social engineering, awareness, policies, cybersecurity culture, …). It takes time to discover intruders (and what if you don’t have a detection team, monitoring, a response team, …?).
  31. PECB will launch a brand new training in #Nice (France) in January.
  32. With the consent of PECB we started a campaign with the training’s mascot, called BlueOwl. The beast tweets about Cybersecurity, meets security professionals across Europe and also joins Cybersecurity events. Feel free to #FollowBlueOwl on Twitter.
  33. The campaign started two weeks ago, and we still have some surprises for you until January.