1 Introduction
Welcome!
Format of day
Response to previous requests from clients
Amendment to schedule
Using Information Security for Business Advantage

2 MWR InfoSecurity
The Business Case for Information Security
12 March 2009
Alex Fidgen
Ian Shaw

3 What will we achieve?
Help you gain organisational commitment and justify required spend
Introduction
Part 1 - Visualisation techniques
Part 2 - Communication techniques
Part 3 - Supporting frameworks

4 Introduction
Communicating security risk can be very hard in environments without structured metrics
The classic chicken-and-egg scenario
We did not want to concentrate on the is-there/isn’t-there argument for ROI.

5 Problems
Senior management and board directors need to increase shareholder value
Mature metrics make it easy to communicate risk in terms of shareholder value
Associating technical risks with revenue is impossible without a business context
Information security managers with IT backgrounds find it hard to communicate risk at a business level
The business seldom understands the value of its information assets

6 Communication! This is a communication issue!

7 Part 1 – Protecting Traditional Assets
(Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?)

8 Questions your Board may be asking
Why do we need to worry about this information security issue?
Why is malware protection so expensive?
Are these costs of doing business online justified?
I don’t understand whether this expenditure is justified
The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models
Try to ignore any immediate reaction to industry sector!

9 Typical Retail Organisation (Asset Protection)
Business functions: Shops; Warehouse / Distribution; Human Resources; Finance
Protective measures: CCTV; Counterfeit Detection; Store Detectives; Security Guards; RFID; Safes / Alarms; Secure Cash Handling; Vetting / References; Disciplinary Procedure; Internal Audit; External Audit; Stock Control; Credit Control; Accounting Policies / Standards; Financial Reconciliations; Product Integrity*; Cardwatch; Local Crime Schemes
* For example: tamper-evident jars

11 Typical E-Retail (Information Asset Protection)
Business functions: Ecommerce Site; Data Storage; Business Interfaces; IT/IS/Development
Protective measures: Anti-Virus; Firewalls; Encryption; Security in SDLC; Threat Modelling; Build Standards; Information Security Policies; Legislative Compliance; Configuration Reviews; Patch Management; Access Control Reviews; Application Testing; Penetration Testing; Monitoring / Intrusion Detection; Vulnerability Assessment; Vetting / References; Disciplinary Procedure; InfoSec Awareness Training

12 In Summary
Information asset protection still lags behind traditional asset protection
Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security
A simple visualisation technique helps soften attitudes to information security spend

13 Part 2 – A model for information asset identification and classification

14 Part 2 - Communication of risk
High level abstract link…
How best to communicate the risk from this point forward
Need to highlight risks that may impact shareholder value
Must be flexible and expose risks not currently perceived
One technique is threat modelling…plenty of others however

15 Risk – A quick reminder
Asset: an item of value
Threat: an event that could have a detrimental effect on an asset
Vulnerability: a conduit that could be exploited by a threat
Business impact: the effect on a business of a risk being realised
(Diagram: Asset, Threats, Vulnerability and Risks leading to BUSINESS IMPACT)

16 What is threat modelling?
Threat modelling:
Grades threats
Allows identification of vulnerabilities
Enhances the final calculation of risk
Very powerful and business-focussed

17 What it can provide:
Defence in depth
Effective controls with efficient expenditure
Asset protection is proportional to the business value
Greater measurable returns on security investment

18 Case Study – Insurance Company
In excess of 600 systems
Business run in a federated sense
There is/was no centralised security management function
Some security testing in the past against core systems
No set budget for security
Some basic security training, around physical security and access control

19 How the model was formed..
Identified the systems and the assets
A high-level risk assessment based on the business risk and potential business impact
Assignation of a commercial revenue value to each system

20 How the model was formed.. cont
All revenue streams documented
The most important systems quickly became evident
Allowed focus on the most financially important assets
Intangible assets were also assessed (reputation, client satisfaction, employee happiness etc.).

21 What did this do?
This made an actual and tangible link for the management team, connecting the value of the information assets (within systems) with the value of assigned security spend to identify and manage the risk
It opened their eyes to the asset value, and made justification of budget almost self-fulfilling

22 Part 3 – Effecting Change (Operational Information Security)

23 Where are we?
Information Assets + Threats + Vulnerabilities = Risks
Risks − Existing Controls = Current Position

24 What is the appetite for risk?
Current Position − Where we want to be = STAGE 1 Organisational Changes
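A worked example of the relationships on slides 15, 23 and 24, and of the case-study approach on slides 19 and 20 (assigning a commercial revenue value to each system, then focusing on the most financially important ones). This is added code, not part of the MWR presentation: the systems, figures, probability scales and appetite threshold are all constructed for illustration, and the expected-loss arithmetic is one simple way to make the slides' equations numeric, not the method MWR used with the insurance client.

```python
"""Constructed risk register (added example, not from the presentation) that puts
numbers behind: Assets + Threats + Vulnerabilities = Risks,
Risks - Existing Controls = Current Position, and
Current Position - Where we want to be = the change required.
Every system, value and scale below is invented for illustration."""
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple


@dataclass
class Threat:
    name: str
    likelihood: float  # assumed scale: probability the event occurs within a year (0..1)


@dataclass
class Vulnerability:
    name: str
    exploitability: float  # assumed scale: chance a threat that occurs succeeds via this weakness (0..1)


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed scale: fraction of exposure the control removes (0..1)


@dataclass
class Asset:
    system: str
    revenue_value: float    # commercial revenue value assigned to the system (case-study step)
    impact_fraction: float  # share of that value lost if a risk is realised (business impact)
    threats: List[Threat] = field(default_factory=list)
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)


def inherent_risk(asset: Asset) -> float:
    """Assets + Threats + Vulnerabilities = Risks, expressed as expected annual loss in revenue terms."""
    p_any_threat = 1 - prod(1 - t.likelihood for t in asset.threats)
    p_any_path = 1 - prod(1 - v.exploitability for v in asset.vulnerabilities)
    return asset.revenue_value * asset.impact_fraction * p_any_threat * p_any_path


def current_position(asset: Asset) -> float:
    """Risks - Existing Controls = Current Position (residual expected loss)."""
    remaining = prod(1 - c.effectiveness for c in asset.controls)
    return inherent_risk(asset) * remaining


def change_required(asset: Asset, appetite: float) -> float:
    """Current Position - Where we want to be. The appetite is the tolerated expected loss
    as a fraction of the system's revenue value; 0 means the system is already within appetite."""
    target = appetite * asset.revenue_value
    return max(0.0, current_position(asset) - target)


def rank_by_change(assets: List[Asset], appetite: float) -> List[Tuple[str, float]]:
    """Order systems by the financial gap to appetite: the budget conversation starts at the top."""
    gaps = [(a.system, change_required(a, appetite)) for a in assets]
    return sorted(gaps, key=lambda pair: pair[1], reverse=True)


def rank_by_exploitability(assets: List[Asset]) -> List[str]:
    """The purely technical ordering, for contrast: most exploitable system first."""
    def worst(a: Asset) -> float:
        return max((v.exploitability for v in a.vulnerabilities), default=0.0)
    return [a.system for a in sorted(assets, key=worst, reverse=True)]


def position_after(asset: Asset, control: Control) -> float:
    """Stage 2: measure the result of a proposed control rather than the activity of deploying it."""
    trial = Asset(asset.system, asset.revenue_value, asset.impact_fraction,
                  asset.threats, asset.vulnerabilities, asset.controls + [control])
    return current_position(trial)


# Constructed register for a hypothetical insurer (system names and numbers are invented)
REGISTER = [
    Asset("quote-and-buy portal", 5_000_000, 0.40,
          threats=[Threat("web attack", 0.5), Threat("insider misuse", 0.2)],
          vulnerabilities=[Vulnerability("unpatched web stack", 0.5)],
          controls=[Control("firewall", 0.2), Control("annual pentest", 0.5)]),
    Asset("claims processing", 8_000_000, 0.25,
          threats=[Threat("ransomware", 0.1)],
          vulnerabilities=[Vulnerability("weak access control", 0.8)]),
    Asset("intranet wiki", 200_000, 0.10,
          threats=[Threat("defacement", 0.9)],
          vulnerabilities=[Vulnerability("default credentials", 0.9)],
          controls=[Control("network segmentation", 0.3)]),
]
APPETITE = 0.01  # assumed: tolerate expected loss of 1% of each system's revenue value

if __name__ == "__main__":
    print("technical ordering:", rank_by_exploitability(REGISTER))
    for system, gap in rank_by_change(REGISTER, APPETITE):
        print(f"{system:24s} change required: {gap:,.0f}")
```

Run stand-alone it prints both orderings. The intranet wiki is the most exploitable system yet comes last by financial gap, which is the business-level message the slides are after; the quote-and-buy portal, with a mid-range vulnerability but a large revenue value, heads the list. The position_after function is the Stage 2 idea in miniature: a proposed control is judged by the change it makes to the current position, not by the fact that it was deployed.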

25 Stage 1 – Organisational Change
What is required for successful organisational change
Change Plan – how will we know when we arrive?
Resources – do we have the resources to achieve the change?
Sponsorship – do we have executive backing for change?
Support (Culture) – important if exec sponsorship is broken?

26 Stage 2 - Operation
Measure performance (results not activities)
Make changes as necessary
Periodically review performance
Review measures

27 Summary
Your organisation is protecting its assets, but probably not adequately protecting its information assets
The risks may be different from the perceived risks. Communicate this by identifying assets and the threats to them
You can only manage what you measure. Identify the changes necessary, measure transition

28 Questions?