Case study: financial services
1. Case Study on Cyber Security
Prepared by
G. Subramanian
2. About the company
Financial Services is a startup company, 100% owned by a China-based mobile company.
Lines of business under Financial Services are:
Retail lending
Mutual funds
Wallet payments
As part of business operations, Financial Services will implement information security standards to meet regulatory requirements, based on ISO 27001, PCI DSS, GDPR, etc.
02/09/2019 G. SUBRAMANIAN 2
3. Cybersecurity: a critical part of a company's business strategy
Board-level engagement, business-driven strategy
A risk-based approach is key; threats vary according to industry, but all industries are vulnerable
As technology advances, so do the threats; it is harder than ever to protect business processes and information
Compliance and regulatory requirements are a factor
Safeguarding intellectual property, financial information, and a company's reputation is fundamental to business strategy
Clients expect their data and their assets to be secure, and services to be available
Cyber is not just about technology; it is also about people and processes
A diverse and talented workforce can be the difference between cyber being viewed as a technology solution or as a business differentiator
4. Cyber security goal
Goal of cybersecurity = protect the assets that allow the business to perform
Cyber risk = probability of a threat exploiting a weak point (vulnerability) in an asset
Potential impact: the stakes include reputational harm, shareholder stock price, continuity of operations, overall confidence and liability
Importance of cybersecurity:
Risks caused by poor security knowledge and practice:
Identity theft
Monetary theft
Security: we must protect our computers and data in the same way that we secure the doors to our homes.
Safety: we must behave in ways that protect us against the risks and threats that come with technology.
5. Cyber security in the financial industry
There is a noticeable shift in the banking industry in the way customers deal with their transactions. There is a rapid increase in the usage of digital channels such as internet banking, digital wallets, mobile banking and ATMs. This increases the exposure, and thereby cyber attacks, which may lead to financial and reputational losses. Banks may lose customer confidence, which further increases the impact.
Increase in financial data losses, including card data, personally identifiable information, etc.
Unauthorized access to networks and systems.
7. People, Process and Technology
These three aspects, People, Process and Technology, are the Golden Triangle and must be in alignment for any business to run effectively and successfully.
Process
• Helpdesk / service management
• Incident reporting and management
• Change request process
• Request fulfilment
• Access management
• Identity management
• Service level / third-party services management
• BCP / DR
• IT procurement process, etc.
People
• Employees
• Shareholders / owners of the business
• Government agencies / regulators
• Emergency services (e.g. ambulance, police, firefighters)
• Clients
• Employee families
• Media, suppliers and partners, and
• Anyone else that you consider important for your business
Technology
• Cabling, data/voice networks and equipment
• Telecommunications services, including VoIP services, ISDN, video conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and virtual environments
• Remote access services
• Wireless connectivity
Data
Data is defined as facts, figures or information that is stored, processed or transmitted by a computer; it may be transmitted as electrical signals and recorded on magnetic, optical or other recording media, or on print media. Data is limitless and present everywhere.
An example of data is the information collected for a research paper.
An example of data is an email.
8. IT security strategy
Information security is the set of processes and methodologies designed and implemented to protect printed, electronic or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
Confidentiality: ensures that data or an information system is accessed only by authorized persons. User IDs and passwords, access control lists (ACLs) and policy-based security are some of the methods through which confidentiality is achieved.
Integrity: assures that the data or information system can be trusted; it ensures that data is edited only by authorized persons and remains in its original state at rest and in transit. Cryptographic hashes, message authentication codes (MACs) and digital signatures are the key mechanisms for integrity; encryption on its own hides data but does not by itself detect modification.
Availability: data and information systems are available when required. Hardware maintenance, software patching/upgrading, network optimization, redundancy and backups ensure availability.
Why do we need information security?
Goals
We need information security to reduce the risk of unauthorized information disclosure, modification and destruction.
We need information security to reduce risk to a level that is acceptable to the business (management).
We need information security to improve the way we do business.
We need information security to have a competitive edge.
We need information security to maintain compliance with multiple standards, such as PCI DSS and ISO 27001, and readiness for any client or internal audit.
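The integrity point above in code, as an added example that is not part of the original deck: a constructed wallet ledger record is stored once with a bare SHA-256 checksum beside it and once sealed with an HMAC. An attacker who can rewrite the record simply recomputes the unkeyed hash, so only the keyed tag detects the change. The record, the hypothetical INTEGRITY_KEY and the attacker are all made up for illustration; a real key would be held in a KMS or HSM, never in the record store.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record (not from the case study): one wallet ledger entry.
RECORD = {"account": "W-1001", "amount": 250.00, "currency": "INR"}

# Hypothetical integrity key. In production it lives in a KMS/HSM, never in the
# same store as the records it protects.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always hash to equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# Weak: an unkeyed hash stored beside the data. Anyone who can rewrite the
# record can recompute the hash, so this detects accidents, not attackers.
def store_with_hash(record: dict) -> dict:
    return {"data": record, "sha256": hashlib.sha256(canonical(record)).hexdigest()}


def verify_hash(stored: dict) -> bool:
    return hashlib.sha256(canonical(stored["data"])).hexdigest() == stored["sha256"]


# Hardened: an HMAC under a key the attacker does not hold. Modifying the
# record without the key leaves no way to produce a matching tag.
def store_with_hmac(record: dict, key: bytes) -> dict:
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "hmac": tag}


def verify_hmac(stored: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(stored["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["hmac"])  # constant-time comparison


def attacker_tampers(stored: dict) -> dict:
    """An attacker with write access to the store inflates the amount and
    refreshes any unkeyed checksum sitting next to the data."""
    forged = dict(stored)
    forged["data"] = dict(stored["data"], amount=250000.00)
    if "sha256" in forged:
        forged["sha256"] = hashlib.sha256(canonical(forged["data"])).hexdigest()
    # With an HMAC the attacker cannot recompute the tag without INTEGRITY_KEY,
    # so the stale tag is left in place.
    return forged


def demo() -> dict:
    """Returns whether each scheme accepts the forged record."""
    return {
        "hash_accepts_forgery": verify_hash(attacker_tampers(store_with_hash(RECORD))),
        "hmac_accepts_forgery": verify_hmac(attacker_tampers(store_with_hmac(RECORD, INTEGRITY_KEY)), INTEGRITY_KEY),
        "hmac_accepts_genuine": verify_hmac(store_with_hmac(RECORD, INTEGRITY_KEY), INTEGRITY_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The same caveat applies to encryption: an attacker who flips bits in a CBC or CTR ciphertext does not need the key to change the decrypted plaintext, which is why authenticated encryption (AES-GCM, ChaCha20-Poly1305) or an encrypt-then-MAC construction is the integrity control, not encryption on its own.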
9. Challenges
Getting back to basics (patching, endpoint hygiene): this is the biggest issue every year, and malware has shown just how easy it is to compromise unpatched systems.
Malware with worm capabilities: WannaCry shocked the world by its rapid spread, and this would not have been possible without its worm component.
Monitoring configuration and security: misconfigurations leading to data leaks keep being discovered, but for every one of these found, there are likely many more that are not published. With a rapid rate of technological change, huge variation of skills and fast-paced adoption, it is clear that monitoring assets and infrastructure will continue to be a challenge.
Users: a large source of the incidents we face today, whether from an insider threat (a malicious employee inside the organization) or from accidental user actions.
Budgets: as always, it can be difficult for security professionals to obtain the budget needed for a proper cyber security program. Unfortunately, much of the budget is only obtained after a large-scale data breach or an incident that negatively affects the company.
10. The COBIT 5 Framework
Simply stated, COBIT 5 helps enterprises create
optimal value from IT by maintaining a balance
between realising benefits and optimising risk levels
and resource use.
COBIT 5 enables information and related technology
to be governed and managed in a holistic manner for
the entire enterprise, taking in the full end-to-end
business and functional areas of responsibility,
considering the IT-related interests of internal and
external stakeholders.
The COBIT 5 principles and enablers are generic and
useful for enterprises of all sizes, whether commercial,
not-for-profit or in the public sector.
11. Information security governance
Security is focused around three areas: confidentiality, integrity and availability.
You can think of these as providing continuity of services as well as protection of information assets.
Security is no longer bound to the boundaries of the organization because of the large growth of technologies such as cloud computing.
When we apply the goals of CIA, it is usually towards the protection of information.
The task of providing the necessary protection for information resources must now be raised to a board-level activity, alongside the other governance functions.
The benefits of good IS security governance are:
Reduction of civil or legal liability as a consequence of providing inaccurate information or losing private information
Assurance of policy and standards compliance
Reduced concern about business operations by lowering risks to acceptable levels
A structure and framework to optimize limited security resources
More confidence that critical decisions are not made on the basis of altered information
Accountability for business activities such as partnerships, mergers and other acquisitions
13. Enablers of COBIT 5
Principles, policies and frameworks (the vehicle to translate desired behaviour into practical guidance for day-to-day administration)
Processes (an organized set of practices and activities to achieve enterprise goals)
Organizational structures (the key decision-making entities in an enterprise)
Culture, ethics and behaviour
Information (both as input for decisions and as an end product)
Services, infrastructure and applications (technology and applications for processing)
People, skills and competencies (for correct decision making)
15. Roles and responsibilities
Board members should take an active role in IT strategy or similar committees.
CEOs should provide organisational structures to support the implementation of IT strategy.
CIOs must be business-oriented and provide a bridge between IT and the business.
All executives should become involved in IT steering or similar committees.
16. Roles and responsibilities: board of directors
The table lists, for each role, its responsibilities in five areas: strategic alignment, value delivery, IT resource management, risk management and performance management.
Board of Directors
Strategic alignment:
• Ensure management has put in place an effective strategic planning process
• Ratify the aligned business and IT strategy
• Ensure the IT organisational structure complements the business model and direction
Value delivery:
• Ascertain that management has put processes and practices in place that ensure IT delivers provable value to the business
• Ensure IT investments represent a balance of risk and benefit and that budgets are acceptable
IT resource management:
• Monitor how management determines what IT resources are needed to achieve strategic goals
• Ensure a proper balance of IT investments for sustaining and growing the enterprise
Risk management:
• Be aware of IT risk exposures and their containment
• Evaluate the effectiveness of management's monitoring of IT risks
Performance management:
• Assess senior management's performance on IT strategies in operation
• Work with the executive to define and monitor high-level IT performance
IT Strategy Committee
Strategic alignment:
• Provide strategic direction and the alignment of IT and the business
• Issue high-level policy guidance (e.g., risk, funding, sourcing, partnering)
• Verify strategy compliance (e.g., achievement of strategic goals and objectives)
Value delivery:
• Confirm that the IT/business architecture is designed to drive maximum business value from IT
• Oversee the delivery of value by IT to the enterprise
• Take into account return and competitive aspects of IT investments
IT resource management:
• Provide high-level direction for sourcing and use of IT resources, e.g., strategic alliances
• Oversee the aggregate funding of IT at the enterprise level
• Ascertain that management has resources in place to ensure proper management of IT risks
Risk management:
• Take into account risk aspects of IT investments
• Confirm that critical risks have been managed
Performance management:
• Verify strategy compliance, i.e., achievement of strategic IT objectives
• Review the measurement of IT performance and the contribution of IT to the business (i.e., delivering the promised business value)
17. Roles and responsibilities: executive management (CEO)
Areas: strategic alignment, value delivery, IT resource management, risk management, performance management.
CEO
Strategic alignment:
• Align and integrate IT strategy with business goals
• Align IT operations with business operations
• Cascade strategy and goals down into the organisation
• Mediate between the imperatives of the business and of the technology
Value delivery:
• Direct the optimisation of IT costs
• Establish co-responsibility between the business and IT for IT investments
• Ensure the IT budget and investment plan is realistic and integrated into the overall financial plan
• Ensure that financial reporting has accurate accounting of IT
IT resource management:
• Ensure the organisation is in the best position to capitalise on its information and knowledge
• Establish business priorities and allocate resources to enable effective IT performance
• Set up organisational structures and responsibilities that facilitate IT strategy implementation
• Define and support the CIO's role, ensuring the CIO is a key business player and part of executive decision-making
Risk management:
• Adopt a risk, control and governance framework
• Embed responsibilities for risk management in the organisation
• Monitor IT risk and accept residual IT risks
Performance management:
• Obtain assurance of the performance, control and risks of IT, and independent comfort about major IT decisions
• Work with the CIO on developing an IT balanced scorecard, ensuring it is properly linked to business goals
18. Roles and responsibilities: executive management (business executives and CIO)
Areas: strategic alignment, value delivery, IT resource management, risk management, performance management.
Business Executives
Strategic alignment:
• Understand the enterprise's IT organisation, infrastructure and capabilities
• Drive the definition of business requirements and own them
Value delivery:
• Act as sponsor for major IT projects
• Approve and control service levels
• Act as customer for available IT services
• Identify and acquire new IT services
• Assess and publish operational benefits of owned IT investments
IT resource management:
• Allocate business resources required to ensure effective IT governance over projects and operations
Risk management:
• Provide business impact assessments to the enterprise risk management process
Performance management:
• Sign off on the IT balanced scorecard
• Monitor service levels
• Provide priorities for addressing IT performance problems and corrective actions
CIO
Strategic alignment:
• Drive IT strategy development and execute against it, ensuring measurable value is delivered on time and on budget, currently and in the future
• Implement IT standards and policies
• Educate executives on dependence on IT, IT-related costs, technology issues and insights, and IT capabilities
Value delivery:
• Clarify and demonstrate the value of IT
• Proactively seek ways to increase IT value contribution
• Link IT budgets to strategic aims and objectives
• Manage business and executive expectations relative to IT
• Establish strong IT project management disciplines
IT resource management:
• Provide IT infrastructures that facilitate creation and sharing of business information at optimal cost
• Ensure the availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
• Ensure that roles critical for driving maximum value from IT are appropriately defined and staffed
• Standardise architectures and technology
Risk management:
• Assess risks, mitigate efficiently and make risks transparent to the stakeholders
• Implement an IT control framework
• Ensure that roles critical for managing IT risks are appropriately defined and staffed
Performance management:
• Ensure the day-to-day management and verification of IT processes and controls
• Implement an IT balanced scorecard with few but precise performance measures directly and demonstrably linked to the strategy
19. Roles and responsibilities: committees supporting the executives
Areas: strategic alignment, value delivery, IT resource management, risk management, performance management.
IT Steering Committee
Strategic alignment:
• Define project priorities
• Assess strategic fit of proposals
• Perform portfolio reviews for continuing strategic relevance
Value delivery:
• Review, approve and fund initiatives, assessing how they improve business processes
• Ensure identification of all costs and fulfilment of cost/benefit analysis
• Perform portfolio reviews for cost optimisation
IT resource management:
• Balance investments between supporting and growing the enterprise
Risk management:
• Ensure all projects have a project risk management component
• Act as sponsor of the control, risk and governance framework
• Make key IT governance decisions
Performance management:
• Define project success measures
• Follow progress on major IT projects
• Monitor and direct key IT governance processes
20. Roles and responsibilities
Chief Information Security Officer (CISO): coordinates all the activities related to securing the information in a company. This includes compliance, documentation, risk management, human resources, relationships with top managers, asset management, communication and business continuity.
Information Security Management Representative (ISMR): has overall responsibility for the implementation, maintenance and improvement of the information security management system (ISMS). Reports directly to the CISO.
Information Security Officer (ISO): responsible for implementing the technical aspects of the security policy designed to protect information and its supporting systems.
Steering Committee: includes the CISO, ISMR, ISO and CIO. Its main responsibility is to ensure the implementation, maintenance, control, monitoring and measurement of the ISMS. Eventually it presents results and initiatives to the Security Committee.
21. Roadmap to the IT security organisation
CISO
  Sr. Manager IT Security Operations (within a month)
    Asst. Manager IT Security Operations (at the start of product procurement / project implementation)
      IT Engineer L2 (during the implementation phase)
      IT Engineer L1 (post-implementation phase)
  Sr. Manager IT Audit / Compliance (within 3 months)
    Asst. Manager IT Audit / Compliance (within 6 months)
22. Roadmap to the IT security organisation
Gantt chart across Month 1 to Month 6 (bar positions not reproduced in text); roles in order of onboarding:
Sr. Manager IT Security Operations
Asst. Manager IT Security Operations
IT Engineer L2, then IT Engineer L1
Sr. Manager IT Audit / Compliance
Asst. Manager IT Audit / Compliance
23. Roadmap to the IT security organisation
The Security Operations Center (SOC) is the core of information technology and information security.
The SOC roadmap consists of the following factors:
People
Technology
Process
People:
Sr. Manager IT Security Operations
Asst. Manager IT Security Operations
Sr. Manager IT Audit / Compliance
Asst. Manager IT Audit / Compliance
L2: IT Network / Security Engineer
L1: IT Network / Security Engineer
24. Roles and responsibilities
Sr. Manager IT Security Operations
• Overall manager, with responsibilities ranging from managing the team to reporting to senior management
• Preparation and validation of the daily, weekly and monthly reports that showcase the team's contribution to the security of the organization
• Handling multiple projects, understanding the requirements of new technologies and their implementation; knowledge transfer within the team
Asst. Manager IT Security Operations
• Implementation of security solutions (SIEM, DLP, WAF, security changes, etc.)
• BCP (business continuity planning) and DR (disaster recovery) setup, maintenance and proper execution
• Immediate support to the team, and escalation if no proper response is received from the vendor / asset owner, etc.
Sr. Manager IT Audit / Compliance
• Ensure the policies / procedures are implemented; ensure quality assurance that information security procedures are followed
• Conduct internal audits for information security
• Coordinate external audits and ensure closure of the findings
Asst. Manager IT Audit / Compliance
• Ensure the policies / procedures are implemented; ensure quality assurance that information security procedures are followed
• Conduct internal audits for information security
• Provide awareness training to all staff
L2: IT Network / Security Engineer
• Respond to and close the security incidents raised daily by L1 within the defined SLA
• SIEM, DLP, AV and IAM administration; high-priority incidents that need deeper investigation are handed over to the SIRT analyst for immediate response and closure
• Conduct VAPT and risk assessments for infrastructure, network and applications; adhere to the change management process
L1: IT Network / Security Engineer
• The L1 analyst should have ethical hacking knowledge
• Monitors the SIEM console and is fully responsible for identifying and reporting security incidents
• Conduct VAPT and risk assessments for infrastructure, network and applications; adhere to the change management process
25. Roadmap to IT security operations (cont'd)
Process:
The number of SOC processes and procedures is identified based on company policies, procedures and requirements, and on the technologies used. As a minimum baseline, the following processes are given for reference:
SIEM monitoring and notification procedure
Event management process
Security incident ticket management process
Incident handling, reporting and escalation process
Daily activities process, e.g. checklist and shift handover
Daily, weekly and monthly report format for management
Compliance monitoring process
Incident analysis and investigation response process
New technology operating process
26. Roadmap to security operations (cont'd)
Technology:
Core technology such as a SIEM, with its multiple functions of data (raw log/packet) collection, aggregation, normalization, detection and analytics, is the secret of an effective SOC.
Security devices (AV, DLP, WAF, IAM, EPS, etc.) are many in number; watching for intrusions at each individual tool's console is not feasible and would only increase headcount. The SIEM correlates their events in one place.
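The SIEM pipeline described above (collection, normalization, detection) as an added example that is not part of the original deck: two constructed log sources, sshd syslog lines from a bastion host and JSON login events from a hypothetical wallet API, are normalised into one schema and run through a single sliding-window rule. The hostnames, IP addresses and field names are made up; the point is that the failures are spread across two tools, and only the correlated view crosses the threshold.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not real logs): a syslog-style sshd source and a
# JSON source from a hypothetical wallet API, as two SIEM collectors would forward them.
RAW_EVENTS = [
    "2019-09-02T10:00:01Z bastion sshd[2231]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "2019-09-02T10:00:03Z bastion sshd[2231]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    '{"ts":"2019-09-02T10:00:05Z","app":"wallet-api","event":"login","result":"fail","user":"admin","src":"203.0.113.7"}',
    "2019-09-02T10:00:07Z bastion sshd[2231]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    '{"ts":"2019-09-02T10:00:09Z","app":"wallet-api","event":"login","result":"fail","user":"admin","src":"203.0.113.7"}',
    "2019-09-02T10:00:12Z bastion sshd[2231]: Accepted password for admin from 203.0.113.7 port 51125 ssh2",
    "2019-09-02T10:05:00Z bastion sshd[2240]: Failed password for ops from 198.51.100.9 port 40001 ssh2",
    "2019-09-02T10:30:00Z bastion sshd[2250]: Accepted password for ops from 198.51.100.9 port 40002 ssh2",
    "2019-09-02T10:31:00Z bastion kernel: eth0: link up",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Optional[dict]:
    """Normalization: map each raw line onto one schema (ts, source, user, src_ip, outcome)."""
    if line.startswith("{"):
        e = json.loads(line)
        if e.get("event") != "login":
            return None
        return {"ts": _ts(e["ts"]), "source": e["app"], "user": e["user"],
                "src_ip": e["src"], "outcome": "success" if e["result"] == "ok" else "failure"}
    m = SSHD_RE.match(line)
    if not m:
        return None  # not an auth event; a real SIEM still indexes it, just not for this rule
    return {"ts": _ts(m["ts"]), "source": "sshd@" + m["host"], "user": m["user"],
            "src_ip": m["src"], "outcome": "success" if m["result"] == "Accepted" else "failure"}


def detect_bruteforce_then_success(events, threshold=3, window_s=60):
    """Detection: alert when one source IP accumulates `threshold` failed logins
    within `window_s` seconds, counted across every source, and then logs in
    successfully. Each tool alone sees too few failures to alarm; the
    cross-tool correlation is what the SIEM adds."""
    failures = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src_ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the sliding window
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success",
                "severity": "high",
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures_in_window": len(q),
                "success_at": ev["ts"].isoformat(),
                "success_source": ev["source"],
            })
            q.clear()
    return alerts


def run(raw_lines=RAW_EVENTS):
    """Collection -> normalization -> detection over the constructed feed."""
    events = [e for e in (normalize(line) for line in raw_lines) if e]
    return detect_bruteforce_then_success(events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Running it yields one high-severity alert for 203.0.113.7 (five failures in under 60 seconds, split three-to-two between sshd and the API, then a success), and nothing for 198.51.100.9, whose single failure has expired from the window by the time it logs in. The same structure is what the "SIEM monitoring and notification procedure" from the process list wraps in a ticket and an escalation path.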
27. Information Technology Framework - NBFC sector
RBI reference: RBI/DNBS/2016-17/53 dated June 08, 2017 (RBI IT Framework for NBFCs)
IT Governance
IT Policy
Information & Cyber Security
IT Operations
IS Audit
Business Continuity Planning
IT Services Outsourcing
28. Information Technology Framework
SEBI reference: SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 (SEBI cyber security framework)
IT Governance
IT Policy
Information & Cyber Security
IT Operations
Asset Identification
Asset Protection
Physical Security
Data Security
Application Security in Customer Facing Applications
Patch Management
Disposal of Data, Systems and Storage Devices
Vulnerability Assessment and Penetration Testing (VAPT)
Monitoring and Detection
Response and Recovery
Sharing of Information
Training and Education
IS Audit
Business Continuity Planning
29. ISO/IEC 27001:2013 ISMS control point and control objective summary (slides 29 to 31)
Reference / Description: Control objectives
A.5 Information security policies: A.5.1 Management direction for information security
A.6 Organization of information security: A.6.1 Internal organization; A.6.2 Mobile devices and teleworking
A.7 Human resource security: A.7.1 Prior to employment; A.7.2 During employment; A.7.3 Termination and change of employment
A.8 Asset management: A.8.1 Responsibility for assets; A.8.2 Information classification; A.8.3 Media handling
A.9 Access control: A.9.1 Business requirements of access control; A.9.2 User access management; A.9.3 User responsibilities; A.9.4 System and application access control
A.10 Cryptography: A.10.1 Cryptographic controls
A.11 Physical and environmental security: A.11.1 Secure areas; A.11.2 Equipment
A.12 Operations security: A.12.1 Operational procedures and responsibilities; A.12.2 Protection from malware; A.12.3 Backup; A.12.4 Logging and monitoring; A.12.5 Control of operational software; A.12.6 Technical vulnerability management; A.12.7 Information systems audit considerations
A.13 Communications security: A.13.1 Network security management; A.13.2 Information transfer
A.14 System acquisition, development and maintenance: A.14.1 Security requirements of information systems; A.14.2 Security in development and support processes; A.14.3 Test data
A.15 Supplier relationships: A.15.1 Information security in supplier relationships; A.15.2 Supplier service delivery management
A.16 Information security incident management: A.16.1 Management of information security incidents and improvements
A.17 Information security aspects of business continuity management: A.17.1 Information security continuity; A.17.2 Redundancies
A.18 Compliance: A.18.1 Compliance with legal and contractual requirements; A.18.2 Information security reviews
32. Benefits of ISO/IEC 27001:2013
A recognised framework for complying with information security legal, regulatory and contractual requirements
Better organizational image because of the certificate issued by an accredited certification body
Proves that senior management is committed to the security of the organization, including customers' information
Focused on reducing the risks to information that is valuable to the organization
Provides a common goal
Optimized operations within the organization because of clearly defined responsibilities and business processes
Builds a culture of security
33. PCI Data Security Standard: high-level overview (the 12 requirements, PCI DSS v3.x wording)
Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
34. Prioritized approach summary and attestation of compliance
Milestone: goals
1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember: if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.
2. Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for the points of access of most compromises, and the processes for responding.
3. Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when and how of access to your network and cardholder data environment.
5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store primary account numbers (PANs), Milestone Five targets key protection mechanisms for that stored data.
6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete the PCI DSS requirements and to finalize all remaining related policies, procedures and processes needed to protect the cardholder data environment.
02/09/2019 G. SUBRAMANIAN 34
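Milestones 1 and 5 above as an added example, not taken from the PCI SSC document or from the deck: before an application event is persisted, sensitive authentication data fields are dropped and any Luhn-valid PAN, whether in a named field or buried in free text, is masked to first six / last four. The event layout and field names are constructed; 4111 1111 1111 1111 is the well-known Visa test number, and the 13-digit "retry ref" fails the Luhn check and is deliberately left untouched.

```python
import re

# PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields PCI DSS classes as sensitive authentication data (SAD). They must not
# be retained after authorization, so they are dropped outright, not masked.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}
PAN_FIELDS = {"pan", "card_number"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to separate card numbers from other digit runs."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable for storage: at most the first 6 and last 4 digits remain."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid PAN inside free text such as messages or stack traces."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def sanitize_for_storage(event: dict) -> dict:
    """Prepare an event for persistence: drop SAD, mask PAN fields, scrub strings."""
    out = {}
    for key, value in event.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                          # Milestone 1: if you don't need it, don't store it
        if k in PAN_FIELDS and isinstance(value, str):
            out[key] = mask_pan(value)        # Milestone 5: stored PAN rendered unreadable
        elif isinstance(value, str):
            out[key] = scrub_text(value)      # PANs that leak through free-text fields
        else:
            out[key] = value
    return out


# Constructed sample event. 4111 1111 1111 1111 is the well-known test PAN, not a real card;
# the 13-digit retry reference fails Luhn and is deliberately left untouched.
SAMPLE_EVENT = {
    "txn_id": "T-20190902-0001",
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "track2": ";4111111111111111=2512101...?",
    "amount": 1250.00,
    "message": "auth declined for card 4111-1111-1111-1111, retry ref 1234567890123 ignored",
}


def demo() -> dict:
    return sanitize_for_storage(SAMPLE_EVENT)


if __name__ == "__main__":
    print(demo())
```

Masking is the right control for logs, tickets and analytics stores. Where the business has decided it must keep the full PAN (Milestone 5), the stored value has to be rendered unreadable with strong cryptography or tokenization, with the key or token vault kept outside the database that holds the cardholder records. The regex-plus-Luhn pair is a heuristic, so it complements DLP scanning of logs and file shares rather than replacing it.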
35. Policy implementation roadmap
Gantt chart from Aug-19 to Apr-20 (bar positions not reproduced in text); activities in order:
Define information security scope
Inventory information assets
Gap assessment
Documentation: IS policy and procedures
Implementation of security controls
Procurement of software/tools for security controls
Deployment of SIEM, endpoint protection, DLP, IAM, etc.
Risk assessment
Risk treatment
Compliance audit
Tools to be deployed: SIEM, DLP, Identity & Access Management, FIM, 2FA
36. Risk assessment
A risk assessment is nothing more than a careful examination of what could cause harm to the organization, its people and its information assets. By pinpointing precisely the risks you face, you have a sound foundation on which to base appropriate control measures, before incidents occur.
In this practical exercise we shall highlight:
the most significant threats associated with the business
the persons and assets that may be affected
the control measures that are necessary to adequately control the risks associated with those threats
37. Manage the risks
Record in a risk register
Describe the risk
Assess the likelihood, the impact and the resulting risk rating
Agree the recommended risk mitigation / treatment
Establish a contingency position if possible
Assign to an appropriate risk owner (usually a business stakeholder)
Agree a mitigation owner
Obtain a decision (reduce, accept, avoid, transfer)
Monitor mitigation progress until the target risk level is achieved; retain awareness of closed or mitigated risks
Produce monthly status reports
38. Effective risk management
Identify risks and collect data
Assess risk
Articulate risk
Define a risk management action portfolio
Respond to risk
Monitor
41. Data protection strategy
Know your data: create a data inventory. This should include every piece of information stored or processed by your company, electronically and/or in hard copy.
Analyze your data privacy risks: a risk-based approach is your safest bet for making sure every data privacy vulnerability and threat source is identified and assessed.
Create a data privacy policy: a corporate policy is usually defined as a documented set of broad guidelines, formulated after an analysis of all internal and external factors that can affect a company's objectives, operations and plans.
Create data privacy procedures: the data privacy policy should focus on strategic aspects; procedures help with day-to-day tasks, such as the necessary steps for retention of records, secure data disposal and data transfer.
Implement the necessary data privacy controls: for example, moving private/sensitive customer information to a more secure server, or doing an access review to limit who can access private data.
42. Initiate Data Privacy training and awareness:
Employees should at least understand the basic requirements for working with private data; some specialized functions, including IT staff, the Security team, Legal, Auditors, and even the DPO, may require advanced training, especially if they are expected to follow specific procedures.
Monitoring and compliance:
Keeping data protected should not be thought of as a project; it is instead a process which should include continuous monitoring for compliance, new risks and opportunities for improvement.
Monitor and block unauthorised network traffic.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Use disk encryption software to encrypt hard drives and mobile devices.
Data Protection Strategy
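As an added illustration of the "detect any unauthorized use of encryption" control above (example code written for this page, not part of the original deck), the Python below scores the byte entropy of sampled outbound payloads and flags encrypted-looking traffic on ports, or to destinations, where an assumed egress policy does not expect it. The approved port and destination sets and the flow records are constructed assumptions.

```python
import math
from collections import Counter

# Assumed egress policy (constructed for this example, not from the deck):
# ports on which encrypted payloads are expected, and the destinations
# to which encrypted sessions are approved.
APPROVED_ENCRYPTED_PORTS = {443, 22, 993, 465}
APPROVED_ENCRYPTED_DESTINATIONS = {"203.0.113.10"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext approaches the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_egress(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Verdict for one outbound flow: 'ok' or an alert string."""
    if shannon_entropy(payload) < ENTROPY_THRESHOLD:
        return "ok"  # plaintext-looking payload: nothing to flag here
    if dst_port not in APPROVED_ENCRYPTED_PORTS:
        return "ALERT: encrypted payload on unapproved port"
    if dst_ip not in APPROVED_ENCRYPTED_DESTINATIONS:
        return "ALERT: encrypted session to unapproved destination"
    return "ok"

def review_flows(flows):
    """Return [(dst_ip, dst_port, verdict)] for every flow that is not 'ok'."""
    findings = []
    for dst_ip, dst_port, payload in flows:
        verdict = classify_egress(dst_ip, dst_port, payload)
        if verdict != "ok":
            findings.append((dst_ip, dst_port, verdict))
    return findings

# Constructed sample flows: (dst_ip, dst_port, first bytes of the payload).
# bytes(range(256)) stands in for ciphertext (exactly 8.0 bits/byte); the HTTP line is plaintext.
CIPHERTEXT = bytes(range(256))
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, CIPHERTEXT),                                 # approved TLS
    ("203.0.113.20", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("203.0.113.30", 8081, CIPHERTEXT),                                # encrypted on an odd port
    ("198.51.100.5", 443, CIPHERTEXT),                                 # unapproved destination
]

if __name__ == "__main__":
    for dst_ip, dst_port, verdict in review_flows(SAMPLE_FLOWS):
        print(f"{dst_ip}:{dst_port} {verdict}")
```

A short payload sample of a real TLS session starts with a low-entropy handshake, so in production the sample should be taken after the handshake or combined with protocol identification.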
43. The incident response phases are:
Preparation
• Ensure employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach.
• Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance.
Identification
• This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.
• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?
Containment
• When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run, since you’ll be destroying valuable evidence that you need in order to determine the root cause.
• What’s been done to contain the breach short term?
• What’s been done to contain the breach long term?
• Has any discovered malware been quarantined from the rest of the environment?
• What sort of backups are in place?
• Does your remote access require true multi-factor authentication?
• Have all access credentials been reviewed for legitimacy, hardened and changed?
• Have you applied all recent security patches and updates?
Eradication
• Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
• Have artifacts / malware from the attacker been securely removed?
• Has the system been hardened, patched, and updates applied?
• Can the system be re-imaged?
Recovery
• This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored and what will you look for when monitoring?
• What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/prevention, etc.)
Lessons Learned
• Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach.
• What changes need to be made to the security?
• How should employees be trained differently?
• What weakness did the breach exploit?
• How will you ensure a similar breach doesn’t happen again?
45. A Security Operation Center (SOC) is a centralized function within an organization employing people,
processes, and technology to continuously monitor and improve an organization's security posture while
preventing, detecting, analyzing, and responding to cybersecurity incidents.
The SOC team has two core responsibilities:
Maintaining security monitoring tools—the team must maintain and update tools regularly. Without the correct tools, they can’t properly secure systems and networks. Team members should maintain the tools used in every part of the security process.
Investigating suspicious activities—the SOC team should investigate suspicious and malicious activity within the networks and systems. Generally, your SIEM or analytics software will issue alerts. The team then analyses and examines the alerts, carries out triage, and discovers the extent of the threat.
Detect threats through all stages of an attack
Investigate all alerts to ensure nothing is overlooked
Gather forensic evidence for investigation and remediation
Security Operations Center (SOC)
46. Security information and event management (SIEM)
Governance, risk and compliance (GRC) systems
Vulnerability scanners and penetration testing tools
Intrusion detection systems (IDS), intrusion prevention systems (IPS), and wireless intrusion prevention
Firewalls and next-generation firewalls (NGFW) which can function as an IPS
Log management systems (commonly as part of the SIEM)
Cyber threat intelligence feeds and databases
Security operations center tools and technologies
47. Security operations center
[Diagram: SOC capabilities (Endpoint, NetFlow, Network monitoring, Threat Monitoring, Forensics, Incident Detection / Management) built on Technology, Process and People; incident response phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned); training tracks (Formal Training, On-the-Job Training, Vendor Specific Training, Internal Training)]
48. SOC High Level Goals and the SOC Functional Areas that serve each of them:
Situational awareness delivery: Log Collection, Log Analysis, Monitoring of Security Environments, Event Correlation, Reporting
Risk and/or downtime reduction: Log Retention and Archival, Monitoring of Security Environments, Event Correlation, Incident Management, Reporting
Threat control and/or prevention: Log Retention and Archival, Log Analysis, Monitoring of Security Environments, Event Correlation, Incident Management, Threat Identification, Threat Reaction, Reporting
Diminishing of administrative overhead: Log Retention and Archival, Log Analysis, Monitoring of Security Environments, Event Correlation, Reporting
Forensics: Log Collection, Reporting
Audit and compliance support: Log Collection, Log Retention and Archival, Reporting
Overview of Security Operations Center
49. Denial of service attacks
Malware target with keyloggers
SIM swap
Ransomware
DDoS Ransom threats
Remote access Trojans
Cyber security trend in 2020