Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
1. CYBERSECURITY
ASSURANCE
ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1
ISACA MALAYSIA CHAPTER
2. Like any information security process, there should be an adequate and
reasonable level of assurance for cyber security, which completes the
security perspective when combined with governance and management
processes. Cyber security assurance requires a comprehensive set of
controls that covers risk as well as management processes.
These controls are supported by appropriate metrics and indicators for
security goals and factual security risk. This session will share a
cybersecurity self-assessment program for carrying out an audit or
self-assessment review of cyber security controls and practices in a typical
organisation. This assurance program leverages the COBIT 5 framework
and COBIT 5 for Information Security as a baseline.
3. This session aims to bring forth the following to the delegates:
• General understanding of cyber security assurance.
• Exposure to a cyber security assurance program that leverages
COBIT 5 as a baseline.
• Guidelines for conducting a cybersecurity audit.
5. AUDITING & REVIEWING CYBERSECURITY
• Review is required to validate that the controls are designed
and operating effectively.
• The audit & review universe is distributed across all 3 lines of
defense, which provides the required degree of independence.
7. AUDIT UNIVERSE
• Include all control sets, management practices and GRC
provisions in force.
• Can be extended to 3rd parties where the contract grants audit
rights.
• Keep within the right boundaries:
  • Corporate sphere of influence vs private sphere of controls.
  • Internal IT infrastructure vs external infrastructure.
  • Corporate sovereignty vs legal provisions.
9. AUDIT OBJECTIVES
• Can range from high-level governance reviews to technical
reviews.
• Need to be defined clearly and concisely.
• Consider time and effort.
• Audit objectives are best defined in line with the
governance and management activities defined for cyber
security.
• For complex audits, the underlying audit program may
span several years.
10. KEY CONSIDERATIONS
• Legal considerations
• Privacy and data protection
• Logging, data retention and archiving
• Audit data storage and archiving, which should meet the
standard criteria:
  • Confidentiality
  • Integrity
  • Availability
15. TRANSFORMING CYBERSECURITY – COBIT 5
Eight Key Principles:
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.
18. CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Key Areas / Points
1. Cyber security management is supported by entity standards, processes and procedures.
2. Cyber security prevention is monitored on a regular basis by senior management.
3. Business and IT Unit Leaders are trained and actively involved in the oversight and significant decisions relating to cyber security preparedness and incidents.
4. A cyber security task force / panel has been established and includes appropriate functional members.
5. Cyber security risks and vulnerabilities are identified and evaluated on a periodic basis.
19. CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Other notable cyber security assurance concepts
1. Identify and validate the governance model in terms of cyber security attacks (e.g. ‘Zero Tolerance’ vs ‘Living with it’). This model should be aligned with the entity’s overall risk appetite.
2. Determine an optimal decision-making model for cyber security. This may be distinct and different from the ‘ordinary’ information security model.
3. Embed cyber security transformation activities that are driven by a steering committee. These activities should be included in the overall security strategy.
4. Develop and foster an information security-positive culture and environment within all business units.
5. Integrate cyber security measures, measurements and metrics into routine compliance check mechanisms.
20. CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Key Areas / Points
1. IT management establishes, maintains and monitors a secure infrastructure.
2. IT management receives and reviews key reports and analysis of security, vulnerability, intrusions and penetration test results.
3. IT management supports the cyber security task force and information security initiatives.
21. CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Other notable cyber security assurance concepts
1. Define the expectations with regard to cyber security, including ethics and culture. The expectations should match the overall governance model.
2. IT General Controls (‘ITGC’) should be tested and updated regularly. IT General Controls provide the support and baseline assurance for cyber security specific objectives.
3. Controls and objectives that are performed by third parties should also be evaluated periodically by management.
23. CYBERSECURITY ASSURANCE – COBIT 5
APO13: MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)
Security Incident Management
1. Policies and procedures are established to ensure that a risk analysis and asset prioritization is part of the evaluation process.
2. Asset value and prioritization are components of the incident response analysis.
3. Incident response policies and processes should identify the scope, objectives and requirements defining how and who should respond to an incident, what constitutes an incident, and the specific processes for monitoring and reporting the incident activities.
4. An incident response team has been organized with appropriate management, staffing and senior management support.
5. Forensic policies and procedures should ensure that documented management trails are preserved to permit internal investigations and support any legal or regulatory investigations (internal and external).
6. Incident response tools should be installed, scheduled, monitored, and secured to avoid unauthorised access to investigation activities.
7. The crisis management function is part of the cyber security preparedness process.
25. SUMMARY
• Understand CyberSecurity from a holistic,
organizational perspective
• Understand the approach to CyberSecurity Assurance
• Develop audit programmes by identifying risks and
relevant controls
• Know how to test controls related to CyberSecurity
26. ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1
ISACA MALAYSIA CHAPTER