METRICS, RISK MANAGEMENT & DLP
A step-by-step approach
Rob Kloots, Vice-President ISSA-BE; Webmaster ISSA-BE
           Owner CSF b.v. - GRC Consulting
           Rob.Kloots@csf.nl
DISCUSSION ITEMS
   Professionalise, Organise
   Compliance Security Framework
       Objectives
       Metrics
       Measures
       Achievable Markerpoints
   Risk Management
   Data Loss Prevention System
       External Standards
       Action list
       Controls


                        Conferencias ISSA de Seguridad 2010   15-04-2010   3
DATA LOSS PREVENTION
   Data Loss Prevention (DLP) is a computer security term
    referring to systems that identify, monitor, and protect data in use
    (e.g., endpoint actions), data in motion (e.g., network actions),
    and data at rest (e.g., data storage) through deep content
    inspection, contextual security analysis of each transaction
    (attributes of originator, data object, medium, timing,
    recipient/destination, etc.), and a centralized management
    framework. The systems are designed to detect and prevent the
    unauthorized use and transmission of confidential information.
   It is also referred to by various vendors as Data Leak
    Prevention, Information Leak Detection and Prevention
    (ILDP), Information Leak Prevention (ILP), Content
    Monitoring and Filtering (CMF) or Extrusion Prevention
    System, by analogy to an intrusion prevention system.
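The definition above names two things a DLP system has to combine: deep content inspection of the data object, and contextual analysis of the transaction (originator, recipient/destination, medium). The following is an added example, not code from the slides or from any DLP product, showing both halves in a minimal policy engine. Content inspection uses Luhn-validated card numbers, a classification marker and word-shingle fingerprints of a protected document; the context decides whether a finding is blocked, alerted on, or merely logged. All names, thresholds, the log format and the sample transactions are assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Added example (not from the slides): content inspection + transaction context.
# SHINGLE_WORDS, the policy tiers and the sample data below are assumptions.
SHINGLE_WORDS = 6  # fingerprint granularity: hash every 6-word window of a document


@dataclass(frozen=True)
class Transaction:
    originator: str  # user or process moving the data
    recipient: str   # mail address, host name, or removable-device id
    medium: str      # "email", "https", "smb", "usb"
    content: str     # the data object in motion


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out invoice/serial numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optional single space/dash separators, not embedded in a longer digit run
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(text: str) -> set[str]:
    """Hash every SHINGLE_WORDS-word window of normalised text, so excerpts still match."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    windows = (" ".join(words[i:i + SHINGLE_WORDS])
               for i in range(len(words) - SHINGLE_WORDS + 1))
    return {hashlib.sha256(w.encode()).hexdigest() for w in windows}


def evaluate(tx: Transaction, internal_domains: set[str],
             protected: set[str]) -> tuple[str, list[str]]:
    """Combine content findings with destination/medium context; return (action, reasons)."""
    reasons = []
    if pans := find_pans(tx.content):
        reasons.append(f"{len(pans)} Luhn-valid card number(s)")
    if fingerprint(tx.content) & protected:
        reasons.append("excerpt of a fingerprinted confidential document")
    if re.search(r"\bconfidential\b", tx.content, re.IGNORECASE):
        reasons.append("classification marker present")
    if not reasons:
        return "allow", []
    # Removable media always leaves the organisation; otherwise judge by destination.
    leaves_org = tx.medium == "usb" or not any(
        tx.recipient.lower().endswith(("@" + d, "." + d)) for d in internal_domains)
    if not leaves_org:
        return "allow_and_log", reasons          # internal use: record it, do not block
    if reasons == ["classification marker present"]:
        return "alert", reasons                  # marker alone: hand to an analyst
    return "block", reasons                      # confirmed sensitive content going out


def demo() -> dict[str, str]:
    """Constructed sample transactions (not real data); returns the action per case."""
    protected = fingerprint("Project Falcon acquisition terms: offer price per share "
                            "42 euro, subject to board approval on 30 June.")
    internal = {"example.com"}
    cases = {
        "pan_external": Transaction("alice", "partner@example.net", "email",
                                    "Please charge card 4111 1111 1111 1111 as agreed."),
        "lookalike_external": Transaction("alice", "partner@example.net", "email",
                                          "Invoice ref 1234 5678 9012 3456 attached."),
        "pan_internal": Transaction("alice", "finance@example.com", "email",
                                    "Refund to 4111-1111-1111-1111, ticket 77."),
        "excerpt_usb": Transaction("bob", "usb:SanDisk-0042", "usb",
                                   "FYI offer price per share 42 euro, subject to "
                                   "board approval - keep quiet"),
        "marker_external": Transaction("carol", "press@example.org", "https",
                                       "CONFIDENTIAL draft, do not forward."),
    }
    return {name: evaluate(tx, internal, protected)[0] for name, tx in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action}")
```

The Luhn check is what keeps the invoice reference in the second case from becoming a false positive, and the shingle fingerprint is what catches a partial quotation of the protected document on the USB copy; a pure keyword rule would miss one and over-fire on the other.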



FIREFIGHTING DLP INCIDENTS
   Data breach causes
   According to the Verizon 2009 Data Breach Investigations Report
   (the categories overlap, so the percentages do not sum to 100%):
     •   74% from external sources
     •   20% by insiders
     •   32% implicated business partners
     •   39% involved multiple parties

   What damage can be done?
     •   Loss of trust
     •   Reputation damage
     •   Loss of clients
     •   Repair costs
FIREFIGHTING DLP INCIDENTS
   DLP is more than Gartner hype
   DLP is key to GRC
   The European Commission enforces DLP in the 2008
    Telecom Directive
   DLP incidents are a given fact of operations
   The question is not if, but when
ADAPT, ADOPT, IMPROVE
   Firefighting
   Maturity level
   What steps?
   Learning Management System:
      Metrics,
      Measures, and
      Markerpoints.
   [figure: Adopt -> Adapt -> Improve cycle]
MATURITY LEVELS
o Predefined business process
o Clear goals/performance requirements
o Quantitative/qualitative measures
   [figure: maturity ladder, lowest to highest]
   1. Incomplete
   2. Repeatable
   3. Defined
   4. Managed
   5. Quantitatively Managed



COMPLIANCE SECURITY FRAMEWORK

   A Compliance Security Framework should allow for a team
    effort by both management (2) and operators (3) to enter
    into a learning system with respect to compliance- and
    risk-based security measures (1).
   [figure: CSF triangle linking (1) security measures, (2) management and (3) operators]
COMPLIANCE DEFINED

   Compliance is either a state of being in
    accordance with established standards,
    specifications or legislation or the process of
    becoming so.




COMPLIANCE CAN PROVIDE OPPORTUNITIES

   Compliance within the organisation can provide a
    positive ROI.
   Investment:
      Compliance management, based on an efficient
       control set (e.g. ISO 27001/9001/20000) and an audit
       methodology.
   Return: by being compliant, the organisation
      has a strong quality statement for existing
       customers and prospects;
      mitigates risks;
      improves the quality of service delivery processes.
COMPLIANCE; AGAINST WHAT?

 Company internal
  policies &
  standards
 External rules and
  regulations
 Industry standards
 Customer (security)
  requirements
…

WELL-CONTROLLED ORGANIZATIONS

Key attributes of a well-controlled
 organization include:
# 1. Leadership of Board
# 2. Translation of strategic vision to day-to-day management
# 3. Communication of objectives & values to all levels
# 4. Individual accountability
# 5. Risk management system
# 6. Human resources reinforcement
# 7. Independent, objective and competent oversight
RISK & CONTROL: SYMBIOTIC SYSTEMS (source: PwC)
   Objective
      • Define strategic risk
      • Articulate risk philosophy
      • Define values and behavioral expectations
   Risk
      • Assess risk
      • Manage risk
   Control
      • Assess existing controls
      • Select control model
      • Continuous communication
   Alignment
      • Continuous program for ORC
      • Develop a control improvement plan

   … Operations are dynamic and evolving...
METRICS - 1

 Metrics are simply a standard or system of
  measurement
 Metric - A quantitative measure of the
  degree to which a system, component, or
  process possesses a given attribute [2]. A
  calculated or composite indicator based upon
  two or more measures. A quantified measure
  of the degree to which a system, component,
  or process possesses a given attribute [3].

METRICS - 2

   Characteristics & Classification
   Process metrics
        CSFs, KGIs and KPIs
   Asset-related vulnerability metrics
        What value does data have when static, dynamic, owned,
         stored, or lost?
   Monetary value of reputation
      ? Market capitalisation
      ! Value of assets in euro
      ! Total asset value at risk
MEASURES
   Measure - To ascertain or appraise by
    comparing to a standard [1]. A standard or unit
    of measurement; the extent, dimensions,
    capacity, etc., of anything, especially as
    determined by a standard; an act or process of
    measuring; a result of measurement [3]. A
    related term is Measurement - The act or
    process of measuring. A figure, extent, or
    amount obtained by measuring [1]. The act or
    process of measuring something. Also a result,
    such as a figure expressing the extent or value
    that is obtained by measuring [3].
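The two slides above draw the line between a measure (one observed quantity, obtained by comparing to a standard) and a metric (a composite indicator built from two or more measures). The following is an added example, not from the slides, that makes that distinction concrete on DLP operations: it parses constructed DLP event records, takes raw measures from them, derives composite metrics, and checks the metrics against target ceilings. The log format, the event data and the targets are assumptions made up for the example.

```python
import re
from datetime import datetime

# Added example (not from the slides). Constructed DLP event records: each line is
# one alert with its verdict, the analyst's disposition and the closing time
# (an empty closed= means the alert is still open). The format is an assumption.
SAMPLE_LOG = """\
2010-04-01T09:12:00 id=1 verdict=block disposition=true_positive closed=2010-04-01T10:02:00
2010-04-01T11:40:00 id=2 verdict=alert disposition=false_positive closed=2010-04-01T11:55:00
2010-04-02T08:05:00 id=3 verdict=block disposition=true_positive closed=2010-04-02T12:05:00
2010-04-02T14:30:00 id=4 verdict=alert disposition=false_positive closed=2010-04-02T14:50:00
2010-04-03T16:00:00 id=5 verdict=block disposition=false_positive closed=2010-04-03T16:30:00
2010-04-03T17:10:00 id=6 verdict=alert disposition=true_positive closed=
"""

_EVENT = re.compile(r"(?P<ts>\S+) id=(?P<id>\d+) verdict=(?P<verdict>\w+) "
                    r"disposition=(?P<disp>\w+) closed=(?P<closed>\S*)")


def parse_events(log: str) -> list[dict]:
    """Turn log lines into event records; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = _EVENT.match(line)
        if not m:
            continue
        events.append({
            "id": int(m["id"]),
            "verdict": m["verdict"],
            "disposition": m["disp"],
            "opened": datetime.fromisoformat(m["ts"]),
            "closed": datetime.fromisoformat(m["closed"]) if m["closed"] else None,
        })
    return events


def measures(events: list[dict]) -> dict[str, float]:
    """Measures: each value is a single counted or timed quantity."""
    minutes = [(e["closed"] - e["opened"]).total_seconds() / 60
               for e in events if e["closed"] is not None]
    return {
        "events": len(events),
        "blocked": sum(e["verdict"] == "block" for e in events),
        "false_positives": sum(e["disposition"] == "false_positive" for e in events),
        "open": sum(e["closed"] is None for e in events),
        "resolved": len(minutes),
        "resolve_minutes_total": sum(minutes),
    }


def _ratio(numerator: float, denominator: float) -> float:
    return numerator / denominator if denominator else 0.0


def metrics(m: dict[str, float]) -> dict[str, float]:
    """Metrics: composite indicators, each derived from two or more measures."""
    return {
        "block_rate": _ratio(m["blocked"], m["events"]),
        "false_positive_rate": _ratio(m["false_positives"], m["events"]),
        "mttr_minutes": _ratio(m["resolve_minutes_total"], m["resolved"]),
        "backlog_ratio": _ratio(m["open"], m["events"]),
    }


# Target ceilings per metric (assumed values): the metric passes when it is at or below.
TARGETS = {"false_positive_rate": 0.2, "mttr_minutes": 120.0, "backlog_ratio": 0.25}


def assess(metric_values: dict[str, float],
           targets: dict[str, float] = TARGETS) -> dict[str, bool]:
    """Compare each targeted metric with its ceiling."""
    return {name: metric_values[name] <= ceiling for name, ceiling in targets.items()}


if __name__ == "__main__":
    m = measures(parse_events(SAMPLE_LOG))
    k = metrics(m)
    print("measures:", m)
    print("metrics:", k)
    print("against targets:", assess(k))
```

Keeping the measures and the metrics in separate functions is deliberate: the measures are what the sensor and ticket system actually record, and every metric can be traced back to two of them, which is what an auditor asks for when a KPI is challenged.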

ACHIEVABLE MARKERPOINTS

   How to set
   Where to use
   Purpose
RISK MANAGEMENT - 1

   [figure: RM mechanics, fed by qualitative and quantitative assessment, producing management information]
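The slide shows the risk-management mechanics as a box with qualitative and quantitative inputs and management information as output. The following is an added example, not from the slides, that fills that box in for one data-loss scenario: it quantifies single and annualised loss expectancy, runs a seeded Monte Carlo to get a loss-exceedance figure, computes the return on a DLP control, and maps the same scenario onto a qualitative likelihood-by-impact matrix for the management view. The scenario figures, the control cost and the matrix thresholds are assumptions invented for the example.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

# Added example (not from the slides): quantitative and qualitative RM mechanics
# side by side. All scenario values, costs and thresholds are assumptions.


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # EUR, total asset value at risk
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)


def sle(s: Scenario) -> float:
    """Single loss expectancy: asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualised loss expectancy: SLE x ARO."""
    return sle(s) * s.aro


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    return (ale(before) - ale(after) - annual_control_cost) / annual_control_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Incident count for one year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int, seed: int = 1,
                           sigma: float = 0.5) -> list[float]:
    """Monte Carlo: Poisson incident counts, log-normal loss per incident with mean SLE."""
    rng = random.Random(seed)
    mu = math.log(sle(s)) - sigma ** 2 / 2  # chosen so that E[loss per incident] == SLE
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, s.aro)))
            for _ in range(years)]


def loss_exceedance(losses: list[float], probability: float) -> float:
    """Loss not exceeded with the given probability (0.95 gives the 1-in-20-year loss)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(probability * len(ordered)))]


def qualitative_rating(s: Scenario) -> str:
    """Map the quantified scenario onto a 3x3 likelihood x impact matrix (assumed thresholds)."""
    likelihood = "low" if s.aro < 0.1 else "medium" if s.aro < 1 else "high"
    impact = "low" if sle(s) < 10_000 else "medium" if sle(s) < 100_000 else "high"
    rank = {"low": 0, "medium": 1, "high": 2}
    return ("low", "low", "medium", "high", "critical")[rank[likelihood] + rank[impact]]


def demo() -> dict:
    """Constructed scenario: a lost laptop holding a customer database, before and after
    endpoint DLP plus full-disk encryption (the control cuts the exposure, not the loss rate)."""
    before = Scenario("customer database on lost laptop, unprotected", 2_000_000, 0.05, 0.5)
    after = Scenario("same, with endpoint DLP and full-disk encryption", 2_000_000, 0.005, 0.5)
    losses = simulate_annual_losses(before, years=20_000)
    return {
        "sle": sle(before),
        "ale_before": ale(before),
        "ale_after": ale(after),
        "rosi": rosi(before, after, annual_control_cost=15_000),
        "simulated_mean": mean(losses),
        "p95": loss_exceedance(losses, 0.95),
        "rating_before": qualitative_rating(before),
        "rating_after": qualitative_rating(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15s} {value}")
```

The point of carrying both views is visible in the output: the ALE alone (50 000 EUR a year) understates what a bad year looks like, the 95th-percentile loss is several times higher, and the qualitative rating is what ends up on the management slide. The ROSI of 2.0 says the control returns twice its cost in reduced expected loss; that figure is only as good as the ARO and exposure factor fed in, so the assumptions belong next to it.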
RISK MANAGEMENT - 2




WHAT STANDARDS?

   [figure: external standards around DLP]
DATA LOSS PREVENTION SYSTEM
   1. Introduction to the DLPS 10%
   2. Creating the Asset Inventory 8%
   3. Establishing Information Risk Management process 8%
   4. Establish a Continual Improvement process 10%
   5. Developing Documentation 5%
   6. Establishing a Legal Registry process 8%
   7. Establishing a Compliance Management process 5%
   8. Establishing an Audit process 10%
   9. Establishing a Governance process 10%
   10. Establishing Security & Privacy testing process 8%
   11. Establishing the Incident Response process 8%
   12. Establishing Training & Awareness process 10%



DATA LOSS PREVENTION
   SANS Critical Security Controls
     1: Inventory of Authorized and Unauthorized Devices
     2: Inventory of Authorized and Unauthorized Software
     3: Secure Configurations for Hardware and Software on Laptops,
      Workstations, and Servers
     4: Secure Configurations for Network Devices such as Firewalls, Routers,
      and Switches
     5: Boundary Defense
     6: Maintenance, Monitoring, and Analysis of Audit Logs
     7: Application Software Security
     8: Controlled Use of Administrative Privileges
     9: Controlled Access Based on Need to Know
     10: Continuous Vulnerability Assessment and Remediation
     11: Account Monitoring and Control
     12: Malware Defenses
     13: Limitation and Control of Network Ports, Protocols, and Services
     14: Wireless Device Control
     15: Data Loss Prevention

   Critical Control 15 Metric
     The system must be capable of identifying unauthorized data
     leaving the organization's systems, whether via network file
     transfers or removable media.

   Control 15 Test

   Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
     AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1),
     SI-4 (4, 11), PM-7
QUESTIONS, PLEASE!




