Information Security …
It’s All About COMPLIANCE Honey!
simply perform as you expect

DINESH BAREJA
08 October 2011
ME:     Dinesh Bareja (dinesh.bareja@gridinfocom.com)
AT:     Grid Infocom Pvt Ltd, Gurgaon
AS:     VP and Principal Consultant (Information Security)
CERTS:  CISA, CISM, ITIL, BS7799, Cert in IPR, ERM
ASSNS:  ISACA, Indian Honeynet Project, NULL, ClubHack, NSD, Open Security Alliance, The FAQ Project.

An InfoSec professional, I believe real life provides most of the answers to the problems that ail
cyberia. My heart is happily under constant attack by the dynamics / excitement of the security
business, and I happily live in a state of constant surprise at the ignorance of those who think they are
secure. I try to give back to the community, in my own small way, for the perennial flow of knowledge,
learning and friends.
This talk is about…
• Information Security – where does it come into an
  organization, how, why, when
• InfoSec Drivers – what drives IS
• Analyst reports about IS drivers
• International Regulations
• India – Compliance Drivers
Information Security… what, why, when …
• Good Controls (thinking)
• Awareness
• Compliance (good habits)
• Tools
• Efficiency
• Process Hygiene
• Technology Management
• 24 x 7 x 365
• Proactive … Real time

A LOT OF HARD WORK THAT IS NEVER ENOUGH
IT’S ABOUT COMPLIANCE .. You are never in order
Information Security Components
• GOVERNANCE
• RISK
• COMPLIANCE
• AVAILABILITY
• ACCESSIBILITY
• ACCOUNTABILITY
And What Drives InfoSecurity
• Technology Upgrades
• Forward thinking management
• CxO buy in
• Optimized Processes
• Customer Requirement
• Post incident trauma
• Organization Growth and Maturity
Primary Driver for Information Security

“Compliance with incident disclosure laws, Payment Card Industry Data Security Standard (PCI-DSS), and data privacy regulations is the primary driver of our data security.”

“The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Primary Driver for Information Security

“Compliance” of all types has become the primary driver of data security programs. Nearly 90% of surveyed enterprises agreed that compliance with PCI-DSS, Data Privacy laws, Data Breach regulations, and existing Data Security Policies is the primary driver of their data security programs.

“The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Why Regulations
• Regulators impose rules to ensure that business
  risks are minimized
• Corporate accounting scandals and frauds
• Global financial crisis / recession
• Corporate Governance
• Accountability to shareholders
• Guarantee of quality of service
• Compliance rules may prescribe not only a code of conduct for
  employees, but also how compliance is to be verified
• Non compliance may result in penalties
Forrester

(Figure: The Value of Corporate Secrets.) Source: A commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
Regulatory compliance is the key driver of IT security adoption for 50% of Indian financial services enterprises

Symantec Security Check – Indian Financial
Services Industry 2011 (Banking, Financial
Services and Insurance industries).
Why Should I Comply
• Internal Revenue, New Zealand
The Regulatory Cocktail
• IT Act
• DSCI Framework
• ISO27001
• RBI Guidelines
• BS25999
• SEBI Guidelines
• CTCL Audit
• Telecom Security
• Clause 49
• PCI DSS

Compliance Requirements lead to Information Security
Regulatory / Compliance Requirement Extracts
• FISMA Section 3534 "(a) The head of each [Federal] agency shall
  delegate to the agency Chief Information Officer ensuring that the
  agency effectively implements and maintains information security
  policies, procedures, and control techniques;"
• ISO 27002 Section 5.1 "A written policy document should be available
  to all employees responsible for information security"
• HIPAA Security Final Rule, 164.316 (a) Policies and Procedures "(R)
  Implement reasonable and appropriate policies and procedures to
  comply with the standards, implementation specifications, or other
  requirements of this subpart."
Information Security Related…
Some Laws / Statutory Regulations
• Health Insurance Portability and Accountability Act (HIPAA) of 1996 - requires health
  care providers, insurance providers and employers to safeguard the security and
  privacy of health data.
• Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services
  Modernization Act of 1999, protects the privacy and security of private financial
  information that financial institutions collect, hold, and process.
• Sarbanes-Oxley Act of 2002 (SOX). Section 404 - publicly traded companies assess
  the effectiveness of their internal controls for financial reporting. CIO responsible for
  the security, accuracy and the reliability of the systems that manage and report the
  financial data.
• Payment Card Industry Data Security Standard (PCI DSS) - requirements for
  enhancing payment account data security.
• Personal Information Protection and Electronic Documents Act (PIPEDA) – protecting
  personal information that is collected, used or disclosed.
Some Laws / Statutory Regulations
• The Family Educational Rights and Privacy Act (USA Federal law) – privacy of student
  education records.
• UK Data Protection Act 1998 - provisions for the regulation of the processing of
  information relating to individuals, including the obtaining, holding, use or disclosure
  of such information.
• UK Computer Misuse Act 1990 - computer crime (e.g. cracking - sometimes
  incorrectly referred to as hacking) a criminal offence.
• EU Data Protection Directive - adopt national regulations to standardize the
  protection of data privacy for citizens throughout the EU.
• EU Data Retention – ISPs, phone companies keep data on every electronic message
  sent and phone call made for between six months and two years.
INDIA… Some Statutory Regulations

             • IT Act
             • RBI Guidelines
             • Telecom Security Guidelines
             • SEBI
             • CTCL
             • Clause 49
             • Environmental
             • IPC
ATTACKS ARE COSTLY

• 23% experienced external attacks (phishing attempts, IP theft, DoS attacks).
• 67% experiencing a data breach lost man hours
• 61% lost customers as a result
• 80% faced downtime due to online attacks
• Rs 6.86 crore avg losses due to security breaches at Financial services
• Rs 12.6 crore avg losses at Indian banks
• External theft of confidential information was faced an average of 1.5 times
• Internal theft of information an average of 5.8 times.
• 4 hours (average) to resume normal operations
• 51% financial services enterprises in India cited compliance as the primary driver for adopting IT security.
• 25% respondents that experienced a digital attack faced monetary penalization.
The Consequences of Non-Compliance
Dept of Telecommunication
• Rs 50cr for a security breach due to inadequacies
• Liability of criminal proceedings under Indian Telegraph Act, IT Act, IPC, CrPC
• License cancellation
Cost of Non Compliance
• 2010 … Example – Encryption (Ponemon Institute’s annual “U.S.
  Enterprise Encryption Trends Report” - 964 IT and business leaders
  surveyed)
• In the past, protecting data and mitigating data breaches drove
  encryption adoption.
• Now regulatory compliance became the top reason for implementing
  encryption technologies
• 69% compliance is their primary driver for encryption
• 63% mitigating data breaches was the driver for encryption adoption
• The results show the growing realization that compliance is important
  as companies try to avoid post-breach legal noncompliance penalties.
Business Benefits for InfoSec Vendors
Over the last year, RBI has mandated two factor
authentication at banks for all delivery channels.
• In the past 12 months…
    – 31% of respondent-banks invested in identity management
    – Investment in technologies to address such regulations is
      likely to continue.
• Survey finding..
    – Technology investments during the next financial year will be
      made towards stronger governance, business continuity
      planning, securing mobile and wireless transactions, data loss
      prevention and network security.
RBI Security Guidelines Framework
NINE areas identified from the use of IT in Banking:
(1) Information Technology Governance
(2) Information Security
(3) IT Operations
(4) IT Services Outsourcing
(5) IS Audit
(6) Cyber Frauds
(7) Business Continuity Planning
(8) Customer Education
(9) Legal Issues

Recommendations of the “Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds”:
• Conduct current state Gap Analysis
• Plan for remediation and compliance
• Implement basic framework by Oct 31, 2011 and rest within a period of one year
• Report management oversight and review in bank Annual Report from 2011-12 onwards
• Continuously improve controls based on emerging risks and concerns
Requirements & GIC Solution – (2) Information Security

Requirements:
• Policies and procedures
• Risk Assessment
• Inventory, information/data classification
• Defining roles and responsibilities
• Access Control
• Information security and information asset life-cycle
• Personnel security
• Physical security
• User Training and Awareness
• Incident management
• Application Control and Security
• Migration controls
• Implementation of new technologies
• Encryption
• Data Security
• Vulnerability Assessment
• Establishing on-going security monitoring processes
• Patch Management
• Change Management
• Audit trails
• Information security reporting and metrics
• Information security and Critical service providers/vendors
• Network Security
• Remote Access
• Distributed Denial of Service attacks (DDoS/DoS)
• Implementation of ISO 27001 Information Security Management System
• Wireless Security
• Business Continuity Considerations
• Information security assurance
• General Information Security delivery channels

GIC Solution:
• Develop and maintain security policies (Automated Compliance)
• Generation of meaningful security metrics of security performance (Archer)
• Assignment of roles, responsibilities and accountability for information security (Access Manager)
• Development/maintenance of a security and control framework that consists of standards, measures, practices and procedures (Archer, enVision)
• Classification and assignment of ownership of information assets (DLP)
• Periodic risk assessments and ensuring adequate, effective and tested controls for people, processes and technology to enhance information security (Consulting)
• Processes to monitor security incidents (SIEM)
• Effective identity and access management processes (Access Manager)
• IS awareness program for users/officials
Telecom Security …
HIGHLIGHTS OF AMENDMENT TO NLD LICENSE AGREEMENT DATED 31 MAY 2011

23.7(i) Security Responsibility
- Complete and Total Responsibility for Security of Networks under which the following must be done – Network Forensics, Network Hardening, Network PT, Risk Assessment
23.7(ii) Security Audit
- Conduct a network security audit once a year by network audit certification agency, as per ISO15408 and ISO27001
23.7(iii) Security Testing
- Network elements must be tested as per defined standards – IT and IT related against ISO15408, ISMS against ISO27001; Telecom elements against 3GPP 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas and after this date in India.
23.7(iv) Security Configuration
- Include all security features, as per standards, while procuring equipment and implement the same.
- Maintain list of all features while equipment is in use
- List is subject to inspection by Licensing Authority
23.7(v) Security Personnel
- CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
CTCL Audit – shall broadly cover…
•   Existing features and system parameters implemented in the trading system.
•   Identify the adequacy of input, processing and output controls
•   Identify the adequacy of the application security so that it is commensurate with the size and nature of the
    application.
•   Event logging and system monitoring.
•   User management.
•   Password policy/standards
•   Test of adherence to policies
•   Network management and controls
•   Change management and version controls.
•   Backup systems and procedures
•   Business continuity and disaster recovery plan
•   Documentation for system processes
•   Security features such as access control network firewalls and virus protection measures.
•   Any other area/aspect which may be material for inclusion in the audit certificate and/or which may be
    specified by the Exchange from time to time.
ISO27001
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communication and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
Bottom Line …. On Compliance
To Be Or Not To Be.
Should Compliance be the end goal or the catalyst of
Information Security initiatives – in conclusion, we look
at the options and issues.
Same Message Another Source!

Compliance is one of the biggest drivers of information security initiatives.

However, despite the findings, industry observers believe that compliance efforts aren't necessarily making organizations more secure.. (There is a rider!)

TechTarget survey of U.K. information security professionals

Corporate intellectual property comprises 62% of a company's data assets, but security programs are focused on compliance rather than data protection (CNET). This confuses the argument further.
Strategy – Compliance / Security
• Compliance is NOT Security
• Security is NOT Compliance

• Organizations must drive Compliance and NOT be
  driven by Compliance
• Information Security to leverage Compliance FUD to
  get Management attention
• Compliance provides good ROI numbers for
  reporting
Strategy – Compliance / Security
• Security requires organizations to step up to extract
  benefits from both C and S initiatives
• Build maturity, through awareness programs, among
  stakeholders to recognize and support intangible
  benefits
• Identify and enforce the C <> S (Compliance / Security) balance through
  practical controls and measures
Remember
Thank You

E: dinesh@opensecurityalliance.org
E: dineshobareja@gmail.com
M: 9769890505
References and Credits
•   CSO Online
•   Purpleslog on flickr
•   Internet Crime Complaint Center
•   flickr.com/GDS Infographics
•   freedigitalphotos.net/digitalart
•   Google Uncle !

Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
Improve IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in SplunkImprove IT Security and Compliance with Mainframe Data in Splunk
Improve IT Security and Compliance with Mainframe Data in Splunk
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
Protect Sensitive Data on Your IBM i (Social Distance Your IBM i/AS400)
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in Manufacturing
 
Complying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
Emids Morning Security Virtual India V3
Emids Morning Security Virtual India V3Emids Morning Security Virtual India V3
Emids Morning Security Virtual India V3
 
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 

Más de Dinesh O Bareja

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers Dinesh O Bareja
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCDinesh O Bareja
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITDinesh O Bareja
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013Dinesh O Bareja
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in IndiaDinesh O Bareja
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security AwarenessDinesh O Bareja
 

Más de Dinesh O Bareja (9)

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers
 
Cybersecurity 2.0
Cybersecurity 2.0Cybersecurity 2.0
Cybersecurity 2.0
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRC
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with IT
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
 

Último

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Information Security It's All About Compliance

  • 1. Information Security … It’s All About COMPLIANCE Honey!
      simply perform as you expect
      DINESH BAREJA, 08 October 2011
  • 2. ME: Dinesh Bareja (dinesh.bareja@gridinfocom.com)
      AT: Grid Infocom Pvt Ltd, Gurgaon
      AS: VP and Principal Consultant (Information Security)
      CERTS: CISA, CISM, ITIL, BS7799, Cert in IPR, ERM
      ASSNS: ISACA, Indian Honeynet Project, NULL, ClubHack, NSD, Open Security Alliance, The FAQ Project.
      An InfoSec professional, I believe real life provides most of the answers to the problems that ail cyberia. My heart is happily under constant attack by the dynamics / excitement of the security business, and I happily live in a state of constant surprise at the ignorance of those who think they are secure. I try to give back to the community, in my own small way, for the perennial flow of knowledge, learning and friends.
  • 3. This talk is about…
      • Information Security – where does it come into an organization, how, why, when
      • InfoSec Drivers – what drives IS
      • Analyst reports about IS drivers
      • International Regulations
      • India – Compliance Drivers
  • 4. Information Security… what, why, when …
      • Good Controls (thinking)
      • Awareness
      • Compliance (good habits)
      • Tools
      • Efficiency
      • Process Hygiene
      • Technology Management
      • 24 x 7 x 365
      • Proactive … Real time
      A LOT OF HARD WORK THAT IS NEVER ENOUGH. IT’S ABOUT COMPLIANCE .. You are never in order 
  • 5. Information Security Components
      • GOVERNANCE
      • RISK
      • COMPLIANCE
      • AVAILABILITY
      • ACCESSIBILITY
      • ACCOUNTABILITY
  • 6. And What Drives InfoSecurity
      • Technology Upgrades
      • Forward thinking management
      • CxO buy in
      • Optimized Processes
      • Customer Requirement
      • Post incident trauma
      • Organization Growth and Maturity
  • 7. Primary Driver for Information Security
      “Compliance with incident disclosure laws, Payment Card Industry Data Security Standard (PCI-DSS), and data privacy regulations is the primary driver of our data security.”
      Source: “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 8. Primary Driver for Information Security
      “Compliance” of all types has become the primary driver of data security programs. Nearly 90% of surveyed enterprises agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs.
      Source: “The Value Of Corporate Secrets,” a commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 9. Why Regulations
      • Regulators impose rules to ensure that business risks are minimized
      • Corporate accounting scandals and frauds
      • Global financial crisis / recession
      • Corporate Governance
      • Accountability to shareholders
      • Guarantee of quality of service
      • Compliance rules may prescribe not only a code of conduct for employees, but also how compliance is to be verified
      • Non compliance may result in penalties
  • 10. Forrester, The Value of Corporate Secrets (chart). Source: A commissioned study conducted by Forrester Consulting on behalf of RSA and Microsoft, November 2009
  • 11. Regulatory compliance is the key driver of IT security adoption for 50% of Indian financial services enterprises.
      Source: Symantec Security Check – Indian Financial Services Industry 2011 (Banking, Financial Services and Insurance industries).
  • 12.
  • 13. Why Should I Comply
      Source: Internal Revenue, New Zealand
  • 14.
  • 15. The Regulatory Cocktail
      • IT Act
      • DSCI Framework
      • RBI Guidelines
      • ISO27001
      • BS25999
      • SEBI Guidelines
      • CTCL Audit
      • Telecom Security
      • Clause 49
      • PCI DSS
      Compliance Requirements lead to Information Security
  • 16. Regulatory / Compliance Requirement Extracts
      • FISMA Section 3534: "(a) The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;"
      • ISO 27002 Section 5.1: "A written policy document should be available to all employees responsible for information security"
      • HIPAA Security Final Rule, 164.316 (a) Policies and Procedures: "(R) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart."
  • 18. Some Laws / Statutory Regulations
      • Health Insurance Portability and Accountability Act (HIPAA) of 1996 - requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.
      • Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999 - protects the privacy and security of private financial information that financial institutions collect, hold, and process.
      • Sarbanes-Oxley Act of 2002 (SOX), Section 404 - publicly traded companies must assess the effectiveness of their internal controls for financial reporting. The CIO is responsible for the security, accuracy and reliability of the systems that manage and report the financial data.
      • Payment Card Industry Data Security Standard (PCI DSS) - requirements for enhancing payment account data security.
      • Personal Information Protection and Electronic Documents Act (PIPEDA) - protecting personal information that is collected, used or disclosed.
  • 19. Some Laws / Statutory Regulations
      • The Family Educational Rights and Privacy Act (USA Federal law) - privacy of student education records.
      • UK Data Protection Act 1998 - provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
      • UK Computer Misuse Act 1990 - makes computer crime (e.g. cracking, sometimes incorrectly referred to as hacking) a criminal offence.
      • EU Data Protection Directive - member states adopt national regulations to standardize the protection of data privacy for citizens throughout the EU.
      • EU Data Retention - ISPs and phone companies keep data on every electronic message sent and phone call made for between six months and two years.
  • 20. INDIA… Some Statutory Regulations
      • IT Act
      • RBI Guidelines
      • Telecom Security Guidelines
      • SEBI
      • CTCL
      • Clause 49
      • Environmental
      • IPC
  • 21. ATTACKS ARE COSTLY
      • 23% experienced external attacks (phishing attempts, IP theft, DoS attacks).
      • 67% of those experiencing a data breach lost man hours
      • 61% lost customers as a result
      • 80% faced downtime due to online attacks
      • Rs 6.86 crore average losses due to security breaches at financial services
      • Rs 12.6 crore average losses at Indian banks
      • External theft of confidential information was faced an average of 1.5 times
      • Internal theft of information an average of 5.8 times
      • 4 hours (average) to resume normal operations
      • 51% of financial services enterprises in India cited compliance as the primary driver for adopting IT security.
      • 25% of respondents that experienced a digital attack faced monetary penalization.
  • 22. The Consequences of Non-Compliance
      Dept of Telecommunication:
      • Rs 50cr for a security breach due to inadequacies
      • Liability of criminal proceedings under Indian Telegraph Act, IT Act, IPC, CrPC
      • License cancellation
  • 23. Cost of Non Compliance
      2010 … Example – Encryption (Ponemon Institute’s annual “U.S. Enterprise Encryption Trends Report” - 964 IT and business leaders surveyed)
      • In the past, protecting data and mitigating data breaches drove encryption adoption.
      • Now regulatory compliance has become the top reason for implementing encryption technologies
      • 69%: compliance is their primary driver for encryption
      • 63%: mitigating data breaches was the driver for encryption adoption
      • The results show the growing realization that compliance is important as companies try to avoid post-breach legal noncompliance penalties.
  • 24. Business Benefits for InfoSec Vendors
      Over the last year, RBI has mandated two factor authentication at banks for all delivery channels.
      • In the past 12 months…
        – 31% of respondent-banks invested in identity management
        – Investment in technologies to address such regulations is likely to continue.
      • Survey finding..
        – Technology investments during the next financial year will be made towards stronger governance, business continuity planning, securing mobile and wireless transactions, data loss prevention and network security.
  • 25. RBI Security Guidelines Framework
      NINE areas identified from the use of IT in Banking:
      (1) Information Technology Governance
      (2) Information Security
      (3) IT Operations
      (4) IT Services Outsourcing
      (5) IS Audit
      (6) Cyber Frauds
      (7) Business Continuity Planning
      (8) Customer Education
      (9) Legal Issues
      Recommendations of the “Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds”:
      • Conduct current state Gap Analysis
      • Plan for remediation and compliance
      • Implement basic framework by Oct 31, 2011 and the rest within a period of one year
      • Report management oversight and review in the bank Annual Report from 2011-12 onwards
      • Continuously improve controls based on emerging risks and concerns
  • 26. Requirements & GIC Solution
      Requirements ((2) Information Security):
      • Policies and procedures
      • Risk Assessment
      • Inventory, information/data classification
      • Defining roles and responsibilities
      • Access Control
      • Information security and information asset life-cycle
      • Personnel security
      • Physical security
      • User Training and Awareness
      • Incident management
      • Application Control and Security
      • Migration controls
      • Implementation of new technologies
      • Encryption
      • Data Security
      • Delivery channels
      • General Information Security
      • Vulnerability Assessment
      • Establishing on-going security monitoring processes
      • Patch Management
      • Change Management
      • Audit trails
      • Information security reporting and metrics
      • Information security and critical service providers/vendors
      • Network Security
      • Remote Access
      • Distributed Denial of Service attacks (DDoS/DoS)
      • Implementation of ISO 27001 Information Security Management System
      • Wireless Security
      • Business Continuity Considerations
      • Information security assurance
      GIC Solution:
      • Develop and maintain security policies (Automated Compliance)
      • Generation of meaningful security metrics of security performance (Archer)
      • Assignment of roles, responsibilities and accountability for information security (Access Manager)
      • Development/maintenance of a security and control framework that consists of standards, measures, practices and procedures (Archer, enVision)
      • Classification and assignment of ownership of information assets (DLP)
      • Periodic risk assessments and ensuring adequate, effective and tested controls for people, processes and technology to enhance information security (Consulting)
      • Processes to monitor security incidents (SIEM)
      • Effective identity and access management processes (Access Manager)
      • IS awareness program for users/officials
  • 27. Telecom Security … HIGHLIGHTS OF AMENDMENT TO NLD LICENSE AGREEMENT DATED 31 MAY 2011
      • 23.7(i) Security Responsibility - Complete and total responsibility for security of networks, under which the following must be done: Network Forensics, Network Hardening, Network PT, Risk Assessment
      • 23.7(ii) Security Audit - Conduct a network security audit once a year by a network audit certification agency, as per ISO15408 and ISO27001
      • 23.7(iii) Security Testing - Network elements must be tested as per defined standards: IT and IT related against ISO15408, ISMS against ISO27001; Telecom elements against 3GPP / 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas and after this date in India
      • 23.7(iv) Security Configuration - Include all security features, as per standards, while procuring equipment and implement the same. Maintain a list of all features while equipment is in use. The list is subject to inspection by the Licensing Authority
      • 23.7(v) Security Personnel - CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
  • 28. CTCL Audit – shall broadly cover…
      • Existing features and system parameters implemented in the trading system.
      • Identify the adequacy of input, processing and output controls
      • Identify the adequacy of the application security so that it is commensurate to the size and nature of the application.
      • Event logging and system monitoring.
      • User management.
      • Password policy/standards
      • Test of adherence to policies
      • Network management and controls
      • Change management and version controls.
      • Backup systems and procedures
      • Business continuity and disaster recovery plan
      • Documentation for system processes
      • Security features such as access control, network firewalls and virus protection measures.
      • Any other area/aspect which may be material for inclusion in the audit certificate and/or which may be specified by the Exchange from time to time.
  • 29. ISO 27001
      • Security Policy
      • Organization of Information Security
      • Asset Management
      • Human Resource Security
      • Physical and Environmental Security
      • Communications and Operations Management
      • Access Control
      • Information Systems Acquisition, Development and Maintenance
      • Information Security Incident Management
  • 30. Bottom Line …. On Compliance
      To Be Or Not To Be. Should Compliance be the end goal or the catalyst of Information Security initiatives – in conclusion, we look at the options and issues.
  • 31. Same Message Another Source!
      Compliance is one of the biggest drivers of information security initiatives. However, despite the findings, industry observers believe that compliance efforts aren't necessarily making organizations more secure.
      Source: TechTarget survey of U.K. information security professionals
      There is a rider!
  • 32. Corporate intellectual property comprises 62% of a company's data assets, but security programs are focused on compliance rather than data protection (CNET).
      This confuses the argument further.
  • 33. Strategy – Compliance / Security
      • Compliance is NOT Security
      • Security is NOT Compliance
      • Organizations must drive Compliance and NOT be driven by Compliance
      • Information Security to leverage Compliance FUD to get Management attention
      • Compliance provides good ROI numbers for reporting
  • 34. Strategy – Compliance / Security
      • Security requires organizations to step up to extract benefits from both C and S initiatives
      • Build maturity, through awareness programs, among stakeholders to recognize and support intangible benefits
      • Identify and enforce the C >< S balance through practical controls and measures
  • 36. Thank You
      E: dinesh@opensecurityalliance.org
      E: dineshobareja@gmail.com
      M: 9769890505
  • 37. References and Credits
      • CSO Online
      • Purpleslog on flickr
      • Internet Crime Complaint Center
      • flickr.com/GDS Infographics
      • freedigitalphotos.net/digitalart
      • Google Uncle !