Tech Today World
Monday 1 August 2022
INFOSEC
Delivering the range of vCISO services for Nettitude including:
- Policies and governance documentation
- Risk assessments
- Internal audits
- Cyber incident preparedness
- Cyber resilience strategies
- Security technology optimisation reviews
- Security elements of data privacy and protection
- Strategy setting, program and project management
Working with a global team of information security consultants on a variety of consultancy, retained and embedded engagements such as Interim CISO (as well as vCISO), vDPO services, Third Party Risk Management (TPRM), governance documentation, incident response preparedness, cyber resilience strategies, cyber risk assessments and board-level cyber engagements, both in the UK and around the world. Delivering ISO 27001, NCSC, PCI DSS and NIST CSF assessments, analyses, reviews and remediation/improvement strategies.
- Policies, standards, guidelines and procedures
- Risk assessments
- Third party risk management
- Framework management and maintenance
- Incident response planning and management
- Reporting material for the office of the CISO Group
- Control monitoring and surveillance
- Regulatory affairs / audit management
- Training and awareness
- Develop and manage the IS policies, standards, guidelines and procedures in alignment with the standard framework and headquarters requirements.
- Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards.
- Integrate IS risk reporting and aggregate reporting into an enterprise risk framework. Provide briefings to the CISO and report critical issues that may affect business or enterprise IS objectives.
- Develop strategies and action plans to drive control maturity improvement in areas where controls do not adequately mitigate risks.
- Partner with cyber architecture and engineering teams to develop risk mitigation strategies, solutions, and recommendations to reduce component, system, or enterprise security risk.
- Manage the third party IS risk assessment process to ensure risk transparency and business acceptance, contractual obligations and due diligence assessments, and enable risk-based decision making in support of the Bank's Third Party Risk Program.
- Develop, assess, support and sustain IS frameworks: ISO 27001, NIST 800-53, NIST Cybersecurity Framework, FFIEC CAT, NYDFS 500, etc.
- Manage the IS framework using a GRC platform such as ServiceNow or equivalent.
- Manage the Bank's Incident Response Plan and act as the plan's point of contact (POC).
- Work with the other Bank departments to ensure their respective playbooks are properly developed and aligned with the Bank's Incident Response Plan.
- Act as the Bank's IS Incident Response Handler, responsible for responding to security incidents, threats and vulnerabilities through analysis of event logs, computer artifacts and other data sources to contain and resolve incidents or events, provide recommendations for remediation and determine the root cause.
- Develop and manage the Information Security budget and expenses.
- Document and assess any security breaches and their resolution.
- Maintain and evolve cybersecurity industry contacts.
- Educate colleagues about security software and best practices for information security.
- NIST CSF – The US National Institute of Standards and Technology framework for improving critical infrastructure cybersecurity
- CIS – The Center for Internet Security critical security controls
- ISO/IEC 27001 and 27002 – The International Standards Organization frameworks for best practices around security management and controls
Seven common cybersecurity frameworks:
1. NIST Cybersecurity Framework
3. SOC2
4. NERC-CIP
5. HIPAA
6. GDPR
7. FISMA
ISO 27001 and ISO 27002 certifications are considered the international standard for validating a cybersecurity program — internally and across third parties.
SOC2
Service Organization Control (SOC) Type 2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to help verify that vendors and partners are securely managing client data.
SOC2 specifies more than 60 compliance requirements and extensive auditing processes for third-party systems and controls. Audits can take a year to complete. At that point, a report is issued which attests to a vendor's cybersecurity posture.
Because of its comprehensiveness, SOC2 is one of the toughest frameworks to implement — especially for organizations in the finance or banking sector, which face a higher standard for compliance than other sectors. Nevertheless, it's an important framework that should be central to any third-party risk management program.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a cybersecurity framework that requires healthcare organizations to implement controls for securing and protecting the privacy of electronic health information. Per HIPAA, in addition to demonstrating compliance against cyber best practices — such as training employees — companies in the sector must also conduct risk assessments to identify and manage emerging risk.
GDPR
GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens' personal information. GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as least privilege, role-based access, and multifactor authentication.
The General Data Protection Regulation (GDPR) was adopted in 2016 to strengthen data protection procedures and practices for citizens of the European Union (EU). The GDPR impacts all organizations that are established in the EU or any business that collects and stores the private data of EU citizens — including U.S. businesses.
The framework includes 99 articles pertaining to a company's compliance responsibilities, including a consumer's data access rights, data protection policies and procedures, data breach notification requirements (companies must notify their national regulator within 72 hours of breach discovery), and more.
1. Organizational Framework and Governance Model – An active governance structure that drives accountability into the day-to-day operating fabric ensures business owners have the proper degree of granular visibility into the risks that really matter. Armed with options on what to do about them, business owners can make intelligent decisions on which remediation efforts to fund.
2. Risk Profile and Reporting Framework – A set of rationalized processes for the prioritization of key risk and compliance requirements supports GRC reporting across the organization and to the board. A practical categorization of risk types, threat communities, information, and data classification brings context to risk reporting and decision-making.
3. GRC Diagnostics – Qualitative and quantitative assessments that follow a common risk and compliance identification and analysis process, supported by consistent controls reviews and testing, provide the objective diagnostics required for meaningful decisions on treatment strategies.
4. Risk and Compliance Monitoring Program – Monitoring policies, controls, threats and vulnerabilities against standards and acceptable thresholds provides visibility into risk and compliance profiles on a consistent basis. Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) provide early warning alerts that permit organizations to be proactive in their response.
5. GRC Program Optimization – Continuous improvement, communication and awareness programs drive adaptation as the external environment presents new and emerging risks and compliance requirements. Knowledge sharing across stakeholders on the appropriate best practices supports evolution to a target maturity level that is optimal for the organization.
6. Technology Enabling Platform and Tools – A technology ecosystem that supports a central, secure repository of requirements, policies, control standards, risk analysis, and control test results provides a solid foundation for streamlined workflow, analytics, and reporting.
A well-designed and coherent GRC Framework helps organizations prioritize and respond to risks and compliance requirements with a collaborative and efficient governance process.
Call to Action: An exercise I often use with clients is reviewing the framework, element by element, and marking it up with red, yellow and green to see where your organization is weak – and then looking at which elements will be key enablers for your GRC Program. Using a GRC Framework model in this way helps prioritize what you need to focus on now in order to deliver real value.
Try this: Review this GRC Framework (or something like it) with some of your key stakeholders and get their assessment of what's truly important, what they would like to see good progress on, and how they can help. At the very least, you'll get another perspective on priorities and needs that will keep you driving your GRC program in the right direction.
An IT risk assessment involves four key components. We'll discuss how to assess each one in a moment, but here's a brief definition of each:
- Threat — A threat is any event that could harm an organization's people or assets. Examples include natural disasters, website failures and corporate espionage.
- Vulnerability — A vulnerability is any potential weak point that could allow a threat to cause damage. For example, outdated antivirus software is a vulnerability that can allow a malware attack to succeed. Having a server room in the basement is a vulnerability that increases the chances of a hurricane or flood ruining equipment and causing downtime. Other examples of vulnerabilities include disgruntled employees and aging hardware. The NIST National Vulnerability Database maintains a list of specific, code-based weaknesses.
- Impact — Impact is the total damage the organization would incur if a vulnerability were exploited by a threat. For example, a successful ransomware attack could result in not just lost productivity and data recovery expenses, but also disclosure of customer data or trade secrets that results in lost business, legal fees and compliance penalties.
- Likelihood — This is the probability that a threat will occur. It is usually not a specific number but a range.
The risk equation
We can understand risk using the following equation:
Risk = Threat x Vulnerability x Asset
Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk is high. However, if you have good perimeter defenses and your vulnerability is low, then even though the asset is still critical, your risk will be medium.
This isn't strictly a mathematical formula; it's a model for understanding the relationships among the components that feed into determining risk:
- Threat is short for "threat frequency," or how often an adverse event is expected to occur. For example, the threat of being struck by lightning in a given year is about 1 in 1,000,000.
- Vulnerability is shorthand for "the likelihood that a vulnerability will be exploited and a threat will succeed against an organization's defenses." What is the security environment in the organization? How quickly can disaster be mitigated if a breach does occur? How many employees are in the organization, and what is the probability of any given one becoming an internal threat to security control?
- Cost is a measure of the total financial impact of a security incident. It includes hard costs, like damage to hardware, and soft costs, such as lost business and consumer confidence. Other costs can include:
  - Data loss — Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
  - System or application downtime — If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
  - Legal consequences — If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance
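The qualitative reading of Risk = Threat x Vulnerability x Asset above can be made concrete with ordinal scales. The following Python is an added example, not code from the page: it scores each factor on a three-point scale (an assumption; the page only uses the labels high, medium and low), multiplies them, and bands the product so that the two scenarios in the text land on High and Medium. The Asset term is read as the asset's value or cost of loss, i.e. the "Cost" component described above; the band thresholds, the RiskItem register shape and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Three-point ordinal scale for each factor (assumption: the page gives no
# numeric scale, only the labels "high", "medium" and "low").
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Bands for the product Threat x Vulnerability x Asset, which ranges 1..27.
# Thresholds are an assumption, chosen so that the two scenarios in the text
# ("very vulnerable, critical asset" -> High; "low vulnerability, critical
# asset" -> Medium) fall where the text places them.
BANDS: List[Tuple[int, str]] = [(4, "Low"), (12, "Medium"), (27, "High")]


@dataclass(frozen=True)
class RiskItem:
    """One line of a risk register, scored on ordinal levels."""
    name: str
    threat: str         # threat frequency: how often the event is expected
    vulnerability: str  # likelihood the threat succeeds against current defences
    asset: str          # asset value / cost of loss if the threat succeeds


def is_valid_level(value: str) -> bool:
    """True when the label is on the scale (case-insensitive)."""
    return value.lower() in LEVELS


def level(value: str) -> int:
    """Map a label to its ordinal score, rejecting anything off the scale."""
    if not is_valid_level(value):
        raise ValueError(f"unknown level {value!r}; expected one of {sorted(LEVELS)}")
    return LEVELS[value.lower()]


def score(item: RiskItem) -> int:
    """Risk = Threat x Vulnerability x Asset on the ordinal scale (1..27)."""
    return level(item.threat) * level(item.vulnerability) * level(item.asset)


def band(product: int) -> str:
    """Translate the product back into a qualitative rating."""
    for upper, label in BANDS:
        if product <= upper:
            return label
    raise ValueError(f"product {product} out of range 1..27")


def rate(item: RiskItem) -> str:
    """Qualitative rating for one register entry."""
    return band(score(item))


def prioritise(register: List[RiskItem]) -> List[Tuple[RiskItem, int, str]]:
    """Order a register highest risk first; ties keep register order."""
    scored = [(item, score(item), rate(item)) for item in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register. The first two rows are the text's own two
# scenarios; the threat frequency of "hackers compromising a system" is
# assumed to be high in both, since only vulnerability and asset differ.
REGISTER = [
    RiskItem("server, no firewall or antivirus", "high", "high", "high"),
    RiskItem("server behind good perimeter defences", "high", "low", "high"),
    RiskItem("flood in basement server room", "low", "high", "high"),
    RiskItem("aging test hardware", "medium", "medium", "low"),
]

if __name__ == "__main__":
    for item, product, label in prioritise(REGISTER):
        print(f"{label:6} ({product:2}) {item.name}")
```

The ordinal product is deliberately coarse: it preserves the ordering the text argues for (same threat and asset, lower vulnerability gives a lower band) without pretending the factors are measured probabilities, which is the caveat the text itself makes about the formula.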
- Threat intelligence team
- Information technology
- Compliance and risk management teams
- Business leaders and SMEs
- Security architecture and operations
- Audit team
What is SOC 2 and why do we need it?
SOC 2 is an auditing procedure and report that is part of the SSAE (Statement on Standards for Attestation Engagements) maintained by the AICPA. It is one of the more common compliance requirements that companies should meet today to be competitive in the market. A SOC 2 report attests that a company's information security measures are in line with the specific demands of today's cloud environments.
What are the 14 categories of ISO 27001 controls?
The 14 categories of Annex A controls cover different security areas and dictate the objective of each control in improving your information security. Annex A of ISO 27001 comprises 114 controls which are grouped into the following 14 control categories:
1. Information Security Policies
2. Organisation of Information Security
3. Human Resources Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operational Security
9. Communications Security
10. Systems Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security Aspects of Business Continuity Management
14. Compliance
As part of establishing an ISMS, organizations need to consider additional ISO 27000 family standards such as:
- ISO/IEC 27002:2013 - Code of practice for information security controls
- ISO/IEC 27003 - Information security management system implementation guidance
- ISO/IEC 27004 - Information security management - Measurement
- ISO 31000:2009 - Risk management - Principles and guidelines
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Consisting of 197 control objectives organized into 17 domains, the CCM focuses solely on cloud computing. The 17 domains include:
- Audit & Assurance
- Application & Interface Security
- Business Continuity Management & Operational Resilience
- Change Control & Configuration Management
- Cryptography, Encryption & Key Management
- Datacenter Security
- Data Security & Privacy Lifecycle Management
- Governance, Risk Management & Compliance
- Human Resources
- Identity & Access Management
- Interoperability & Portability
- Infrastructure & Virtualization Security
- Logging & Monitoring
- Security Incident Management, E-Discovery, & Cloud Forensics
- Supply Chain Management, Transparency & Accountability
- Threat & Vulnerability Management
- Universal Endpoint Management