Who has the ball in
[Cyber | IT | Information] Security?
Marc Brawner
Principal
Cyber Security and Investigations
Nashville, TN
Proprietary and Confidential — External Use Only
Marc Brawner
With over 23 years of experience in information technology, including 18 years focused on cyber security, Marc is a true expert in cyber risk management, incident response, and forensic investigations. He brings an extraordinary level of experience and knowledge, having led or participated in hundreds of cyber security matters at organizations around the USA and abroad.

Today, Marc oversees the practice's endpoint threat monitoring and analysis team, while also leading and supporting complex incident investigations, and providing guidance on a range of technology and cyber security matters to Kroll colleagues and clients worldwide.

Marc returned to Kroll in 2013 after spending seven years at Marsh & McLennan Companies, a Fortune 200 firm, where he led its global information security incident response and risk assessment teams. Earlier in his career at Kroll, Marc implemented and managed a variety of technology and security solutions, developed and implemented policy and regulatory compliance programs, and managed information technology teams.

Marc is a Tennessee native and holds a bachelor’s degree in Computer Science from Lipscomb University, along with several industry certifications, including: Core PCI Forensic Investigator and Qualified Security Assessor, PCI Security Standards Council (PFI/QSA); Certified Information Systems Security Professional (CISSP); Certified in Risk and Information Systems Control (CRISC).
Principal
Cyber Security & Investigations
mbrawner@kroll.com
Who we are
Kroll is the leading global provider of risk and investigative services, helping clients anticipate, detect, mitigate, and respond to risk.
[Infographic: Trusted Partner, 40+ years; Diverse expertise; 77%, Fortune 100]
• Help clients make confident risk management decisions about: people, assets, operations and security
• Provide an unparalleled range of services and solutions
• Regularly work on the most complex and highest profile matters in the world
• Extensive global network allows us to efficiently and effectively address challenging situations
Former members of law enforcement agencies including the FBI, US Secret Service, Dept. of Homeland Security, Dept. of Defense, Dept. of Justice, Ministry of Defense. Other expertise includes: computer forensic analysts, forensic accountants, information security analysts, former prosecutors, business intelligence analysts, and investigative journalists.
Global, expert team
Kroll has offices in 20 countries and more than 30 cities.
Language fluency includes: Arabic, Bengali, Chinese, English, French, German, Hindi, Japanese, Portuguese, Punjabi, Russian, and Spanish
Expertise includes: Cyber Risk Management, Due Diligence & Compliance Management, Business Intelligence & Investigations, Security Risk Management
Licenses / Certifications include: Payment Card Industry Data Security Standard (PCI DSS), Qualified Security Assessor (QSA), Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP)
Cyber security solutions
Some recent awards and recognitions
• Best Cyber Security Provider – 2017 National Law Journal Reader Choice Survey
• Best Litigation Dispute Advisory Services Consultant – 2017 National Law Journal Reader Choice Survey
• Best Corporate Investigations Provider – 2017 National Law Journal Reader Choice Survey
• “Leader” in Customer Data Breach and Notification – The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017
• “[Kroll] is capable of being a one-stop shop for multiple services relating to breach response, from forensic investigations to support for clients in litigation issues.” – The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017
Session Agenda
• Why does your institution need an information technology program?
• Why does your institution need an information security program?
• Understand key differences between Information Technology and Cyber/Information Security
• Review roles and responsibilities
• Review industry guidance and trends
• Review board level considerations
• Discuss modern threats and defenses
Why do we need IT?
Information Technology
• Design, implement and operate critical business technology
  • Servers
  • Workstations
  • Networks
  • Telephony and communication tools
  • Business applications
• Manage electronic data and information storage
• Develop strategic technology plans and objectives consistent with business needs
Why do we need Security?
Information Security
• Security: resilience from harm
• Information Security: program, process, and activities designed to protect the confidentiality, integrity, and availability of information.
• Cyber Security: focus on digital information and systems
Information Security Triad: Confidentiality, Integrity, Availability
FFIEC Guidance
Information security:
• …is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information.
• …promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution.
FFIEC Guidance
• Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value.
• The potential adverse effects can arise from the following:
  • Disclosure of information to unauthorized individuals.
  • Unavailability or degradation of services.
  • Misappropriation or theft of information or services.
  • Modification or destruction of systems or information.
  • Records that are not timely, accurate, complete, or consistent.
Source: FFIEC IT Examination Handbook (2016)
Information Security and IT Ops
IT Operations:
• Store
• Process
• Transmit
• Access
Information Security:
• Understand Risk
• Appropriately Secure
• Monitor
Balancing Act
[Diagram: IT Operations balanced against IT Security/Risk Management; labels: Confidentiality, Integrity, Delivery, Availability]
Roles and Responsibilities – CIO/CTO/IT Manager
• Develop and implement IT strategy
• Oversee IT budget
• IT acquisition, development, training
• IT architecture
• Planning
• Supporting lines of business strategy
Roles and Responsibilities – CISO/ISO/Risk Mgr
• Management and mitigation of information security risks
• Implementing information security strategy
• Address current and emerging risks
• Work with business on information flows, risks, and protection
• Championing security awareness and training
Roles and Responsibilities
CIO/CTO/IT Manager:
• Develop and implement IT strategy
• Oversee IT budget
• IT acquisition, development, training
• IT architecture
• Planning
• Supporting lines of business strategy
CISO/CSO/Risk Manager:
• Management and mitigation of information security risks
• Implementing information security strategy
• Address current and emerging risks
• Work with business on information flows, risks, and protection
• Championing security awareness and training
• Building external relationships
• IR Planning
CISO Evolution
• “While in the past, the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team.”
• “The CISO should be an enterprise-wide risk manager, rather than a production resource devoted to IT operations.”
Why?
Infosec Theory Evolution
Perimeter → Defense In Depth → Assumption of Breach
Tool Based Strategy?
[Pyramid: Technical Controls, Operations, Governance]
Most Data Breaches Occur When This Strategy Is Used!
Most Effective Strategy to Mitigate Risk!
[Pyramid: Governance, Operations, Technical Controls]
FFIEC: Reporting Structure
• Information security officers should report directly to the board or senior management
  • NOT IT operations management
  • Ensures appropriate segregation of duties
• Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.
Pitfalls of IT driven information security
• Frequent conflicts of interest
• Too many ‘hats’ for one person, team, or role
• Increased complexity of technology
• Increased complexity of threats and vulnerabilities
• Different skills, education and training paths
• Often follows tool-based strategy
• Often minimizes or misses subtle clues of exposure
• Incident management
  • What happens during a crisis?
FFIEC: Role of the Board of Directors
• The board, or designated board committee, should be responsible for:
  • overseeing the development, implementation, and maintenance of the institution’s information security program;
  • holding senior management accountable for its actions.
Increasing Board Oversight
• Consider prior evolution of board to address and validate financial statement accuracy
• Proliferation of cybersecurity risks now trumps financial accounting risks
Recent SEC Guidance – February 26, 2018
• Cybersecurity risks pose grave threats to investors, our capital markets, and our country…
• Regulation S-K ... Require a company to disclose the extent of its board of directors’ role in the risk oversight of the company…
  • “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.”
• “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility…”
https://www.sec.gov/rules/interp/2018/33-10459.pdf
Board Oversight
• A key question in 2018 is not, “Do we have a security program?”
• Rather, “Is our program actually working to reduce risk as intended?”
Board Modernization
• Create a cyber security committee (similar to audit committee)
• Add cyber expertise to board
• Engage third party to conduct annual review (similar to accounting audit) and participate in strategy
• Require management reporting and feedback
https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-call-to-corporate-directors/
What about Outsourcing?
• Absolutely!
• Leading security advisory and incident response firms offer:
  • Exposure to ongoing threats, real-world incidents, and what works (or doesn’t)
  • Neutral understanding of business risk without politics
  • Articulate effective risk management priorities and practices based on experience
• Can’t fully shift responsibility, however.
Information Security Funding?
Where is your sensitive/regulated data?
[Diagram: Creation, Transmission, Reproduction, Physical Transport, Storage, Disposal, Intellectual Property]
20 CSC is Minimum Standard
The 20 Critical Security Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
California Data Breach Report (Feb 2016), Attorney Gen. Kamala D. Harris
Cyber Threat Landscape
Threats:
• Criminals / criminal organizations
• Terrorists / non-government organizations
• Hacktivists
• Foreign governments
• Employees
• Regulatory penalties
• Reputational damage
• Financial loss
Targeted Assets:
• Customer
• Personal information
• Health Data
• Account data
• Financial system functions – AR & AP
• Financial assets
• Employee PII
• Intellectual property
• Network bandwidth
Attack Methods:
• Spearphishing
• Web site attacks
• Social engineering
• DDoS
• Data destruction
• Data alteration

Modern Cyber Tools
Traditional Tools:
• Antivirus
• Network Firewall
• IDS
• Helpdesk
• Policies
• SOC
Modern Tools:
• Endpoint Monitoring
• Threat Hunting
• Managed Detection/IR
• Application firewall
• User Behavior Analytics
Building a higher level cyber security program
Assumption of Breach
What is Your Narrative?
• Reasonable Measures Implemented
• Attacker Used Extraordinary Methods
• Able to Rapidly Detect and Respond Effectively
Narrative
• Have a narrative before an incident
• Choose and implement a cybersecurity framework
• Use governance structures to operationalize the framework
• Fund appropriately based on risk tolerance
• Infosec Maturity = detect and respond capability
Summary
• Cybersecurity today is a board-level issue, more than ever
• IT is not the primary stakeholder for managing cybersecurity risk
• Dedicated resources are required
• Leverage independent third party expertise to right-size program and validate effectiveness
• Modern tools are essential, but governance comes first
• Assume breach – have a response plan and defensible narrative
Additional Kroll Resources
https://www.kroll.com/en-us/intelligence-center
Kroll.com

Marc Brawner
Principal
Cyber Security Investigations
mbrawner@kroll.com
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Information Security vs IT - Key Roles & Responsibilities

  • 1. Who has the ball in [Cyber | IT | Information] Security?
    Marc Brawner, Principal, Cyber Security and Investigations, Nashville, TN

  • 2. Marc Brawner (Principal, Cyber Security & Investigations, mbrawner@kroll.com)
    Proprietary and Confidential — External Use Only
    With over 23 years of experience in information technology, including 18 years focused on cyber security, Marc is a true expert in cyber risk management, incident response, and forensic investigations. He brings an extraordinary level of experience and knowledge, having led or participated in hundreds of cyber security matters at organizations around the USA and abroad.
    Today, Marc oversees the practice's endpoint threat monitoring and analysis team, while also leading and supporting complex incident investigations, and providing guidance on a range of technology and cyber security matters to Kroll colleagues and clients worldwide.
    Marc returned to Kroll in 2013 after spending seven years at Marsh & McLennan Companies, a Fortune 200 firm, where he led its global information security incident response and risk assessment teams. Earlier in his career at Kroll, Marc implemented and managed a variety of technology and security solutions, developed and implemented policy and regulatory compliance programs, and managed information technology teams.
    Marc is a Tennessee native and holds a bachelor’s degree in Computer Science from Lipscomb University, along with several industry certifications, including: Core PCI Forensic Investigator and Qualified Security Assessor, PCI Security Standards Council (PFI/QSA); Certified Information Systems Security Professional (CISSP); Certified in Risk and Information Systems Control (CRISC).

  • 3. Who we are
    Kroll is the leading global provider of risk and investigative services, helping clients anticipate, detect, mitigate, and respond to risk.
    [Infographic labels: Trusted partner; 40+ years; 77% Fortune 100; Diverse expertise]
    - Help clients make confident risk management decisions about: people, assets, operations and security
    - Provide an unparalleled range of services and solutions
    - Regularly work on the most complex and highest profile matters in the world
    - Extensive global network allows us to efficiently and effectively address challenging situations
    Former members of law enforcement agencies including the FBI, US Secret Service, Dept. of Homeland Security, Dept. of Defense, Dept. of Justice, Ministry of Defense. Other expertise includes: computer forensic analysts, forensic accountants, information security analysts, former prosecutors, business intelligence analysts, and investigative journalists.

  • 4. Global, expert team
    - Kroll has offices in 20 countries and more than 30 cities
    - Language fluency includes: Arabic, Bengali, Chinese, English, French, German, Hindi, Japanese, Portuguese, Punjabi, Russian, and Spanish
    - Expertise includes: Cyber Risk Management, Due Diligence & Compliance Management, Business Intelligence & Investigations, Security Risk Management
    - Licenses / Certifications include: Payment Card Industry Data Security Standard (PCI DSS), Qualified Security Assessor (QSA), Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP)

  • 5. Cyber security solutions: some recent awards and recognitions
    - Best Cyber Security Provider 2017, National Law Journal Reader Choice Survey
    - Best Corporate Investigations Provider 2017, National Law Journal Reader Choice Survey
    - Best Litigation Dispute Advisory Services Consultant 2017, National Law Journal Reader Choice Survey
    - “Leader” in Customer Data Breach and Notification, The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017
    - “[Kroll] is capable of being a one-stop shop for multiple services relating to breach response, from forensic investigations to support for clients in litigation issues.” (The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017)

  • 6. Session Agenda
    - Why does your institution need an information technology program?
    - Why does your institution need an information security program?
    - Understand key differences between Information Technology and Cyber/Information Security
    - Review roles and responsibilities
    - Review industry guidance and trends
    - Review board level considerations
    - Discuss modern threats and defenses

  • 7. Why do we need IT?

  • 8. Information Technology
    - Design, implement and operate critical business technology: servers, workstations, networks, telephony and communication tools, business applications
    - Manage electronic data and information storage
    - Develop strategic technology plans and objectives consistent with business needs

  • 9. Why do we need Security?

  • 10. Information Security
    - Security: resilience from harm
    - Information Security: program, process, and activities designed to protect the confidentiality, integrity, and availability of information
    - Cyber Security: focus on digital information and systems

  • 11. Information Security Triad: Confidentiality, Integrity, Availability

  • 12. FFIEC Guidance
    - Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information.
    - Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution.

  • 13. FFIEC Guidance
    - Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value.
    - The potential adverse effects can arise from the following:
      - Disclosure of information to unauthorized individuals
      - Unavailability or degradation of services
      - Misappropriation or theft of information or services
      - Modification or destruction of systems or information
      - Records that are not timely, accurate, complete, or consistent
    Source: FFIEC IT Examination Handbook (2016)

  • 14. Information Security and IT Ops
    - IT Operations: Store, Process, Transmit, Access
    - Information Security: Understand Risk, Appropriately Secure, Monitor

  • 15. Balancing Act
    IT Operations (Delivery) balanced against IT Security/Risk Management (Confidentiality, Integrity, Availability)

  • 16. Roles and Responsibilities – CIO/CTO/IT Manager
    - Develop and implement IT strategy
    - Oversee IT budget
    - IT acquisition, development, training
    - IT architecture
    - Planning
    - Supporting lines of business strategy

  • 17. Roles and Responsibilities – CISO/ISO/Risk Manager
    - Management and mitigation of information security risks
    - Implementing information security strategy
    - Address current and emerging risks
    - Work with business on information flows, risks, and protection
    - Championing security awareness and training

  • 18. Roles and Responsibilities
    CIO/CTO/IT Manager:
    - Develop and implement IT strategy
    - Oversee IT budget
    - IT acquisition, development, training
    - IT architecture
    - Planning
    - Supporting lines of business strategy
    CISO/CSO/Risk Manager:
    - Management and mitigation of information security risks
    - Implementing information security strategy
    - Address current and emerging risks
    - Work with business on information flows, risks, and protection
    - Championing security awareness and training
    - Building external relationships
    - IR Planning

  • 19. CISO Evolution
    - “While in the past, the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team.”
    - “The CISO should be an enterprise-wide risk manager, rather than a production resource devoted to IT operations.”
    Why?

  • 20. Infosec Theory Evolution: Perimeter → Defense In Depth → Assumption of Breach

  • 21. Tool Based Strategy?
    Technical Controls → Operations → Governance (technical controls first, governance last)
    Most data breaches occur when this strategy is used!

  • 22. Most Effective Strategy to Mitigate Risk!
    Governance → Operations → Technical Controls (governance first, technical controls last)

  • 23. FFIEC: Reporting Structure
    - Information security officers should report directly to the board or senior management, NOT IT operations management
    - Ensures appropriate segregation of duties
    - Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

  • 24. Pitfalls of IT driven information security
    - Frequent conflicts of interest
    - Too many ‘hats’ for one person, team, or role
    - Increased complexity of technology
    - Increased complexity of threats and vulnerabilities
    - Different skills, education and training paths
    - Often follows tool-based strategy
    - Often minimizes or misses subtle clues of exposure
    - Incident management: what happens during a crisis?

  • 25. FFIEC: Role of the Board of Directors
    The board, or designated board committee, should be responsible for:
    - overseeing the development, implementation, and maintenance of the institution’s information security program;
    - holding senior management accountable for its actions.

  • 26. Increasing Board Oversight
    - Consider prior evolution of board to address and validate financial statement accuracy
    - Proliferation of cybersecurity risks now trumps financial accounting risks

  • 27. Recent SEC Guidance – February 26, 2018
    - Cybersecurity risks pose grave threats to investors, our capital markets, and our country…
    - Regulation S-K ... requires a company to disclose the extent of its board of directors’ role in the risk oversight of the company…
    - “To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.”
    - “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility…”
    https://www.sec.gov/rules/interp/2018/33-10459.pdf

  • 28. Board Oversight
    - A key question in 2018 is not, “Do we have a security program?”
    - Rather, “Is our program actually working to reduce risk as intended?”

  • 29. Board Modernization
    - Create a cyber security committee (similar to audit committee)
    - Add cyber expertise to board
    - Engage third party to conduct annual review (similar to accounting audit) and participate in strategy
    - Require management reporting and feedback
    https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-call-to-corporate-directors/

  • 30. What about Outsourcing?
    - Absolutely!
    - Leading security advisory and incident response firms offer:
      - Exposure to ongoing threats, real-world incidents, and what works (or doesn’t)
      - Neutral understanding of business risk without politics
      - Articulate effective risk management priorities and practices based on experience
    - Can’t fully shift responsibility, however.

  • 31. Information Security Funding?

  • 32. Where is your sensitive/regulated data?
    Creation, Transmission, Reproduction, Physical Transport, Storage, Disposal, Intellectual Property

  • 33. 20 CSC is Minimum Standard
    The 20 Critical Security Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
    California Data Breach Report (Feb 2016), Attorney General Kamala D. Harris

  • 34. Cyber Threat Landscape
    - THREATS: Criminals / criminal organizations; Terrorists / non-government organizations; Hacktivists; Foreign governments; Employees; Regulatory penalties; Reputational damage; Financial loss
    - TARGETED ASSETS: Customer personal information; Health data; Account data; Financial system functions (AR & AP); Financial assets; Employee PII; Intellectual property; Network bandwidth
    - ATTACK METHODS: Spearphishing; Web site attacks; Social engineering; DDoS; Data destruction; Data alteration

  • 35. Modern Cyber Tools: building a higher level cyber security program
    - TRADITIONAL TOOLS: Antivirus; Network Firewall; IDS; Helpdesk; Policies; SOC
    - MODERN TOOLS: Endpoint Monitoring; Threat Hunting; Managed Detection/IR; Application firewall; User Behavior Analytics

  • 36. Assumption of Breach
    What is your narrative?
    - Reasonable measures implemented
    - Attacker used extraordinary methods
    - Able to rapidly detect and respond effectively

  • 37. Narrative
    - Have a narrative before an incident
    - Choose and implement a cybersecurity framework
    - Use governance structures to operationalize the framework
    - Fund appropriately based on risk tolerance
    - Infosec maturity = detect and respond capability

  • 38. Summary
    - Cybersecurity today is a board-level issue, more than ever
    - IT is not the primary stakeholder for managing cybersecurity risk
    - Dedicated resources are required
    - Leverage independent third party expertise to right-size program and validate effectiveness
    - Modern tools are essential, but governance comes first
    - Assume breach – have a response plan and defensible narrative

  • 39. Additional Kroll Resources
    https://www.kroll.com/en-us/intelligence-center

  • 40. Kroll.com
    Marc Brawner, Principal, Cyber Security Investigations, mbrawner@kroll.com

Editor's Notes

  1. A Classic
  2. Discuss examples of how we’ve done this – finsvcs CISO advisory services. FFIEC: “Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulatory expectations for an effective information security program.”
  3. CSC recently updated this year --
  4. Finally