Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554
1. Strategic GRC & iSAT for Management Security intelligence
“AEC 2015”
Prinya Hom-Anek
CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW,
ITIL Expert, CompTIA Security+, IRCA: ISMS Lead Auditor, BCMS Auditor
(ISC)2 Asian Advisory Board; ISACA Thailand Committee,
Thailand Information Security Association (TISA) Committee,
ACIS Professional Center Co., Ltd., President and Founder
2. Strategic GRC & iSAT for Management Security intelligence
Top 10 Strategic Technology Areas 2009
1. Virtualization
2. Cloud Computing
3. Beyond Blade Servers
4. Green IT
5. Web-Oriented Architectures
6. Enterprise Mashups
7. Specialized Systems
8. Social Software and Social Networking
9. Unified Communications (UC)
10. Business Intelligence (BI)
Source: Gartner Symposium/ITxpo
© Copyright, ACIS Professional Center Company Limited, All rights reserved 2
3. Strategic GRC & iSAT for Management Security intelligence
Top 10 Strategic Technology Areas 2010
1. Cloud Computing
2. Advanced Analytics
3. Client Computing
4. IT for Green
5. Reshaping the Data Center
6. Social Computing
7. Security – Activity Monitoring
8. Flash Memory
9. Virtualization for Availability
10. Mobile Applications
Source: Gartner Symposium/ITxpo
4. Strategic GRC & iSAT for Management Security intelligence
Top 10 Strategic Technologies for 2011
1. Cloud Computing
2. Mobile Applications and Media Tablets
3. Next Generation Analytics
4. Social Analytics
5. Social Communications and Collaboration
6. Video
7. Context-Aware Computing
8. Ubiquitous Computing
9. Storage Class Memory
10. Fabric-Based Infrastructure and Computers
Source: Gartner Symposium/ITxpo
5. Strategic GRC & iSAT for Management Security intelligence
IT Organizations and Users in 2010 and Beyond
This Year's Predictions Span 56 Markets, Topics and Industry Areas, January 2010
Gartner Highlights Key Predictions
• By 2012, 20 percent of businesses will own no IT assets.
• By 2012, India-centric IT services companies will represent 20 percent of the leading cloud aggregators in the market (through cloud service offerings).
• By 2012, Facebook will become the hub for social network integration and Web socialization.
• In 2012, 60 percent of a new PC's total life greenhouse gas emissions will have occurred before the user first turns the machine on.
• By 2013, mobile phones will overtake PCs as the most common Web access device worldwide.
6. Strategic GRC & iSAT for Management Security intelligence
IT Organizations and Users in 2010 and Beyond
This Year's Predictions Span 56 Markets, Topics and Industry Areas, January 2010
Gartner Highlights Key Predictions
• By 2014, most IT business cases will include carbon remediation costs.
• By 2014, over 3 billion of the world's adult population will be able to transact electronically via mobile or Internet technology.
• By 2015, Internet marketing will be regulated, controlling more than $250 billion in Internet marketing spending worldwide.
• By 2015, context will be as influential to mobile consumer services and relationships as search engines are to the Web.
7. Strategic GRC & iSAT for Management Security intelligence
Prinya Hom-Anek
CGEIT, CISSP, CRISC, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW,
ITIL Expert, IRCA:ISMS Lead Auditor, BCMS Auditor
(ISC)2 Asian Advisory Board, ISACA Thailand Committee
Thailand Information Security Association (TISA) Committee
ACIS Professional Center Co., Ltd.
8. Strategic GRC & iSAT for Management Security intelligence
1. Integrated GRC Implementation (Governance, Risk Management & Compliance)
• Corporate Governance using COSO ERM, COBIT 5 and ISO 31000
• Corporate Governance for IT using ISO 38500
• IT Governance/Management using COBIT, Val IT and Risk IT Framework
• Information Security Governance/Management using ISO/IEC 27001/27002
2. IT Service Management Implementation (ITSM, ITIL & ISO/IEC 20000)
3. Business Continuity Management (BCM) (BS 25999 and ICT Continuity Management using BS 25777)
9. Strategic GRC & iSAT for Management Security intelligence
4. Tougher Regulatory Compliance, Risk Management and Internal/External IT Audits
5. The Rise of Information Security Awareness Training within the Organization (for Everyone)
6. The Need for Soft Skills Training/Education (Human Factors in IT/Information Security Professionals)
7. The Rise of Cloud Computing, Virtualization, and Social & Mobile Computing
10. Strategic GRC & iSAT for Management Security intelligence
8. Corporate Fraud and Internet Banking/Online Transaction Fraud Prevention and Detection
9. IT and Information Security Metrics Implementation
10. The Need for Creating a “Culture of Security” and a “Risk-Aware Culture” in the Organization
11. Strategic GRC & iSAT for Management Security intelligence
Underlying Drivers
Infrastructure Weakness
Under-investment in both organizational and national critical infrastructure has weakened the underlying IT platforms. They are poorly placed to support new and evolving business technology such as e-commerce, cloud computing and mobile working.
Cultural Change
The rise of the ‘Internet generation’, coupled with high levels of personal technology adoption, has caused an irreversible change in attitudes to protecting information.
Globalization
Continuing globalization means that organizations of all kinds are subject to greater threats, as a result of being seen as an attractive target, having to meet the needs of multiple legal jurisdictions, and becoming more complex organizations.
12. Strategic GRC & iSAT for Management Security intelligence
13. Strategic GRC & iSAT for Management Security intelligence
1. The Need for BCM/BIA (Over-reliance on the Internet)
• SITUATION – over-reliance on the Internet for all forms of communications and transactions has resulted in a lack of choice for customers in how they interact with organizations such as banks, airlines and online retailers – and a higher potential risk of business impact from sustained corporate/regional Internet failures.
• THREATS – under-investment in critical infrastructure and/or unsecured critical infrastructure leads to poor resilience at network pinch points, with a risk of complete loss of communications and transaction channels.
• ACTIONS – evaluate business continuity management (BCM) and contingency arrangements prior to contracting with providers; ensure Business Impact Analyses (BIA) are undertaken for Internet channels.
14. Strategic GRC & iSAT for Management Security intelligence
2. The Rise of Cloud Computing and Virtualization (Platform-as-a-Service, Infrastructure-as-a-Service, and Security)
• SITUATION – the business and cost benefits of cloud computing have led to short-cuts being taken, and security and compliance concerns being overridden. Use of virtualization increases the “attack surface” and exposes the organization to “virtualization software vulnerabilities”.
• THREATS – rising costs associated with proving cloud computing compliance, and a rise in incidents associated with fraudulent activities and external attacks masked by the cloud. Attacks on virtualization are on the rise.
• ACTIONS – develop strategies for virtualization and cloud computing security and compliance, covering identity and access mechanisms, disaster recovery, information classification, and contingency plans for retrenchment from the cloud if necessary.
15. Strategic GRC & iSAT for Management Security intelligence
3. Pervasive Computing/Ubiquitous Computing (Eroding Network Boundaries)
• SITUATION – mobile and remote working, outsourcing and cloud computing have combined to all but remove organizations’ network boundary with the outside world.
• THREATS – point security solutions are unable to prevent widespread loading of software from untrusted sources; unauthorized system, network or information access; or compliance failures in areas such as security and privacy.
• ACTIONS – consider architectural options for “working without a network boundary”, and investigate concepts of trusted zones and niche application of products such as digital rights management (DRM) and data loss prevention (DLP).
16. Strategic GRC & iSAT for Management Security intelligence
4. The Rise of Mobile Computing (The Smartphone is the New PC)
• SITUATION – the predominance of smartphones, both corporate and private, has blurred the line between business and personal usage, leading to unproven and untrusted software being used for business/private communications and transactions.
• THREATS – theft or loss of equipment, along with the potential distribution of mobile phone malware (MitMo; Man-in-the-Mobile), leads to an increased risk of business/private information loss and fraud.
• ACTIONS – establish security policies for the use of mobile phones and access management across devices; establish asset management for smartphones and assess the security implications of their use; educate users by launching a security awareness program.
17. Strategic GRC & iSAT for Management Security intelligence
5. The Rise of the Internet Generation (Changing Cultures of the Techno-Generation (Gen-Y))
• SITUATION – for the Internet generation, the boundaries between work and home life are even more indistinct; some even have difficulty distinguishing between real life and fantasy life (the ‘avatar effect’/‘the matrix effect’). Traditional information security awareness approaches are not properly applied.
• THREATS – email, Internet access and social network use bypass corporate controls, increasing the risk of business information disclosure and compliance failure. Internet banking threats: Man-in-the-Browser (MitB) malware, for example the Zeus Trojan and the SilentBanker Trojan.
• ACTIONS – create a profile of users, enhance security awareness for all users, establish baseline policies and deploy technical controls in line with risk; evaluate the use of Internet reputation protection services.
18. Strategic GRC & iSAT for Management Security intelligence
6. Privacy vs. Security (Corporate Fraud is on the Rise; the Need for Lawful Interception)
• SITUATION – the conflict between the right to privacy and the need of government agencies to analyse personal information in crime prevention has reduced public confidence in organizations’ ability to safeguard personal information to an all-time low. Many countries have banned BlackBerry (over lawful intercept issues).
• THREATS – organizations need to maintain compliance across different jurisdictions with different levels of privacy protection, leading to a higher risk of compliance failure and business information disclosure.
• ACTIONS – ensure privacy policies for employees and customers are clear and meet all jurisdictions’ needs; create a forum for discussing changes in the law with legal advisors and industry colleagues.
19. Strategic GRC & iSAT for Management Security intelligence
7. A Lack of Corporate Security Awareness Programs (Lifestyle Hacking; Integrated Hack vs. Integrated GRC)
• SITUATION – targeted attacks and organized crime are on the rise. Next-generation hacking focuses on the user’s lifestyle, and many corporate users are unaware of Internet security threats.
• THREATS – blended threats, Advanced Persistent Threats (APT), Remote Access Trojans, lifestyle hacking, “drive-by downloads”.
• ACTIONS – implement corporate iSAT (Information Security Awareness Program) at least once a year; train and educate all users; study occupational fraud prevention and detection.
20. Strategic GRC & iSAT for Management Security intelligence
8. The Rise of Social Computing (Insecure Use of Social Software/Social Media)
• SITUATION – the rise of social media/social networking over high-speed Internet. Viral marketing (social marketing) techniques use pre-existing social networks to produce increases in brand awareness or to achieve other marketing objectives through self-replicating viral processes, analogous to the spread of biological or computer viruses.
• THREATS – rapid growth in the use of home and mobile equipment has left the security function unable to cope with the need to manage and protect personally owned or remote equipment to a proper standard, leading to potential compliance failure and disclosure of business information.
• ACTIONS – educate users and implement a corporate social network security policy; implement application-level filtering technology to monitor/block all malicious software related to social network software.
21. Strategic GRC & iSAT for Management Security intelligence
9. Insecure Coding and Application Development Practices (Application Security)
• SITUATION – application software today is full of vulnerabilities: system programmers and application developers lack security awareness when designing and developing application software, and web application security knowledge is insufficient.
• THREATS – web application hacking is the common hacking method; criminals are targeting the application layer. Hackers know that you have firewalls and are looking for a new way to ‘hack’ into your systems, since hacking the network is no longer convenient.
• ACTIONS – today we are wiring the world with applications; having skilled professionals capable of designing and deploying secure software is now critical to this evolving world.
22. Strategic GRC & iSAT for Management Security intelligence
10. Threat Convergence (Integrated Hack) (Cyber Espionage/Advanced Persistent Threat (APT))
• SITUATION – while there is continued focus on mitigating information security threats, efforts are still largely siloed. Attackers have adopted strategies based on a combination of threats, some of which are outside the information security remit. The highly competitive global market has given rise to more sophisticated cyber-espionage attacks, both from commercial competitors and from organized criminals.
• THREATS – the converged threat approach can be used to obtain authentication details, gain access to systems or networks, misuse systems to commit fraud, steal proprietary information and introduce malware. This means an increased risk of loss of proprietary information through hacking and other cyber attacks, potentially leading to a loss of reputation and trust.
• ACTIONS – establish a common risk language across the organization; seek pragmatic ways to assess and manage risk holistically; and report on converged threats to the organization.
23. Strategic GRC & iSAT for Management Security intelligence
Live Show in Cyber Defense Initiative Conference 2010 (CDIC 2010)
• Spear Phishing, PDF Embedded EXE Attack
• AutoHack: Penetration Testing Tools Become Hacker Aid
• RFID Tag Counterfeiting: Case Study e-Passport (Contactless e-Passport and VISA Wave Hacking)
24. Strategic GRC & iSAT for Management Security intelligence
Live Show in Cyber Defense Initiative Conference 2010 (CDIC 2010)
• Credit Card and Magnetic Card Hacking
• GPUs and FPGAs in PC-Based Heterogeneous Systems (DIY Supercomputer: GPGPU/FPGA Cracking)
• Wireless Rogue AP & WPA Hacking on Cloud Computing (Rogue AP; EAP key cracking; WPA cracking using cloud computing)
• The Return of BOT with CAPTCHA Attack
25. Strategic GRC & iSAT for Management Security intelligence
Live Show in Cyber Defense Initiative Conference 2010 (CDIC 2010)
• Advanced, New and Unseen Social Networking Attacks
• Advanced Persistent Threats (APT), Spy Eye, Zeus, GhostNet, Kneber Botnet and SilentBanker Trojan
• Advanced Hacking on Smart Phone (iPad, iPhone, Android, BlackBerry, Smart Phone)
26. Strategic GRC & iSAT for Management Security intelligence
Why We Need Hacking Techniques for IT Auditing
27. Strategic GRC & iSAT for Management Security intelligence
The Need for ITG: 7 IT Challenges
1. Keeping IT Running
2. Value
3. Costs
4. Mastering Complexity
5. Aligning IT With Business
6. Regulatory Compliance
7. Security
(Diagram labels: The Essentials of IT and Information Security Standards, Best Practices and Frameworks; Organization; IT Resources and Expenses)
28. Strategic GRC & iSAT for Management Security intelligence
“GRC” not only “ITG” and “ISG” => “CG”
(Diagram: Governance, Risk Management, Compliance)
29. Strategic GRC & iSAT for Management Security intelligence
An Integrated Approach To Governance, Risk & Compliance
Stakeholder Expectations
Governance – setting objectives, tone, policies, risk appetite and accountabilities; monitoring performance.
(Key linkage: Objectives & Risk Appetite)
Enterprise Risk Management – identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.
(Key linkage: Risk Response & Control Activities)
Compliance – operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.
Foundation: Laws, Policies, Procedures, Processes/Systems, People, Tools & Technologies
Source: A New Strategy for Success Through Integrated Governance, Risk and Compliance Management, PwC white paper
30. Strategic GRC & iSAT for Management Security intelligence
Integrated GRC Framework
Source: wikipedia.org/wiki/Governance,_Risk_Management,_and_Compliance
31. Strategic GRC & iSAT for Management Security intelligence
(Diagram: TOP, MIDDLE, BOTTOM)
32. Strategic GRC & iSAT for Management Security intelligence
Enterprise Governance: Corporate Governance (CG) Drives IT Governance (ITG) and Information Security Governance (ISG)
• Enterprise governance is about:
  Performance – improving profitability, efficiency, effectiveness, growth, and so on
  Conformance – adhering to legislation, internal policies, audit requirements, and so on
• Enterprise governance and IT governance require a balance between the conformance and performance goals, as directed by the board.
33. Strategic GRC & iSAT for Management Security intelligence
Integrated Frameworks on Business / IT Alignment
CONFORMANCE drivers: Basel II, Sarbanes-Oxley Act, contracts etc.
PERFORMANCE drivers: Business Goals
Enterprise Governance: Scorecard and COSO
IT Governance: COBIT
Best Practice Standards: ISO 9001:2000 (QA procedures), ISO/IEC 17799 (Security principles), ISO/IEC 20000/ITIL (Service Delivery procedures), BS 25999 (BCM procedure), BS 25777 (ICT CM procedure)
Processes and Procedures
Source: modified from IT Governance (COBIT), ITGI
34. Strategic GRC & iSAT for Management Security intelligence
How to Implement Standards and Best Practices in Thailand
Regulatory drivers: SOX, HIPAA, GLBA, PCI DSS, BASEL II; Thai E-Transaction Laws and Computer Crime Laws; Thai OAG / TRIS / BOT / SEC / OIC
Balancing Strategies on Process, People and Technology
COSO => ISO 31000 (The Committee of Sponsoring Organizations of the Treadway Commission) – Financial Reporting & Business Process Oriented requirements
CobiT 4.1 => CobiT 5 (Control Objectives for Information and related Technology) – IT oriented, bridging the gap between business processes and IT controls
ISG => ISO/IEC 27001 (ISMS); ISO/IEC 20000 (ITSMS) & ITIL; BS 25999 (BCMS) => new SC27 ISO 22301
35. Strategic GRC & iSAT for Management Security intelligence
GRC and Related IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT (IT Governance) acting as the consolidator (‘umbrella’).
(Diagram: COBIT as the umbrella over COSO, ISO 17799, ISO 27001, CMM, BCM, ISO 9000, ITIL and ISO 20000, arranged along a horizontal axis from WHAT to HOW; vertical axis: SCOPE OF COVERAGE)
Source: ITGI
36. Strategic GRC & iSAT for Management Security intelligence
Integrated GRC Related Standards & Best Practices
37. Strategic GRC & iSAT for Management Security intelligence
COBIT, COSO, ITIL & Compliance
Process and Control Framework
(Diagram: Enterprise Business Processes split into Financial Processes and IT Processes, each with applications and controls; Company-Level Controls and Application Controls map to COSO, Application Controls and IT General Controls map to COBIT™, and IT Processes follow ITIL®/CMMi®)
Control Frameworks: COSO — Control and risk mgmt for corporate governance; COBIT™ — IT Control Objectives
IT Process Frameworks: ITIL®/CMMi® — IT Best Practices
COBIT™ Trademark of ISACA; ITIL® Trademark of OGC; CMMi® Trademark of SEI
38. Strategic GRC & iSAT for Management Security intelligence
COBIT, COSO, ITIL & Compliance
How does it all fit together?
• COSO, CobiT – Control Frameworks – what controls you should have
• ITIL, CMMi – Process Frameworks – what processes you should implement
• Tools, IT Service Consulting – how to implement the required controls and processes
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COBIT (Control Objectives for Information and Related Technologies)
CMMi - Capability Maturity Model Integration
39. Strategic GRC & iSAT for Management Security intelligence
Manage IT from a Business Perspective
(Diagram: Applications managed as Business Services; Function 1, Function 2, Function 3)
40. Strategic GRC & iSAT for Management Security intelligence
Use Controls to Go Faster
• Enable new services
• Support growth
• Lower risk
• Reduce cost
(Diagram: IT Controls balancing Cost, Availability and Performance)
41. Strategic GRC & iSAT for Management Security intelligence
How to use COBIT, ISO/IEC 27001, CMM and ITIL
COBIT is based on and accommodates major international standards, and it is increasingly recognized as the de facto framework for IT governance. COBIT is focused on what is required to achieve this governance and control at a high level. It has been aligned with other best practices and can be used as the “integrator” of different guidance materials, such as ISO/IEC 27001 and ITIL.
(Diagram levels: Strategic, Process Control, Process Execution, Work Instruction; frameworks shown: ISO/IEC 27001, COBIT, CMM, ITIL; work instructions 1, 2, 3, 4, 5, 6 … beneath)
42. Strategic GRC & iSAT for Management Security intelligence
Big Picture of International Standards and Best Practices
The relevance of standards and practices depends on the organization and its priorities and expectations. An organization may decide to adopt all, one, or part of one of the standards to improve the performance of a business process or enable business transformation.
(Diagram: vertical axis “Relevant to IT” from Specific through General to Holistic; horizontal axis “Improvement Goal” from Low (Process Improvement) through Moderate to High (Business Transformation); frameworks placed on it: TCO, ISO/IEC 27001, ITIL/ISO/IEC 20000, CMM, COBIT, Six Sigma, ISO/IEC 9000, Malcolm Baldrige Award, Scorecards)
COBIT is positioned centrally at the General level, helping integrate technical and specific practices with broader business practices.
43. Strategic GRC & iSAT for Management Security intelligence
Business Model for Information Security
BMIS is primarily a three-dimensional model. It consists of four elements and six dynamic interconnections (DIs).
44. Strategic GRC & iSAT for Management Security intelligence
Recognizing Enterprise Architecture
The security programme is subject to the overarching direction provided by enterprise governance and its subsidiary areas, namely governance of IT
and—in some cases—detailed security governance provisions. The security programme implements a layer below the overall governance framework.
Source: www.isaca.org, “BMIS”, the business model for information security, 2010
45. Strategic GRC & iSAT for Management Security intelligence
Aligning Common Security Standards
Source: www.isaca.org, “BMIS”, the business model for information security, 2010
46. Strategic GRC & iSAT for Management Security intelligence
Aligning Generic Frameworks
Source: www.isaca.org, “BMIS”, the business model for information security, 2010
47. Strategic GRC & iSAT for Management Security intelligence
Zachman Enterprise Framework
48. Strategic GRC & iSAT for Management Security intelligence
Enterprise Architecture Framework
Based on ‘The Open Group Architecture Forum’ (TOGAF)
(Diagram, from Business Risks (What) at the top to IT Risks (How) at the bottom:)
• Business Vision & Drivers
• Business Architecture: Business Processes, Organizational, People
• Data Architecture (Information) and Application Architecture (Services)
• Technology Architecture (Hardware, Software, Network)
49. Strategic GRC & iSAT for Management Security intelligence
Business drivers for an integrated approach to GRC
(Diagram: the following drivers surround Governance, Risk and Compliance)
• Increased complexity due to globalisation
• Increasing regulations
• Increased competitive pressures
• New technologies
• Ethical and financial scandals
• Integrity-driven performance expectations
• Transparency and accountability demands
• Increased demands from stakeholders
50. Strategic GRC & iSAT for Management Security intelligence
Hottest Cloud in 2011
51. Strategic GRC & iSAT for Management Security intelligence
Apple New Data Center in NC ($1 Billion)
52. Strategic GRC & iSAT for Management Security intelligence
Apple New Data Center in NC ($1 Billion)
53. Strategic GRC & iSAT for Management Security intelligence
iCloud Features
54. Strategic GRC & iSAT for Management Security intelligence
Does iCloud Pose Security Risks To Users?
Does iCloud make iPhones and iPads a security risk?
55. Strategic GRC & iSAT for Management Security intelligence
iCloud Raises Serious Data Security Concerns
• Those intent on hacking into big systems will soon have a big new target. Apple announced its iCloud service that stores massive amounts of content, much like a giant storage system in the sky. iCloud users will be able to wirelessly access their music, photos, email, calendar and all kinds of other content on several devices. It's meant to eliminate the need to sync phones, computers, laptops and tablets. It's all about convenience. But is it safe?
• The forthcoming free Apple service syncs among iCloud-enabled devices, moving data to devices and cloud servers outside your control.
56. Strategic GRC & iSAT for Management Security intelligence
iCloud Raises Serious Data Security Concerns
• A simple phishing scam or socially engineered attack could easily dupe a user into surrendering username and password credentials that would expose the data stored in iCloud.
• In order for iCloud to be a success, Apple has to assure consumers and businesses that the data is protected.
• The convenience of having documents automatically synced to iCloud aside, what happens when the business wants to delete that information?
57. Strategic GRC & iSAT for Management Security intelligence
Concepts for New ITG Framework
Life Cycle Approach
(Diagram labels: 7; “IT Governance”; “Enterprise Governance”; Frameworks, Standards, “Best Practices”; “Adapt”; “Adopt”)
58. Strategic GRC & iSAT for Management Security intelligence
Concepts for New ITG Framework
Implementation Life Cycle: “Implementing and Continually Implementing IT Governance”
4 Components:
• Create the right environment
• Programme Management
• Project Management
• Change Enablement
• Continual Improvement Life Cycle
(Diagram label: 7)
59. Strategic GRC & iSAT for Management Security intelligence
Inside COBIT 5 Design
COBIT 5 ISACA Initiative: “TGF” (“Taking Governance Forward”)
(Diagram labels: 7; Frameworks: Val IT, Risk IT, BMIS, ITAF; “Migrate” from COBIT 4.1; Enterprise Architecture (EA); Decision Making; People Skills; Organization Structure; Change Enablement; Sustainability; “Governance Process”; “Management Process”; “Standard”; “Best Practice”)
60. COBIT 5 Family of Products
(Figure keywords: COBIT 4.1 to COBIT 5.0; Internal Stakeholder, External Stakeholder; COBIT 5 Stakeholder.)
COBIT 5 Family of Products:
• COBIT 5 for Risk
• COBIT 5 for Value
• COBIT 5 for Security
• COBIT 5 for Compliance
61. COBIT 5 Objectives
COBIT 5 will:
• Provide a renewed and authoritative governance and management
framework for enterprise information and related technology, building
on the current widely recognized and accepted COBIT framework,
linking together and reinforcing all other major ISACA frameworks and
guidance such as:
Val IT, Risk IT, BMIS, ITAF, Board Briefing, Taking Governance Forward
• Connect to other major frameworks and standards in the marketplace
(ITIL, ISO standards, etc.)
62. Other Guidance Options
The COBIT 5 product architecture will also contain practitioner
guidance designed to support specific business requirements, the
needs of ISACA constituent groups, specific content topic
development and reference to the COBIT framework and specific
framework as necessary. Such guidance could include:
Getting Started Guides
Mappings
Surveys and Benchmarks
Implementation Guides
63. COBIT 5 – Management of Enterprise IT
(Figure keywords: COBIT 5; Standard / Best Practice (60): ITIL V3, ISO 27000 Series, ISO 20000, ISO 38500:2008, TOGAF V9, ISO 9000:2008; COBIT 5 “Change” (Culture, Behavior); ISACA Implement IT Governance Life Cycle; CSI 6 Steps Model; ITIL V3 7 Steps.)
64. COBIT 5: ITG Focus Areas
“IT Governance” has 5 focus areas:
• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement
65. COBIT 5: ITG Focus Areas
1. Strategic Alignment: “Align”, aligning IT with business
66. COBIT 5: ITG Focus Areas
2. Value Delivery: Value Creation
67. ITG Focus Areas: Value Delivery Focus
“Two Views of Control”
68. COBIT 5: ITG Focus Areas
3. Risk Management: Value Preservation
Where “Value Delivery” is Value Creation, Risk Management is Value Preservation. Keywords: risk assessment (Assess), risk analysis (Analysis), risk treatment (Treatment): Risk Reduction, Risk Retention, Risk Avoidance, Risk Transfer; Risk Acceptance Criteria (ISO 27005:2008).
69. COBIT 5: ITG Focus Areas
3. Risk Management: Value Preservation (cont.)
Keywords: Risk Aware; “Risk Appetite” and “Risk Acceptance Level”; IT Governance within Governance, Risk Management and Compliance (GRC); “IT Risk” and “Business Risk”.
70. COBIT 5: ITG Focus Areas
4. Performance Management
Keywords: “IT KPI”, “IT Metric”, “IT Performance Management”; “Metric” (Stakeholder); Performance Scorecard, Dashboard, Benchmarking; Performance Measurement. “If you cannot measure it, you cannot manage it.”
71. COBIT 5: ITG Focus Areas
4. Performance Management (cont.)
Keywords: “Measurement” and “Manage”: “If you cannot measure it, you cannot manage it”; Certification Body (CB); ISO/IEC 27001 ISMS (Effectiveness).
72. COBIT 5: ITG Focus Areas
5. Resource Management: 4 resources
1. People
2. Infrastructure
3. Application
4. Information
Keywords: “Human Resource Management”, “Knowledge Worker”.
73. COBIT 5: ITG Focus Areas
The COBIT Framework and the COBIT IT Governance Implementation Guide are a “Method”, not a “Solution”: “It’s a method, not the solution!” (Luc Kordel). A framework is to be “Adopted” and “Adapted” to the corporate culture, style and people skills.
74. ISO/IEC 38500:2008, Corporate Governance of Information Technology (ITG Framework)
ITG Principles:
Principle 1: Responsibility
Principle 2: Strategy
Principle 3: Acquisition
Principle 4: Performance
Principle 5: Conformance
Principle 6: Human Behavior
ITG Model:
a) Evaluate
b) Direct
c) Monitor
75. Aligning CobiT, ITIL and ISO 27002 for Business Benefit
Source: ITGI
76. International Register of Certificated Auditors
ACIS and TUV NORD: 3 IRCA Certified Training Courses
77. Information Security Governance
Source: ITGI
78. Information Security Governance Conceptual Framework
Source: ITGI
79. IT Risk vs. Risk IT: Its Impacts to Business
80. “IT Risk” Book from Harvard Business School
81. Categories of IT risk
82. IT Risk vs. IT Opportunity
Techniques and Uses for Risk IT and its Supporting Materials for Risk and Opportunity Management (Using COBIT, Val IT and Risk IT)
IT Risk ⇒ Business Risk ⇒ Enterprise Risk (Value Inhibitor)
IT Opportunity (Value Enabler)
83. The Core Disciplines of Risk Management
84. The Three Core Disciplines of Effective Risk Management
1. A well-structured, well-managed foundation of IT assets,
people, and supporting processes
2. A well-designed risk governance process to identify,
prioritize, and track risks
3. A risk-aware culture in which people understand causes
and solutions for IT risks and are comfortable discussing
risk
85. ISACA Risk IT Framework
Risk IT Based on COBIT Objectives and Principles
86. Risk IT Framework Principles
Defined around these building blocks is a process model for IT risk that will look familiar to users of COBIT and Val IT. Substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process. The processes are divided into three domains, Risk Governance, Risk Evaluation and Risk Response, each containing three processes:
Risk Governance
o Establish and Maintain a Common Risk View
o Integrate with Enterprise Risk Management
o Make Risk-aware Business Decisions
Risk Evaluation
o Collect Data
o Analyze Risk
o Maintain Risk Profile
Risk Response
o Articulate Risk
o Manage Risk
o React to Events
87. Risk IT Process Model
88. Elements of Risk Culture
89. (Figure only.)
90. Embedding Standards & Best Practices in the organization’s culture
91. Awareness Training
Information Security Awareness Program Development
- Awareness (What)
- Training (How)
- Education (Why)
92. Competency, Knowledge, and Skills
93. The Seven Habits of Highly Effective People
1. Be Proactive
2. Begin with the End in Mind
3. Put First Things First
4. Think Win-Win
5. Seek First to Understand, Then to be Understood
6. Synergize
7. Sharpen the Saw
From “The Seven Habits of Highly Effective People: Restoring the Character Ethic” by Stephen R. Covey, Simon and Schuster, 1989
94. Time Management
(Figure: four quadrants, 1 to 4. Put the Big Rocks in First.)
95. Six Thinking Hats, Edward de Bono
96. (Figure: the 6 thinking hats.)
97. ACIS eEnterprise Series I
ISBN 978-974-401-593-8
98. ACIS eEnterprise Series II
Strategic Roadmap with International Standards and Best Practices to integrated GRC
ISBN xxx-xxx-xxx-xxx-x
99. “360 Degree IT Management Book”
Part 1 : Introduction to “GRC”, “IT GRC” and “Integrated GRC”
Implementation
Part 2 : IT Governance implementation using CobiT and New CobiT
Framework
Part 3 : Balancing in Improving Efficiency and Quality of IT Service
Management with ISO/IEC 20000 and ITIL V3
Part 4 : Information Security Management Implementation with
ISO/IEC 27001
Part 5 : Effective and Efficient Business Continuity Management on
Crisis Management
100. What’s the future trend in Thailand?
Audit => Forensic => Fraud
Security => Privacy
BIA (part of BCM) => PIA
BIA = Business Impact Analysis
PIA = Privacy Impact Assessment
101. “Social Networking Security”
102. “Social Networking Security”
1. Social Media / Social Networking
2. Facebook Twitter
3.
4. Facebook
5.
6.
104. www.cdicconference.com
29-30 November 2011 @BITEC
105. Future Trend 2012 (Conference Highlights)
• The Latest Update Top Ten Cyber Security Threats and Emerging
Trends in Year 2012 and Beyond
• The Latest Update International Business-IT and Security-related
Standards and Best Practices Trends, including New ISO/IEC 27001
and COBIT 5
• Practical Cloud Computing Implementation and its security concerns
• Encountering and Balancing on Security vs. Privacy Issues, and
Privacy Impact Assessment (PIA)
• What else, when an enterprise needs a framework for “IT GRC”,
“Security GRC” and “Integrated GRC”?
106. Future Trend 2012 (Conference Highlights)
• Integrating Enterprise Governance with IT Governance (ITG) and
Information Security Governance (ISG); Integrated Audit and Risk
Assessment for High Performance Organization and Operational
Excellence
• How to drive a Strategic GRC implementation into Business
Alignment: Conformance vs. Performance, Create Value vs. Preserve
Value, and Corporate Social Responsibility (CSR) vs. Creating Shared
Value (CSV)
• The New Business Impact Analysis (BIA) and Risk Analysis (RA) from
ISO 22301 (BCMS) for Critical Infrastructure
• Layer 8 Exploitation: Lock'n Load Target
• IPv4 to IPv6 State Transition Vulnerabilities & Exploits
107. Future Trend 2012 (Conference Highlights)
• Strategic Roadmap and Move on Enterprise Cloud Infrastructure
• The New Patterns of Advanced Persistent Threats (APT) and
Targeted Attacks from Anonymous and LulzSec Groups
• Advanced Smart Phone Forensics
• Mobile Malware Transformation
• GSM Deception Episode II
• In-depth Live Show Demonstration on New Advanced Cybercrime
and Ethical Hacking Techniques, Gadgets and Tools
• Real Case Studies from Professionals and the International Security
Experts
108.
www.snsconference.com
SNSCON and MOBISCON 2011
28-29 June 2011
www.cdicconference.com
Cyber Defense Initiative Conference 2011
29-30 November 2011
109.
www.TISA.or.th
Thailand Information Security Association
www.acisonline.net
ACIS Professional Center Co., Ltd.
prinya@acisonline.net
110. RSA Conference 2011, (ISC)2 member reception
111. Risk Culture/Culture of Security
When we look at the future of Internet Security with billions
of devices online, the first thing we do is that we have to
create the culture of security.
CDIC 2008, Keynote Speech, Howard Schmidt
CEO of The Information Security Forum
Cyber-Security Coordinator of the Obama Administration
112. “Risk Culture/Culture of Security”
113. My Facebook and Twitter
http://www.facebook.com/prinyah
http://www.twitter.com/prinyaACIS
CDIC Conference 2011
http://www.cdicconference.com
ACIS Professional Center Co., Ltd.
http://www.acisonline.net
Thailand Information Security Association
http://www.tisa.or.th
13-Oct-11