IIA – Cyber Security Event Cyber Risks James Humbles June 2016.

1 IIA – Cyber Security Event: Cyber Risks. James Humbles, June 2016

2 Learning Outcomes
- Understand what “Cyber Risk” is
- Come to a common understanding on Cyber Risk
- Evaluate some example Cyber Risks
- Build an audit plan that considers Cyber Risk
- Understand where to find more information on Cyber Risks
© Aviva PLC - PUBLIC

3 Contact Details
James Humbles, IT Audit Manager
james.humbles@aviva.com

An experienced and accomplished IT Audit Manager, I now have over 10 years’ experience in the fields of Internal Audit, IT Audit and Information Security, specialising in Financial Services for the last 7 years. I have had a varied career with roles in both Financial Services and the public sector, both in and outside IT Audit. Explaining risk and control to people as varied as bin men through to CIOs has given me some unique and interesting insights. This broad range of experience enables me to provide effective challenge to management on how they manage risk and control. I have also obtained professional certifications in both Auditing and IT Auditing, and have great pride in being able to straddle the worlds of Internal Audit, IT Audit and Information Security.

Qualifications
- BSc in Law with Legal Practice Management
- Diploma in Internal Audit (PIIA)
- Certified Information Systems Auditor (CISA)

Key skills: Auditing. Computers. Security. Drinking Coffee.

4 Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its IT systems.

5 In its broadest form, cyber risk is synonymous with IT risk, that is “the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise”.

6 Common Understanding?

7 Feedback: What is Cyber Risk?

8 Is there a common understanding?
Cyber Risk is… defined in the news media, and therefore by popular understanding? The online world and hacking – TalkTalk.
Cyber Risk is… Information Security?
- Confidentiality
- Integrity
- Availability

9 “Cyber risk is one of many risks. It is certainly serious, but it can be understood, and it can be quantified. So it needs to be managed like anything else that could damage a firm’s business – by understanding it…”

10 Example Cyber Risks

Inadequately defined incident response procedures
If an incident does occur then this process helps you act and respond in the right way for your organisation. A lack of, or a bad, response process = TalkTalk.

IT Security Perimeter Failure
The worst case scenario. A hacker gets in through the security you have and steals data/IP/financial information, causing a loss to the organisation.

Security failure at a third party
This is how Target in the USA was attacked: via their air conditioning supplier, who was connected to their network and had a much lower standard of security.

Loss arising from internal compromise
Internal employees that use access maliciously or accidentally and cause a cyber event.

11 Example Cyber Risk Register

No  Risk Title                                      Inherent Impact  Inherent Probability  Residual Impact  Residual Probability
1   Malicious Disruption of Services                Very High        Very Likely           Very High        Possible
2   Non compliance with regulation and legislation  Very High        Likely                High             Remote
3   IT Service Management failure                   High             Likely                Medium           Remote
4   External Hacker / Cyber Criminal                Very High        Very Likely           High             Very Likely
5   Malicious Insider                               Very High        Likely                High             Remote
6   IT Resilience and Disaster Recovery             Very High        Possible              Medium           Remote
7   Managing Suppliers – Security Failure           Medium           Possible              Medium           Remote
8   Shadow IT Failure leading to Cyber Event        High             Possible              High             Possible
9   IT Development and Implementation               High             Possible              Medium           Remote
10  Business Disruption                             Very High        Likely                High             Possible

12 Risk Map
[Figure: heat map of the ten register risks. Vertical axis, Impact: Very High, High, Medium, Low. Horizontal axis, Probability: Remote (<10%), Possible (10% to 30%), Likely (31% to 50%), Very Likely (>50%). Risks 1 to 10 are plotted on the map; their cell positions are not recoverable from the transcript.]
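The register and map above lend themselves to a small analysis an auditor can run before scoping. This added example (not from the slides) transcribes the register, maps percentage estimates onto the slide's probability bands, places each risk in its residual map cell, and ranks risks for audit attention; the multiplicative scoring is an assumption, not something the slides define.

```python
# Added example, not from the slides: scoring the risk register on the slide's own
# impact and probability scales and placing each risk on the residual risk map.
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
PROBABILITY = {"Remote": 1, "Possible": 2, "Likely": 3, "Very Likely": 4}

# Register transcribed from slide 11:
# (no, title, inherent impact, inherent probability, residual impact, residual probability)
REGISTER = [
    (1, "Malicious Disruption of Services", "Very High", "Very Likely", "Very High", "Possible"),
    (2, "Non compliance with regulation and legislation", "Very High", "Likely", "High", "Remote"),
    (3, "IT Service Management failure", "High", "Likely", "Medium", "Remote"),
    (4, "External Hacker / Cyber Criminal", "Very High", "Very Likely", "High", "Very Likely"),
    (5, "Malicious Insider", "Very High", "Likely", "High", "Remote"),
    (6, "IT Resilience and Disaster Recovery", "Very High", "Possible", "Medium", "Remote"),
    (7, "Managing Suppliers - Security Failure", "Medium", "Possible", "Medium", "Remote"),
    (8, "Shadow IT Failure leading to Cyber Event", "High", "Possible", "High", "Possible"),
    (9, "IT Development and Implementation", "High", "Possible", "Medium", "Remote"),
    (10, "Business Disruption", "Very High", "Likely", "High", "Possible"),
]

def band_for(percent):
    """Map an estimated probability in % to the Risk Map bands:
    Remote <10%, Possible 10% to 30%, Likely 31% to 50%, Very Likely >50%."""
    if percent < 10:
        return "Remote"
    if percent <= 30:
        return "Possible"
    if percent <= 50:
        return "Likely"
    return "Very Likely"

def score(impact, probability):
    """Ordinal risk score 1..16; the multiplicative weighting is an assumption, not the slide's."""
    return IMPACT[impact] * PROBABILITY[probability]

def residual_map(register):
    """Group risk numbers by their residual (impact, probability) cell, as the Risk Map plots them."""
    cells = {}
    for no, _, _, _, r_imp, r_prob in register:
        cells.setdefault((r_imp, r_prob), []).append(no)
    return cells

def unreduced(register):
    """Risks whose residual score equals their inherent score: the controls claim no effect,
    so the residual rating itself should be questioned in the audit plan (slide 14)."""
    return [no for no, _, i_imp, i_prob, r_imp, r_prob in register
            if score(r_imp, r_prob) == score(i_imp, i_prob)]

def audit_priority(register):
    """Order risks for audit attention: highest residual score first, then the smallest
    inherent-to-residual reduction (the weakest control claims) on ties."""
    def key(row):
        no, _, i_imp, i_prob, r_imp, r_prob = row
        return (-score(r_imp, r_prob), score(i_imp, i_prob) - score(r_imp, r_prob), no)
    return [row[0] for row in sorted(register, key=key)]
```

On this register the ranking puts the external hacker, malicious disruption and shadow IT risks first, and shadow IT is the one risk whose residual rating is unchanged from its inherent rating.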

13 Audit Plan

14 Audit Plan
- Assurance Map: where do we get assurance from?
- Questioning the risk register, e.g. IT Resilience and Disaster Recovery
- Questioning residual risk
- Scope is very wide here: Proactive v Reactive Controls
- Risk Culture Audit: a higher level audit to look at risk management

15 Cyber Audits in Aviva

C.S.T.P. – Cyber Security Transformation Programme
A review designed to look at the constant innovation required to stay ahead in the security business, and Aviva’s work to be ahead. Includes Programme Governance, as well as detailed workstream audits looking at specific topics such as…

Firewalls
An audit to look at the specific workstream within our CSTP. This would include looking at Project Management, but also a review of the technical set up of our firewalls, for example using Data Analytics (CAATs) techniques to interrogate the firewall rulebase, as well as an additional review of firewall management processes.

Disaster Recovery
A review of DR capabilities, and a control review to ensure these are managed and updated appropriately.

Data Governance
Data Governance is an important element of Cyber Risk. To really help mitigate Cyber Risk it is important to know what data you hold, where it is, and how it is managed. This then allows mitigating controls to be correctly scoped and specified.
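The firewall workstream above mentions interrogating the rulebase with data-analytics (CAATs) techniques. This added example, which is not Aviva's code and uses a constructed rule format and constructed rules, shows two checks of that kind: flagging any/any permits, and flagging rules that can never match because an earlier rule already covers them (which for a deny means the control does not actually work).

```python
# Added example, not Aviva's code: simple CAATs-style checks over an exported rulebase.
# Rule format (constructed): id, action, src network, dst network, dst port; "any" is a wildcard.
import ipaddress

RULES = [  # constructed sample rulebase, evaluated top down, first match wins
    {"id": 10, "action": "permit", "src": "10.0.0.0/8", "dst": "192.168.10.0/24", "port": "443"},
    {"id": 20, "action": "deny", "src": "10.1.0.0/16", "dst": "192.168.10.0/24", "port": "443"},
    {"id": 30, "action": "permit", "src": "any", "dst": "any", "port": "any"},
    {"id": 40, "action": "permit", "src": "172.16.0.0/12", "dst": "192.168.20.5/32", "port": "22"},
]

def covers(outer, inner):
    """True if network 'outer' contains all of network 'inner'; 'any' contains everything."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def port_covers(outer, inner):
    return outer == "any" or outer == inner

def rule_covers(a, b):
    """True if every packet rule b would match is already matched by rule a."""
    return (covers(a["src"], b["src"]) and covers(a["dst"], b["dst"])
            and port_covers(a["port"], b["port"]))

def analyse(rules):
    """Return (rule id, finding) pairs: any/any permits and shadowed (unreachable) rules."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "permit" and all(rule[k] == "any" for k in ("src", "dst", "port")):
            findings.append((rule["id"], "any/any permit"))
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                # Rule 20's deny is shadowed by permit 10, so the intended block never fires.
                findings.append((rule["id"], f"shadowed by {earlier['id']}"))
                break
    return findings
```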

16 Where to go next
- ISACA.org (Isaca.org/cyber)
- SANS
- NIST.gov
- IT Security Blogs
- ISC2

17 Thank you james.humbles@aviva.com
