2. Agenda
• Introduction
• Cybersecurity’s domains & their challenges
• Timeline of data breach incidents
• GDPR & its readiness assessment
• Seven Steps of Heaven!
• CS resilience maturity framework
9. Hola!
I am Rishi Kant.
I am a security professional with 11+ years of corporate experience in the fields of cyber security, information security, digital forensics, GRC, IT administration, secure software development, training, and company operations. I have worked in various industry verticals such as utilities, IT/ITES, e-commerce, government, BFSI and law-enforcement agencies.
https://www.linkedin.com/in/hrishikant
4. Cybersecurity’s domains & their challenges
• Lack of support from senior management
• Misalignment of tactical/operational/strategic plans with business requirements
• Imperfectly designed/implemented or outdated policies/procedures/processes
• Decentralized risk management plan
• Infrequent audit cycles
• Skills & communication gaps
• Improper or misconfigured deployments
• Improper IS controls for the different data owners/custodians/administrators/users
• Imperfect data classification labelling and risk alignment
5. Timeline of data breach incidents
Organization | Records | Date
Aadhaar | 1.1 B | 3 Jan
Exactis | 340M | 26 Jun
Under Armour | 150M | 25 May
MyHeritage | 93M | 4 Jun
Facebook | 87M | 17 Mar
Panera | 37M | 2 Apr
TicketFly | 27M | 7 Jun
Sacramento Bee | 19.5M | 7 Jun
PumpUp | 6M | 31 May
Saks, Lord & Taylor | 5M | 3 Apr
7. “We have all the fancy tools/stuff, but we still get hit by data breaches because of a lack of proper evaluation of the fancy stuff, a lack of change/updating of the frequency of the cyber security ecosystem, and a lack of frequency of audit trails.”
-Rishi Kant
8. GDPR & its readiness assessment
Some general questions for better CS resilience
• Personal data?
• What are “logical” personal data registers?
• Who should own the data?
• What policies are needed?
• What are the responsibilities?
• Is training needed?
• What contracts should be amended?
• What is your policy on data retention?
• What logging and audit trail are needed?
• How do you meet the right of access/right to be forgotten/data portability?
• What are your detection and forensic capabilities?
• User management?
* Applicable to all organizations that process personal data of EU nationals, including organizations outside the EU (e.g. in the US or India); we need to follow the Data Privacy Shield.
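As an added example (not part of the deck and not the author's own process), here is a toy personal-data register in Python that turns several of the questions above into something checkable: one "logical" register entry per purpose with a named data owner and a retention period, a retention purge, a right-of-access and portability export, erasure, and an audit trail of every action. Its design, the field names, the assessment date `T0` and the sample records are assumptions constructed for illustration.

```python
"""Added example, not from the slide deck: a toy personal-data register that
operationalises several of the readiness questions on this slide (a logical
personal data register with owners, data retention, right of access and
portability, right to be forgotten, and an audit trail). Its design, field
names and sample records are assumptions constructed for illustration."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str            # why the data is held; one register entry per purpose
    owner: str              # accountable data owner for this purpose
    data: dict              # the personal data itself
    collected_at: datetime
    retention_days: int     # retention policy attached to this purpose

    def expired(self, now: datetime) -> bool:
        return now >= self.collected_at + timedelta(days=self.retention_days)


class DataRegister:
    """In-memory register: records grouped by data subject, plus an append-only
    audit trail of every collection, access, erasure and retention purge."""

    def __init__(self) -> None:
        self._records: dict = {}
        self.audit: list = []

    def _log(self, action: str, subject_id: str, actor: str, now: datetime) -> None:
        self.audit.append({"at": now.isoformat(), "actor": actor,
                           "action": action, "subject": subject_id})

    def holds(self, subject_id: str) -> int:
        return len(self._records.get(subject_id, []))

    def add(self, rec: PersonalRecord, actor: str, now: datetime) -> None:
        self._records.setdefault(rec.subject_id, []).append(rec)
        self._log("collect:" + rec.purpose, rec.subject_id, actor, now)

    def access_request(self, subject_id: str, actor: str, now: datetime) -> list:
        """Right of access: everything held on a subject, with purpose and owner."""
        self._log("access", subject_id, actor, now)
        return [{"purpose": r.purpose, "owner": r.owner, "data": r.data,
                 "collected_at": r.collected_at.isoformat(),
                 "retention_days": r.retention_days}
                for r in self._records.get(subject_id, [])]

    def portability_export(self, subject_id: str, actor: str, now: datetime) -> str:
        """Data portability: the same content in a machine-readable (JSON) form."""
        return json.dumps(self.access_request(subject_id, actor, now), sort_keys=True)

    def erase(self, subject_id: str, actor: str, now: datetime) -> int:
        """Right to be forgotten: drop every record; only the audit entry remains."""
        removed = len(self._records.pop(subject_id, []))
        self._log("erase", subject_id, actor, now)
        return removed

    def enforce_retention(self, now: datetime, actor: str = "retention-job") -> int:
        """Purge records whose retention period has passed; returns the count."""
        purged = 0
        for sid in list(self._records):
            expired = [r for r in self._records[sid] if r.expired(now)]
            if not expired:
                continue
            purged += len(expired)
            self._log(f"retention-purge:{len(expired)}", sid, actor, now)
            kept = [r for r in self._records[sid] if not r.expired(now)]
            if kept:
                self._records[sid] = kept
            else:
                del self._records[sid]
        return purged


# Constructed sample data (not real people); T0 is the assumed assessment date.
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)


def build_sample_register() -> DataRegister:
    reg = DataRegister()
    reg.add(PersonalRecord("u-100", "order-fulfilment", "operations",
                           {"name": "A. Sample", "address": "1 Example St"},
                           T0 - timedelta(days=400), retention_days=365), "shop-app", T0)
    reg.add(PersonalRecord("u-100", "newsletter", "marketing",
                           {"email": "a.sample@example.com"},
                           T0 - timedelta(days=10), retention_days=730), "web-form", T0)
    reg.add(PersonalRecord("u-200", "newsletter", "marketing",
                           {"email": "b.sample@example.com"},
                           T0 - timedelta(days=5), retention_days=730), "web-form", T0)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("purged by retention:", reg.enforce_retention(T0))   # the 400-day-old order record
    print("portability export u-100:", reg.portability_export("u-100", "dpo", T0))
    print("erased u-200 records:", reg.erase("u-200", "dpo", T0))
    for entry in reg.audit:
        print(entry)
```

The point of the retention field living on each register entry is that "what is your policy on data retention?" becomes enforceable per purpose rather than per system, and the audit list answers "what logging and audit trail are needed?" for the access, erasure and purge actions a supervisory authority would ask about.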
9. Seven Steps to Heaven!
Cyber Security Resilience
• System Hygiene: establish a proactive & systematic process for assessing system hygiene.
• Develop a Plan: create a multi/cross-domain based hypothetical attack plan.
• Mapping Risk Profile: audit all aspects to develop a tailored approach to protecting company assets.
• Assess & Measure: follow a combination of qualitative or quantitative risk assessment approaches to calculate a better loss estimation.
• Mitigate Risk: follow the best risk treatment to protect the company assets at greatest risk.
• Cyber Insurance: the best approach is to have this, as it will act as a compensatory control for risk transfer.
• Get Started: continual improvement is needed, and the frequency of assessment should be high.
GDPR Assurance
• Step 1: know your regulation & make GDPR a priority; ensure procedures are up to date & communicated clearly.
• Step 2: separate the data from the terms and conditions and put a process in place where customers can manage their consent.
• Step 3: collect only the necessary data and try to keep a separate data retention policy for that data.
• Step 4: individuals’ data rights are enhanced by GDPR; they have the right to request information free of charge.
• Step 5: requested information has to be provided within 30 days, otherwise they could be sued & fined.
• Step 6: assign a data protection officer; they must be independent from any conflict of interest.
• Step 7: any data breach should be reported within 72 hours.
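As an added example (not part of the deck and not the author's own method), the quantitative side of the Assess & Measure, Mitigate Risk and Cyber Insurance steps can be worked through in Python. The deck names qualitative/quantitative assessment, loss estimation and risk transfer but gives no formulas, so the annualised loss expectancy model (single loss expectancy times annualised rate of occurrence), the 5x5 qualitative banding, the decision rule (pick the treatment with the lowest expected annual cost) and every figure below are assumptions constructed for illustration.

```python
"""Added example, not from the slide deck: quantitative loss estimation and
risk-treatment comparison for the Assess & Measure / Mitigate Risk / Cyber
Insurance steps. The ALE model, the qualitative bands, the decision rule and
every figure below are assumptions constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # business value of the asset (currency units)
    exposure_factor: float  # fraction of the asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year if the risk is accepted."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigating control (risk reduction): its annual cost and how much it cuts the ARO."""
    name: str
    annual_cost: float
    aro_multiplier: float   # residual ARO = ARO * multiplier (0.25 = 75% fewer incidents)


@dataclass(frozen=True)
class Insurance:
    """A cyber-insurance policy (risk transfer): premium and share of each loss covered."""
    name: str
    annual_premium: float
    coverage_ratio: float   # fraction of each loss paid by the insurer, 0..1


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative 5x5 matrix: likelihood x impact (each 1..5) banded into
    Low/Medium/High/Critical. The band thresholds are an assumption."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    score = likelihood * impact
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def cost_if_mitigated(risk: Risk, control: Control) -> float:
    """Residual ALE after the control plus the control's own annual cost."""
    return risk.sle * risk.aro * control.aro_multiplier + control.annual_cost


def cost_if_transferred(risk: Risk, policy: Insurance) -> float:
    """Loss retained after the insurer's share plus the annual premium."""
    return risk.ale * (1.0 - policy.coverage_ratio) + policy.annual_premium


def choose_treatment(risk: Risk, control: Control, policy: Insurance):
    """Compare accept / mitigate / transfer by expected annual cost (assumed
    decision rule: lowest expected annual cost wins). Returns (best, all costs)."""
    costs = {
        "accept": risk.ale,
        "mitigate": cost_if_mitigated(risk, control),
        "transfer": cost_if_transferred(risk, policy),
    }
    return min(costs, key=costs.get), costs


# Constructed sample figures (not real data): a customer-database breach scenario.
DB_BREACH = Risk("customer database breach", asset_value=2_000_000,
                 exposure_factor=0.25, aro=0.4)
HARDENING = Control("patching + EDR + MFA", annual_cost=60_000, aro_multiplier=0.25)
POLICY = Insurance("cyber liability cover", annual_premium=90_000, coverage_ratio=0.8)

if __name__ == "__main__":
    print(f"{DB_BREACH.name}: SLE={DB_BREACH.sle:,.0f} ALE={DB_BREACH.ale:,.0f}")
    print("qualitative rating:", qualitative_rating(likelihood=3, impact=5))
    best, costs = choose_treatment(DB_BREACH, HARDENING, POLICY)
    for option, cost in costs.items():
        print(f"  {option:9s} expected annual cost = {cost:,.0f}")
    print("chosen treatment:", best)
```

With the constructed figures the control wins (residual ALE plus control cost is below both accepting the risk and paying the premium); raise the control's cost or lower the premium and the choice flips to transfer, which is exactly the comparison the Cyber Insurance step frames as a compensatory control for risk transfer. The qualitative band is kept alongside the number because the step calls for a combination of both approaches, and a High band on a small ALE is a prompt to re-check the inputs rather than to drop the risk.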
10. CS resilience maturity framework
Maturity | Description | Employment of Security Controls | Security Tailored as Business Mission | Security Event Monitoring & Response | Risk Management Resilience | Resilience to Attacks
Level 5 | Resilient | Designed CSC based on business objective/mission | Mission assurance focused | Real-time event monitoring & response | Business-focused risk management | Operate through unsophisticated attacks
Level 4 | Dynamic | Designed CSC based on business objective/mission | Mission focused | Real-time event monitoring & response | Business-focused risk management | Able to respond to unsophisticated attacks
Level 3 | Managed | CSC integrated & continuously monitored | Partially mission focused | Respond to events & monitoring | Partial risk prevention, detection and treatment | Protection against unsophisticated attacks
Level 2 | Performed | Critical security controls (CSC) implemented | Mission agnostic | Inconsistent response to events | Respond after the breach | Some protection against unsophisticated attacks
Level 1 | Resilience | Inconsistent deployment of IS controls | None | None | Risk treatment not implemented | Susceptible to unsophisticated attacks
Progression from Level 1 upward: implement the CSC baseline first, then become more business focused with better handling of risk.