SlideShare a Scribd company logo

Cyber Security Governance

Priyanka Aash
Priyanka Aash

Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.

Technology
1 of 60
Download to read offline
Best Of The World In Security Conference Best Of The World In Security 12-13 November 2020 Cybersecurity Governance Zainab AL.Sheheimi Etteqa for Cybersecurity Chief Executive Officer Twitter: @zainab_oman
Best Of The World In Security Conference • Work experience more than 19 years • Interesting in ISO implementation and GRC - Team leader for GRC section - CISO for Implementing ISO27001:2013 • Master in management and entrepreneurship • Certified C|CISO, ISO27001 Lead Auditors, CISSP & Consultant Trainer • CEO & Training Consultant at Etteqa for Cybersecurity services LLC - Cyber Risk Management - ISO Internal Audit - Offering Trainers Zainab Al.Sheheimi
Best Of The World In Security Conference • What is Cybersecurity Governance? • Cybersecurity Governance Principles • Cybersecurity Transformation • Establishing Cybersecurity Governance Agenda
Best Of The World In Security Conference
Best Of The World In Security Conference The potential consequences of a realized threat are extensive, and that has catapulted cybersecurity into the boardroom. This increased focus on cybersecurity can mainly be attributed to the technological transformation we are going through with the emergence of cloud, analytics, mobile and social (CAMS) as a mainstream focus. It’s also creating a pressing need for some formal guidance and well-defined regulations, which can help organizations drive their cybersecurity defense programs more effectively. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one such effort to provide guidance in the field of cybersecurity. This framework is a good starting point for organizations who want to define, adopt and refine an infrastructure for their own needs while at the same time follow industry standards and norms. Introduction
Best Of The World In Security Conference Now that the importance of a cybersecurity governance framework has been established, I will focus on the key components of such a structure. A cybersecurity framework actually contains a whole set of management tools, a comprehensive risk management approach and, more importantly, a security awareness program covering everyone in the organization from top to bottom. In other words, every organization needs to have a complete cybersecurity governance framework to fully address all of their cybersecurity needs.
Best Of The World In Security Conference What is Cybersecurity Governance? • The approach to making cybersecurity, the responsibility and direction of upper levels of management, to include any boards of directors is called governance. • Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction ensuring that objectives are achieved ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Best Of The World In Security Conference • Information security governance needs to be integrated into the overall enterprise governance structure to ensure that the organizational goals are supported by the information security program. The governance framework is an outline or skeleton of interlinked items that supports a particular approach to a specific objective as stated in the strategy. Several governance frameworks may be suitable for an organization to implement, including COBIT 5 and ISO/IEC 27000. High-level architecture can serve as a framework as well. The framework will serve to integrate and guide activities needed to implement the information security strategy. • Information security governance is a subset of corporate governance and must be consistent with the enterprise’s governance. If enterprise governance is structured using a particular framework, it would make sense to use the same framework for information security governance to facilitate integration. What is Cybersecurity Governance?
Best Of The World In Security Conference As threats to cyber security become increasingly ominous, sophisticated and unpredictable, CIOs must address risks ranging from denial of service attacks to natural disasters to disgruntled employees. Global organizations must also manage complex networks of service providers and scores of third-party suppliers, many of whom have access to customers, sensitive data and critical technology. What is Cybersecurity Governance?
Best Of The World In Security Conference What is Cybersecurity Governance?
Best Of The World In Security Conference 1.Capital One breach 2.The Weather Channel ransomware 3.U.S. Customs and Border Protection/Perceptics 4.Citrix breach 5.Texas ransomware attacks 6.WannaCry 7.NotPetya 8.Ethereum 9.Equifax 10.Yahoo 11.GitHub Example of cyber attacks in recent history
Best Of The World In Security Conference In July of 2019, online banking giant Capitol One realized that its data had been hacked. Hundreds of thousands of credit card applications, which included personally identifying information like birthdates and Social Security numbers, were exposed. No bank account numbers were stolen, but the sheer scale was extremely worrying. Things followed the usual script, with Capitol One making shamefaced amends and offering credit monitoring to those affected. The Weather Channel ransomware The Weather Channel may not seem like a crucial piece of infrastructure, but for many people it's a lifeline — and in April 2019, during a stretch of tornado strikes across the American south, many people were tuning in. But one Thursday morning the channel ceased live broadcasting for nearly 90 minutes, something almost unheard of in the world of broadcast television. It turns out The Weather Channel had fallen victim to a ransomware attack, and while there's been no confirmation of the attack vector, rumors are that it was via phishing attack, one of the most common causes of ransomware infection. Example of cyber attacks in recent history
Best Of The World In Security Conference A subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk and uses organizational resources responsibility and monitors the success of failure of the enterprise security program. Top managment responsibility
Best Of The World In Security Conference Cybersecurity Governance Structure
Best Of The World In Security Conference • Virus and malware defence has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISO), however information security is often viewed as a challenge that lies well below board or C-level attention. • The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations. • Additionally, companies must take reasonable measures to prevent cyber- incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. • A cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk. What is Cybersecurity Governance?
Best Of The World In Security Conference • Developing a cybersecurity governance strategy requires understanding and defining the enterprise’s risk posture in the context of the overall environment. • Many cybersecurity governance strategies adhere to an obsolete “weakest link” strategy of identifying and mitigating specific, discrete risks. The reality is that organizations today confront potentially dozens of constantly changing weakest links, each of which can pose a significant threat. What is Cybersecurity Governance?
Best Of The World In Security Conference The GRC Approach to Managing Cybersecurity
Best Of The World In Security Conference Governing, managing and maintaining cybersecurity arrangements are a challenge for business managers, security managers and auditors alike. To demonstrate the business value of cybersecurity and to balance the risk associated with attacks or breaches, the following guiding principles should be applied. While these principles are set at a high level and not exhaustive, they provide a reasonable basis for cybersecurity as an integral part of overall information security. Cybersecurity Governance Principles
Best Of The World In Security Conference The concept of cybersecurity should be seen considering potential damage and the wide-ranging impacts of cybercrime and cyberwarfare. To adequately manage cybersecurity, the tolerable levels of risk and business impact must be known or conservatively estimated. This includes in‐depth knowledge about the way in which end users may be targeted and affected by cybersecurity attacks and incidents. 1. Know the potential impact of cybercrime and cyberwarfare.
Best Of The World In Security Conference CYBERWARFARE •As part of the attack landscape, cyberwarfare extends the idea of APTs. Where nation states or agencies engage in attacks on critical infrastructures or organizations, the threats are augmented by the fact that the attackers may have—by definition— unlimited resources at their disposal. This includes time as a resource, given that military or government operations may take several years from the initial idea to deployment. •From a technical and managerial point of view, cyberwarfare nevertheless represents just another form of APT, notwithstanding the legal and social ramifications. •Cybersecurity should, therefore, include the possibility of direct or indirect consequences from targeted military or government activity directed against the organization, its associates or its surrounding critical infrastructure. In terms of impact, the results of open or covert warfare are fairly similar to those of criminal acts or politically motivated “hacktivism.” 1. Know the potential impact of cybercrime and cyberwarfare.
Best Of The World In Security Conference Business value and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture. This is expressed by end user behavior patterns, habits and social interactions. In governing and managing cybersecurity, these factors should be taken into account and incorporated into strategic, tactical and operational security measures. 2. Understand organizational and individual culture and behavior patterns.
Best Of The World In Security Conference The business case in terms of expected value and tolerable risk will determine the overall cybersecurity strategy adopted by the enterprise: the requisite effort and investment of zero tolerance vs. the corresponding residual risk of living with it. To provide adequate and appropriate security, the business case must be clearly defined and fully understood by all levels of management. This includes cost‐benefit considerations as well as the prevailing organizational culture and values relative to cybersecurity. 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise.
Best Of The World In Security Conference Every organization has a particular risk capacity, defined as the objective amount of loss an enterprise can tolerate without its continued existence being called into question. Subject to the absolute maximum imposed by this risk capacity, the owners or board of directors of an organization set the risk appetite for the organization. Risk appetite is defined as the amount of risk, on a broad basis, that an entity is willing to accept in pursuit of its mission. In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning. Acceptable risk determination or risk appetite and the criteria by which it can be assessed is an essential element for virtually all aspects of information security as well as most other aspects of organizational activities. It will determine many aspects of strategy including control objectives, control implementation, baseline security, cost benefit calculations, risk management options, severity criteria determinations, required incident response capabilities, insurance requirements and feasibility assessments, among others. Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise.
Best Of The World In Security Conference 4. Establish cybersecurity governance. • Cybersecurity exists, and is transformed, within the values and objectives of the enterprise and its members. As such, cybersecurity is subject to clear governance rules that provide a sense of direction as well as reasonable boundaries. This includes adopting and improving the organizational governance framework for cybersecurity.
Best Of The World In Security Conference • Governance plays an extremely important role in achieving the security objective of the organization not only for current needs, but also to ensure well-drafted mitigation plans for future challenges. To address current issues, the governance framework covers improvements to security policies; the implementation of technical controls; audits and assessments; and driving awareness among people to shape their attitude toward secure behaviors. For future challenges, the governance framework must continually focus on emerging threat factors, fast-moving changes in the technological landscape, people’s views and behavior. 4. Establish cybersecurity governance.
Best Of The World In Security Conference How to establish cybersecurity program?
Best Of The World In Security Conference • Security policies are designed to mitigate risk and are usually developed in response to an actual or perceived threat. Policies state management intent and direction at a high level. With the development of an information security strategy, the policies have to be developed or modified to support the strategic objectives. Standards are developed or modified to set boundaries for people, processes, procedures and technologies to maintain compliance with policies and support the achievement of the organization’s goals and objectives. There are usually several standards for each policy, depending on the classification levels of the asset related to the standard. Collectively, standards are combined with other controls (i.e., technical, physical, administrative) to create the security baselines. 4. Establish cybersecurity governance.
Best Of The World In Security Conference • Baseline security, control objectives, acceptable risk, risk appetite and residual risk are related to one another. Control objectives are set to fall within the boundaries of acceptable risk. Risk mitigation should keep the organization within the level of acceptable risk and achieving the control objectives. Residual risk levels set the security baselines. • New information security projects should support the information security strategy. A business case is used to capture the business reasoning for initiating a project or task. In the context of information security, it should concisely identify the needs and the business purpose for implementing various governance processes, including technologies and the cost benefit (i.e., the value proposition) of doing so. 4. Establish cybersecurity governance.
Best Of The World In Security Conference Cybersecurity covers multiple aspects and specialized areas within overall information security. To provide assurance over cybersecurity, the assurance universe is known, defined and within the organizational sphere of interest. Assurance objectives are clear, plausible and manageable. As many cybersecurity aspects may be outside the organizational perimeter, the associated risk and assurance issues are considered. 5. Know the cybersecurity assurance universe and objectives.
Best Of The World In Security Conference • Taking the time to safeguard oneself and one’s organization, from all possible threats, is the best way to avoid the loss of identity, personal and confidential data, vital financial information, intellectual property, creations, money, etc. Perhaps the biggest burden of being the victim of a hack or cyberattack is the stress that comes with it. 5. Know the cybersecurity assurance universe and objectives.
Best Of The World In Security Conference Cybercrime, cyberwarfare and related attacks or breaches target the weakest link in the system. As a result, cybersecurity must be understood as a system of interdependent elements and links between these elements. Optimized cybersecurity requires complete understanding of this dynamic system and the realization that security governance, management and assurance cannot be seen in isolation. 6. Establish and evolve systemic cybersecurity.
Best Of The World In Security Conference •like any other long‐term process, is based on continuous improvement and a succession through various levels of maturity. •It is the strategy, and its detailed parts will need to be reviewed and validated at regular intervals, considering any changes to the risk profile as well as the risk appetite defined by the enterprise. •It is systemic shift from one stable state of the overall system to its next stable state. In between, any number of changes may happen spontaneously or in a controlled manner. Cybersecurity Transformation
Best Of The World In Security Conference •Cybersecurity transformation, just like any other long‐term process, is based on continuous improvement and a succession through various levels of maturity. This also means that the strategy and its detailed parts will need to be reviewed and validated at regular intervals, considering any changes to the risk profile as well as the risk appetite defined by the enterprise. Cybersecurity Transformation
Best Of The World In Security Conference •Transformation is usually defined as a systemic shift from one stable state of the overall system to its next stable state. In between, any number of changes may happen spontaneously or in a controlled manner. In cybersecurity, transformation can be defined as progressing the overall system of governing provisions, management activities, controls and other elements from its current state to the next (target) stable state, usually by means of controlled change to certain parts, processes and other components. While this is useful as a high‐level definition, some examples may help in understanding the transformation process. Cybersecurity Transformation
Best Of The World In Security Conference •As a first step, the current state of cybersecurity and the existing governance model should be assessed and established. This means that, beyond the assumptions that may have existed before, cybersecurity in its present state should be described “as is,” including all weaknesses and deficiencies. Typically, this includes any systemic weaknesses previously identified (see previous section) and the pain points that have triggered the need for transformation. The underlying objective is to go from the initial observation that “we cannot go on like this” to a more constructive view of existing information security governance, management and assurance. 1- ESTABLISH CURRENT STATE
Best Of The World In Security Conference •The current state review will also reveal any weaknesses in management attitudes. As described previously, neither the minimalist nor the “zero tolerance” attitude are likely to lead to success. Part of establishing the current state of cybersecurity is to identify the exact position of the enterprise in terms of attitudes, beliefs and security spending behavior. In summary, the governance model selected by the enterprise is likely to provide a lot of insight on what may have led to the, apparently unsatisfactory, current state. •Taking stock in this manner may be a painful exercise. However, it is indispensable as a starting point in transforming cybersecurity. Only where weaknesses have been recognized beyond doubt, and clearly articulated, will the enterprise be able to transition to an improved way of governing cybersecurity. 1- ESTABLISH CURRENT STATE
Best Of The World In Security Conference •Once the existing state of cybersecurity is known and fully acknowledged, the future or target state may be defined based on weaknesses and deficiencies, risk and vulnerabilities, and the extent to which the enterprise will be able to change and adapt to the trends in attacks, breaches and incidents. Where the target state is not clearly understood, it is unlikely that a transformation approach will be successful. •Typical pitfalls include: • Lack of realism—The target state is formulated as a wish list for perfection, rather than the next obvious (and stable) state of overall cybersecurity. 2. DEFINE TARGET STATE
Best Of The World In Security Conference •In transformation thinking, the target from a governance perspective is to identify the next stable—and, therefore, achievable—level at which cybersecurity will be able to meet the needs of stakeholders, and at which there will be a reasonable level of protection against attacks and breaches. Transforming cybersecurity is a repetitive and iterative exercise that resembles a life cycle rather than a one‐off project. 2. DEFINE TARGET STATE
Best Of The World In Security Conference • Escalating commitment—The target state is defined as “just a little more of what we are doing now,” without incorporating the changed threat and vulnerability landscape, not to mention actual attacks and breaches. • Blurred vision—The target state is defined based on wrong assumptions—e.g., where organizational management does not incorporate future trends in cybercrime and cyberwarfare. • Governance model bias—The current governance model (e.g., “zero tolerance” or “we are insured”) is maintained, ignoring strong signals that it may be dysfunctional. 2. DEFINE TARGET STATE
Best Of The World In Security Conference •The distance between the current and future states of overall cybersecurity is subject to governance as well as management. •Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
Best Of The World In Security Conference •The distance between the current and future states of overall cybersecurity is subject to governance as well as management. Once the target state has been identified and defined, there are two dimensions of change that need to be planned, managed and monitored. The strategic dimension covers setting strategy, planning and implementing high‐level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what will be the immediate and secondary effects. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
Best Of The World In Security Conference •Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. As an example, the deployment of an awareness program for employees may be beneficial in terms of improving vigilance and attention to detail. However, an unwelcome secondary result might be that a large number of “false positives” increases the cost of incident management and distracts attention from real (but unobtrusive) APT attacks. More complex dependencies may exist in cybersecurity systems that will only come to light if the transformation is seen as a systemic and holistic exercise. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
Best Of The World In Security Conference •Information security governance in general sets the framework and boundaries for security management and related solutions. This necessarily includes formal policies, procedures and other elements of guidance that the agencies are required to follow. However, where governance in its best sense means “doing the right things,” it needs to take into account that a large part of cybersecurity is concerned with handling unexpected events and incidents. Establishing Cybersecurity Governance
Best Of The World In Security Conference •Cybersecurity governance is both preventive and corrective. It covers the preparations and precautions taken against cybercrime, cyberwarfare and other relevant forms of attack. At the same time, cybersecurity governance determines the processes and procedures needed to deal with actual incidents caused by an attack or security breach. In this context, governance principles and provisions must be reasonably flexible to allow for the fact that attacks are often unconventional, generally against the rules, and most often designed to circumvent exactly those procedures and common understandings within the organization that keep the business running. Establishing Cybersecurity Governance
Best Of The World In Security Conference Establish Cybersecurity governance with following six‐step approach as explained below: Step 1: IDENTIFY STAKEHOLDER NEEDS Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY. Step 3: DEFINE CYBERSECURITY STRUCTURE Step 4: MANAGE CYBERSECURITY RISKS Step 5: OPTIMIZE CYBERSECURITY RESOURCES Step 6: MONITOR CYBERSECURITY EFFECTIVENESS Establish Cybersecurity governance
Best Of The World In Security Conference Step 1: IDENTIFY STAKEHOLDER NEEDS • Determine the internal and external (usually restricted) stakeholders and their interest in organizational Cybersecurity. • Incorporate confidentiality needs and mandated secrecy in the identification process. • Understand how cybersecurity should support overall enterprise objectives and protect stakeholder interests. • Identify reporting requirements for communicating and reporting about cybersecurity (contents, detail). • Clearly define and articulate instances of reliance on the work of others (for external auditors). • Define and formally note confidentiality and secrecy requirements for external auditors.
Best Of The World In Security Conference Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
Best Of The World In Security Conference • Review legal and regulatory provisions in cybercrime and cyberwarfare • Identify the senior management tolerance level in relation to attacks and breaches. • Validate business needs (express and implied) with regard to attacks and breaches • Identify and articulate any game changers or paradigm shifts in cybersecurity. • Document systemic weaknesses in cybersecurity as regards the business and its objectives • Identify and validate strategy for cybersecurity (“zero tolerance” vs. “living with it”) Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
Best Of The World In Security Conference • Identify adaptability, responsiveness and resilience of strategy in terms of cybersecurity attacks and breaches • Identify any rigid/brittle governance elements that may inadvertently be conducive to cybercrime and cyberwarfare (e.g., instances of over control) • Define the expectations, in alignment with strategy (“zero tolerance” vs. “living with it”), with regard to cybersecurity, including ethics and culture. • Highlight any ethical/cultural discontinuities that exist or emerge. • Define the target culture for cybersecurity, and develop a cybersecurity awareness program. • Obtain management commitment for the selected strategy Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
Best Of The World In Security Conference Step 3: DEFINE CYBERSECURITY STRUCTURE
Best Of The World In Security Conference •Structure • Define the Cybersecurity organizational structure–an appropriate platform/committee, in alignment with information security and information risk functions. • Highlight any barriers or other organizational segregation of duties/information. • Mandate an appropriate cybersecurity function, including incident and attack response •Roles and Responsibilities • Determine an optimal decision‐making model for cybersecurity— this may be distinct and different from “ordinary” information security • Define high‐level RACI (responsible, accountable, consulted, informed) model for cybersecurity function, including any external resources. • Consider any extended decision rights that may be applicable in crisis/ incident handling situations. • Determinecybersecurity obligations, responsibilities and tasks of other organizational roles (including groups and individuals). • Ensure cybersecurity participation at the steering committee level. • Embed cybersecurity transformation activities in the steering committee agenda. Step 3: DEFINE CYBERSECURITY STRUCTURE
Best Of The World In Security Conference •Communications • Establish escalation points for attacks, breaches and incidents (information security, crisis management, etc.). • Define escalation paths for cybersecurity activities and transformational steps (e.g., new vulnerabilities and threats). • Establish fast‐track/crisis mode decision procedures with escalation to senior management. • Identify the means and channels to communicate cybersecurity issues and information. Step 3: DEFINE CYBERSECURITY STRUCTURE
Best Of The World In Security Conference •Integration • Integrate, to the appropriate extent, the cybersecurity direction into the overall information security direction, and highlight areas of cybersecurity that are deliberately kept separate and distinct. • Establish interfaces between the cybersecurity function and other information security roles. • Embed cybersecurity reporting into the generic reporting methods for information security. Step 3: DEFINE CYBERSECURITY STRUCTURE
Best Of The World In Security Conference • Determine risk appetite/tolerance levels in terms of cybercrime and cyberwarfare attacks and breaches at the board/management level. • Align risk tolerance levels against the overall strategy (“zero tolerance” vs. “living with it”). • Compare cybersecurity and generic information security risk tolerance levels and highlight inconsistencies. • Integrate cybersecurity risk assessment and management within overall information security management. Step 4: MANAGE CYBERSECURITY RISKS
Best Of The World In Security Conference • Evaluate the effectiveness of cybersecurity resources in comparison with information security and information risk needs. • Validate cybersecurity resources in terms of specific goals and objectives. • Ensure that cybersecurity resource management is aligned to overarching information security needs. • Include external resource management. Step 5: OPTIMIZE CYBERSECURITY RESOURCES
Best Of The World In Security Conference • Track cybersecurity outcomes and effects, particularly with a view to changes in attacks/breaches/incidents. • Compare outcomes against transformation steps and milestones – initial (current state) and future (target state) expectations. • Integrate cybersecurity measurements and metrics into routine compliance check mechanisms. • Evaluate threats and vulnerabilities relevant to cybersecurity, and incorporate the changing threat landscape into cybersecurity strategy. • Monitor the risk profile for attacks/breaches and the corresponding risk appetite to achieve optimal balance between cybersecurity risk and business opportunities. • Measure the effectiveness of cybersecurity resources (internal and external) against defined information security needs, goals and objectives Step 6: MONITOR CYBERSECURITY EFFECTIVENESS
Best Of The World In Security Conference Your Slide Title
Best Of The World In Security Conference Governance Desired Outcomes
Best Of The World In Security Conference • The first step in establishing information security governance is senior management determining the outcomes it wants from the information security program. Often, those outcomes are stated in terms of risk management and the levels of acceptable risk. This can be accomplished through a set of facilitated meetings with senior management and business unit leaders. The information security manager then has the information needed to develop a set of requirements for a security program. This is followed by setting a series of specific objectives that, when achieved, will satisfy the requirements. Governance Outcomes
Best Of The World In Security Conference Thank you Zainab AL.Sheheimi @zainab_oman www.etteqa.com

Recommended

Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 

Recommended

Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Soc
SocSoc
SocMukesh Chaudhari
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxChandanChandu928137
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and SecurityNoushad Hasan
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Cyber security
Cyber securityCyber security
Cyber securityBhavin Shah
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Cyber security
Cyber securityCyber security
Cyber securityAman Pradhan
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 

More Related Content

What's hot

Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and SecurityNoushad Hasan
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 

What's hot (20)

Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Soc
SocSoc
Soc
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and Security
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Similar to Cyber Security Governance

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards ComplianceDr. Prashant Vats
 
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital Assets
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital AssetsDefensive Cybersecurity: A Modern Approach to Safeguarding Digital Assets
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital Assetscyberprosocial
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk ManagementHamed Moghaddam
 
111.pptx
111.pptx111.pptx
111.pptxJESUNPK
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...International Federation of Accountants
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber securitySAHANAHK
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016Ben Browning
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadsavassociates1
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainSanjay Chadha, CPA, CA
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15James Fisher
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...TraintechTde
 

Similar to Cyber Security Governance (20)

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
Cyber Security Standards Compliance
Cyber Security Standards ComplianceCyber Security Standards Compliance
Cyber Security Standards Compliance
 
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital Assets
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital AssetsDefensive Cybersecurity: A Modern Approach to Safeguarding Digital Assets
Defensive Cybersecurity: A Modern Approach to Safeguarding Digital Assets
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
111.pptx
111.pptx111.pptx
111.pptx
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Cyber threat forecast 2018..
 
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chain
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
How Cyber Resilient are we?
How Cyber Resilient are we?How Cyber Resilient are we?
How Cyber Resilient are we?
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Cyber Security Governance

  • 1. Best Of The World In Security Conference Best Of The World In Security 12-13 November 2020 Cybersecurity Governance Zainab AL.Sheheimi Etteqa for Cybersecurity Chief Executive Officer Twitter: @zainab_oman
  • 2. Best Of The World In Security Conference • Work experience more than 19 years • Interesting in ISO implementation and GRC - Team leader for GRC section - CISO for Implementing ISO27001:2013 • Master in management and entrepreneurship • Certified C|CISO, ISO27001 Lead Auditors, CISSP & Consultant Trainer • CEO & Training Consultant at Etteqa for Cybersecurity services LLC - Cyber Risk Management - ISO Internal Audit - Offering Trainers Zainab Al.Sheheimi
  • 3. Best Of The World In Security Conference • What is Cybersecurity Governance? • Cybersecurity Governance Principles • Cybersecurity Transformation • Establishing Cybersecurity Governance Agenda
  • 4. Best Of The World In Security Conference
  • 5. Best Of The World In Security Conference The potential consequences of a realized threat are extensive, and that has catapulted cybersecurity into the boardroom. This increased focus on cybersecurity can mainly be attributed to the technological transformation we are going through with the emergence of cloud, analytics, mobile and social (CAMS) as a mainstream focus. It’s also creating a pressing need for some formal guidance and well-defined regulations, which can help organizations drive their cybersecurity defense programs more effectively. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one such effort to provide guidance in the field of cybersecurity. This framework is a good starting point for organizations who want to define, adopt and refine an infrastructure for their own needs while at the same time follow industry standards and norms. Introduction
  • 6. Best Of The World In Security Conference Now that the importance of a cybersecurity governance framework has been established, I will focus on the key components of such a structure. A cybersecurity framework actually contains a whole set of management tools, a comprehensive risk management approach and, more importantly, a security awareness program covering everyone in the organization from top to bottom. In other words, every organization needs to have a complete cybersecurity governance framework to fully address all of their cybersecurity needs.
  • 7. Best Of The World In Security Conference What is Cybersecurity Governance? • The approach to making cybersecurity, the responsibility and direction of upper levels of management, to include any boards of directors is called governance. • Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction ensuring that objectives are achieved ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
  • 8. Best Of The World In Security Conference • Information security governance needs to be integrated into the overall enterprise governance structure to ensure that the organizational goals are supported by the information security program. The governance framework is an outline or skeleton of interlinked items that supports a particular approach to a specific objective as stated in the strategy. Several governance frameworks may be suitable for an organization to implement, including COBIT 5 and ISO/IEC 27000. High-level architecture can serve as a framework as well. The framework will serve to integrate and guide activities needed to implement the information security strategy. • Information security governance is a subset of corporate governance and must be consistent with the enterprise’s governance. If enterprise governance is structured using a particular framework, it would make sense to use the same framework for information security governance to facilitate integration. What is Cybersecurity Governance?
  • 9. Best Of The World In Security Conference As threats to cyber security become increasingly ominous, sophisticated and unpredictable, CIOs must address risks ranging from denial of service attacks to natural disasters to disgruntled employees. Global organizations must also manage complex networks of service providers and scores of third-party suppliers, many of whom have access to customers, sensitive data and critical technology. What is Cybersecurity Governance?
  • 10. Best Of The World In Security Conference What is Cybersecurity Governance?
  • 11. Best Of The World In Security Conference 1.Capital One breach 2.The Weather Channel ransomware 3.U.S. Customs and Border Protection/Perceptics 4.Citrix breach 5.Texas ransomware attacks 6.WannaCry 7.NotPetya 8.Ethereum 9.Equifax 10.Yahoo 11.GitHub Example of cyber attacks in recent history
  • 12. Best Of The World In Security Conference In July of 2019, online banking giant Capitol One realized that its data had been hacked. Hundreds of thousands of credit card applications, which included personally identifying information like birthdates and Social Security numbers, were exposed. No bank account numbers were stolen, but the sheer scale was extremely worrying. Things followed the usual script, with Capitol One making shamefaced amends and offering credit monitoring to those affected. The Weather Channel ransomware The Weather Channel may not seem like a crucial piece of infrastructure, but for many people it's a lifeline — and in April 2019, during a stretch of tornado strikes across the American south, many people were tuning in. But one Thursday morning the channel ceased live broadcasting for nearly 90 minutes, something almost unheard of in the world of broadcast television. It turns out The Weather Channel had fallen victim to a ransomware attack, and while there's been no confirmation of the attack vector, rumors are that it was via phishing attack, one of the most common causes of ransomware infection. Example of cyber attacks in recent history
  • 13. Best Of The World In Security Conference A subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk and uses organizational resources responsibility and monitors the success of failure of the enterprise security program. Top managment responsibility
  • 14. Best Of The World In Security Conference Cybersecurity Governance Structure
  • 15. Best Of The World In Security Conference • Virus and malware defence has long been viewed as a purely IT problem. Some organizations do appoint Chief Information Security Officers (CISO), however information security is often viewed as a challenge that lies well below board or C-level attention. • The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations. • Additionally, companies must take reasonable measures to prevent cyber- incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. • A cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk. What is Cybersecurity Governance?
  • 16. Best Of The World In Security Conference • Developing a cybersecurity governance strategy requires understanding and defining the enterprise’s risk posture in the context of the overall environment. • Many cybersecurity governance strategies adhere to an obsolete “weakest link” strategy of identifying and mitigating specific, discrete risks. The reality is that organizations today confront potentially dozens of constantly changing weakest links, each of which can pose a significant threat. What is Cybersecurity Governance?
  • 17. Best Of The World In Security Conference The GRC Approach to Managing Cybersecurity
  • 18. Best Of The World In Security Conference Governing, managing and maintaining cybersecurity arrangements are a challenge for business managers, security managers and auditors alike. To demonstrate the business value of cybersecurity and to balance the risk associated with attacks or breaches, the following guiding principles should be applied. While these principles are set at a high level and not exhaustive, they provide a reasonable basis for cybersecurity as an integral part of overall information security. Cybersecurity Governance Principles
  • 19. Best Of The World In Security Conference The concept of cybersecurity should be seen considering potential damage and the wide-ranging impacts of cybercrime and cyberwarfare. To adequately manage cybersecurity, the tolerable levels of risk and business impact must be known or conservatively estimated. This includes in‐depth knowledge about the way in which end users may be targeted and affected by cybersecurity attacks and incidents. 1. Know the potential impact of cybercrime and cyberwarfare.
  • 20. Best Of The World In Security Conference CYBERWARFARE •As part of the attack landscape, cyberwarfare extends the idea of APTs. Where nation states or agencies engage in attacks on critical infrastructures or organizations, the threats are augmented by the fact that the attackers may have—by definition— unlimited resources at their disposal. This includes time as a resource, given that military or government operations may take several years from the initial idea to deployment. •From a technical and managerial point of view, cyberwarfare nevertheless represents just another form of APT, notwithstanding the legal and social ramifications. •Cybersecurity should, therefore, include the possibility of direct or indirect consequences from targeted military or government activity directed against the organization, its associates or its surrounding critical infrastructure. In terms of impact, the results of open or covert warfare are fairly similar to those of criminal acts or politically motivated “hacktivism.” 1. Know the potential impact of cybercrime and cyberwarfare.
  • 21. Best Of The World In Security Conference Business value and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture. This is expressed by end user behavior patterns, habits and social interactions. In governing and managing cybersecurity, these factors should be taken into account and incorporated into strategic, tactical and operational security measures. 2. Understand organizational and individual culture and behavior patterns.
  • 22. Best Of The World In Security Conference The business case in terms of expected value and tolerable risk will determine the overall cybersecurity strategy adopted by the enterprise: the requisite effort and investment of zero tolerance vs. the corresponding residual risk of living with it. To provide adequate and appropriate security, the business case must be clearly defined and fully understood by all levels of management. This includes cost‐benefit considerations as well as the prevailing organizational culture and values relative to cybersecurity. 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise.
  • 23. Best Of The World In Security Conference Every organization has a particular risk capacity, defined as the objective amount of loss an enterprise can tolerate without its continued existence being called into question. Subject to the absolute maximum imposed by this risk capacity, the owners or board of directors of an organization set the risk appetite for the organization. Risk appetite is defined as the amount of risk, on a broad basis, that an entity is willing to accept in pursuit of its mission. In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning. Acceptable risk determination or risk appetite and the criteria by which it can be assessed is an essential element for virtually all aspects of information security as well as most other aspects of organizational activities. It will determine many aspects of strategy including control objectives, control implementation, baseline security, cost benefit calculations, risk management options, severity criteria determinations, required incident response capabilities, insurance requirements and feasibility assessments, among others. Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. 3. Clearly state the business case for cybersecurity, and the risk appetite of the enterprise.
  • 24. Best Of The World In Security Conference 4. Establish cybersecurity governance. • Cybersecurity exists, and is transformed, within the values and objectives of the enterprise and its members. As such, cybersecurity is subject to clear governance rules that provide a sense of direction as well as reasonable boundaries. This includes adopting and improving the organizational governance framework for cybersecurity.
  • 25. Best Of The World In Security Conference • Governance plays an extremely important role in achieving the security objective of the organization not only for current needs, but also to ensure well-drafted mitigation plans for future challenges. To address current issues, the governance framework covers improvements to security policies; the implementation of technical controls; audits and assessments; and driving awareness among people to shape their attitude toward secure behaviors. For future challenges, the governance framework must continually focus on emerging threat factors, fast-moving changes in the technological landscape, people’s views and behavior. 4. Establish cybersecurity governance.
  • 26. Best Of The World In Security Conference How to establish cybersecurity program?
  • 27. Best Of The World In Security Conference • Security policies are designed to mitigate risk and are usually developed in response to an actual or perceived threat. Policies state management intent and direction at a high level. With the development of an information security strategy, the policies have to be developed or modified to support the strategic objectives. Standards are developed or modified to set boundaries for people, processes, procedures and technologies to maintain compliance with policies and support the achievement of the organization’s goals and objectives. There are usually several standards for each policy, depending on the classification levels of the asset related to the standard. Collectively, standards are combined with other controls (i.e., technical, physical, administrative) to create the security baselines. 4. Establish cybersecurity governance.
  • 28. Best Of The World In Security Conference • Baseline security, control objectives, acceptable risk, risk appetite and residual risk are related to one another. Control objectives are set to fall within the boundaries of acceptable risk. Risk mitigation should keep the organization within the level of acceptable risk and achieving the control objectives. Residual risk levels set the security baselines. • New information security projects should support the information security strategy. A business case is used to capture the business reasoning for initiating a project or task. In the context of information security, it should concisely identify the needs and the business purpose for implementing various governance processes, including technologies and the cost benefit (i.e., the value proposition) of doing so. 4. Establish cybersecurity governance.
  • 29. Best Of The World In Security Conference Cybersecurity covers multiple aspects and specialized areas within overall information security. To provide assurance over cybersecurity, the assurance universe is known, defined and within the organizational sphere of interest. Assurance objectives are clear, plausible and manageable. As many cybersecurity aspects may be outside the organizational perimeter, the associated risk and assurance issues are considered. 5. Know the cybersecurity assurance universe and objectives.
  • 30. Best Of The World In Security Conference • Taking the time to safeguard oneself and one’s organization, from all possible threats, is the best way to avoid the loss of identity, personal and confidential data, vital financial information, intellectual property, creations, money, etc. Perhaps the biggest burden of being the victim of a hack or cyberattack is the stress that comes with it. 5. Know the cybersecurity assurance universe and objectives.
  • 31. Best Of The World In Security Conference Cybercrime, cyberwarfare and related attacks or breaches target the weakest link in the system. As a result, cybersecurity must be understood as a system of interdependent elements and links between these elements. Optimized cybersecurity requires complete understanding of this dynamic system and the realization that security governance, management and assurance cannot be seen in isolation. 6. Establish and evolve systemic cybersecurity.
  • 32. Best Of The World In Security Conference •like any other long‐term process, is based on continuous improvement and a succession through various levels of maturity. •It is the strategy, and its detailed parts will need to be reviewed and validated at regular intervals, considering any changes to the risk profile as well as the risk appetite defined by the enterprise. •It is systemic shift from one stable state of the overall system to its next stable state. In between, any number of changes may happen spontaneously or in a controlled manner. Cybersecurity Transformation
  • 33. Best Of The World In Security Conference •Cybersecurity transformation, just like any other long‐term process, is based on continuous improvement and a succession through various levels of maturity. This also means that the strategy and its detailed parts will need to be reviewed and validated at regular intervals, considering any changes to the risk profile as well as the risk appetite defined by the enterprise. Cybersecurity Transformation
  • 34. Best Of The World In Security Conference •Transformation is usually defined as a systemic shift from one stable state of the overall system to its next stable state. In between, any number of changes may happen spontaneously or in a controlled manner. In cybersecurity, transformation can be defined as progressing the overall system of governing provisions, management activities, controls and other elements from its current state to the next (target) stable state, usually by means of controlled change to certain parts, processes and other components. While this is useful as a high‐level definition, some examples may help in understanding the transformation process. Cybersecurity Transformation
  • 35. Best Of The World In Security Conference •As a first step, the current state of cybersecurity and the existing governance model should be assessed and established. This means that, beyond the assumptions that may have existed before, cybersecurity in its present state should be described “as is,” including all weaknesses and deficiencies. Typically, this includes any systemic weaknesses previously identified (see previous section) and the pain points that have triggered the need for transformation. The underlying objective is to go from the initial observation that “we cannot go on like this” to a more constructive view of existing information security governance, management and assurance. 1- ESTABLISH CURRENT STATE
  • 36. Best Of The World In Security Conference •The current state review will also reveal any weaknesses in management attitudes. As described previously, neither the minimalist nor the “zero tolerance” attitude are likely to lead to success. Part of establishing the current state of cybersecurity is to identify the exact position of the enterprise in terms of attitudes, beliefs and security spending behavior. In summary, the governance model selected by the enterprise is likely to provide a lot of insight on what may have led to the, apparently unsatisfactory, current state. •Taking stock in this manner may be a painful exercise. However, it is indispensable as a starting point in transforming cybersecurity. Only where weaknesses have been recognized beyond doubt, and clearly articulated, will the enterprise be able to transition to an improved way of governing cybersecurity. 1- ESTABLISH CURRENT STATE
  • 37. Best Of The World In Security Conference •Once the existing state of cybersecurity is known and fully acknowledged, the future or target state may be defined based on weaknesses and deficiencies, risk and vulnerabilities, and the extent to which the enterprise will be able to change and adapt to the trends in attacks, breaches and incidents. Where the target state is not clearly understood, it is unlikely that a transformation approach will be successful. •Typical pitfalls include: • Lack of realism—The target state is formulated as a wish list for perfection, rather than the next obvious (and stable) state of overall cybersecurity. 2. DEFINE TARGET STATE
  • 38. Best Of The World In Security Conference •In transformation thinking, the target from a governance perspective is to identify the next stable—and, therefore, achievable—level at which cybersecurity will be able to meet the needs of stakeholders, and at which there will be a reasonable level of protection against attacks and breaches. Transforming cybersecurity is a repetitive and iterative exercise that resembles a life cycle rather than a one‐off project. 2. DEFINE TARGET STATE
  • 39. Best Of The World In Security Conference • Escalating commitment—The target state is defined as “just a little more of what we are doing now,” without incorporating the changed threat and vulnerability landscape, not to mention actual attacks and breaches. • Blurred vision—The target state is defined based on wrong assumptions—e.g., where organizational management does not incorporate future trends in cybercrime and cyberwarfare. • Governance model bias—The current governance model (e.g., “zero tolerance” or “we are insured”) is maintained, ignoring strong signals that it may be dysfunctional. 2. DEFINE TARGET STATE
  • 40. Best Of The World In Security Conference •The distance between the current and future states of overall cybersecurity is subject to governance as well as management. •Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
  • 41. Best Of The World In Security Conference •The distance between the current and future states of overall cybersecurity is subject to governance as well as management. Once the target state has been identified and defined, there are two dimensions of change that need to be planned, managed and monitored. The strategic dimension covers setting strategy, planning and implementing high‐level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what will be the immediate and secondary effects. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
  • 42. Best Of The World In Security Conference •Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. As an example, the deployment of an awareness program for employees may be beneficial in terms of improving vigilance and attention to detail. However, an unwelcome secondary result might be that a large number of “false positives” increases the cost of incident management and distracts attention from real (but unobtrusive) APT attacks. More complex dependencies may exist in cybersecurity systems that will only come to light if the transformation is seen as a systemic and holistic exercise. 3. STRATEGIC AND SYSTEMIC TRANSFORMATION
  • 43. Best Of The World In Security Conference •Information security governance in general sets the framework and boundaries for security management and related solutions. This necessarily includes formal policies, procedures and other elements of guidance that the agencies are required to follow. However, where governance in its best sense means “doing the right things,” it needs to take into account that a large part of cybersecurity is concerned with handling unexpected events and incidents. Establishing Cybersecurity Governance
  • 44. Best Of The World In Security Conference •Cybersecurity governance is both preventive and corrective. It covers the preparations and precautions taken against cybercrime, cyberwarfare and other relevant forms of attack. At the same time, cybersecurity governance determines the processes and procedures needed to deal with actual incidents caused by an attack or security breach. In this context, governance principles and provisions must be reasonably flexible to allow for the fact that attacks are often unconventional, generally against the rules, and most often designed to circumvent exactly those procedures and common understandings within the organization that keep the business running. Establishing Cybersecurity Governance
  • 45. Best Of The World In Security Conference Establish Cybersecurity governance with following six‐step approach as explained below: Step 1: IDENTIFY STAKEHOLDER NEEDS Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY. Step 3: DEFINE CYBERSECURITY STRUCTURE Step 4: MANAGE CYBERSECURITY RISKS Step 5: OPTIMIZE CYBERSECURITY RESOURCES Step 6: MONITOR CYBERSECURITY EFFECTIVENESS Establish Cybersecurity governance
  • 46. Best Of The World In Security Conference Step 1: IDENTIFY STAKEHOLDER NEEDS • Determine the internal and external (usually restricted) stakeholders and their interest in organizational Cybersecurity. • Incorporate confidentiality needs and mandated secrecy in the identification process. • Understand how cybersecurity should support overall enterprise objectives and protect stakeholder interests. • Identify reporting requirements for communicating and reporting about cybersecurity (contents, detail). • Clearly define and articulate instances of reliance on the work of others (for external auditors). • Define and formally note confidentiality and secrecy requirements for external auditors.
  • 47. Best Of The World In Security Conference Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
  • 48. Best Of The World In Security Conference • Review legal and regulatory provisions in cybercrime and cyberwarfare • Identify the senior management tolerance level in relation to attacks and breaches. • Validate business needs (express and implied) with regard to attacks and breaches • Identify and articulate any game changers or paradigm shifts in cybersecurity. • Document systemic weaknesses in cybersecurity as regards the business and its objectives • Identify and validate strategy for cybersecurity (“zero tolerance” vs. “living with it”) Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
  • 49. Best Of The World In Security Conference • Identify adaptability, responsiveness and resilience of strategy in terms of cybersecurity attacks and breaches • Identify any rigid/brittle governance elements that may inadvertently be conducive to cybercrime and cyberwarfare (e.g., instances of over control) • Define the expectations, in alignment with strategy (“zero tolerance” vs. “living with it”), with regard to cybersecurity, including ethics and culture. • Highlight any ethical/cultural discontinuities that exist or emerge. • Define the target culture for cybersecurity, and develop a cybersecurity awareness program. • Obtain management commitment for the selected strategy Step 2: MANAGE CYBERSECURITY TRANSFORMATION STRATEGY.
  • 50. Best Of The World In Security Conference Step 3: DEFINE CYBERSECURITY STRUCTURE
  • 51. Best Of The World In Security Conference •Structure • Define the Cybersecurity organizational structure–an appropriate platform/committee, in alignment with information security and information risk functions. • Highlight any barriers or other organizational segregation of duties/information. • Mandate an appropriate cybersecurity function, including incident and attack response •Roles and Responsibilities • Determine an optimal decision‐making model for cybersecurity— this may be distinct and different from “ordinary” information security • Define high‐level RACI (responsible, accountable, consulted, informed) model for cybersecurity function, including any external resources. • Consider any extended decision rights that may be applicable in crisis/ incident handling situations. • Determinecybersecurity obligations, responsibilities and tasks of other organizational roles (including groups and individuals). • Ensure cybersecurity participation at the steering committee level. • Embed cybersecurity transformation activities in the steering committee agenda. Step 3: DEFINE CYBERSECURITY STRUCTURE
  • 52. Best Of The World In Security Conference •Communications • Establish escalation points for attacks, breaches and incidents (information security, crisis management, etc.). • Define escalation paths for cybersecurity activities and transformational steps (e.g., new vulnerabilities and threats). • Establish fast‐track/crisis mode decision procedures with escalation to senior management. • Identify the means and channels to communicate cybersecurity issues and information. Step 3: DEFINE CYBERSECURITY STRUCTURE
  • 53. Best Of The World In Security Conference •Integration • Integrate, to the appropriate extent, the cybersecurity direction into the overall information security direction, and highlight areas of cybersecurity that are deliberately kept separate and distinct. • Establish interfaces between the cybersecurity function and other information security roles. • Embed cybersecurity reporting into the generic reporting methods for information security. Step 3: DEFINE CYBERSECURITY STRUCTURE
  • 54. Best Of The World In Security Conference • Determine risk appetite/tolerance levels in terms of cybercrime and cyberwarfare attacks and breaches at the board/management level. • Align risk tolerance levels against the overall strategy (“zero tolerance” vs. “living with it”). • Compare cybersecurity and generic information security risk tolerance levels and highlight inconsistencies. • Integrate cybersecurity risk assessment and management within overall information security management. Step 4: MANAGE CYBERSECURITY RISKS
  • 55. Best Of The World In Security Conference • Evaluate the effectiveness of cybersecurity resources in comparison with information security and information risk needs. • Validate cybersecurity resources in terms of specific goals and objectives. • Ensure that cybersecurity resource management is aligned to overarching information security needs. • Include external resource management. Step 5: OPTIMIZE CYBERSECURITY RESOURCES
  • 56. Best Of The World In Security Conference • Track cybersecurity outcomes and effects, particularly with a view to changes in attacks/breaches/incidents. • Compare outcomes against transformation steps and milestones – initial (current state) and future (target state) expectations. • Integrate cybersecurity measurements and metrics into routine compliance check mechanisms. • Evaluate threats and vulnerabilities relevant to cybersecurity, and incorporate the changing threat landscape into cybersecurity strategy. • Monitor the risk profile for attacks/breaches and the corresponding risk appetite to achieve optimal balance between cybersecurity risk and business opportunities. • Measure the effectiveness of cybersecurity resources (internal and external) against defined information security needs, goals and objectives Step 6: MONITOR CYBERSECURITY EFFECTIVENESS
  • 57. Best Of The World In Security Conference Your Slide Title
  • 58. Best Of The World In Security Conference Governance Desired Outcomes
  • 59. Best Of The World In Security Conference • The first step in establishing information security governance is senior management determining the outcomes it wants from the information security program. Often, those outcomes are stated in terms of risk management and the levels of acceptable risk. This can be accomplished through a set of facilitated meetings with senior management and business unit leaders. The information security manager then has the information needed to develop a set of requirements for a security program. This is followed by setting a series of specific objectives that, when achieved, will satisfy the requirements. Governance Outcomes
  • 60. Best Of The World In Security Conference Thank you Zainab AL.Sheheimi @zainab_oman www.etteqa.com