Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554
    Presentation Transcript

    • Strategic GRC & iSAT for Management Security intelligence “AEC 2015”. Prinya Hom-Anek: CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW, ITIL Expert, CompTIA Security+, IRCA: ISMS Lead Auditor, BCMS Auditor; (ISC)2 Asian Advisory Board; ISACA Thailand Committee; Thailand Information Security Association (TISA) Committee; ACIS Professional Center Co., Ltd., President and Founder
    • Top 10 Strategic Technology Areas 2009 (Source: Gartner Symposium/ITxpo): 1. Virtualization; 2. Cloud Computing; 3. Beyond Blade Servers; 4. Green IT; 5. Web-Oriented Architectures; 6. Enterprise Mashups; 7. Specialized Systems; 8. Social Software and Social Networking; 9. Unified Communications (UC); 10. Business Intelligence (BI). © Copyright, ACIS Professional Center Company Limited, All rights reserved
    • Top 10 Strategic Technology Areas 2010 (Source: Gartner Symposium/ITxpo): 1. Cloud Computing; 2. Advanced Analytics; 3. Client Computing; 4. IT for Green; 5. Reshaping the Data Center; 6. Social Computing; 7. Security – Activity Monitoring; 8. Flash Memory; 9. Virtualization for Availability; 10. Mobile Applications.
    • Top 10 Strategic Technologies for 2011 (Source: Gartner Symposium/ITxpo): 1. Cloud Computing; 2. Mobile Applications and Media Tablets; 3. Next Generation Analytics; 4. Social Analytics; 5. Social Communications and Collaboration; 6. Video; 7. Context-Aware Computing; 8. Ubiquitous Computing; 9. Storage Class Memory; 10. Fabric-Based Infrastructure and Computers.
    • Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond (this year's predictions span 56 markets, topics and industry areas; January 2010): By 2012, 20 percent of businesses will own no IT assets. By 2012, India-centric IT services companies will represent 20 percent of the leading cloud aggregators in the market (through cloud service offerings). By 2012, Facebook will become the hub for social network integration and Web socialization. In 2012, 60 percent of a new PC's total-life greenhouse gas emissions will have occurred before the user first turns the machine on. By 2013, mobile phones will overtake PCs as the most common Web access device worldwide.
    • Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond (continued): By 2014, most IT business cases will include carbon remediation costs. By 2014, over 3 billion of the world's adult population will be able to transact electronically via mobile or Internet technology. By 2015, Internet marketing will be regulated, controlling more than $250 billion in Internet marketing spending worldwide. By 2015, context will be as influential to mobile consumer services and relationships as search engines are to the Web.
    • Prinya Hom-Anek: CGEIT, CISSP, CRISC, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW, ITIL Expert, IRCA: ISMS Lead Auditor, BCMS Auditor; (ISC)2 Asian Advisory Board; ISACA Thailand Committee; Thailand Information Security Association (TISA) Committee; ACIS Professional Center Co., Ltd.
    • 1. Integrated GRC Implementation (Governance, Risk Management & Compliance): Corporate Governance using COSO ERM, COBIT 5 and ISO 31000; Corporate Governance for IT using ISO 38500; IT Governance/Management using COBIT, Val IT and the Risk IT Framework; Information Security Governance/Management using ISO/IEC 27001/27002. 2. IT Service Management Implementation (ITSM, ITIL & ISO/IEC 20000). 3. Business Continuity Management (BCM) (BS 25999, and ICT Continuity Management using BS 25777).
    • 4. Tougher Regulatory Compliance, Risk Management and Internal/External IT Audits. 5. The Rise of Information Security Awareness Training within the organization (for everyone). 6. The Need for Soft Skills Training/Education (Human Factors in IT/Information Security Professionals). 7. The Rise of Cloud Computing, Virtualization, and Social & Mobile Computing.
    • 8. Corporate Fraud and Internet Banking/Online Transaction Fraud Prevention and Detection. 9. IT and Information Security Metrics Implementation. 10. The Need for Creating a “Culture of Security” and a “Risk-Aware Culture” in the Organization.
    • Underlying Drivers
      • Infrastructure Weakness – Under-investment in both organizational and national critical infrastructure has weakened the underlying IT platforms. They are poorly placed to support new and evolving business technology such as e-commerce, cloud computing and mobile working.
      • Cultural Change – The rise of the ‘Internet generation’, coupled with high levels of personal technology adoption, has caused an irreversible change in attitudes to protecting information.
      • Globalization – Continuing globalization means that organizations of all kinds are subject to greater threats, as a result of being seen as an attractive target, having to meet the needs of multiple legal jurisdictions, and becoming a more complex organization.
    • 1. The Need for BCM/BIA (Over-reliance on the Internet)
      • SITUATION – over-reliance on the Internet for all forms of communications and transactions has resulted in a lack of choice for customers in how they interact with organizations such as banks, airlines and online retailers – and a higher potential risk of business impact from sustained corporate/regional Internet failures.
      • THREATS – under-investment in critical infrastructure and/or unsecured critical infrastructure leads to poor resilience at network pinch points, with risk of complete loss of communications and transaction channels.
      • ACTIONS – evaluate business continuity management (BCM) and contingency arrangements prior to contracting with providers; ensure Business Impact Analyses (BIA) are undertaken for Internet channels.
    • 2. The Rise of Cloud Computing and Virtualization (Platform-as-a-Service, Infrastructure-as-a-Service, and Security)
      • SITUATION – the business and cost benefits of cloud computing have led to short-cuts being taken, and security and compliance concerns being overridden. The use of virtualization increases the “attack surface” and adds “virtualization software vulnerabilities”.
      • THREATS – rising costs associated with proving cloud computing compliance, and a rise in incidents associated with fraudulent activities and external attacks masked by the cloud. Attacks on virtualization are on the rise.
      • ACTIONS – develop strategies for virtualization, cloud computing security and compliance, covering identity and access mechanisms, disaster recovery, information classification, and contingency plans for retrenchment from the cloud if necessary.
    • 3. Pervasive Computing/Ubiquitous Computing (Eroding Network Boundaries)
      • SITUATION – mobile and remote working, outsourcing and cloud computing have combined to all but remove organizations’ network boundary with the outside world.
      • THREATS – point security solutions are unable to prevent widespread loading of software from untrusted sources; unauthorized system, network or information access; or compliance failures in areas such as security and privacy.
      • ACTIONS – consider architectural options for “working without a network boundary”, and investigate concepts of trusted zones and niche application of products such as digital rights management (DRM) and data loss prevention (DLP).
    • 4. The Rise of Mobile Computing (The Smartphone is the new PC)
      • SITUATION – the predominance of smartphones, both corporate and private, has blurred the line between business and personal usage, leading to unproven and untrusted software being used for business/private communications and transactions.
      • THREATS – theft or loss of equipment, along with potential distribution of mobile phone malware (MitMo; Man-in-the-Mobile), leads to increased risk of business/private information loss and fraud.
      • ACTIONS – establish security policies for use of mobile phones and access management across devices; establish asset management for smartphones and assess the security implications of their use; educate users by launching a security awareness program.
    • 5. The Rise of the Internet Generation (Changing Cultures of the Techno-Generation (Gen-Y))
      • SITUATION – for the Internet generation, the boundaries between work and home life are even more indistinct; some even have difficulty distinguishing between real life and fantasy life (the ‘avatar effect’/‘the matrix effect’). Traditional information security awareness approaches are not properly applied.
      • THREATS – email, Internet access and social network use bypass corporate controls, increasing the risk of business information disclosure and compliance failure. Internet banking threat: MitB (Man-in-the-Browser), for example the Zeus Trojan and the SilentBanker Trojan.
      • ACTIONS – create a profile of users, enhance security awareness for all users, establish baseline policies and deploy technical controls in line with risk; evaluate the use of Internet reputation protection services.
    • 6. Privacy vs. Security (Corporate Fraud is on the rise; the need for Lawful Interception)
      • SITUATION – the conflict between the right to privacy and the need of government agencies to analyse personal information in crime prevention has reduced public confidence in organizations’ ability to safeguard personal information to an all-time low. Many countries have banned BlackBerry services over lawful intercept issues.
      • THREATS – organizations need to achieve compliance across different jurisdictions with different levels of privacy protection, leading to a higher risk of compliance failure and business information disclosure.
      • ACTIONS – ensure privacy policies for employees and customers are clear and meet all jurisdictions’ needs; create a forum for discussing changes in the law with legal advisors and industry colleagues.
    • 7. A Lack of Corporate Security Awareness Programs (LifeStyle Hacking; Integrated Hack vs. Integrated GRC)
      • SITUATION – targeted attacks and organized crime are on the rise. Next-generation hacking focuses on the user's lifestyle, and many corporate users are unaware of Internet security threats.
      • THREATS – blended threats, Advanced Persistent Threats (APT), Remote Access Trojans, LifeStyle Hacking, “Drive-by Download”.
      • ACTIONS – implement a corporate iSAT (Information Security Awareness Program) at least once a year; train and educate all users; study occupational fraud prevention and detection.
    • 8. The Rise of Social Computing (Insecure use of social software/social media)
      • SITUATION – the rise of social media/social networking over high-speed Internet. Viral marketing (social marketing) techniques use pre-existing social networks to produce increases in brand awareness or to achieve other marketing objectives through self-replicating viral processes, analogous to the spread of biological or computer viruses.
      • THREATS – rapid growth in use of home and mobile equipment has left the security function unable to cope with the need to manage and protect personally owned or remote equipment to a proper standard, leading to potential compliance failure and disclosure of business information.
      • ACTIONS – educate users and implement a corporate social network security policy; implement application-level filtering technology to monitor/block malicious software related to social network software.
    • 9. Insecure Coding and Application Development Practices (Application Security)
      • SITUATION – vulnerabilities in today's application software; lack of security awareness among system programmers/application developers when designing and developing application software; insufficient web application security knowledge.
      • THREATS – web application hacking is the most common hacking method; criminals are targeting the application layer. Attackers know that you have firewalls and are finding new ways to ‘hack’ into your systems, because hacking the network is no longer convenient.
      • ACTIONS – today we are wiring the world with applications. Having skilled professionals capable of designing and deploying secure software is now critical to this evolving world.
    • 10. The Threats Convergence (Integrated Hack) (Cyber Espionage / Advanced Persistent Threat (APT))
      • SITUATION – while there is continued focus on mitigating information security threats, efforts are still largely siloed. Attackers have adopted strategies based on a combination of threats, some of which are outside the information security remit. The highly competitive global market has given rise to more sophisticated cyber-espionage attacks, both from commercial competitors and from organized criminals.
      • THREATS – the converged threat approach can be used to obtain authentication details, gain access to systems or networks, misuse systems to commit fraud, steal proprietary information and introduce malware. Increased risk of loss of proprietary information through hacking and other cyber attacks, potentially leading to a loss of reputation and trust.
      • ACTIONS – establish common risk languages across the organization; seek pragmatic ways to assess and manage risk holistically; and report on converged threats to the organization.
    • Live Show in Cyber Defense Initiative Conference 2010 (CDIC 2010): Spear Phishing, PDF Embedded EXE Attack; AutoHack Penetration Testing Tools Become Hacker Aid; RFID Tag Counterfeiting: Case Study e-Passport RFID Tag Hack; E-Passport Contactless (VISA Wave Hacking)
    • Live Show in CDIC 2010 (continued): Credit Card and Magnetic Card Hacking; GPUs and FPGAs in PC-Based Heterogeneous Systems (DIY Supercomputer Crack: GPGPU, FPGA); Wireless Rogue AP & WPA Hacking on Cloud Computing (Rogue AP, EAP, WPA key cracking on cloud computing); The Return of BOT with CAPTCHA Attack
    • Live Show in CDIC 2010 (continued): Advanced, New and Unseen Social Networking Attacks; Advanced Persistent Threats (APT): SpyEye, Zeus, GhostNet, Kneber Botnet and SilentBanker Trojan; Advanced Hacking on Smart Phones (iPad, iPhone, Android, BlackBerry, Smartphone)
    • Why we need Hacking Techniques for IT auditing
    • The Need for ITG: 7 IT Challenges – 1. Keeping IT Running; 2. The Essentials of IT and Value; 3. Costs; 4. Mastering Complexity; 5. Aligning IT With Business; 6. Regulatory Compliance; 7. Security. (Diagram labels: Information Security Standards, Best Practices and Frameworks; Organization IT Resources and Expenses.)
    • “GRC”, not only “ITG” and “ISG” => “CG”. (Diagram: Governance, Risk Management, Compliance.)
    • An Integrated Approach To Governance, Risk & Compliance (driven by Stakeholder Expectations)
      • Governance – Setting objectives, tone, policies, risk appetite and accountabilities. Monitoring performance. Key linkage: Objectives & Risk Appetite.
      • Enterprise Risk Management – Identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities. Key linkage: Risk Response & Control Activities.
      • Compliance – Operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.
      • Foundation: Laws, Policies, Procedures, Processes/systems, People, Tools & Technologies.
      • Source: “A New Strategy for Success Through Integrated Governance, Risk and Compliance Management”, PwC white paper
    • Integrated GRC Framework. Source: wikipedia.org/wiki/Governance,_Risk_Management,_and_Compliance
    • (Diagram: TOP / MIDDLE / BOTTOM)
    • Enterprise Governance: Corporate Governance (CG) Drives IT Governance (ITG) and Information Security Governance (ISG)
      • Enterprise governance is about: Performance – improving profitability, efficiency, effectiveness, growth, and so on; Conformance – adhering to legislation, internal policies, audit requirements, and so on.
      • Enterprise governance and IT governance require a balance between the conformance and performance goals, as directed by the board.
    • Integrated Frameworks on Business / IT Alignment (Source: modified from IT Governance (COBIT), ITGI)
      • Drivers – CONFORMANCE: Basel II, Sarbanes-Oxley Act, contracts etc.; PERFORMANCE: Business Goals.
      • Enterprise Governance: COSO and Scorecard. IT Governance: COBIT.
      • Best Practice Standards and their Processes and Procedures: ISO 9001:2000 – QA procedures; ISO/IEC 17799 – Security principles; ISO/IEC 20000/ITIL – Service Delivery procedures; BS 25999 – BCM procedure; BS 25777 – ICT CM procedure.
    • How to implement Standards and Best Practices in Thailand
      • Drivers: SOX, HIPAA, GLBA, PCI DSS, BASEL II; Thai E-Transaction Laws and Computer Crime Laws; Thai OAG / TRIS / BOT / SEC / OIC. Balancing Strategies on Process, People and Technology.
      • COSO (The Committee of Sponsoring Organizations of the Treadway Commission) => ISO 31000 – Financial Reporting & Business Process Oriented requirements.
      • CobiT 4.1 => CobiT 5 (Control Objectives for Information and related Technology) – IT oriented, bridging the gap between business processes and IT controls.
      • ISG => ISO/IEC 27001 (ISMS); BS25999 (BCMS) => new SC27 ISO 22301; ISO/IEC 20000 (ITSMS) & ITIL.
    • GRC and Related IT Management Frameworks: Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT (IT Governance) acting as the consolidator (‘umbrella’). (Diagram, WHAT vs. HOW against scope of coverage: COSO, COBIT, ISO 17799, ISO 27001, ISO 9000, ISO 20000, ITIL, CMM, BCM. Source: ITGI)
    • Integrated GRC Related Standards & Best Practices
    • COBIT, COSO, ITIL & Compliance: Process and Control Framework
      • Processes: Enterprise Business Processes, Financial Processes, IT Processes (ITIL®/CMMi®), each with Application Controls.
      • Control layers: Company-Level Controls (COSO), Application Controls, IT General Controls (COBIT™).
      • Control Frameworks: COSO – control and risk management for corporate governance; COBIT™ – IT Control Objectives. IT Process Frameworks: ITIL®/CMMi® – IT Best Practices.
      • COBIT™ is a trademark of ISACA; ITIL® a trademark of OGC; CMMi® a trademark of SEI.
    • COBIT, COSO, ITIL & Compliance: How does it all fit together?
      • Control Frameworks (COSO, CobiT) – what controls you should have.
      • Process Frameworks (ITIL, CMMi) – what processes you should implement.
      • Tools and IT Service Consulting – how to implement the required controls and processes.
      • COSO: The Committee of Sponsoring Organizations of the Treadway Commission; COBIT: Control Objectives for Information and Related Technologies; CMMi: Capability Maturity Model Integration.
    • Manage IT from a Business Perspective. (Diagram: Applications – Function 1, Function 2, Function 3 – managed as Business Services.)
    • Use Controls to Go Faster. IT Controls: enable new services; support growth; lower risk; reduce cost. (Cost, Availability, Performance.)
    • How to use COBIT, ISO/IEC 27001, CMM and ITIL: COBIT is based on and accommodates major international standards, and it is increasingly recognized as the de facto framework for IT governance. COBIT is focused on what is required to achieve this governance and control at a high level. It has been aligned with other best practices and can be used as the “integrator” of different guidance materials, such as ISO/IEC 27001 and ITIL. (Diagram layers, top to bottom: ISO/IEC 27001 – Strategic; COBIT – Process Control; CMM – Process Execution; ITIL – Work Instruction, with work instructions 2, 3, 4, 5, 6 … beneath.)
    • Big Picture of International Standards and Best Practices: The relevance of standards and practices depends on the organization and its priorities and expectations. An organization may decide to adopt all, one, or part of one of the standards to improve the performance of a business process or enable business transformation. (Chart: Specific – General – Holistic against Improvement Goal from Low (Process Improvement) through Moderate to High (Business Transformation); TCO, CMM, ISO/IEC 27001, ITIL/ISO/IEC 20000, COBIT, Six Sigma, ISO/IEC 9000, Malcolm Baldrige Award, Scorecards; “Relevant to IT”.) COBIT is positioned centrally at the General level, helping integrate technical and specific practices with broader business practices.
    • Business Model for Information Security: BMIS is primarily a three-dimensional model. It consists of four elements and six dynamic interconnections (DIs).
    • Recognizing Enterprise Architecture: The security programme is subject to the overarching direction provided by enterprise governance and its subsidiary areas, namely governance of IT and—in some cases—detailed security governance provisions. The security programme implements a layer below the overall governance framework. Source: www.isaca.org, “BMIS”, the business model for information security, 2010
    • Aligning Common Security Standards. Source: www.isaca.org, “BMIS”, the business model for information security, 2010
    • Aligning Generic Frameworks. Source: www.isaca.org, “BMIS”, the business model for information security, 2010
    • Zachman Enterprise Framework
    • Enterprise Architecture Framework Based on ‘The Open Group Architecture Forum’ (TOGAF). (Diagram: Business Risks (What) – Business Vision & Drivers; Business Architecture – Business Processes, Organizational, People; Data (Information) Architecture; Application (Services) Architecture; Technology Architecture – Hardware, Software, Network; IT Risks (How).)
    • Business drivers for an integrated approach to GRC (Governance, Risk and Compliance): increased complexity due to globalisation; increasing regulations; increased competitive pressures; new technologies; ethical and financial scandals; integrity-driven performance expectations; transparency and accountability demands; increased demands from stakeholders.
    • Hottest Cloud in 2011
    • Apple New Data Center in NC ($1 Billion)
    • iCloud Features
    • Does iCloud Pose Security Risks To Users? Does iCloud make iPhones and iPads a security risk?
    • iCloud Raises Serious Data Security Concerns
      • Those intent on hacking into big systems will soon have a big new target. Apple announced its iCloud service, which stores massive amounts of content, much like a giant storage system in the sky. iCloud users will be able to wirelessly access their music, photos, email, calendar and all kinds of other content on several devices. It's meant to eliminate the need to sync phones, computers, laptops and tablets. It's all about convenience. But is it safe?
      • The forthcoming free Apple service syncs among iCloud-enabled devices, moving data to devices and cloud servers outside your control.
    • iCloud Raises Serious Data Security Concerns (continued)
      • A simple phishing scam or socially engineered attack could easily dupe a user into surrendering username and password credentials that will expose the data stored in iCloud.
      • In order for iCloud to be a success, Apple has to assure consumers and businesses that the data is protected.
      • The convenience of having documents automatically synced to iCloud aside, what happens when the business wants to delete that information?
    • Concepts for New ITG Framework: Life Cycle Approach (7 phases). (Diagram labels: “IT Governance”, “Enterprise Governance”, Frameworks, Standards, “Best Practices”, “Adapt”, “Adopt”.)
    • Strategic GRC & iSAT for Management Security intelligence Concepts for New ITG Framework Implementation Life Cycle “Implementing and Continually Implementing IT Governance” 4 Components Create the right environment Programme Management Project Management Change Enablement Continual Improvement Life Cycle 7 © Copyright, ACIS Professional Center Company Limited, All rights reserved 58
    • Strategic GRC & iSAT for Management Security intelligence Inside COBIT 5 Design COBIT 5 ISACA Initiative “TGF” “Taking Governance Forward” COBIT 5 7 Framework Val IT, Risk IT, BMIS ITAF Framework Framework “Migrate” COBIT 4.1 COBIT 4.1 Enterprise Architecture (EA) Decision Making People Skill Organization Structure Charge Enablement Sustainability “Governance Process” “Management Process” “ ”“ “ “Standard” “Best Practice” © Copyright, ACIS Professional Center Company Limited, All rights reserved 59
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 Family of Products COBIT 5.0 COBIT 4.1 Internal Stakeholder External Stakeholder COBIT 5 Stakeholder COBIT 5 Family of Products COBIT 5 for Risk COBIT 5 for Value COBIT 5 for Security COBIT 5 for Compliance © Copyright, ACIS Professional Center Company Limited, All rights reserved 60
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 Objectives COBIT 5 will: • Provide a renewed and authoritative governance and management framework for enterprise information and related technology, building on the current widely recognized and accepted COBIT framework, linking together and reinforcing all other major ISACA frameworks and guidance such as: Val IT Risk IT BMIS ITAF Board Briefing Taking Governance Forward • Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.) © Copyright, ACIS Professional Center Company Limited, All rights reserved 61
    • Strategic GRC & iSAT for Management Security intelligence Other Guidance Options The COBIT 5 product architecture will also contain practitioner guidance designed to support specific business requirements, the needs of ISACA constituent groups, specific content topic development and reference to the COBIT framework and specific framework as necessary. Such guidance could include: Getting Started Guides Mappings Surveys and Benchmarks Implementation Guides © Copyright, ACIS Professional Center Company Limited, All rights reserved 62
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 – Management of Enterprise IT COBIT 5 Standard Best Practice 60 ITIL V3, ISO 27000 Series, ISO 20000, ISO 38500:2008, TOGAF V9 ISO 9000:2008 COBIT 5 “Change” (Culture) (Behavior) ISACA Implement IT Governance Life Cycle CSI 6 Steps Model ITIL V3 7 Steps © Copyright, ACIS Professional Center Company Limited, All rights reserved 63
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 : ITG Focus Areas “IT Governance” 5 Strategic Alignment Value Delivery Risk Management Resource Management Performance Measurement © Copyright, ACIS Professional Center Company Limited, All rights reserved 64
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 : ITG Focus Areas 1. Strategic Alignment “ ” “Align” Strategic Alignment Aligning IT with Business © Copyright, ACIS Professional Center Company Limited, All rights reserved 65
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 : ITG Focus Areas 2. Value Delivery Value Creation “ ” , “ ” Value Delivery $ © Copyright, ACIS Professional Center Company Limited, All rights reserved 66
    • Strategic GRC & iSAT for Management Security intelligence ITG Focus Areas: Value Delivery Focus “Two Views of Control” © Copyright, ACIS Professional Center Company Limited, All rights reserved 67
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 : ITG Focus Areas 3. Risk Management Value Preservation “Value Delivery” (Value Creation) Risk Management (Value Preservation) (Assess) (Analysis) (Treatment) (Risk Reduction, Risk Retention, Risk Avoidance Risk Transfer) Risk Acceptance Criteria (ISO 27005:2008) Risk Management © Copyright, ACIS Professional Center Company Limited, All rights reserved 68
    • Strategic GRC & iSAT for Management Security intelligence COBIT 5 : ITG Focus Areas 3. Risk Management Value Preservation (cont.) (Risk Aware) “Risk Appetite” Risk Acceptance Level” “ ” IT Governance Governance, Risk Management and Compliance (GRC) “IT Risk” “Business Risk” “IT Risk “Business Risk” © Copyright, ACIS Professional Center Company Limited, All rights reserved 69
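The assess, analyse and treat steps on the two risk management slides, as an added example that is not part of the original deck: a constructed IT risk register is scored, compared with a risk acceptance level standing in for the slides' risk appetite, and assigned one of the four treatment options. The scales, thresholds, sample risks and control effects are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ordinal scales: likelihood and impact 1..5, level 1..25.
RISK_ACCEPTANCE_LEVEL = 6   # at or below: inside the risk appetite
AVOIDANCE_THRESHOLD = 20    # at or above with no adequate control: stop the activity


@dataclass
class ITRisk:
    name: str
    business_risk: str                 # business consequence the IT risk maps to
    likelihood: int                    # 1 rare .. 5 almost certain
    impact: int                        # 1 negligible .. 5 severe
    residual_after_control: Optional[int] = None  # level after the best available control
    transferable: bool = False         # insurable or shiftable by contract


def assess(risk: ITRisk) -> int:
    """Analysis step: inherent risk level on the constructed scale."""
    return risk.likelihood * risk.impact


def select_treatment(risk: ITRisk, acceptance: int = RISK_ACCEPTANCE_LEVEL,
                     avoid_at: int = AVOIDANCE_THRESHOLD) -> Tuple[str, int]:
    """Treatment step: (option, residual level the business is asked to accept).

    Retain what is already within appetite, reduce when a control brings it
    within appetite, transfer when a third party can carry it, avoid what no
    control can make tolerable; anything left needs explicit sign-off.
    """
    level = assess(risk)
    residual = risk.residual_after_control
    if level <= acceptance:
        return "retention", level
    if residual is not None and residual <= acceptance:
        return "reduction", residual
    if risk.transferable:
        return "transfer", level if residual is None else residual
    if level >= avoid_at:
        return "avoidance", 0
    return "reduction (residual needs sign-off)", level if residual is None else residual


def build_register(risks: List[ITRisk]) -> List[Tuple[str, str, int, str, int]]:
    """Risk register rows: IT risk, business risk, level, treatment, residual."""
    return [(r.name, r.business_risk, assess(r), *select_treatment(r)) for r in risks]


# Constructed sample register (the first entry echoes the iCloud phishing slide).
SAMPLE_RISKS = [
    ITRisk("Phished credentials expose cloud-synced documents", "confidentiality breach",
           likelihood=4, impact=4, residual_after_control=4),   # MFA plus awareness training
    ITRisk("Backup media lost in transit", "regulatory fine",
           likelihood=2, impact=5, residual_after_control=8, transferable=True),
    ITRisk("Core application on an unsupported OS", "prolonged outage", likelihood=5, impact=5),
    ITRisk("Shared printer firmware outdated", "minor disruption", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
```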
    • COBIT 5: ITG Focus Areas 4. Performance Management: "IT KPI", "IT Metric", "IT Performance Management"; a "Metric" for each stakeholder; Performance Scorecard, Dashboard, Benchmarking. "If you cannot measure it, you cannot manage it." (Performance Measurement)
    • COBIT 5: ITG Focus Areas 4. Performance Management (cont.): "Measurement" and "Manage": "If you cannot measure it, you cannot manage it". Certification Body (CB), ISO/IEC 27001, effectiveness of the ISMS (ISO/IEC 27001).
    • COBIT 5: ITG Focus Areas 5. Resource Management: 4 resources: 1. People 2. Infrastructure 3. Application 4. Information. "Human Resource Management", "Knowledge Worker".
    • COBIT 5: ITG Focus Areas: COBIT Framework and IT Governance Implementation Guide. The COBIT IT Governance Implementation Guide is a "Method", not the "Solution" ("It's a method, not the solution!", Luc Kordel). The framework is something to "Adopt" and "Adapt" to the Corporate Culture, Style and People Skill.
    • ISO/IEC 38500:2008 Corporate Governance of Information Technology (ITG Framework). ITG Principles: Principle 1: Responsibility; Principle 2: Strategy; Principle 3: Acquisition; Principle 4: Performance; Principle 5: Conformance; Principle 6: Human Behavior. ITG Model: a) Evaluate b) Direct c) Monitor.
    • Aligning CobiT, ITIL and ISO 27002 for Business Benefit (Source: ITGI)
    • International Register of Certificated Auditors: ACIS and TUV NORD, 3 IRCA Certified Training Courses
    • Information Security Governance (Source: ITGI)
    • Information Security Governance Conceptual Framework (Source: ITGI)
    • IT Risk vs. Risk IT and Its Impact on Business
    • "IT Risk" book from Harvard Business School
    • Categories of IT risk
    • IT Risk vs. IT Opportunity: Techniques and Uses for Risk IT and its Supporting Materials for Risk and Opportunity Management (Using COBIT, Val IT and Risk IT). IT Risk ⇒ Business Risk ⇒ Enterprise Risk (Value Inhibitor); IT Opportunity (Value Enabler).
    • The Core Disciplines of Risk Management
    • The Three Core Disciplines of Effective Risk Management: 1. A well-structured, well-managed foundation of IT assets, people, and supporting processes 2. A well-designed risk governance process to identify, prioritize, and track risks 3. A risk-aware culture in which people understand causes and solutions for IT risks and are comfortable discussing risk
    • ISACA Risk IT Framework: Risk IT is based on COBIT objectives and principles.
    • Risk IT Framework Principles: Defined around these building blocks is a process model for IT risk that will look familiar to users of COBIT and Val IT. Substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process. The processes are divided into three domains, Risk Governance, Risk Evaluation and Risk Response, each containing three processes:
      Risk Governance: o Establish and Maintain a Common Risk View o Integrate with Enterprise Risk Management o Make Risk-aware Business Decisions
      Risk Evaluation: o Collect Data o Analyze Risk o Maintain Risk Profile
      Risk Response: o Articulate Risk o Manage Risk o React to Events
    • Risk IT Process Model
    • Elements of Risk Culture
    • Embedding Standards & Best Practices in the organization's culture
    • Awareness Training: Information Security Awareness Program Development: Awareness (What), Training (How), Education (Why)
    • Competency, Knowledge, and Skills
    • The Seven Habits of Highly Effective People: 1. Be Proactive 2. Begin with the End in Mind 3. Put First Things First 4. Think Win-Win 5. Seek First to Understand, Then to Be Understood 6. Synergize 7. Sharpen the Saw. From "The Seven Habits of Highly Effective People: Restoring the Character Ethic" by Stephen R. Covey, Simon and Schuster, 1989.
    • Time Management: "Put the Big Rocks in First" (quadrants 1 to 4)
    • Six Thinking Hats, Edward de Bono
    • ACIS eEnterprise Series I, ISBN 978-974-401-593-8. Tel. 0-2642-3400, 3991-5
    • ACIS eEnterprise Series II: Strategic Roadmap with International Standards and Best Practices to Integrated GRC. ISBN xxx-xxx-xxx-xxx-x. Tel. 0-2642-3400, 3991-5
    • "360 Degree IT Management Book"
      Part 1: Introduction to "GRC", "IT GRC" and "Integrated GRC" Implementation
      Part 2: IT Governance implementation using CobiT and the New CobiT Framework
      Part 3: Balancing Improving Efficiency and Quality of IT Service Management with ISO/IEC 20000 and ITIL V3
      Part 4: Information Security Management Implementation with ISO/IEC 27001
      Part 5: Effective and Efficient Business Continuity Management and Crisis Management
    • What's the future trend in Thailand? Audit => Forensic => Fraud; Security => Privacy; BIA (part of BCM) => PIA. BIA = Business Impact Analysis; PIA = Privacy Impact Assessment.
    • "Social Networking Security"
    • "Social Networking Security": 1. Social Media / Social Networking 2. Facebook, Twitter 3. 4. Facebook 5. 6.
    • www.cdicconference.com, 29-30 November 2011 @BITEC
    • Future Trend 2012 (Conference Highlights)
      • The Latest Update: Top Ten Cyber Security Threats and Emerging Trends in Year 2012 and Beyond
      • The Latest Update: International Business-IT and Security-related Standards and Best Practices Trends, including the New ISO/IEC 27001 and COBIT 5
      • Practical Cloud Computing Implementation and its security concerns
      • Encountering and Balancing Security vs. Privacy Issues, and Privacy Impact Assessment (PIA)
      • What else, when an enterprise needs a framework for "IT GRC", "Security GRC" and "Integrated GRC"?
    • Future Trend 2012 (Conference Highlights)
      • Integrating Enterprise Governance with IT Governance (ITG) and Information Security Governance (ISG); Integrated Audit and Risk Assessment for High Performance Organization and Operational Excellence
      • How to drive a Strategic GRC implementation into Business Alignment: Conformance vs. Performance, Create Value vs. Preserve Value, and Corporate Social Responsibility (CSR) vs. Creating Shared Value (CSV)
      • The New Business Impact Analysis (BIA) and Risk Analysis (RA) from ISO 22301 (BCMS) for Critical Infrastructure
      • Layer 8 Exploitation: Lock 'n' Load Target
      • IPv4 to IPv6 State Transition Vulnerabilities & Exploits
    • Future Trend 2012 (Conference Highlights)
      • Strategic Roadmap and Move on Enterprise Cloud Infrastructure
      • The New Patterns of Advanced Persistent Threats (APT) and Targeted Attacks from Anonymous and LulzSec Groups
      • Advanced Smart Phone Forensics
      • Mobile Malware Transformation
      • GSM Deception Episode II
      • In-depth Live Show Demonstration on New Advanced Cybercrime and Ethical Hacking Techniques, Gadgets and Tools
      • Real Case Studies from Professionals and the International Security Experts
    • www.snsconference.com SNSCON and MOBISCON 2011, 28-29 June 2011; www.cdicconference.com Cyber Defense Initiative Conference 2011, 29-30 November 2011
    • www.TISA.or.th Thailand Information Security Association; www.acisonline.net ACIS Professional Center Co., Ltd.; prinya@acisonline.net
    • RSA Conference 2011, (ISC)2 member reception
    • Risk Culture/Culture of Security: "When we look at the future of Internet Security with billions of devices online, the first thing we do is that we have to create the culture of security." CDIC 2008 Keynote Speech, Howard Schmidt, CEO of The Information Security Forum, Cyber-Security Coordinator of the Obama Administration
    • "Risk Culture/Culture of Security"
    • My Facebook and Twitter: http://www.facebook.com/prinyah http://www.twitter.com/prinyaACIS; CDIC Conference 2011 http://www.cdicconference.com; ACIS Professional Center Co., Ltd. http://www.acisonline.net; Thailand Information Security Association http://www.tisa.or.th; 13-Oct-11