SAV LLP
FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION
Weakest links of an organization’s Cybersecurity Chain
and
Mitigation Options
An Auditor’s Perspective
SEPTEMBER 09, 2019
Disclaimer
This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources; hence the preparer takes no responsibility for the content's validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request.
Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use.
Distribution of this presentation for commercial purposes is prohibited.
Cyber Security
There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.
Myth about Cyber Security – Cyber risk can be reduced and security posture improved by purchasing products and outsourcing support.
• There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
• Security is a balancing act of defending an organization according to the organization's risk tolerance and profile.
In Summary - Cybersecurity is the combination of processes, practices and technologies designed to protect networks, computers, programs, data and information from attack, damage or unauthorized access.
Cyber Threat
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.
Define what is at risk (physical and digital)
• Do you know what your "worst possible day" looks like? (not being able to transact, theft of sensitive information, inability to perform a physical function)
• Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.
• Consequently, the organization will be better prepared to appropriately mitigate risks and spend security resources sensibly.
Threat Landscape
As per ENISA (European Union Agency for Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
• Mail and phishing messages
• Staff retention
• Raising awareness at the level of security and executive management
• Automated attacks through novel approaches
• IoT environments
Is Cybersecurity an IT Problem or a Human Problem?
DNA OF AN ATTACKER
• Attackers are humans, with human goals
• Humans are not perfect – some are good, some are bad, but they aren't perfect
• Perfection doesn't exist in offence or defense
To defend against attack, your strategy must have capabilities to detect, respond and build back up controls to prevent next steps.
However, it is very important to know what is mission critical and what is trivial.
War Games
Learnings from conventional war to mitigate cyber threats
Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War
https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
Role of a CFO / Head of Finance
• The CFO's role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship, and even more about value realization and optimization.
• IFAC (International Federation of Accountants) explains that a professional CFO should:
1. Be an effective organizational leader and a key member of senior management
2. Balance the responsibilities of stewardship with business partnership
3. Act as the integrator and navigator for the organization
Cybersecurity – What do CFOs need to know?
Planning and Management
• How do we identify our critical assets and associated risks and vulnerabilities?
• How do we meet our critical infrastructure operations and regulatory requirements?
• What is our strategy and plan to protect our assets?
• How robust are our incident response and communication plans?
Assets
• How do we track what digital information is leaving our organization and where that information is going?
• How do we know who's really logging into our network, and from where?
• How do we control what software is running on our devices?
• How do we limit the information we voluntarily make available to a cyber adversary?
Cybersecurity Frameworks
What is a framework
A framework is a set of voluntary guidelines and practices for organizations to better manage and reduce cybersecurity risk.
Well accepted cybersecurity frameworks
The most frequently adopted cybersecurity frameworks are:
• NIST Framework
• PCI DSS (Payment Card Industry Data Security Standard)
• ISO 27001/27002 (International Organization for Standardization)
• CIS Critical Security Controls
• COBIT 2019
• TSP 2017 (SOC 2)
Why adopt a security framework
• A framework takes out a lot of the guesswork and shows you, often with supporting evidence, where to apply the pressure.
• Planning and implementing a framework can help organizations understand their operational maturity level and provide matrices that feed back into the organization.
SOC
SOC (Service Organization Control) Reports for outsourced services, and SOC for Cybersecurity: a high level introduction
Weakest links of the Cybersecurity Chain
Weakest Links of the Cybersecurity Chain
Cybersecurity is a shared responsibility – people, processes, tools, and technologies work together to protect an organization's assets.
A few of the common weakest links in the cybersecurity chain are (and they are not tools):
1. Weak tone at the top - governance framework
2. Poor user management and access controls
3. Weak asset management
4. Lack of cyber policy
5. Lack of awareness regarding information sharing and breach reporting
6. Lack of monitoring of service providers
The Recommended Risk Mitigation Strategies
Tone at the Top - Governance Framework
Governance Framework
• Key initial steps
  • Decide who should be involved in the development of a cybersecurity program.
  • Identify known risks and established controls.
  • Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.
• Leadership is key
  • Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help broaden corporate adoption.
  • This effort should report to a specialized committee, such as the Audit or Risk Committee, or in some cases to the board itself.
Board and Senior Management involvement
The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks.
3. Ensure adequate access to cybersecurity expertise, and hold regular discussions about cyber-risk management.
4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Identify which risks to avoid, accept, mitigate, or transfer through insurance, as well as the specific plans associated with each approach.
User Account Management and Access Control
Need-to-know basis
The following are recommendations for user account management and access control:
• Centrally manage all user accounts (e.g. Active Directory, UUID).
• Disable system accounts that cannot be associated with a business process and owner.
• Disable accounts upon termination of an employee or contractor.
• Perform periodic user access reviews.
• Force users to automatically re-login after a standard period of inactivity.
• Require strong passwords.
• Limit the number of privileged accounts.
• Require two-factor authentication for privileged accounts.
• Control access to the computer system's audit logs.
• Make cybersecurity training and awareness mandatory for all personnel.
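As an added example (not from the presentation), the following Python script performs the periodic access review described above over a constructed directory export and HR roster: it flags enabled accounts belonging to terminated staff, system accounts with no owner or business process, stale accounts, privileged accounts without two-factor authentication, and a privileged-account count above a limit. The 90-day inactivity threshold and the limit of two privileged accounts are assumptions, not figures from the slides.

```python
"""Periodic user access review over a constructed directory export.

Checks the controls listed on the slide: accounts of terminated staff still
enabled, system accounts without an owner or business process, stale accounts,
privileged accounts without two-factor authentication, and the number of
privileged accounts. All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_DAYS = 90       # review threshold for inactivity (assumption, not from the slide)
MAX_PRIVILEGED = 2    # organization-specific cap on privileged accounts (assumption)

TODAY = date(2019, 9, 9)   # presentation date, used here as the review date


@dataclass
class Account:
    name: str
    kind: str                      # "user" or "system"
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_logon: Optional[date]     # None means the account has never logged on
    owner: Optional[str] = None    # HR id for users, accountable owner for system accounts
    business_process: Optional[str] = None   # system accounts only


# Constructed HR roster: hr_id -> employment status
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active", "E103": "active"}

# Constructed directory export
DIRECTORY = [
    Account("alice", "user", True, True, True, TODAY - timedelta(days=2), owner="E100"),
    Account("bob", "user", True, False, False, TODAY - timedelta(days=40), owner="E101"),    # owner terminated
    Account("carol", "user", True, True, False, TODAY - timedelta(days=5), owner="E102"),    # privileged, no 2FA
    Account("dave", "user", True, False, False, TODAY - timedelta(days=200), owner="E103"),  # stale
    Account("frank", "user", True, True, True, TODAY - timedelta(days=1), owner="E103"),
    Account("svc_backup", "system", True, False, False, TODAY - timedelta(days=1),
            owner="E100", business_process="nightly backup"),
    Account("svc_legacy", "system", True, False, False, None),                               # no owner, never used
    Account("erin", "user", False, False, False, TODAY - timedelta(days=400), owner="E101"), # already disabled
]


def review_access(accounts, roster, today=TODAY, stale_days=STALE_DAYS,
                  max_privileged=MAX_PRIVILEGED):
    """Return a sorted list of (account, finding) pairs for the enabled accounts."""
    findings = []
    privileged = []
    for acct in accounts:
        if not acct.enabled:
            continue   # disabled accounts are out of scope for this review
        if acct.privileged:
            privileged.append(acct.name)
            if not acct.mfa_enrolled:
                findings.append((acct.name, "privileged account without two-factor authentication"))
        if acct.kind == "user":
            # An enabled user account must map to a currently active person in HR
            if roster.get(acct.owner) != "active":
                findings.append((acct.name, "enabled account for terminated or unknown person"))
        elif not acct.owner or not acct.business_process:
            findings.append((acct.name, "system account without owner or business process"))
        if acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings.append((acct.name, f"no logon in the last {stale_days} days"))
    if len(privileged) > max_privileged:
        findings.append(("<policy>", f"{len(privileged)} privileged accounts exceed limit of {max_privileged}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in review_access(DIRECTORY, HR_ROSTER):
        print(f"{name:12s} {finding}")
```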
Asset Management
You can't control something that you don't know about
The following are recommendations for asset management:
• Deploy and maintain an automated asset inventory discovery tool that will also assist the entity in building an inventory of the systems connected to the organization's private and public networks.
• Use Dynamic Host Configuration Protocol (DHCP) server logging for asset inventory; unknown systems can be detected from the DHCP information.
• Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
• Deploy network level authentication and Network Access Control (NAC). These services will assist in preventing unauthorized devices from connecting to the network.
• Utilize client certificates to validate and authenticate systems prior to connecting to the organization's network.
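The DHCP recommendation above, worked as an added example that is not part of the presentation: the script parses DHCPACK lines written in the ISC dhcpd syslog style from a constructed log, normalises the client MAC address, and reconciles the leases against a constructed approved-asset inventory in both directions, reporting leased devices missing from the inventory and inventory entries never seen on the network. The log lines, MAC addresses and asset tags are all constructed.

```python
"""Detect unknown devices from DHCP server logs and reconcile them with the asset inventory.

DHCPACK lines (ISC dhcpd syslog style) are parsed, the client MAC is normalised
so that '00-1A-2B-...' and '00:1a:2b:...' compare equal, and every leased client
is looked up in the approved-asset inventory. Log and inventory are constructed.
"""
import re
from collections import defaultdict

# Constructed DHCP server log, modelled on ISC dhcpd syslog output
DHCP_LOG = """\
Sep  9 08:01:12 dhcp1 dhcpd[1432]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
Sep  9 08:02:40 dhcp1 dhcpd[1432]: DHCPACK on 10.20.1.16 to 00:1A:2B:3C:4D:5F (hr-desktop-03) via eth0
Sep  9 08:05:03 dhcp1 dhcpd[1432]: DHCPDISCOVER from 5c:cf:7f:11:22:33 via eth0
Sep  9 08:05:04 dhcp1 dhcpd[1432]: DHCPACK on 10.20.1.77 to 5c:cf:7f:11:22:33 (ESP_112233) via eth0
Sep  9 08:09:55 dhcp1 dhcpd[1432]: DHCPACK on 10.20.1.78 to a4-83-e7-90-12-ab via eth0
Sep  9 08:15:31 dhcp1 dhcpd[1432]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
"""

# Constructed inventory of approved devices, keyed by normalised MAC
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"asset": "LT-0007", "owner": "Finance"},
    "00:1a:2b:3c:4d:5f": {"asset": "DT-0003", "owner": "HR"},
    "00:1a:2b:3c:4d:60": {"asset": "DT-0009", "owner": "Operations"},   # never leased in the log
}

# Only DHCPACK matters for inventory: it records a lease actually granted to a client
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))?"          # client-supplied hostname is optional
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so differently written MACs compare equal."""
    return mac.lower().replace("-", ":")


def parse_leases(log_text):
    """Yield (mac, ip, hostname) for every DHCPACK line; other DHCP messages are skipped."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield normalize_mac(m.group("mac")), m.group("ip"), m.group("host") or ""


def find_unknown_devices(log_text, inventory):
    """Return {mac: {"ips": [...], "hostnames": [...], "leases": n}} for MACs not in the inventory."""
    unknown = defaultdict(lambda: {"ips": [], "hostnames": [], "leases": 0})
    for mac, ip, host in parse_leases(log_text):
        if mac in inventory:
            continue
        entry = unknown[mac]
        entry["leases"] += 1
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
        if host and host not in entry["hostnames"]:
            entry["hostnames"].append(host)
    return dict(unknown)


def inventory_not_seen(log_text, inventory):
    """Inventory entries that never obtained a lease: candidates for an inventory clean-up."""
    seen = {mac for mac, _, _ in parse_leases(log_text)}
    return sorted(mac for mac in inventory if mac not in seen)


if __name__ == "__main__":
    for mac, info in find_unknown_devices(DHCP_LOG, INVENTORY).items():
        print(f"UNKNOWN {mac} ips={info['ips']} hostnames={info['hostnames']} leases={info['leases']}")
    print("in inventory but never seen:", inventory_not_seen(DHCP_LOG, INVENTORY))
```

In practice the log would be read from the DHCP server's syslog and the inventory exported from the asset database; the reconciliation logic is unchanged.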
Cyber Policy
Some of the key elements of a good cyber policy:
• Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception
• Information classification – should provide content-specific definitions, rather than the more generic "confidential" or "restricted"
• Management goals for secure handling of information in each classification category
• Specific instruction on organization-wide security mandates (e.g. no sharing of passwords)
• Specific designation of established roles and responsibilities
• Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)
The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change.
Absent a policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
Information Sharing and Breach Reporting Requirements
Microsoft makes the following eight recommendations for information sharing.
1. Develop a strategy for information sharing and collaboration.
2. Design with privacy protections in mind.
3. Establish a meaningful governance process.
4. Focus sharing on actionable threat, vulnerability, and mitigation information.
5. Build interpersonal relationships.
6. Require mandatory information sharing only in limited circumstances.
7. Make full use of information shared, by conducting analyses on long-term trends.
8. Encourage the sharing of best practices.
The exchange of best practices with peer organizations can allow organizations to play a
proactive role, by engaging with each other as well as external organizations.
Vendor Risk Management
Service Risks:
• Volume of transactions processed
• Concentration associated with the service
• Sensitivity of the data to which the vendor could potentially have access
• Compliance and regulatory risk related to the service
• Customer and financial impact
Vendor Risks:
• Location of the vendor (subject to multinational laws, regulations, etc.)
• Previous data or security breaches
• Extent of outsourcing performed by the vendor
• Performance history
Common Deficiencies with 3rd Party Vendors:
• Incident response management plan
• Inadequate security awareness
• Data loss prevention
• Encryption for data at rest and in transit
• Administrator privilege lockdown
• Vulnerability testing or penetration testing
Common approaches to evaluating third party vendors and ongoing oversight include:
• Perform vendor evaluation as part of the RFP
• Desk assessments to evaluate requested information
• On-site visits as appropriate by either in-house or contracted experts
• Penetration tests of potential vendors
• An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it's on par with the security risk level that the evaluating organization accepts
• A process to alert the organization of infractions or breaches, so that it can readily work with vendors to correct and improve their security posture
To be successful, vendor risk management should be an element of an enterprise risk management program, with established, repeatable processes in place that are consistent for all areas within the firm.
Key Takeaways
Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
• A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms' cybersecurity programs, along with a clear chain of accountability.
• A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
• One size doesn't fit all. The level of sophistication of the technical controls employed by an individual firm is highly contingent on that firm's individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
• Many organizations use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
• Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn't simply one team's job – it's everyone's job; however, the security team needs to lead the effort to improve the organization's overall security deployment.
Summary of Best Practices
• Tone at the top – The business itself needs to take security seriously, not just write some policy; support the security team with a budget and some people and tools.
• Basic IT Security Foundation
  • Asset Management – What do you have, what do you value most, and where is it now? (You can't protect it if you can't find it)
  • Process / Procedures
    • Access Controls – authentication, limit administrative accounts on systems, least privilege principle for access
    • Data Management, Change Management, Problem Management
  • Network Security – UTM (Unified Threat Management) tool, and keep BYOD away from the main network
  • Endpoint Security – EDR (Endpoint Detection & Response), or at least some protection from downloads, attacks and data leakage
  • Security Operations – Detect, act and defend against future attacks
  • Encryption – A process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
• People – Hire and train people to defend the network (including critical data) and do not rely solely on technology
• System Updates – Keep your systems up to date. Turn on auto update on all devices. Remove legacy applications that are at a sunset stage and can't be secured
• Control Framework – Implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT, ISO 27K+
THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT
Thank You
Presenter – Sanjay Chadha CPA, CA, LPA, CISA, CITP
SAV LLP
Chartered Professional Accountants
Hullmark Centre at Yonge and Sheppard
3M-4773 Yonge Street, Toronto, ON, M2N 0G2
Tel: 647.831.8322, 416.822.8570
Email: INFO@SAVASSOCIATES.CA

 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Dernier (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Weakest links of an organization's Cybersecurity chain

1. Weakest links of an organization’s Cybersecurity Chain and Mitigation Options: An Auditor’s Perspective. SAV LLP, September 09, 2019. For information only; distribution is prohibited without permission.
3. Cyber Security
There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Like financial and reputational risk, cybersecurity risk affects a company’s bottom line: it can drive up costs, reduce revenue, and harm an organization’s ability to innovate and to win and keep customers.
Myth about cybersecurity: cyber risk can be reduced and security posture improved simply by purchasing products and outsourcing support.
• There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
• Security is a balancing act: defending an organization according to its own risk tolerance and risk profile.
In summary, cybersecurity is the combination of processes, practices and technologies designed to protect networks, computers, programs, data and information from attack, damage or unauthorized access.
4. Cyber Threat
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.
Define what is at risk (physical and digital):
• Do you know what your “worst possible day” looks like? (Not being able to transact, theft of sensitive information, inability to perform a physical function.)
• Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes much easier to identify the potential causes of a critically impactful incident.
• Consequently, the organization will be better prepared to mitigate risks appropriately and to spend security resources sensibly.
5. Threat Landscape
According to ENISA (the European Union Agency for Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
• Mail and phishing messages
• Staff retention
• Raising awareness at the level of security and executive management
• Automated attacks through novel approaches
• IoT environments
6. Is Cybersecurity an IT Problem or a Human Problem?
DNA of an attacker:
• Attackers are humans, with human goals.
• Humans are not perfect; some are good, some are bad, but none are perfect.
• Perfection doesn’t exist in offense or defense.
To defend against attack, your strategy must have the capability to detect, respond, and build backup controls that prevent the attacker’s next steps. It is equally important to know what is mission critical and what is trivial.
7. War Games
Learnings from conventional war to mitigate cyber threats: the Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War.
https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
8. Role of a CFO / Head of Finance
• The CFO’s role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). The role is becoming much more about strategy and the future than about stewardship, and even more about value realization and optimization.
• IFAC (the International Federation of Accountants) explains that a professional CFO should:
1. Be an effective organizational leader and a key member of senior management
2. Balance the responsibilities of stewardship with business partnership
3. Act as the integrator and navigator for the organization
9. Cybersecurity: What do CFOs need to know?
Planning and management
• How do we identify our critical assets and the associated risks and vulnerabilities?
• How do we meet our critical infrastructure operations and regulatory requirements?
• What is our strategy and plan to protect our assets?
• How robust are our incident response and communication plans?
Assets
• How do we track what digital information is leaving our organization, and where that information is going?
• How do we know who is really logging into our network, and from where?
• How do we control what software is running on our devices?
• How do we limit the information we voluntarily make available to a cyber adversary?
10. Cybersecurity Frameworks
What is a framework? A framework is a set of voluntary guidelines, standards and practices that helps organizations better manage and reduce cybersecurity risk.
Well-accepted cybersecurity frameworks. The most frequently adopted are:
• NIST Cybersecurity Framework
• PCI DSS (Payment Card Industry Data Security Standard)
• ISO 27001/27002 (International Organization for Standardization)
• CIS Critical Security Controls
• COBIT 2019
• TSP 2017 (the AICPA Trust Services Criteria, used for SOC 2)
Why adopt a security framework?
• A framework takes out a lot of the guesswork and shows you, often with supporting evidence, where to apply pressure.
• Planning and implementing a framework helps an organization understand its operational maturity level and provides metrics that feed back into the organization.
11. SOC
SOC (System and Organization Controls, formerly Service Organization Control) reports for outsourced services, and SOC for Cybersecurity: a high-level introduction.
12. Weakest Links of the Cybersecurity Chain
13. Weakest Links of the Cybersecurity Chain
Cybersecurity is a shared responsibility: people, processes, tools and technologies work together to protect an organization’s assets. Some of the most common weakest links in the cybersecurity chain (and none of them is a tool) are:
1. Weak tone at the top: no governance framework
2. Poor user management and access controls
3. Weak asset management
4. Lack of a cyber policy
5. Lack of awareness regarding information sharing and breach reporting
6. Lack of monitoring of service providers
14. The Recommended Risk Mitigation Strategies
15. Tone at the Top: Governance Framework
Governance framework
• Key initial steps
  • Decide who should be involved in the development of a cybersecurity program.
  • Identify known risks and established controls.
  • Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security as well as business owners.
• Leadership is key
  • Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help broader corporate adoption.
  • This effort should report to a specialized committee, such as the Audit or Risk Committee, or in some cases to the board itself.
Board and senior management involvement
The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks.
3. Ensure adequate access to cybersecurity expertise, and hold regular discussions about cyber-risk management.
4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Identify which risks to avoid, accept, mitigate, or transfer through insurance, along with specific plans for each approach.
16. User Account Management and Access Control
Grant access on a need-to-know basis. Recommendations for user account management and access control:
• Centrally manage all user accounts (e.g. Active Directory, UUID).
• Disable system accounts that cannot be associated with a business process and an owner.
• Disable accounts upon termination of an employee or contractor.
• Perform periodic user access reviews.
• Force users to re-authenticate after a standard period of inactivity.
• Require strong passwords.
• Limit the number of privileged accounts.
• Require two-factor authentication for privileged accounts.
• Control access to the computer system’s audit logs.
• Make cybersecurity training and awareness mandatory for all personnel.
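Most of the recommendations above can be checked mechanically from a directory export, which is how an auditor would run the periodic access review rather than eyeballing a spreadsheet. The following is an added example, not code from the SAV LLP deck: it runs four of the checks (enabled after termination, no business owner, privileged without two-factor, dormant) over a constructed account export and reports the share of enabled accounts that are privileged. The field names, the sample accounts, the 90-day dormancy threshold and the review date are all assumptions.

```python
"""Periodic user-access review over a constructed account export.

Added example (not from the SAV LLP deck).  Each check maps to one of the
account-management recommendations; field names and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_DATE = date(2019, 9, 9)   # assumed date of the review run
MAX_DORMANT_DAYS = 90            # assumed policy threshold for dormant accounts


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # business owner; empty string if nobody claims it
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_logon: Optional[date]
    status: str                # "active", "terminated" or "service"


# Constructed sample export; the people and systems are invented.
ACCOUNTS: List[Account] = [
    Account("jdoe", "finance", True, False, True, date(2019, 9, 5), "active"),
    Account("asmith", "hr", True, True, False, date(2019, 9, 8), "active"),
    Account("bwayne", "ops", True, False, True, date(2019, 8, 30), "terminated"),
    Account("svc_backup", "", True, False, False, date(2019, 9, 1), "service"),
    Account("svc_legacy", "it", True, True, True, date(2019, 1, 2), "service"),
    Account("ckent", "sales", False, False, False, date(2018, 12, 1), "terminated"),
]


def review(accounts, today=REVIEW_DATE, max_dormant_days=MAX_DORMANT_DAYS):
    """Return (username, finding) pairs for enabled accounts that break a rule."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account is the desired end state; nothing to flag
        if a.status == "terminated":
            findings.append((a.username, "enabled after termination"))
        if not a.owner:
            findings.append((a.username, "no business owner or process"))
        if a.privileged and not a.mfa_enrolled:
            findings.append((a.username, "privileged account without two-factor"))
        dormant = a.last_logon is None or (today - a.last_logon).days > max_dormant_days
        if dormant:
            findings.append((a.username, f"dormant for more than {max_dormant_days} days"))
    return findings


def summarize(findings):
    """Group findings by account so each owner gets one line to act on."""
    by_user: Dict[str, List[str]] = {}
    for user, reason in findings:
        by_user.setdefault(user, []).append(reason)
    return by_user


def privileged_share(accounts):
    """Fraction of enabled accounts that are privileged (the 'limit privileged accounts' check)."""
    enabled = [a for a in accounts if a.enabled]
    return sum(a.privileged for a in enabled) / len(enabled) if enabled else 0.0


if __name__ == "__main__":
    for user, reasons in sorted(summarize(review(ACCOUNTS)).items()):
        print(f"{user}: {'; '.join(reasons)}")
    print(f"privileged share of enabled accounts: {privileged_share(ACCOUNTS):.0%}")
```

On the constructed data the script flags asmith (privileged, no two-factor), bwayne (still enabled after leaving), svc_backup (no owner) and svc_legacy (no logon in over 90 days), and leaves the disabled ckent account alone. The dormancy check deliberately treats a missing last-logon date as dormant, since an account that has never authenticated is exactly the kind that nobody is watching.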
17. Asset Management
You can’t control what you don’t know you have. Recommendations for asset management:
• Deploy and maintain an automated asset inventory discovery tool that also helps the entity build an inventory of systems connected to the organization’s private and public networks.
• Use Dynamic Host Configuration Protocol (DHCP) server logging as an input to the asset inventory; unknown systems can be detected from the DHCP lease information.
• Ensure the inventory is updated when newly acquired and approved equipment connects to the network.
• Deploy network-level authentication and Network Access Control (NAC); these services help prevent unauthorized devices from connecting to the network.
• Use client certificates to validate and authenticate systems before they connect to the organization’s network.
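The DHCP recommendation above is concrete enough to script. What follows is an added example, not code from the SAV LLP deck: it parses DHCPACK lines in the ISC dhcpd syslog format, normalises MAC addresses, and compares them with an approved inventory in both directions (devices that took a lease but are not in the inventory, and inventory entries that never took a lease). The log lines, hostnames, MAC addresses and inventory are constructed.

```python
"""Detect unknown devices from DHCP server log lines.

Added example (not from the SAV LLP deck).  The log lines follow the ISC
dhcpd syslog format; the hosts, MAC addresses and inventory are constructed.
"""
import re
from typing import Dict, Set

# Constructed sample log; every device and address here is invented.
DHCP_LOG = """\
Sep  9 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
Sep  9 08:02:40 dhcp1 dhcpd: DHCPACK on 10.20.1.31 to 00:1A:2B:3C:4D:60 via eth0
Sep  9 08:03:05 dhcp1 dhcpd: DHCPDISCOVER from f4:5c:89:aa:bb:cc via eth0
Sep  9 08:03:06 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to f4:5c:89:aa:bb:cc (android-9f3e) via eth0
Sep  9 08:05:19 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
"""

# Constructed approved inventory: MAC address -> asset name (mixed case on purpose).
INVENTORY: Dict[str, str] = {
    "00:1A:2B:3C:4D:5E": "fin-laptop-07",
    "00:1a:2b:3c:4d:60": "ops-printer-02",
    "00:aa:bb:cc:dd:01": "wh-scanner-04",   # approved but absent from this log
}

# Only DHCPACK confirms that a lease was handed out; DISCOVER/REQUEST lines do not.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def normalise_mac(mac: str) -> str:
    """Lower-case the MAC so differently cased sources compare equal."""
    return mac.strip().lower()


def parse_leases(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {mac: {"ips": {...}, "hosts": {...}}} for every DHCPACK in the log."""
    leases: Dict[str, Dict[str, Set[str]]] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        entry = leases.setdefault(normalise_mac(m.group("mac")),
                                  {"ips": set(), "hosts": set()})
        entry["ips"].add(m.group("ip"))
        if m.group("host"):
            entry["hosts"].add(m.group("host"))
    return leases


def unknown_devices(leases, inventory):
    """Devices that obtained a lease but are not in the approved inventory."""
    known = {normalise_mac(mac) for mac in inventory}
    return {mac: info for mac, info in leases.items() if mac not in known}


def never_seen(leases, inventory) -> Set[str]:
    """Inventory entries that never took a lease: stale records or statically addressed hosts."""
    return {normalise_mac(mac) for mac in inventory} - set(leases)


if __name__ == "__main__":
    seen = parse_leases(DHCP_LOG)
    names = {normalise_mac(k): v for k, v in INVENTORY.items()}
    for mac, info in sorted(unknown_devices(seen, INVENTORY).items()):
        print(f"UNKNOWN  {mac} ips={sorted(info['ips'])} hosts={sorted(info['hosts'])}")
    for mac in sorted(never_seen(seen, INVENTORY)):
        print(f"NOT SEEN {mac} ({names[mac]})")
```

On the sample log the Android device f4:5c:89:aa:bb:cc is reported as unknown and the warehouse scanner as never seen. Two caveats an auditor should keep in mind: a DHCP log only shows devices that asked for a lease, so statically addressed hosts never appear in it, and a MAC address is trivially spoofable, which is why the same slide also calls for NAC and client certificates rather than relying on DHCP data alone.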
18. Cyber Policy
Some of the key elements of a good cyber policy:
• Scope: all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception.
• Information classification: should provide content-specific definitions rather than generic labels such as “confidential” or “restricted”.
• Management goals for the secure handling of information in each classification category.
• Specific instruction on organization-wide security mandates (e.g. no sharing of passwords).
• Specific designation of established roles and responsibilities.
• Consequences for non-compliance (e.g. up to and including dismissal or termination of contract).
Implementing a policy is not a single event but an iterative process, revisited as business models, relationships, and technology change. Absent a policy there can be no effective governance of the cybersecurity program, because there is no clear guidance on which to base program decisions.
19. Information Sharing and Breach Reporting Requirements
Microsoft makes the following eight recommendations for information sharing:
1. Develop a strategy for information sharing and collaboration.
2. Design with privacy protections in mind.
3. Establish a meaningful governance process.
4. Focus sharing on actionable threat, vulnerability, and mitigation information.
5. Build interpersonal relationships.
6. Require mandatory information sharing only in limited circumstances.
7. Make full use of information shared, by conducting analyses of long-term trends.
8. Encourage the sharing of best practices.
Exchanging best practices with peer organizations allows an organization to play a proactive role by engaging with peers as well as with external organizations.
20. Vendor Risk Management
Service risks:
• Volume of transactions processed
• Concentration associated with the service
• Sensitivity of the data to which the vendor could potentially have access
• Compliance and regulatory risk related to the service
• Customer and financial impact
Vendor risks:
• Location of the vendor (subject to multinational laws, regulations, etc.)
• Previous data or security breaches
• Extent of outsourcing performed by the vendor
• Performance history
Common deficiencies found at third-party vendors:
• Incident response management plan
• Inadequate security awareness
• Data loss prevention
• Encryption for data at rest and in transit
• Administrator privilege lockdown
• Vulnerability testing or penetration testing
Common approaches to evaluating third-party vendors and to ongoing oversight include:
• Perform vendor evaluation as part of the RFP
• Desk assessments to evaluate requested information
• On-site visits as appropriate, by either in-house or contracted experts
• Penetration tests of potential vendors
• An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it is on par with the security risk level that the evaluating organization accepts
• A process to alert the organization of infractions or breaches, so that it can work with vendors to correct and improve their security posture
To be successful, vendor risk management should be an element of an enterprise risk management program, with established, repeatable processes that are consistent across all areas of the firm.
21. Key Takeaways
Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
• A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior-management engagement is critical to the success of a firm’s cybersecurity program, along with a clear chain of accountability.
• Well-trained staff can serve as the first line of defense against cyber attacks. Effective training reduces the likelihood of a successful attack by giving well-intentioned staff the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
• One size doesn’t fit all. The sophistication of the technical controls a firm employs is highly contingent on that firm’s individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function, supporting an understanding of vulnerabilities relative to industry standards.
• Many organizations use third-party vendors for services that require vendor access to sensitive firm or client information, or to firm systems. At the same time, the number of security incidents attributed to partners and vendors has risen consistently year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
• Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn’t simply one team’s job, it is everyone’s job; however, the security team needs to lead the effort to improve the organization’s overall security deployment.
22. Summary of Best Practices
• Tone at the top: the business itself needs to take security seriously, not just write a policy; support the security team with a budget and with people and tools.
• Basic IT security foundation
  • Asset management: what you have, what you value most and where it is now (you can’t protect it if you can’t find it).
  • Processes and procedures:
    • Access controls: authentication, limited administrative accounts on systems, least-privilege access.
    • Data management, change management, problem management.
  • Network security: a UTM (Unified Threat Management) tool, and keep BYOD devices off the main network.
  • Endpoint security: EDR (Endpoint Detection and Response), or at least some protection against malicious downloads, attacks and data leakage.
  • Security operations: detect, act and defend against future attacks.
  • Encryption: converting data into an unreadable form to prevent unauthorized access and so protect the data.
• People: hire and train people to defend the network (including critical data) rather than relying solely on technology.
• System updates: keep your systems up to date. Turn on automatic updates on all devices. Remove legacy applications that are at the sunset stage and can’t be secured.
• Control framework: implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI DSS, COBIT or ISO 27001/27002.
23. There Is No Single Silver Bullet for Cyber Threats
Thank you.
Presenter: Sanjay Chadha, CPA, CA, LPA, CISA, CITP
SAV LLP, Chartered Professional Accountants
Hullmark Centre at Yonge and Sheppard, 3M-4773 Yonge Street, Toronto, ON, M2N 0G2
Tel: 647.831.8322, 416.822.8570
Email: info@savassociates.ca