SAV LLP
FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION
Weakest Links of an Organization's Cybersecurity Chain and Mitigation Options
An Auditor’s Perspective
SEPTEMBER 09, 2019
Disclaimer
This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources, hence the preparer takes no responsibility on content's validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request.
Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use.
Distribution of this presentation for commercial purposes is prohibited.
Cyber Security
There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.
Myth about Cyber Security – Cyber risk can be reduced, and security posture improved, simply by purchasing products and outsourcing support.
• There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
• Security is a balancing act of defending an organization according to the organization's risk tolerance and profile.
In Summary - Cybersecurity is the combination of processes, practice and technologies designed to protect
network, computers, programs, data and information from attack, damage or unauthorized access.
Cyber Threat
A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.
Define what is at risk (physical and digital):
• Do you know what your "worst possible day" looks like? (not being able to transact, theft of sensitive information, inability to perform a physical function)
• Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.
• Consequently, the organization will be better prepared to appropriately mitigate risks and spend security resources sensibly.
Threat Landscape
As per ENISA (European Union Agency for Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
• Mail and phishing messages
• Staff retention
• Raising awareness at the level of security and executive management
• Automated attacks through novel approaches
• IoT environments
Is Cybersecurity an IT Problem or a Human Problem?
DNA OF AN ATTACKER
• Attackers are humans, with human goals
• Humans are not perfect – some are good, some are bad, but they aren't perfect
• Perfection doesn't exist in offence or defense
To defend against attack, your strategy must have capabilities to detect, respond and build back up controls to prevent next steps.
However, it is very important to know what is mission critical and what is trivial.
War Games: learnings from conventional war to mitigate cyber threat (the Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War).
https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
Role of a CFO / Head of Finance
• The CFO's role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship, and even more about value realization and optimization.
• IFAC (International Federation of Accountants) explains that a professional CFO should:
1. Be an effective organizational leader and a key member of senior management
2. Balance the responsibilities of stewardship with business partnership
3. Act as the integrator and navigator for the organization
Cybersecurity – What do CFOs need to know?
Planning and Management
• How do we identify our critical assets and associated risks and vulnerabilities?
• How do we meet our critical infrastructure operations and regulatory requirements?
• What is our strategy and plan to protect our assets?
• How robust are our incident response and communication plans?
Assets
• How do we track what digital information is leaving our organization and where that information is going?
• How do we know who's really logging into our network, and from where?
• How do we control what software is running on our devices?
• How do we limit the information we voluntarily make available to a cyber adversary?
Cybersecurity Frameworks
What is a Framework
A framework is a set of voluntary guidelines and practices for organizations to better manage and reduce cybersecurity risk.
Well accepted Cybersecurity Frameworks
The most frequently adopted cybersecurity frameworks are:
• NIST Cybersecurity Framework
• PCI DSS (Payment Card Industry Data Security Standard)
• ISO 27001/27002 (International Organization for Standardization)
• CIS Critical Security Controls
• COBIT 2019
• TSP 2017 (SOC 2)
Why adopt a security framework
• A framework takes out a lot of the guesswork and shows you, often with supporting evidence, where to apply the pressure.
• Planning and implementing a framework can help organizations understand their operational maturity level and provide metrics that feed back into the organization.
SOC
SOC (Service Organization Control) reports for outsourced services, and SOC for Cybersecurity: a high-level introduction.
Weakest links of the Cybersecurity Chain
Weakest Links of the Cybersecurity Chain
Cybersecurity is a shared responsibility – people, processes, tools, and technologies work together to protect an organization's assets.
A few of the common weakest links in the cybersecurity chain are (and they are not tools):
1. Weak tone at the top - governance framework
2. Poor user management and access controls
3. Weak asset management
4. Lack of cyber policy
5. Lack of awareness regarding information sharing and breach reporting
6. Lack of monitoring of service providers
The Recommended Risk Mitigation Strategies
Tone at the Top - Governance Framework
Governance Framework
• Key initial steps
  • Decide who should be involved in the development of a cybersecurity program.
  • Identify known risks and established controls.
  • Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.
• Leadership is key
  • Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help broader corporate adoption.
  • This effort should report to a specialized committee, such as the Audit or the Risk Committee, or in some cases, to the board itself.
Board and Senior Management involvement
The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks.
3. Ensure adequate access to cybersecurity expertise, and hold regular discussions about cyber-risk management.
4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Identify which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
User Account Management and Access Control
Need to Know basis
The following are recommendations for user account management and access control:
• Centrally manage all user accounts, e.g. Active Directory, UUID.
• Disable system accounts that cannot be associated with a business process and owner.
• Disable accounts upon termination of an employee or contractor.
• Perform periodic user access reviews.
• Force users to automatically re-login after a standard period of inactivity.
• Require strong passwords.
• Limit the number of privileged accounts.
• Require two-factor authentication for privileged accounts.
• Control access to the computer system's audit logs.
• Make cybersecurity training and awareness mandatory for all personnel.
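Several of the review items above (system accounts without an owner, accounts of departed staff still enabled, dormant accounts, privileged accounts without two-factor authentication) can be checked mechanically against a directory export. The script below is an added example, not part of the presentation; the account fields, the constructed account list and the HR termination feed are assumptions.

```python
"""Periodic user access review over a constructed account export (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of what an export from a central directory might look like.
# The field names are assumptions, not any particular product's schema.
@dataclass
class Account:
    username: str
    owner: str                  # person accountable for the account; "" = nobody
    enabled: bool
    privileged: bool            # admin / elevated rights
    mfa: bool                   # two-factor authentication enforced
    last_login: Optional[date]
    system: bool = False        # service or system account rather than a person


ACCOUNTS = [
    Account("asmith", "asmith", True, False, False, date(2019, 9, 2)),
    Account("bjones", "bjones", True, True, True, date(2019, 9, 5)),
    Account("cdoe", "cdoe", True, True, False, date(2019, 8, 30)),                 # privileged, no 2FA
    Account("svc_backup", "", True, False, False, date(2019, 9, 1), system=True),  # no owner
    Account("svc_etl", "bjones", True, False, False, date(2019, 9, 1), system=True),
    Account("dlee", "dlee", True, False, False, date(2019, 3, 1)),                 # dormant
    Account("eparker", "eparker", True, False, False, date(2019, 9, 4)),           # left the firm
    Account("fold", "fold", False, True, False, None),                             # already disabled
]

# Constructed HR feed: usernames of people whose employment or contract has ended.
TERMINATED = {"eparker"}

REVIEW_DATE = date(2019, 9, 9)   # date of the constructed review run
DORMANT_DAYS = 90                # inactivity threshold used by the review


def review_accounts(accounts, terminated, today, dormant_days=DORMANT_DAYS):
    """Return (username, finding) pairs for every enabled account that fails a check."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are out of scope for this review
        if a.owner in terminated:
            findings.append((a.username, "owner terminated but account still enabled"))
        if a.system and not a.owner:
            findings.append((a.username, "system account with no business owner"))
        if a.privileged and not a.mfa:
            findings.append((a.username, "privileged account without two-factor authentication"))
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings.append((a.username, f"no login in {dormant_days} days"))
    return findings


def privileged_count(accounts):
    """Number of enabled privileged accounts; a figure to keep small and trend over time."""
    return sum(1 for a in accounts if a.enabled and a.privileged)


def review_sample():
    """Run the review over the constructed data (used by the demo below)."""
    return review_accounts(ACCOUNTS, TERMINATED, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user:12} {finding}")
    print("enabled privileged accounts:", privileged_count(ACCOUNTS))
```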
Asset Management
You can't control something that you don't know about.
The following are recommendations for asset management:
• Deploy and maintain an automated asset inventory discovery tool that will also assist the entity in building an inventory of systems connected to the organization's private and public networks.
• Use Dynamic Host Configuration Protocol (DHCP) server logging for asset inventory: it can help detect unknown systems through the DHCP information.
• Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
• Deploy network-level authentication and Network Access Control (NAC). These services will assist in preventing unauthorized devices from connecting to the network.
• Utilize client certificates to validate and authenticate systems prior to connecting to an organization's network.
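An added example (not from the presentation) of the DHCP-logging recommendation above: it parses constructed dhcpd-style DHCPACK lines, reconciles the MAC addresses against a constructed inventory, and reports leases handed to devices that are unknown or not yet approved. The log format, inventory fields and all addresses are assumptions.

```python
"""Flag unknown devices from DHCP server logs against an asset inventory (added example)."""
import re

# Constructed sample log lines in the style of ISC dhcpd syslog output.
# Hostnames, MAC addresses and IP addresses are made up.
DHCP_LOG = """\
Sep  9 08:01:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0
Sep  9 08:01:12 dhcp1 dhcpd: DHCPOFFER on 10.10.1.21 to aa:bb:cc:00:00:01 (fin-laptop-01) via eth0
Sep  9 08:01:13 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to aa:bb:cc:00:00:01 (fin-laptop-01) via eth0
Sep  9 08:03:44 dhcp1 dhcpd: DHCPACK on 10.10.1.22 to aa:bb:cc:00:00:02 (hr-desktop-07) via eth0
Sep  9 08:15:02 dhcp1 dhcpd: DHCPACK on 10.10.1.53 to de:ad:be:ef:12:34 (android-9f3a) via eth0
Sep  9 08:15:30 dhcp1 dhcpd: DHCPACK on 10.10.1.54 to 00:11:22:33:44:55 via eth0
Sep  9 08:20:10 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to aa:bb:cc:00:00:01 (fin-laptop-01) via eth0
"""

# Constructed inventory: MAC address -> asset record, as an inventory tool might export it.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-laptop-01", "owner": "finance", "approved": True},
    "aa:bb:cc:00:00:02": {"hostname": "hr-desktop-07", "owner": "hr", "approved": True},
}

# Only DHCPACK means the server actually handed out the lease; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_leases(log_text):
    """Return {mac: {"ip", "hostname", "iface"}} for every acknowledged lease; last ACK wins."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        leases[m["mac"].lower()] = {
            "ip": m["ip"], "hostname": m["host"] or "", "iface": m["iface"],
        }
    return leases


def unknown_devices(leases, inventory):
    """Leases whose MAC is absent from the inventory, or present but not approved."""
    unknown = {}
    for mac, lease in leases.items():
        record = inventory.get(mac)
        if record is None or not record.get("approved", False):
            unknown[mac] = lease
    return unknown


def reconcile(log_text, inventory):
    """Parse the log and return the unknown-device report in one call."""
    return unknown_devices(parse_leases(log_text), inventory)


if __name__ == "__main__":
    for mac, lease in sorted(reconcile(DHCP_LOG, INVENTORY).items()):
        print(f"UNKNOWN {mac} {lease['ip']:15} host={lease['hostname'] or '-'} via {lease['iface']}")
```

In practice the inventory side comes from the discovery tool's export and the unknown list feeds the NAC or a ticket for the asset owner.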
Cyber Policy
Some of the key elements of a good cyber policy:
• Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception
• Information classification – should provide content-specific definitions, rather than the more generic "confidential" or "restricted"
• Management goals for secure handling of information in each classification category
• Specific instruction on organization-wide security mandates (e.g. no sharing of passwords)
• Specific designation of established roles and responsibilities
• Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)
The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change.
Absent a policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
Information Sharing and Breach Reporting Requirements
Microsoft makes the following eight recommendations for information sharing.
1. Develop a strategy for information sharing and collaboration.
2. Design with privacy protections in mind.
3. Establish a meaningful governance process.
4. Focus sharing on actionable threat, vulnerability, and mitigation information.
5. Build interpersonal relationships.
6. Require mandatory information sharing only in limited circumstances.
7. Make full use of information shared, by conducting analyses on long-term trends.
8. Encourage the sharing of best practices.
The exchange of best practices with peer organizations can allow organizations to play a proactive role, by engaging with each other as well as external organizations.
Vendor Risk Management
Service Risks:
• Volume of transactions processed
• Concentration associated with the service
• Sensitivity risk of the data to which the vendor could potentially have access
• Compliance and regulatory risk related to the service
• Customer and financial impact
Vendor Risks:
• Location of the vendor (subject to multinational laws, regulations, etc.)
• Previous data or security breaches
• Extent of outsourcing performed by the vendor
• Performance history
Common Deficiencies with 3rd Party Vendors:
• Incident response management plan
• Inadequate security awareness
• Data loss prevention
• Encryption for data at rest and in transit
• Administrator privilege lockdown
• Vulnerability testing or penetration testing
Common approaches to evaluating third party vendors and ongoing oversight include:
• Perform vendor evaluation as part of the RFP
• Desk assessments to evaluate requested information
• On-site visits as appropriate by either in-house or contracted experts
• Penetration tests of potential vendors
• An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it is on par with the security risk level that the evaluating organization accepts
• A process to alert the organization of infractions or breaches, so that it can easily work with vendors to correct and improve their security posture
To be successful, vendor risk management should be an element of an enterprise risk management program, with established, repeatable processes in place that are consistent for all areas within the firm.
Key Takeaways
Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
• A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms' cybersecurity programs, along with a clear chain of accountability.
• A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
• One size doesn't fit all. The level of sophistication of technical controls employed by an individual firm is highly contingent on that firm's individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
• Many organizations typically use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
• Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn't simply one team's job – it's everyone's job; however, the security team needs to lead the effort to improve the organization's overall security deployment.
Summary of Best Practices
• Tone at the top – The business itself needs to take security seriously, not just write some policy; support the security team with a budget and some people and tools.
• Basic IT Security Foundation
  • Asset Management – What you have, what you value most and where they are now (you can't protect it if you can't find it)
  • Process / Procedures
    • Access Controls – authentication, limit administrative accounts on systems, least privilege principle for access
    • Data Management, Change Management, Problem Management
  • Network Security – UTM (Unified Threat Management) tool, and keep BYOD devices off the main network
  • Endpoint Security – EDR (Endpoint Detection & Response) or at least some protection from downloads, attacks and data leakage
  • Security Operations – detect, act and defend against future attacks
  • Encryption – a process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
  • People – hire and train people to defend the network (including critical data) and do not rely solely on technology
  • System Updates – keep your systems up to date. Turn on auto update on all devices. Remove legacy applications that are at a sunset stage and can't be secured
• Control Framework – Implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT, ISO 27K+
THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT
Thank You
PRESENTER – SANJAY CHADHA CPA, CA, LPA, CISA, CITP
SAV LLP
CHARTERED PROFESSIONAL ACCOUNTANTS
HULLMARK CENTRE AT YONGE AND SHEPPARD
3M-4773 YONGE STREET, TORONTO, ON, M2N 0G2
TEL: 647.831.8322, 416.822.8570
EMAIL: INFO@SAVASSOCIATES.CA
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetDenis Gagné
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 

Último (20)

Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...BEST ✨ Call Girls In  Indirapuram Ghaziabad  ✔️ 9871031762 ✔️ Escorts Service...
BEST ✨ Call Girls In Indirapuram Ghaziabad ✔️ 9871031762 ✔️ Escorts Service...
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature SetCreating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
Creating Low-Code Loan Applications using the Trisotech Mortgage Feature Set
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 

Cyber presentation spet 2019 v8sentfor upload

  • 1. SAV LLP - FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION
    Weakest links of an organization’s Cybersecurity Chain and Mitigation Options
    An Auditor’s Perspective
    SEPTEMBER 09, 2019
  • 2. Disclaimer
    This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources, hence the preparer takes no responsibility on content’s validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request.
    Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use.
    Distribution of this presentation for commercial purposes is prohibited.
  • 3. Cyber Security
    There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.
    Myth about Cyber Security: cyber risk can be reduced, and security posture improved, simply by purchasing products and outsourcing support.
    - There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
    - Security is a balancing act of defending an organization according to the organization’s risk tolerance and profile.
    In summary: cybersecurity is the combination of processes, practices and technologies designed to protect networks, computers, programs, data and information from attack, damage or unauthorized access.
  • 4. Cyber Threat
    A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.
    Define what is at risk (physical and digital):
    - Do you know what your “worst possible day” looks like? (not being able to transact, theft of sensitive information, inability to perform a physical function)
    - Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.
    - Consequently, the organization will be better prepared to mitigate risks appropriately and to spend security resources sensibly.
  • 5. Threat Landscape
    As per ENISA (European Union Agency for Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
    - Mail and phishing messages
    - Staff retention
    - Raising awareness at the level of security and executive management
    - Automated attacks through novel approaches
    - IoT environments
  • 6. Is Cybersecurity an IT Problem or a Human Problem?
    DNA of an attacker:
    - Attackers are humans, with human goals
    - Humans are not perfect: some are good, some are bad, but they aren’t perfect
    - Perfection doesn’t exist in offence or defense
    To defend against attack, your strategy must have the capabilities to detect, respond and build back up controls to prevent the next steps. However, it is very important to know what is mission critical and what is trivial.
  • 7. War Games
    Learnings from conventional war to mitigate cyber threat: the Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War
    https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
  • 8. Role of a CFO / Head of Finance
    - The CFO’s role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship, and even more about value realization and optimization.
    - IFAC (International Federation of Accountants) explains that a professional CFO should:
      1. Be an effective organizational leader and a key member of senior management
      2. Balance the responsibilities of stewardship with business partnership
      3. Act as the integrator and navigator for the organization
  • 9. Cybersecurity – What do CFOs need to know?
    Planning and Management
    - How do we identify our critical assets and associated risks and vulnerabilities?
    - How do we meet our critical infrastructure operations and regulatory requirements?
    - What is our strategy and plan to protect our assets?
    - How robust are our incident response and communication plans?
    Assets
    - How do we track what digital information is leaving our organization and where that information is going?
    - How do we know who’s really logging into our network, and from where?
    - How do we control what software is running on our devices?
    - How do we limit the information we voluntarily make available to a cyber adversary?
  • 10. Cybersecurity Frameworks
    What is a framework? A framework is a set of voluntary guidelines and practices for organizations to better manage and reduce cybersecurity risk.
    Well accepted cybersecurity frameworks. The most frequently adopted cybersecurity frameworks are:
    - NIST Framework
    - PCI DSS (Payment Card Industry Data Security Standard)
    - ISO 27001/27002 (International Organization for Standardization)
    - CIS Critical Security Controls
    - COBIT 2019
    - TSP 2017 (SOC 2)
    Why adopt a security framework?
    - A framework takes out a lot of the guesswork and shows you, often with supporting evidence, where to apply the pressure.
    - Planning and implementing a framework can help organizations understand their operational maturity level and provides matrices that feed back into the organization.
  • 11. SOC
    SOC (Service Organization Control) reports for outsourced services, and SOC for Cybersecurity: a high-level introduction
  • 12. Weakest links of the Cybersecurity Chain
  • 13. Weakest Links of the Cybersecurity Chain
    Cybersecurity is a shared responsibility: people, processes, tools, and technologies work together to protect an organization's assets. A few of the common weakest links in the cybersecurity chain (and they are not tools) are:
    1. Weak tone at the top (governance framework)
    2. Poor user management and access controls
    3. Weak asset management
    4. Lack of cyber policy
    5. Lack of awareness regarding information sharing and breach reporting
    6. Lack of monitoring of service providers
  • 14. The Recommended Risk Mitigation Strategies
  • 15. Tone at the Top - Governance Framework
    Governance Framework
    - Key initial steps
      - Decide who should be involved in the development of a cybersecurity program.
      - Identify known risks and established controls.
      - Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.
    - Leadership is key
      - Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help broader corporate adoption.
      - This effort should report to a specialized committee, such as the Audit or Risk Committee, or in some cases to the board itself.
    Board and Senior Management involvement
    The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
    1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue
    2. Legal implications of cyber risks
    3. Adequate access to cybersecurity expertise, and regular discussions about cyber-risk management
    4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
    5. Identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach
  • 16. User Account Management and Access Control
    Need-to-know basis. The following are recommendations for user account management and access control:
    - Centrally manage all user accounts (e.g. Active Directory, UUID).
    - Disable system accounts that cannot be associated with a business process and owner.
    - Disable accounts upon termination of an employee or contractor.
    - Perform periodic user access reviews.
    - Force users to automatically re-login after a standard period of inactivity.
    - Require strong passwords.
    - Limit the number of privileged accounts.
    - Require two-factor authentication for privileged accounts.
    - Control access to the computer system’s audit logs.
    - Make cybersecurity training and awareness mandatory for all personnel.
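    Several of the recommendations above (disable accounts after termination, orphaned system accounts, periodic access review, two-factor authentication on privileged accounts) can be checked mechanically against a directory export rather than by reading spreadsheets. The following is an added illustration, not code from the presentation or from SAV LLP: the `Account` record layout and the sample directory entries are constructed assumptions, and the 90-day inactivity window is a placeholder the reviewer would set from policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    """One row of a hypothetical directory export (constructed layout)."""
    name: str
    kind: str                   # "user", "privileged" or "service"
    enabled: bool
    owner: Optional[str]        # business owner; None means nobody claims the account
    last_login: Optional[date]  # None means the account has never logged in
    mfa: bool                   # two-factor authentication enforced
    employment_status: str      # "active", "terminated" or "n/a" for service accounts


# Constructed sample export for the review (hypothetical people and accounts)
SAMPLE_ACCOUNTS = [
    Account("alice",      "user",       True,  "alice", date(2019, 9, 1), True,  "active"),
    Account("bob",        "user",       True,  "bob",   date(2019, 3, 2), False, "terminated"),
    Account("carol",      "user",       True,  "carol", date(2019, 4, 1), True,  "active"),
    Account("dave-admin", "privileged", True,  "dave",  date(2019, 9, 5), False, "active"),
    Account("svc-backup", "service",    True,  None,    date(2019, 9, 8), False, "n/a"),
    Account("svc-etl",    "service",    True,  "erin",  date(2019, 9, 8), False, "n/a"),
    Account("frank",      "user",       False, "frank", date(2018, 1, 1), False, "terminated"),
]


def review_accounts(accounts: List[Account], today: date,
                    inactivity_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every enabled account that
    violates one of the slide's recommendations. Disabled accounts are skipped
    because they are already in the state the review would ask for."""
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for a in accounts:
        if not a.enabled:
            continue
        if a.employment_status == "terminated":
            findings.append((a.name, "enabled after termination"))
        if a.kind == "service" and a.owner is None:
            findings.append((a.name, "service account without business owner"))
        if a.kind == "privileged" and not a.mfa:
            findings.append((a.name, "privileged account without two-factor authentication"))
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.name, f"no login in {inactivity_days} days"))
    return findings


def privileged_count(accounts: List[Account]) -> int:
    """Number of enabled privileged accounts; the slide asks to keep this small."""
    return sum(1 for a in accounts if a.enabled and a.kind == "privileged")


def run_sample_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed export as of the presentation date."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2019, 9, 9))


if __name__ == "__main__":
    for name, finding in run_sample_review():
        print(f"{name:12} {finding}")
    print("enabled privileged accounts:", privileged_count(SAMPLE_ACCOUNTS))
```

    The output of a run like this is the evidence an auditor wants from a periodic review: each finding names the account and the control it fails, so the owner can disable, re-parent or enrol the account rather than re-inspect the whole directory.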
  • 17. Asset Management
    You can’t control something that you don’t know about. The following are recommendations for asset management:
    - Deploy and maintain an automated asset inventory discovery tool that will also assist the entity in building an inventory of systems connected to the organization's private and public networks.
    - Use Dynamic Host Configuration Protocol (DHCP) server logging for asset inventory; it can help detect unknown systems through the DHCP information.
    - Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
    - Deploy network-level authentication and Network Access Control (NAC). These services will assist in preventing unauthorized devices from connecting to the network.
    - Utilize client certificates to validate and authenticate systems prior to connecting to an organization’s network.
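    The DHCP logging recommendation above is an inexpensive detection: every lease the server hands out is evidence of a device on the network, and a lease for a MAC address that is absent from the approved inventory points at an unknown system. The following is an added example, not code from the presentation or from SAV LLP. The log lines are constructed in the style of ISC dhcpd's syslog output, and the inventory is a hypothetical dictionary keyed by MAC address.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample log in ISC dhcpd syslog style (hypothetical addresses and hosts).
# Only DHCPACK lines are confirmed leases; DISCOVER/OFFER/REQUEST lines are ignored.
SAMPLE_DHCP_LOG = """\
Sep  9 10:15:02 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Sep  9 10:15:02 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:1a:2b:3c:4d:5e (alice-laptop) via eth0
Sep  9 10:16:40 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to 00:1a:2b:3c:4d:60 (printer-3f) via eth0
Sep  9 10:17:11 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 via eth0
Sep  9 10:18:05 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 via eth0
Sep  9 10:19:30 dhcp1 dhcpd: DHCPACK on 10.0.1.91 to 00:1a:2b:3c:4d:61 (build-agent-2) via eth0
"""

# Constructed approved asset inventory keyed by lower-case MAC address (hypothetical).
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"asset": "LAP-0142", "owner": "alice"},
    "00:1a:2b:3c:4d:60": {"asset": "PRN-0007", "owner": "facilities"},
}

# DHCPACK on <ip> to <mac> [(<client hostname>)] via <interface>
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_leases(log_text: str) -> "OrderedDict[str, Tuple[str, str]]":
    """Map each MAC seen in a DHCPACK to its (ip, client hostname).
    The last acknowledgement for a MAC wins; hostname is empty when the
    client sent none, which itself is worth a second look."""
    leases: "OrderedDict[str, Tuple[str, str]]" = OrderedDict()
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        leases[m.group("mac").lower()] = (m.group("ip"), m.group("host") or "")
    return leases


def find_unknown_devices(log_text: str, inventory: Dict[str, dict]) -> List[dict]:
    """Leases whose MAC address is not in the approved inventory."""
    return [
        {"mac": mac, "ip": ip, "hostname": host}
        for mac, (ip, host) in parse_leases(log_text).items()
        if mac not in inventory
    ]


if __name__ == "__main__":
    for dev in find_unknown_devices(SAMPLE_DHCP_LOG, ASSET_INVENTORY):
        print(f"unknown device {dev['mac']} at {dev['ip']} hostname={dev['hostname'] or '-'}")
```

    Two caveats belong with this check. A MAC address is a weak identifier, since a client chooses it, so the DHCP comparison is a detective control that complements the NAC and client-certificate controls on the same slide rather than replacing them. And the comparison is only as good as the inventory it runs against, which is why the slide pairs it with keeping the inventory updated whenever approved equipment is connected.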
  • 18. Cyber Policy
    Some of the key elements of a good cyber policy:
    - Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception
    - Information classification – should provide content-specific definitions, rather than more generic “confidential” or “restricted”
    - Management goals for secure handling of information in each classification category
    - Specific instruction on organization-wide security mandates (e.g. no sharing of passwords)
    - Specific designation of established roles and responsibilities
    - Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)
    The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change. Absent policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
  • 19. Information Sharing and Breach Reporting Requirements
    Microsoft makes the following eight recommendations for information sharing:
    1. Develop a strategy for information sharing and collaboration.
    2. Design with privacy protections in mind.
    3. Establish a meaningful governance process.
    4. Focus sharing on actionable threat, vulnerability, and mitigation information.
    5. Build interpersonal relationships.
    6. Require mandatory information sharing only in limited circumstances.
    7. Make full use of information shared, by conducting analyses of long-term trends.
    8. Encourage the sharing of best practices.
    The exchange of best practices with peer organizations allows organizations to play a proactive role by engaging with each other as well as with external organizations.
  • 20. Vendor Risk Management
    Service Risks:
    - Volume of transactions processed
    - Concentration associated with the service
    - Sensitivity risk of the data to which the vendor could potentially have access
    - Compliance and regulatory risk related to the service
    - Customer and financial impact
    Vendor Risks:
    - Location of the vendor (subject to multinational laws, regulations, etc.)
    - Previous data or security breaches
    - Extent of outsourcing performed by the vendor
    - Performance history
    Common Deficiencies with Third-Party Vendors:
    - Incident response management plan
    - Inadequate security awareness
    - Data loss prevention
    - Encryption for data at rest and in transit
    - Administrator privilege lockdown
    - Vulnerability testing or penetration testing
    Common approaches to evaluating third-party vendors and ongoing oversight include:
    - Perform vendor evaluation as part of the RFP
    - Desk assessments to evaluate requested information
    - On-site visits as appropriate by either in-house or contracted experts
    - Penetration tests of potential vendors
    - An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it’s on par with the security risk level that the evaluating organization accepts
    - A process to alert the organization of infractions or breaches, so that it can easily work with vendors to correct and improve their security posture
    To be successful, vendor risk management should be an element of an enterprise risk management program, with established, repeatable processes in place that are consistent for all areas within the firm.
  • 21. Key Takeaways
    Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
    - A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms’ cybersecurity programs, along with a clear chain of accountability.
    - A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
    - One size doesn’t fit all. The level of sophistication of technical controls employed by an individual firm is highly contingent on that firm’s individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
    - Many organizations use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
    - Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn’t simply one team’s job – it’s everyone’s job; however, the security team needs to take the lead in improving the organization’s overall security deployment.
  • 22. Summary of Best Practices
    - Tone at the top – The business itself needs to take security seriously, not just write some policy; support the security team with a budget and some people and tools.
    - Basic IT Security Foundation
      - Asset Management – What do you have, what do you value most, and where is it now? (You can’t protect it if you can’t find it)
      - Process / Procedures
        - Access Controls – authentication, limit administrative accounts on systems, least-privilege principle for access
        - Data Management, Change Management, Problem Management
      - Network Security – UTM (Unified Threat Management) tool, and keep BYOD devices off the main network
      - Endpoint Security – EDR (Endpoint Detection & Response), or at least some protection from downloads, attacks and data leakage
      - Security Operations – Detect, act and defend against future attacks
      - Encryption – A process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
    - People – Hire and train people to defend the network (including critical data) and do not rely solely on technology
    - System Updates – Keep your systems up to date. Turn on auto-update on all devices. Remove legacy applications that are at a sunset stage and can’t be secured
    - Control Framework – Implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT, ISO 27K+
  • 23. THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT
    Thank You
    PRESENTER – SANJAY CHADHA CPA, CA, LPA, CISA, CITP
    SAV LLP CHARTERED PROFESSIONAL ACCOUNTANTS
    HULLMARK CENTRE AT YONGE AND SHEPPARD, 3M-4773 YONGE STREET, TORONTO, ON, M2N 0G2
    TEL: 647.831.8322, 416.822.8570
    EMAIL: INFO@SAVASSOCIATES.CA