Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Security Management Lesson Introduction ●Understand organizational context for cyber security ●Understand the people, process and technology dimensions.

Published byMillicent Collins Modified over 8 years ago

Similar presentations

Presentation on theme: "Cyber Security Management Lesson Introduction ●Understand organizational context for cyber security ●Understand the people, process and technology dimensions."— Presentation transcript:

1 Cyber Security Management Lesson Introduction ●Understand organizational context for cyber security ●Understand the people, process and technology dimensions of cyber security management ●Assessing cyber risk and its relationship to security management

2 Managing Security ●Technical controls (authentication, access control etc.) are used to reduce the risk of attacks on valuable assets. ●What assets need to be secured and from whom?

3 Organizational Context ●Legal and compliance drivers for cyber security ●Financial and health data ●What technical controls should be deployed? ●Must understand risks posed by threats ●Costs and benefits of security measures

4 Key Challenges ●What assets are under risk? ●What are the threats and how serious is the risk posed by them? ●Likelihood of successful attack and its impact

5 Key Challenges ●What technological solutions/controls exist to counter threats? ●How can we address risk in a cost- effective manner? ●Cost is less than reduction in risk ●How do we understand people and process aspects of cyber security management?

6 Network Use Policy Quiz Cyber security planning and management in an enterprise must define allowed computer and network use by employees. Georgia Tech’s computer and network use policy strives to do this for students, faculty and staff. Check all that you think are required by this policy: Georgia Tech account passwords should be changed periodically. A compromise of a computer should be reported to someone responsible for cyber security at Georgia Tech. Georgia Tech computers cannot be used to download illegal content (e.g., child pornography).

7 Botnet Quiz A botnet operator compromises a number of computers in a company. The malware executed by the bots only sends large amounts of spam email but does not exfiltrate sensitive data or interfere with legitimate activities. Choose the appropriate action by the company in this situation: The company should detect and prevent abuse of its resources by unauthorized parties. Since it poses no risk to company’s sensitive data or normal operations, it can be ignored.

8 Security Planning ●What needs to be secured? ●Who is responsible for it? ●What technical/non-technical controls should be deployed? ●How are people supported to do what they need to do? ●What if something goes wrong? ●Response and recovery ●Accountability and consequences

9 ●What Needs to be Secured? ●Hardware, software and services Servers, routers, switches, laptops and mobile devices OS, databases, services and applications Data stored in databases or files ●From whom? ●Remote hackers? ●Insiders? Assets and Threats

10 The need to manage cyber security for over a million devices each running many services Lack of sense of urgency in fixing cyber vulnerabilities. Choosing to support key functions even when this could introduce vulnerabilities. Security Audit Quiz A news story in 2014 reported that an inspector general’s report gave Veteran Affairs (VA) a failing grade for 16 th straight year. The CIO of VA discussed a number of challenges that could explain this grade. Mark the ones that you think could be possible reasons: (See the instructor notes for a link to the article)

11 CISO Quiz Chief Information Security Officer (CISO) is the executive who is responsible for information security in a company. Did Target, the major retailer, have a CISO when it suffered the serious breach? Choose the best answer. Yes No

12 Security Planning: Controls ●Identity and access management (IAM) ●Credentialing, account creation and deletion ●Password policies ●Network and host defenses ●Firewalls, IDS, IPS ●Anti-virus ●VPN and BYOD ●Vulnerability patching ●User awareness and education ●Phishing attack awareness (Phishme)

13 Security Planning: Security Policy ●High level articulation of security objectives and goals ●Legal, business or regulatory rationale ●Do’s and don’ts for users –Password length –Web and email policies –Response to security events ●Address prevention, detection, response and remediation as it concerns/impacts users

14 Georgia Tech Computer and Network Use Policy ●States guiding principles ●Protect GT IT resources ●Ensure no state or federal laws are violated ●Some interesting highlights ●Copyright and IP ●Export control ●Who is responsible? ●Network – Office of Information Technology ●Devices – Units or individual

15 Computer Use Policy Quiz Does Georgia Tech’s computer and network use policy prohibit personal use of university resources? Choose the best answer. Yes No

16 Student Privacy Quiz Georgia Tech systems store student data such as grades. The Institute must protect such data due to... Choose the best answer. Regulatory reasons Because the data is sensitive it can only be disclosed to student and his/her family

17 Anthem Breach Quiz Anthem suffered from a major breach in 2015. Based on an analysis of its response to the breach, did Anthem respond well to the breach? (see the instructor notes for a link to the analysis) Choose the best answer. Yes No

18 Cyber Risk Assessment ●Investments in cyber security are driven by risk and how certain controls may reduce it ●Some risk will always remain ●How can risk be assessed?

19 Quantifying Cyber Risk Risk exposure = Prob. [Adverse security event] * Impact [ adverse event] Risk leverage > 1 for the control to make sense

20 Managing Cyber Risk How do we assess and reduce cyber risk? ●Impact ●Expected loss (reputational, recovery and response, legal, loss of business etc.) ●Risk management ●Accept, transfer (insurance) and reduce ●Reduction via technology solutions, education and awareness training

21 Security Breach Quiz A company stores sensitive customer data. The impact of a breach of such data must include... Mark all applicable choices. Cost of purchasing identify theft protection for customers Loss of business due to reduced customer confidence Compensation for new cyber security personnel the company hires to better manage cyber security in the future

22 Reducing Exposure Quiz A company is considering two possible IDS solutions to reduce its exposure to attacks on its network. The first one costs $100K and reduces risk exposure by $150K. The second one costs $250K but reduces risk exposure by $500K. Which solution would you recommend? Choose the best answer. Cheaper solution that costs $100K More expensive solution that costs $250K

23 Cyber Insurance Quiz Cyber insurance is still not very popular. Based on a 2014 survey, what percentage of customers of major insurance brokers were interested in buying cyber insurance? (see the instructor notes for a link to the survey) Choose the best answer. Less than 25% Over 50%

24 Enterprise Cyber Security Posture ●Reactive: ●Regulation/compliance ●Customer demands ●In response to a breach (Target or Home Depot) ●In response to events

25 Enterprise Cyber Security Posture ●Proactive: ●Champion of an organization who has influence ●Board level conversation about cyber security and risk

26 Enterprise Cyber Security Posture ●Economic value argument: ●Return on investment (RoI) ●Estimating costs and benefits is tricky ●Perception vs. data-driven risk

27 Security Planning and Management ●Values at risk ●Assets, reputation etc. ●Threats and attack vectors ●Plan, implement and manage ●Deploy appropriate controls ●Empower people and hold them responsible ●Plan for response and remediation (do not be surprised) ●User awareness ●Understand and proactively address risk Bringing It All Together!

28 Cyber Security Budgets Quiz Are cyber security budgets increasing as the number of reported incidents increases (see the instructor notes for a link to the PwC report)? Choose the best answer. Yes No

29 Proactive Security Quiz An example of proactive security measure is... Choose the best answer. Making sure the company complies with all regulatory requirements Chief risk officer (CRO) of the company addressing cyber risk regularly at highest level (e.g., board) when other risks are discussed

30 Cyber Security Management Lesson Summary ●Managing cyber security is a complex process that involves technology, people and processes ●Organizational context and cost/benefit analysis is necessary for security controls ●Risk based argument for cyber security

Download ppt "Cyber Security Management Lesson Introduction ●Understand organizational context for cyber security ●Understand the people, process and technology dimensions."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
1 Pertemuan 9 Network Security and E-Commerce Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi: >

1 Pertemuan 9 Network Security and E-Commerce Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi: >
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
ETHICS, POLICY & SECURITY ISSUES 1CIIT---ETHICS,POLICY AND SECURITY ISSUES.

ETHICS, POLICY & SECURITY ISSUES 1CIIT---ETHICS,POLICY AND SECURITY ISSUES.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Similar presentations

Ads by Google