Assocham conf grc sept 13

Published in: Business, Technology
Slide notes
  • Cyber Governance & Business Assurance, September 10, 2013, Prof. KS@2013 Assocham lecture GRC Sept 2013
  • Threat modeling notes: How do you handle it, and where do you start? It is part of the SWOT analysis (strength, weakness, opportunity and threat analysis). Threat modeling, just like reliability modeling for any system, is a good starting point: decompose your system, analyze each component for susceptibility to the threats, and mitigate the threats.
  • By defining the scope of the threat, one can identify the various attacks that can happen, such as vulnerability exploitation, privilege abuse, social engineering, reaching for a "jewel" (a high-value asset), etc.
  • Maturity model notes: The development was guided by the Software Engineering Institute's efforts in the late 1980s in building maturity models for software development. By using such a scale, an organization can determine where it is, define where it wants to go and, if it identifies a gap, analyze how to translate the findings into projects. Reference points can be added to the scale. Comparisons can be made with what others are doing, if that data is available, and the organization can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.

    1. Cyber Governance & Business Assurance in the Cyber Era: Challenges Before the Corporates
       Prof. K. Subramanian, SM(IEEE, USA), SMACM(USA), FIETE, SMCSI, MAIMA, MAIS(USA), MCFE(USA)
       Founder Director & Professor, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
       Ex-IT Adviser to CAG of India; Ex-DDG (NIC), Ministry of Comm. & IT
       Emeritus President, eInformation Systems, Security, Audit Association; Former President, Cyber Society of India
    2. Agenda
       • Introduction
       • Cyber Governance & Governance components
       • Risk assurance (modelling & other approaches)
       • Standards & Compliance
       • Assurance Framework & PPP
       • Challenges for Technologists & Businesses
    3. Notable Quotes
       • "The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." G. K. Chesterton
       • "Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." Roger Revelle
       • "The law is the last interpretation of the law given by the last judge." Anon.
       • "Privacy is where technology and the law collide." Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)
       • "Technology makes it possible for people to gain control over everything, except over technology." John Tudor
    4. 10th September 2013, Prof. KS@2013 Assocham conf GRC 2013
       Mediating Factors between Organizations and Information Technology: Environment, Culture, Structure, Standard Procedures, Politics, Management Decisions, Chance
    5. Principles of Good Governance
       • Leadership, Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty
       • Humane Governance: should be creative; uses knowledge for national wealth and health creation; understands the economics of knowledge; high morality
    6. Governance Components: Project Governance, IT Governance, Legal Governance, Security Governance, Human & Humane Governance
    7. Cyber Governance Components
       • Environmental & ICT Infrastructure
       • Operational (logistics integration)
       • Technology (synergy & convergence)
       • Network (multi-modal network)
       • Management (HRM, SCM & CRM)
       • Impact (feedback correction)
       • Operational Integration (functional)
       • Professional Integration (HR)
       • Emotional/Cultural Integration
       • Technology Integration
    8. Corporate Governance Business Assurance Framework
       • Global phenomena: combines the Code of the UK and SOX of the USA; Basel II & III; Project Governance; IT Governance; Human & Humane Governance
       • India initiatives: 1. Clause 49; 2. Basel II & III (RBI); 3. SEBI corporate governance implementation directives; 4. Risk management (RBI & TRAI); 5. MCA initiatives
    9. Global Issues with Governance of Cyber Space
       • Information Technology & Business: current status and future. Does IT matter?
       • IT-enabled business: role of information and information systems in business; role of information technology in enabling business; IT dependence
       • Changing role of the CIO
       • Web 2.0 and 3.0 and governing cyberspace
       • eBusiness, eHealth, eBanking, eGovernance
       • Current challenges and issues
    10. Creating Trust in an Enterprise. Today's information explosion is creating challenges for business and technology leaders at virtually every organization. The lack of trusted information and the pressure to reduce costs are on the minds of CEOs and senior executives around the world. Solving these challenges requires a paradigm shift: from generating and managing silos (of information, of talent and skills, of technologies and of projects) to an environment where information is a trusted, strategic asset shared across the company.
    11. Transition: Insurance, Audit, Assurance (Assurance Layered Framework)
        • Insurance
        • Audit: pre, concurrent and post audit; IT audit (environmental, operational, technology, network, financial, management, impact); electronic continuous audit; certification
        • Assurance: management & operational assurance (risk & ROI); technical assurance (availability, serviceability & maintainability); financial assurance; revenue assurance (leakage & fraud); legal compliance & assurance (governance)
    12. Why Assurance? Competitive Threats & Way Forward
        • Threats: internal competition from liberalization; world competition from globalization; entrenched competition abroad; asymmetry in scale, technology, brands; industry shakeouts and restructuring
        • Way forward: learn more about own businesses; reach out to all business & function heads; sharpen internal consultancy competences; proactively seize the repertoire of MS & partners; foster two-way flow of IS & line talent
    13. Key Areas of Assurance
        • Organizational: systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
        • Supplier: confidence that controls of third-party suppliers are adequate & meet the organization's benchmarks
        • Business partners: confirmation that security arrangements with partners assess & mitigate business risk
        • Services & IT systems: capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business
    14. What and Why of Business Assurance
        • Manufacturing: developing & implementing policies & procedures to ensure operations are efficient, consistent, effective & compliant with law
        • Services: process that establishes uninterrupted delivery of services to customers and protects interests & information
        • Project: confirmation that the business case is viable and actual costs and timelines are in line with plan costs & schedules
        • Objective: delivers significant commercial value to the business while fully compliant with regulatory requirements; to avoid Enron-type scandals and comply with Sarbanes-Oxley in the US and Clause 49 in India
    15. Assurance Stakeholders: Board of Directors, Management, Staff/Employees, Organisation, Customers, Public, Suppliers, Enforcement & regulatory authorities, Owner, Creditors, Shareholders, Insurers, Business partners
    16. Benefits of Assurance
        • Contributes to effectiveness & efficiency of business operations
        • Ensures reliability & continuity of information systems
        • Assists in compliance with laws & regulations
        • Assures that organizational risk exposure is mitigated
        • Confirms that internal information is accurate & reliable
        • Increases investor and lender confidence
    17. Benefits of Assurance (continued)
        • Supports informed decision making at management and Board level
        • Identifies and exploits areas of risk-based advantage
        • Ability to aggregate business unit risk in multiple jurisdictions & locations
        • Demonstrates proactive risk stewardship
        • Establishes a process to stabilize results by protecting them from disturbance
        • Enables independent directors to decide with comfort and confidence
    18. Design Parameters (matrix of actor roles: business, technical; government, regulatory; government, developmental; business, financial; civil society, informational; civil society, technical)
        • ICT operations and maintenance; ICT planning and design; investment in R&D; marketing and distribution; project management and construction; training
        • Borrowing capacity; capital investment, e.g. network expansion; ICT technical solutions; revenue collection; ICT risk/venture capital; sales and promotions; subsidies; access to development finance
        • ICT regulatory powers (price, quality, interconnections, competition); ICT transaction/concession design; investment promotion; legal framework for freedom of information; ICT infrastructure strategy; ICT skills development
        • Innovation (high risk), e.g. community telecentres; local customer knowledge; capacity to network; a voice for the socially excluded; expertise in design of 'relevant' content; knowledge of user demand, e.g. technology and information gaps; capacity to mobilise civil society
    19. Operational Integration; Professional Integration (HR); Emotional/Cultural Integration; ICT & Government; Business & Services Integration; multi-technology coexistence and seamless integration; Information Assurance (quality, currency, customization/personalization). ICE is the sole integrator. IT Governance is important.
    20. Managing Interdependencies: Critical Issues
        • Infrastructure characteristics (organizational, operational, temporal, spatial)
        • Environment (economic, legal/regulatory, technical, social/political)
        • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
        • Type of failure (common cause, cascading, escalating)
        • Types of interdependencies (physical, cyber, logical, geographic)
        • State of operations (normal, stressed/disrupted, repair/restoration)
    21. Towards Information Assurance. Increasingly, the goal isn't about information security but about information assurance, which deals with issues such as data availability and integrity. That means organizations should focus not only on risk avoidance but also on risk management, she said. "You have to be able to evaluate risks and articulate them in business terms." Jane Scott-Norris, CISO at the U.S. State Department
    22. Up The Value Chain
    23. Enabling to rapidly move up the Governance Evolution Staircase (rows: Strategy/Policy, People, Process, Technology; cost/complexity rises with value over time)
        • 1. Presence: publish; existing; streamline processes; web site, markup (trigger)
        • 2. Interaction: searchable database, public response/e-mail, content mgmt.; increased support staff, governance; knowledge mgmt., e-mail best practices, content mgmt., metadata, data synch.; search engine, e-mail
        • 3. Transaction: competition, confidentiality/privacy, fee for transaction, e-authentication, self-services; skill set changes, portfolio mgmt., sourcing, increased business staff; BPR, relationship mgmt., online interfaces, channel mgmt.; legacy system links, security, information access, 24x7 infrastructure, sourcing
        • 4. Transformation: funding stream allocations, agency identity, "Big Browser"; job structures, relocation/telecommuting, organization performance accountability, multiple-programs skills, privacy reduces; integrated services, change value chain, new processes/services, change relationships (G2G, G2B, G2C, G2E); new applications, new data structures
        • 5. Outsourcing: define policy and outsource execution; retain monitoring and control; outsource service delivery staff; outsource process execution staff; outsource customer-facing processes; outsource backend processes; applications; infrastructure; constituent: evolve PPP model
    24. Why Information Security Governance is Important. With security incidents and data breaches having a huge impact on corporations, security governance, or oversight by the board and executive management, has assumed importance. Security governance refers to the strategic direction given by the board and executive management for managing information security risks to achieve corporate objectives by reducing losses and liabilities arising from security incidents.
    25. Towards Security Governance
        • Security governance would lead to the development of an information security strategy and an action plan for implementation through a well-defined information security program. Governance would lead to the establishment of organizational structures and processes and monitoring schemes.
        • For the past few years, IT and security professionals have talked about information technology, and particularly information security, as a "business enabler." Today, it might also be called a "compliance enabler." IT and security organizations have both been on the front lines for compliance efforts and are now being asked to play two pivotal roles: first, to provide a secure, well-controlled IT environment to improve business performance; and second, to assist the organization in strategically and tactically addressing its governance, risk and compliance requirements.
    26. Threat & Vulnerability Management
        • Authenticating user identities with a range of mechanisms, such as tokens, biometrics and Public Key Infrastructure
        • Developing user access policies and procedures, rules and responsibilities and a standardized role structure that helps organizations meet and enforce security standards
        • Centralizing user data stores in a single enterprise directory that enables increased efficiency in user administration, access control and authentication
        • Reducing IT operating costs and increasing efficiency by implementing effective user management to support self-service and automate workflow, and by provisioning and instituting flexible user administration
        • You need an integrated threat and vulnerability management solution to better monitor, report on and respond to complex security threats and vulnerabilities, as well as meet regulatory requirements
        • You need to protect both your own information assets and those you are custodian of, such as sensitive customer data
        • You want a real-time, integrated snapshot of your security posture
        • You want to correlate events from data emerging from multiple security touch points
        • You need support from a comprehensive inventory of known threat exposures
        • You need to reduce the cost of ownership of your threat and vulnerability management system
    27. Risk Identification
        • Assess current security capabilities, including threat management, vulnerability management, compliance management, reporting and intelligence analysis
        • Define c
        • Identify technology requirements for bridging security gaps
        • Integrated security information management
        • Develop processes to evaluate and prioritize security intelligence information received from external sources, allowing organizations to minimize risks before an attack
        • Implement processes that support the ongoing maintenance, evolution and administration of security standards and policies
        • Determine asset attributes, such as direct and indirect associations, sensitivity and asset criticality, to help organizations allocate resources strategically
        • Assist in aggregating security data from multiple sources in a central repository or "dashboard" for user-friendly presentation to managers and auditors
        • Help design and implement a comprehensive security reporting system that provides a periodic, holistic view of all IT risk and compliance systems and outputs
        • Assist in developing governance programs to enforce policies and accountability
    28. 9 Rules of Risk Management (RiskMetrics Group)
        • There is no return without risk: rewards go to those who take risks.
        • Be transparent: risk is measured, and managed, by people, not mathematical models.
        • Know what you don't know: question the assumptions you make.
        • Communicate: risk should be discussed openly.
        • Diversify: multiple risks will produce more consistent rewards.
        • Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
        • Use common sense: it is better to be approximately right than to be precisely wrong.
        • Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.
    29. The Insider: Who are They?
        • Who is an insider? Those who work for the target organization or those having relationships with the firm with some level of access: employees, contractors, business partners, customers etc.
        • CSI/FBI Survey key findings (2007-2013): average annual losses of $billion in the past year, up sharply from the $350,000 reported the previous year; insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise; 63 percent of respondents said that losses due to insider-related events accounted for 20 percent of their losses (the prevalence of insider criminals may be overblown by vendors of insider threat tools!)
    30. Solutions Based on Study Recommendations
        • Prevention by pre-hire screening of employees
        • Training and education
        • Early detection: treat the symptoms; attack precursors exist, some of them non-cyber events
        • Establish good audit procedures
        • Disable access at appropriate times
        • Develop best practices for prevention and detection
        • Separation of duties and least privilege
        • Strict password and account management policies
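Three of the recommendations on slides 26 and 30 (correlating events from multiple security touch points, disabling access at the appropriate time, and separation of duties) can be exercised as one small audit check. The Python below is an added example, not material from the slides; the HR revocation feed, the log lines and the change records are constructed, and the two log formats parsed are assumptions made for the illustration.

```python
"""Correlating security touch points to detect insider-risk events.

Added example, not from the slides: an HR access-revocation feed, an
authentication log and a change-approval log are cross-checked to implement
two recommendations above, "disable access at appropriate times" and
"separation of duties". Every record here is constructed sample data.
"""
import re
from datetime import datetime

# Constructed HR feed: account -> date from which access should be disabled
# (None means the person is still active).
REVOCATIONS = {
    "alice": None,
    "bob": datetime(2013, 9, 1),
    "carol": datetime(2013, 8, 15),
}

# Constructed authentication events, one per line, in two assumed formats
# (an sshd-style line and a VPN concentrator line).
AUTH_LOG = """\
2013-09-02T08:12:05 sshd[1021]: Accepted publickey for alice from 10.0.0.5
2013-09-02T21:47:13 sshd[1022]: Accepted password for bob from 10.0.0.9
2013-09-03T03:05:44 vpn: session-start user=carol src=203.0.113.7
2013-09-03T09:30:00 sshd[1040]: Accepted publickey for alice from 10.0.0.5
2013-09-03T11:00:00 sshd[1055]: Accepted password for mallory from 10.0.0.22
"""

# Constructed change-management records: (change id, requester, approver).
CHANGE_LOG = [
    ("CHG-1001", "alice", "dave"),
    ("CHG-1002", "bob", "bob"),
    ("CHG-1003", "carol", "alice"),
]

AUTH_PATTERNS = [
    re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\w+) from (?P<src>\S+)$"),
    re.compile(r"^(?P<ts>\S+) vpn: session-start user=(?P<user>\w+) src=(?P<src>\S+)$"),
]


def parse_auth_log(text):
    """Normalize both log formats into dicts; lines matching no pattern are skipped."""
    events = []
    for line in text.splitlines():
        for pattern in AUTH_PATTERNS:
            m = pattern.match(line)
            if m:
                events.append({"ts": datetime.fromisoformat(m["ts"]),
                               "user": m["user"], "src": m["src"]})
                break
    return events


def logins_after_revocation(events, revocations):
    """Successful logins by accounts HR says should already be disabled."""
    findings = []
    for ev in events:
        cutoff = revocations.get(ev["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            findings.append((ev["user"], ev["ts"].isoformat(), ev["src"]))
    return findings


def unknown_accounts(events, revocations):
    """Accounts seen authenticating that the HR feed does not know about at all."""
    return sorted({ev["user"] for ev in events if ev["user"] not in revocations})


def separation_of_duties_violations(changes):
    """Changes approved by the same person who requested them."""
    return [cid for cid, requester, approver in changes if requester == approver]


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    for finding in logins_after_revocation(evs, REVOCATIONS):
        print("login after revocation:", finding)
    print("accounts missing from HR feed:", unknown_accounts(evs, REVOCATIONS))
    print("self-approved changes:", separation_of_duties_violations(CHANGE_LOG))
```

The point of the third check is that an account absent from the HR feed is itself a finding: the correlation only works when the directory the slides call for (a single enterprise directory) is the same source of truth the HR process updates.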
    31. Threat Modeling
        • Threat modeling is critical to address security: prevention, detection, mitigation
        • There is no universal model yet; mostly case-by-case; efforts are under way
        • Microsoft threat modeling tool: allows one to uncover security flaws using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege); decompose, analyze and mitigate
        • Insider threat modeling essential
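The "decompose, analyze and mitigate" loop with STRIDE can be carried out mechanically once a system is decomposed into data-flow elements. The Python below is an added example, not the Microsoft tool's code or anything from the slides. It assumes the element-to-category table of Microsoft's STRIDE-per-element guidance (repudiation on a data store only when it holds audit records) and a conventional control class per category; the web-shop model is constructed.

```python
"""STRIDE-per-element threat enumeration over a decomposed system.

Added example, not the Microsoft tool's code or the slides' material. The
"decompose, analyze and mitigate" steps run over a small constructed
data-flow model. Assumption: the element-to-category table follows Microsoft's
STRIDE-per-element guidance; the control classes are a conventional mapping.
"""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Decompose: element kinds of a data-flow diagram and the categories that apply.
APPLICABLE = {
    "external": "SR",     # external interactor (user, partner system)
    "process": "STRIDE",  # code that runs
    "flow": "TID",        # data in transit
    "store": "TID",       # data at rest ("R" is added when the store holds logs)
}

# Mitigate: control class that answers each category.
MITIGATION = {
    "S": "authentication", "T": "integrity", "R": "audit logging",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}


@dataclass
class Element:
    name: str
    kind: str                                   # external | process | flow | store
    holds_logs: bool = False
    controls: set = field(default_factory=set)  # control classes already in place


def applicable_categories(el):
    cats = set(APPLICABLE[el.kind])
    if el.kind == "store" and el.holds_logs:
        cats.add("R")  # an attacker altering or deleting log entries
    return cats


def enumerate_threats(model):
    """Analyze: every (element, category) pair the decomposition exposes."""
    return [(el.name, c) for el in model
            for c in "STRIDE" if c in applicable_categories(el)]


def unmitigated(model):
    """Mitigate: threats for which the element lacks the answering control."""
    gaps = []
    for el in model:
        for c in "STRIDE":
            if c in applicable_categories(el) and MITIGATION[c] not in el.controls:
                gaps.append((el.name, STRIDE[c]))
    return gaps


# Constructed model of a small web shop.
MODEL = [
    Element("Customer browser", "external", controls={"authentication"}),
    Element("Web app", "process",
            controls={"authentication", "authorization", "audit logging"}),
    Element("Browser to web app (TLS)", "flow",
            controls={"integrity", "confidentiality", "availability"}),
    Element("Orders DB", "store", controls={"confidentiality"}),
    Element("Audit log store", "store", holds_logs=True,
            controls={"integrity", "confidentiality", "availability", "audit logging"}),
]

if __name__ == "__main__":
    print(len(enumerate_threats(MODEL)), "threats enumerated")
    for name, threat in unmitigated(MODEL):
        print(f"gap: {name}: {threat}")
```

Run as is, the model yields 18 applicable threats and 6 open gaps; the encrypted-but-unreplicated Orders DB, for instance, surfaces Tampering and Denial of Service, which is exactly the kind of finding the slide's "mitigate" step is meant to turn into a control.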
    32. Insider Threat Modeling: how modeling can help you
        • An alternative to live vulnerability testing (which is not feasible)
        • Modeling and analysis will reveal possible attack strategies of an insider
        • Modeling and risk analysis can help answer the following questions statically: How secure is the existing setup? Which points are most vulnerable? What are likely attack strategies? Where must security systems be placed?
        • What you cannot model: non-cyber events (disclosures, memory dumps, etc.)
    33. Information-Centric Modeling
        • University at Buffalo, CEISARE: developed the concept of a Capability Acquisition Graph for insider threat assessment, part of a DARPA initiative; built a tool called ICMAP (Information-Centric Modeler and Auditor Program)
        • Publications in ACSAC 2004, IEEE DSN 2005, JCO 2005, IEEE ICC 2006, IFIP 11.9 Digital Forensics Conference 2007
        • Curriculum: computing, mathematical, legal, managerial and informatics; various CAEs (certified by NSA, DHS): USMA, Syracuse, Buffalo, Stony Brook, Polytechnic, Pace, RIT
    34. Practical Considerations
        • How is a model instance generated? Define the scope of the threat; a step-by-step bottom-up approach starting with potential targets
        • Who constructs the model instance? A knowledgeable security analyst
        • How are costs defined? Cryptographic access control mechanisms have well-defined costs; use attack templates, vulnerability reports, the attacker's privilege and the resources that need to be protected; Low, Medium and High relative cost assignment
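Slides 32 to 34 describe static analysis over a graph of capabilities with relative acquisition costs, used to answer "how secure is the existing setup", "which points are most vulnerable" and "where must security systems be placed". The Python below is an added example in that spirit; it is not the ICMAP tool or the slides' own material. The capability names, the edge costs, the Low/Medium/High weights and the starting privilege are all constructed assumptions, kept deliberately abstract.

```python
"""Cost-based insider threat model in the spirit of a capability acquisition graph.

Added example, not the ICMAP tool or the slides' own material. Nodes are
capabilities (what an actor can reach); an edge says that holding one
capability lets the actor acquire another at a relative cost of Low, Medium or
High, as in the "Practical Considerations" slide. Model and weights are assumed.
"""
import heapq

COST = {"Low": 1, "Medium": 3, "High": 9}  # assumed weights for the relative scale

# Constructed model: (capability held, capability acquired, relative cost).
EDGES = [
    ("insider_badge", "workstation_login", "Low"),
    ("workstation_login", "file_share_read", "Low"),
    ("workstation_login", "db_app_account", "Medium"),
    ("file_share_read", "db_admin_cred", "Medium"),  # weak control in the model: admin credential kept on the share
    ("db_app_account", "customer_records", "High"),
    ("db_admin_cred", "customer_records", "Low"),
]


def build_graph(edges):
    graph = {}
    for held, acquired, level in edges:
        graph.setdefault(held, []).append((acquired, COST[level]))
        graph.setdefault(acquired, [])
    return graph


def cheapest_path(graph, start, target):
    """Dijkstra over acquisition costs: (total cost, path); (inf, []) if unreachable."""
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node == target:
            break
        for nxt, w in graph.get(node, []):
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + w, node
                heapq.heappush(heap, (d + w, nxt))
    if target not in dist:
        return float("inf"), []
    path = [target]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]


def hardening_candidates(edges, start, target):
    """Where should a control go? Raise each edge on the cheapest path to High,
    recompute, and rank edges by how much the minimum cost rises."""
    base, path = cheapest_path(build_graph(edges), start, target)
    on_path = set(zip(path, path[1:]))
    ranked = []
    for i, (held, acquired, _level) in enumerate(edges):
        if (held, acquired) not in on_path:
            continue
        trial = edges[:i] + [(held, acquired, "High")] + edges[i + 1:]
        new_cost, _ = cheapest_path(build_graph(trial), start, target)
        ranked.append(((held, acquired), new_cost - base))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    cost, path = cheapest_path(build_graph(EDGES), "insider_badge", "customer_records")
    print("minimum acquisition cost:", cost, "via", " -> ".join(path))
    for edge, gain in hardening_candidates(EDGES, "insider_badge", "customer_records"):
        print(f"harden {edge[0]} -> {edge[1]}: minimum cost rises by {gain}")
```

On this model the cheapest route costs 6 and runs through the credential on the file share, yet the edge whose hardening raises the minimum cost most is the first hop, workstation login, because every route shares it; the per-edge ranking is what answers "where must security systems be placed" rather than just "which edge is cheapest".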
    35. Three Key Issues and 5 Major IT Decisions. 1. The need to reduce IT confusion and chaos. 2. The environment demands accountability. 3. Only the most productive organisations will thrive.
    36. Calder-Moir IT Governance Framework.
    37. CXO Internal Strategic Alliances. CIO & CEO: business-led information strategy. CIO & CMO: competitive edge & CVP. CIO & CTO: cost-benefit optimization. CIO & CFO: shareholder value maximization. CIO & CHRO: employee performance and rewards. CIO & business partners: virtual extended enterprise.
    38. The Productivity Promise. Capital productivity (ROI, EVA, MVA); material productivity (60% of cost); managerial productivity (information worker); labour productivity (enabled by IW); company productivity (micro); factor productivity (macro).
    39. CEO-CTO-CIO-CSO Responsibility. "These systems should ensure that both business and technology managers are properly engaged in identifying compliance requirements and planning compliance initiatives which typically involve complementary adjustments in systems, practices, training and organization." CXO & IT Governance: the roles and responsibilities for IT governance, highlighting the parts played by the CEO, business executives, CIO, IT steering committee, technology council, and IT architecture review board.
    40. Four Faces of a CIO & CIO Management Framework.
    41. Information as Competitive Advantage. For visioning and strategic planning: scenarios & simulations. World-class project management: hard and soft. Implementation and operational excellence: DSS, EIS, CRM etc. for optimization and control.
    42. Way Forward. Learn more about own businesses. Reach out to all business & function heads. Sharpen internal consultancy competences. Proactively seize the repertoire of MS & partners. Foster two-way flow of IS & line talent.
    43. Process Governance. 1. Develop an aligned strategic IT plan: the step-by-step format of this methodology will walk you through our proven process for creating a strategic IT plan that is aligned with your organization's business objectives. 2. Create a collaborative decision-making process: as IT impacts more business procedures, more stakeholders will become involved in the decision-making process. This methodology helps you develop a structured and efficient decision-making forum.
    44. Process Governance (continued). 3. Raise the profile of IT: by aligning IT planning with organizational goals, IT will become a key player in evaluating the business issues that factor into enterprise-wide decision making. 4. Get the green light: keep going.
    45. Measurement of IT Projects' Value and Effectiveness. IT assessment: 1. validity or relevance; 2. protectibility; 3. quantifiability; 4. informativeness; 5. generality; 6. transferability; 7. reliability to other parts of the organization. Effectiveness: utility, efficiency, economy, control, security. Assessment of IT functions: strategy, delivery, technology, people, systems.
    46. Standards, Standards, Standards. Security; audit; interoperability; interface (systems/devices/comm.); architecture/building blocks/reusable; HCI (Human Computer Interface); process; environmental (physical, safety); data interchange & mail messaging; layout/imprint.
    47. Importance of Group Standards: no one standard meets all requirements. ISO 27001/BS7799 vs COBIT vs CMM & PCMM vs ITIL. Elements: Mission; Business Objectives; Business Risks; Applicable Risks; Internal Controls; Review.
    48. "IT Regulations and Policies-Compliance & Management". Pre-requisites: physical infrastructure and mind-set. PAST: We have inherited a past, for which we cannot be held responsible. PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections. FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges. In a number of key areas, it is necessary to break from the past in order to achieve our vision. We have within ourselves the capacity to succeed. We have to embrace ICE for innovation, creativity, management, productivity & governance.
    49. "IT Regulations and Policies-Compliance & Management". Creativity vs command control: too much creativity results in anarchy; too much command & control kills creativity. We need a balancing act in IT regulations and policies, compliance & management.
    50. Governance & Assurance Maturity Model.
    51. Assurance in the PPP Environment.
    52. Governance - Final Message. "In governance matters, past is no guarantee; present is imperfect & future is uncertain." "Failure is not when we fall down, but when we fail to get up."
    53. Learning From Experience. 1. The only source of knowledge is experience. -- Einstein. 2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try. -- Sophocles. 3. Experience is a hard teacher because she gives the test first, and the lesson afterwards. -- Vernon Sanders Law. 4. Nothing is a waste of time if you use the experience wisely. -- Rodin.
    54. Security/Risk Assurance - Expectations. "To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust." "To derive a powerful logic for implementing or not implementing a security measure."
    55. THANK YOU. For interaction: Prof. K. Subramanian, ksdir@nic.in, ksmanian48@gmail.com, Tele: 011-22723557. Let us assure good cyber governance & business assurance in the cyber era.