Risk mngt gov compliance security cyber

Galit Fein & Sigal Russin’s work/ Copyright@2015
Do not remove source or attribution from any slide, graph or portion of graph
STKI is here to serve you………
1

Technology Risk Management:
Governance, Compliance,
Security & Cyber
ENGAGE
&
INNOVATE
GOVERN
&
PROTECT
DELIVER
&
MAINTAIN
2

IT Complexity
SocialAPIs
Systems
of Records Systems of
Engagement
Legacy
Cost Center
eCommerce
Enterprise
App Store
Enterprise
Mobility
Engage &
Innovate
Govern &
Protect
Deliver &
Maintain
Engage &
Innovate
Govern &
Protect
Deliver &
Maintain
IT
strategy
3

Govern and Protect
4

Strategic direction may change by
the time a final budget is approved
Increasing Pace Of Business Changes
5
Traditional IT Governance methods:
no longer work in a business world
demanding speed & value

Bi-model IT
6
Invest
in new
systems
Reduce
Operating
Expenses
Long development and
deployment cycles
Touch people
In-moment decisions
Personalized & in-context
Social and analytics driven
Short & rapid releases
Doing IT right,
efficiency, safely
Doing IT fast
IT don't have to be
perfect, just quick
IT with different
⁻ people,
⁻ set of skills
⁻ processes,
⁻ tools
supporting each
Systems of
Records
evolving
to
Transactions
Systems of
Engagement
evolving
to
Immersion

Balance and re-balance IT assets allocation
7
70%
30%
Email, upgrade,
maintenance, operations
Transformational investments,
new capabilities

Provide visibility into IT
“…And that in quick view what
we have in our IT today”
Programs
& projects
HW & SW
assets
ContractsVendors
Partners
Costs
Accountability is ultimately more important today
than cost cutting 8

IT Governance – Office of the CIO
9
Programs
& projects
HW & SW
assets
ContractsVendors
Partners
CostsChargeback
Service catalog
Business models
Financial stability
Vendor evaluation
& mngt
Demand mngt
Agility
Project mngt
EA
Asset mgt
Agreement mgt
Benchmarks
SOW
SLA mngt
Skill mngt
Resource
mngt
ITIL
Risk
mngt
Accountability
Future roadmaps
Business – IT
Orchestrator
Navigator
IT

Highest business value possible
10
Internal
IT
XaaSExternal
provider
• Demand identification
shaping, aggregation
& prioritization;
• Expectation mngt
• Business value
• Business changes
hatmaa
• Services & products
supply in terms of
quality and capacity
• Resources coordination
• IT services & products
catalog
• Agility
Explore technology trends and
new potential business review
Align to business strategy
and risk appetite
BRM
Internal impact
External impact
LoB
LoBLoB

IT Governance evolvement: 3 types of CIOs
11
Conservative
CIO
PMO
Modern
CIO
Early adaptor
CIO
Strategic
BRM
• Demand mngt
• Portfolio mngt
• Project mngt
• Resource mngt to ensure
correct services & products supply
• Project tool
• Reporting
• Project risk mngt
• Demand coordination and
aggregation, PPM
• Enterprise architecture
• Resource mngt
• PPM / Governance tool
• Business & IT executives
dashboards
• Technology risk mngt –
compliance & reliable reporting
• Facilitate business and IT
convergence
• Removing boundaries – embeds
IT capabilities with LoBs to
increase agility and business value
• Innovation
• Enterprise architecture
• PPM
• Holistic IT Governance tool
• Proactive technology risk mngt
Tactical
Office of the CIO

Technology
Risk
Management
12

The dark side of innovation & new business models
13
• Emerging technologies bring completely new and often unknown challenges and risks:
 Digital information is growing exponentially
 Access to enterprise info is often done from customers and employees' private smart devices
 Boundaries between customer and organization are blurred
• Same is with new business models:
 Managing privacy, regulatory compliance and legal aspects
in public cloud technology.
 On demand or sharing economy leads us to a necessity
to manage our own online reputation
• Growing risk of security breach or data loss

Start with your own personal data
14
Ministry of Defense's personal security online educational campaign:
'Think Before You... Share'

Sharing (on-demand) economy
15
share our living spaces
share our knowledge
share our cars
share our parking space
How do I know Airbnb guest won’t ransack my apartment?
Is it guaranteed that a Getaround user will return my car?

Reputation economy
16
- portable measure of trust

Who are you Galit Fein?
Who is responsible for the
personal risk management? 17

Why Manage Risks?
Corporate catastrophes are all too common
18
BP will plead guilty to manslaughter charges stemming from the 2010 Deepwater Horizon explosion
and oil spill in the Gulf of Mexico, and agreed to pay $4.5 billion in government penalties, Attorney
General Eric Holder announced Thursday.

Risk equals new opportunity
19

What is Risk?
• Risk is intentional interaction with uncertainty
• Enterprise risk is the effect of uncertainty on
objectives and organization goals
• Risk mngt - In today’s uncertain times we have
to prepare response for unwanted events
in advance
• Accepting risk is OK; ignoring risk is tragic
20

Managing technology risk is now a business priority
• With the increasing importance of technology and business
reliance on technology – focus is shifting to
technology risk
• It’s not about project risks, it will continue to run in PMO
• It’s not limited to security
• For the first time business executives ask IT:
“What may be the impact on the organization,
from all IT-related risks?”
21
Source: Riskjournal

22

Technology risks
Project related
• Entering (NOT) to new technology
• Difficulties related to new technology
hatmaa
• Big project failure
• Is the project technically feasible?
• Could the technology be obsolete
before a useful product be produced?
• Late project delivery
Non project related
• Obsolete or inflexible IT architecture
• Cloud based solution
• Unstable systems
• Not achieving enough value from IT
• Compliance
• Misalignment
• IT service delivery problems
• Employee related fraud
23

Tsunami of Regulations
•Data Privacy Laws
•Freedom of Information Act
•HIPAA
•Payment Card Industry Data Security Standard
•Homeland Security
•Sarbanes-Oxley
•BAZEL II
•Industry specific regulations (HACCP)
•Federal Rules of Civil Procedure
24
Legal costs, fines and
damages could be
reduced by 25% if
organizations applied
best practice
procedures to records
management, security
and e-Discovery.
Source: Monica Crocker, Land O’Lakes at #AIIM13

Technology Risks Compliance
•Technology Risks Compliance = legal requirements + industry standards +
organizational policies and guidelines, and more...
• Finding and retrieving information on demand
• Controlling access and confidentiality
• Monitoring and reporting for enforcement
• Comprehensive auditing
• Secure retention and destruction
25
Compliance is key:
deceptive marketing,
debt traps, dead ends,
discrimination, retailer
data breaches,
emerging technologies
protections
There’s a huge price
for non-compliance!

Technology Risk Mngt evolvement: 3 types of CIOs
26
Conservative
CIO
Modern
CIO
Early adaptor
CIO
IT risk mngt: their own risk
department
• Risks being managed in silos
per specific project, tech, etc.
• GRC as unnecessary and
burdensome reactions to
regulations and risk events
• Policy & methodology
• Random risk assessment
• Regulatory Compliance
• Holistic & continues approach
• Substantial need
• Proper processes & activities of
the IT supporting & promoting
business goals
Strategic & proactive
technology risk mngt
Risks being managed
as part of IT projects
or security
ValueBurden
Risk mngtCrisis mngt

And Remember:
27
AND
WHEN IT WENT WRONG
DO YOU KNOW THE RISK?

Why effective cyber security platform is a vital component of risk management?
2828
ENGAGE
& INNOVATE
GOVERN
&
PROTECT
DELIVER
&
MAINTAIN
IT Strategy

Cyber Insurance
Cybersecurity insurance is designed to mitigate losses from a variety of cyber
incidents, including data breaches, business interruption, and network damage.
A cybersecurity insurance market could help reduce the number of successful cyber
attacks by:
(1) promoting the adoption of preventative measures in return for more coverage;
(2) encouraging the implementation of best practices by basing premiums on an
insured’s level of self-protection.
29

Cyber insurance solutions
30

IT GRCs General Control Areas
Source: Menny Barzilay
31

Be prepared for the worst
32Source: http://id.lockheedmartin.com/blog/risky-business-the-role-of-risk-management-in-cyber-security
Cyber security executives can leverage the risk management toolset to communicate
clearly to their executive teams and more importantly secure funding for important
security programs.

Which “Security” type are you? Your winning hand is…
33
Conservative CIO
Systems to support clients’
functional needs efficiently
Customers IDM
API security
Common technologies
NAC
SIEM
DLP
FW+IPS
SSL+ OTP
IDM
Application Security Testing
Modern CIO
Systems to spur intimacy
with customers and turns
them into advocates
Adaptive Access Control
Security as a service
Cyber risk management
Security analysis
behavior
Cyber SOC
Cyber intelligence
Early adopter CIO
Systems that bond with
customers and immerses them
into the company’s story
Big data cyber analytics
IoT and wearables
Cyber insurance
Cloud security
SDN security
Open source security
Systems of
records
Systems of
Engagement
Systems of
Immersion

A Changing Battle-Space: Prevention Is Not Enough
Source:http://www.battery.com/powered/general/2014/09/11/why-
breach-detection-is-your-new-must-have-cyber-security-tool/
34

Security Risks in house
Sensitive Data
leak (SCADA)
System Admins
BYOD
35

SIEM
Access
Management-IDM
Forensic Tools
DLP
Malware scanning
& Sandbox -WAF
Endpoint security
Steps to govern Security inside threats
Mobile Security
Next generation SOC
36

Cyber threats outside
S.O.S
Zero day
malware & APT
37

FW+IPS
Access
Management
IDM
Cyber
intelligence
Malware scanning
& Sandbox
API Security
Steps to govern Cyber external threats
Network security
virtualization
Cloud application
Security
38

Cyber Risks
Any organization that:
(1) uses technology in its operations &/or
(2) handles/collects/stores confidential information has Cyber Risks:
 Legal liability to others for computer security breaches
 Legal liability to others for privacy breaches of confidential information
 Regulatory actions, fines and scrutiny
 Loss or damage to data / information
 Loss of revenue due to a computer attack
 Extra expense to recover / respond to a computer attack
 Loss or damage to reputation
 Cyber-extortion
 Cyber-terrorism 39

2015 cybersecurity predictions
40

Cloud Security
41

Data Breaches Data Loss
Account
Hijacking
Insecure APIs
Denial Of
Service
Malicious
Insiders
Abuse of
Cloud Services
Insufficient
Due Diligence
Shared
Technology
issues
Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Moshe Ferber, Cloud Security Alliance Israel
The notorious 9 Cloud computing threats
As described the Cloud Security Alliance
40

Cloud
attack
vectors
Provider
administration
Management
console
Multi tenancy
&
virtualization
Automation
& API
Chain of
supply
Side
channel
attack
Insecure
instances
Source:MosheFerber,CloudSecurityAllianceIsrael
41

Israel cloud adoption - by sector
Private
Cloud
Army, Banks,
Government,
Utility
Cloud curious
checking the
technology
Government
Finance
Telecom
Operators
Health
Cloud adopters
running 2-5 application in
cloud
Telecom
Vendor
Industry
services
Utilities
Cloud focus
most application in
the cloud
High-Tech
Startups
SMB
42

Regulations, ordinances and laws in Israel
Laws
• The privacy
laws are
currently
address cloud
as form of
outsourcing.
State level
efforts
• INCB are
working on
cyber
guidelines for
SMB and
private sector.
Sector level
efforts
• Finance: Bank
of Israel
published draft
of guidelines
for Cloud
adoption.
45

Tools & Technologies to secure cloud services:
• Encryption gateways
• Governance and compliance
• Identity gateway
SaaS
• Database monitoring and
encryption
• Dynamic and static analysis tools
PaaS
• Governance & compliance
• Encryption
• Multi cloud management
IaaS
46

Security is NOT obstacle
 Identify information assets
 Conduct periodic risk assessments to identify the specific
vulnerabilities your company faces
 Develop and implement a security program to manage and control
the risks identified
 Monitor and test the program to ensure that it is effective
 Continually review and adjust the program in light of ongoing
changes
 Oversee third party service provider arrangements
 Maintain training for all staff on Information Security
47

Which “Security” type are you? Your winning hand is…
48
Conservative CIO
Systems to support clients’
functional needs efficiently
Customers IDM
API security
Common technologies
NAC
SIEM
DLP
FW+IPS
SSL+ OTP
IDM
Application Security Testing
Modern CIO
Systems to spur intimacy
with customers and turns
them into advocates
Adaptive Access Control
Security as a service
Cyber risk management
Security analysis
behavior
Cyber SOC
Cyber intelligence
Early adopter CIO
Systems that bond with
customers and immerses them
into the company’s story
Big data cyber analytics
IoT and wearables
Cyber insurance
Cloud security
SDN security
Open source security
Systems of
records
Systems of
Engagement
Systems of
Immersion

Technology Risk Mngt evolvement: 3 types of CIOs
49
Conservative
CIO
Modern
CIO
Early adaptor
CIO
IT risk mngt: their own risk
department
• Risks being managed in silos
per specific project, tech, etc.
• GRC as unnecessary and
burdensome reactions to
regulations and risk events
• Policy & methodology
• Random risk assessment
• Regulatory Compliance
• Holistic & continues approach
• Substantial need
• Proper processes & activities of
the IT supporting & promoting
business goals
Strategic & proactive
technology risk mngt
Risks being managed
as part of IT projects
or security
ValueBurden
Risk mngtCrisis mngt

Sigal Russin
Sigalr@stki.info
50
Galit Fein
Galit@stki.info

Risk mngt gov compliance security cyber

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (8)

Ähnlich wie Risk mngt gov compliance security cyber

Ähnlich wie Risk mngt gov compliance security cyber (20)

Mehr von Ariel Evans

Mehr von Ariel Evans (18)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Risk mngt gov compliance security cyber