Discovering Optimum Risk Solutions 
Leonard Ong 
CPP, CFE, PMP, CISA, CISM, CRISC, CISSP 
CSSLP, CIPM, GSNA, GCIH, GCFA, GCIA 
All rights reserved. 2013. © Leonard Ong.
Leonard Ong
CPP, CFE, PMP, CISA, CISM, CRISC, CISSP
CSSLP, CIPM, GSNA, GCIH, GCFA, GCIA
• More than 14 years' experience in Security Management, Information Security and Corporate Security.
• Honorary Chairman, ASIS International (Singapore Chapter)
• Immediate Past President, Director-Research, ISACA Singapore Chapter
• Crisis Management and Business Continuity Management Council, ASIS International
• IT Security Council, ASIS International
• Professional Influence / Advocacy Committee, ISACA
Threat Horizon 2016: Defining an era of heightened risk and uncertainty
Proliferation of threats and vulnerability: Sophisticated Threat
Enhancing Risk Management: Enterprise Governance of IT
Continuous Compliance: Concept, processes and tools
Questions and Answers
Current state
Banks' challenges: sophisticated threats, tougher penalties, increased regulations
Controls
Enterprise Risk Management
Key Trends 
Cyber Threats

Threat Horizon 2016 (ISF, 2014)

[Figure: the organisation and its threats: internal threats, external threats, regulatory threats. Callouts: "Cyber risk is challenging to understand and address"; "Reputation is a new target for cyber attacks"; "Criminals value your reputation"; "The changing pace of technology doesn't help"; "The role of government must not be misunderstood".]

The diagram below lists the ten new threats to 2016. It is important that organisations know what is on the horizon for 2016 as well as the result in reputational and brand damage, data leakage and/or monetary fines, to name a few.

[Figure: ISF chart of threats from successive Threat Horizon reports. Threat titles legible in the chart, besides the ten 2016 threats detailed below: Cyber criminality increases as Malspace matures further; The cyber arms race leads to a cyber cold war; More causes come online; Cyberspace gets physical; New requirements shine a light in dark corners, exposing weaknesses; A focus on privacy distracts from other security efforts; Cost pressures stifle critical investment; an undervalued function can't keep up; A clouded understanding leads to an outsourced mess; New technologies overwhelm; The supply chain springs a leak as the insider threat comes from outside; The CEO doesn't get it; Outsourcing security backfires; Insiders fuel corporate activism; Crime as a Service (CaaS) upgrades to v2.0; Activists get more active; Organisation can't get the right people; Hacktivists create fear, uncertainty and doubt; Information leaks all the time; BYOC (bring your own cloud) adds unmanaged risk; Bring your own device further increases information risk exposure; Government and regulators won't do it for you.]

No one left to trust in cyberspace

Nation-state backed espionage goes mainstream
Government espionage activities that were formerly mostly covert are now out in the open, encouraging all nation states to join in the game. The result will be an even more unruly cyberspace trading environment.
Actions to take now:
• Participate in threat intelligence sharing forums and build relationships with other organisations within and across industry sectors.
• Ensure appropriate information security knowledge and awareness is in place across the organisation.

A Balkanized Internet complicates business
Nation states will take a local approach to Internet governance, attempting to draw geopolitical borders on the Internet.
Actions to take now:
• Coordinate and maintain partnerships for information sharing across industry sectors to support cyber resilience.
• Engage in external multi-stakeholder governance processes to share intelligence.

Unintended consequences of state intervention
Organisations that are not directly implicated in wrong-doing will increasingly suffer collateral damage as authorities try to police 'their corner of the Internet'.
Actions to take now:
• Build resilience and implement proportional security measures in the event that this threat materialises.
• Work closely with public relations and marketing to prepare a message for customers in the event that customer-facing interfaces are taken offline.

Confidence in accepted solutions crumbles

Service providers become a key vulnerability
Service providers will become a key vulnerability in organisations' supply chains as cybercriminals target them rather than organisations directly.
Actions to take now:
• Foster strong working relationships with service providers with the aim of becoming partners.
• Understand clearly which legal jurisdictions govern your organisation's information.

Big data = big problems
Organisations that put blind faith in big data will base strategic decisions on faulty or incomplete datasets.
Actions to take now:
• Ensure the organisation has an adequate skillset to analyse big data.
• Outline a process for applying big data analytics to information security problems.

Mobile apps become the main route for compromise
The evolution of mobile computing, its fast-paced development cycle and lack of security considerations, will make mobile apps a prime route for cybercriminals and hackers.
Actions to take now:
• Incorporate user devices into existing standards for access management.
• Promote education and awareness of BYOx (Bring Your Own Anything) risk in innovative ways.

Encryption fails
The default approach to secure Internet interactions, encryption, will fail to deliver due to vastly improved computing power combined with back-doors in software.
Actions to take now:
• Classify information and know where the sensitive information assets are to understand where you face the most risk.
• Identify current cryptographic solutions used across the organisation. Determine a strategy for improving their implementation.

Failure to deliver the cyber resilience promise

The CEO gets it, now you have to deliver
The CEO will call upon the CISO to demonstrate value that they may be unable to deliver.
Actions to take now:
• Build strong credibility for the CISO by positioning the security function as a centre of excellence.
• Align the security function with the organisation's approach to risk management.

Skills gap becomes a chasm
The skills gap will widen. At the same time it has never been more pressing for organisations to get the right people to be able to get ahead of the competition and innovate securely.
Actions to take now:
• Develop talent within the organisation and create incentives to retain existing talent, by putting in place mentoring programmes, external coaching opportunities, and promoting from within.
• Support external initiatives to develop and source new talent.

Information security fails to work with new generations
The business will embrace generations Y and Z whose approach to information security is in sharp contrast to current methods, challenging CISOs.
Actions to take now:
• Understand that the new generations' approach to work, socialising and privacy are vastly different from previous generations' and that they won't fit with traditional security models.
• Adapt existing policies and procedures to engage with generations Y and Z.

(ISF, 2014)
Proliferation of threats and vulnerability
APT in Action (WatchGuard, 2014)
Operation Aurora, 2010
StuxNet, 2010
RSA/Lockheed Martin, 2011
Duqu, Flame, 2011-12
New York Times, 2013
Adobe, 2013
Korean Banks, 2013
Against the unknown: Reputation Risk, Customer Confidence, Remediation Cost & Effort
A Troubling Lack of Initiative
There aren't enough precautions being taken against the threat of an APT. Up to 81.8% of survey takers have not updated their agreements with vendors who provide protection against APT. And 67.3% reported that they haven't held any APT awareness training programs for their employees.
[Figure: survey chart "Has your enterprise increased security training as a result of APTs?" with Yes/No responses and a likelihood scale (Very Likely, Likely, Not Very Likely, Not at All Likely); axis 0% to 80%.]
(ISACA, 2014)
Enhancing Risk Management: Enterprise Governance of IT
CoBIT 5
management of enterprise information technology (IT). Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
COBIT 5 for Risk, highlighted in figure 1, builds on the COBIT 5 framework by focusing on risk and providing more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise.
[Figure 1—COBIT 5 Product Family: COBIT 5 framework; COBIT 5 Enabler Guides (COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides); COBIT 5 Professional Guides (COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides); COBIT 5 Online Collaborative Environment. (ISACA, 2014)]
Terminology
COBIT 5 for Risk discusses IT-related risk. Section 1, chapter 2 defines what is meant by IT-related risk; however, for ease of reading, the term 'risk' is used throughout the publication, which refers to IT-related risk. The guidance and principles that are explained throughout this publication are applicable to any type of enterprise, whether it operates in a commercial
CoBIT 5 Product Family
Framework: COBIT 5 is the overarching business and management framework for governance and management of enterprise IT.
Enabling Processes: A detailed reference guide to the processes defined in the COBIT 5 process reference model.
Implementation: Provides a good practice approach for implementing GEIT based on a continual improvement life cycle.
Information Security: Specific focus on Information Security.
Assurance: Practical guidance for assurance professionals on how to use COBIT 5 to support a variety of IT assurance activities.
Risk: Specific focus on Risk.
(ISACA, 2014)
Risk Duality
Figure 6—Risk Duality
Positive Outcomes: Value Creation or Preservation. Well governed and managed information and technology delivers business benefits and/or preserves value:
• New IT-enabled business opportunities
• Enhanced business opportunities
• Sustainable competitive advantage
Negative Outcomes: Value Destruction or Fail to Gain. Poorly governed and managed information and technology will destroy value or fail to deliver benefits:
• Unrealised or reduced business value
• Missed IT-enabled business opportunities
• Adverse IT-related events destroying value
(ISACA, 2014)
Risk is not always to be avoided. Doing business is about taking risk that is consistent with the risk appetite, i.e., many business propositions require IT risk to be taken to achieve the value proposition and realise enterprise goals and objectives, and this risk should be managed but not necessarily avoided.
Processes for Governance of Enterprise IT
Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency.
Processes for Management of Enterprise IT
Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security.
Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration.
Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls.
Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements.
Figure 18—Supporting Processes for the Risk Function
The processes listed in figure 19 are key supporting processes for the risk function in the enterprise.
(ISACA, 2014)
Risk Scenario
Figure 36—Risk Scenario Structure
Threat Type: Malicious; Accidental; Error; Failure; Nature; External requirement
Actor: Internal (staff, contractor); External (competitor, outsider, business partner, regulator, market)
Event: Disclosure; Interruption; Modification; Theft; Destruction; Ineffective design; Ineffective execution; Rules and regulations; Inappropriate use
Asset/Resource: People and skills; Organisational structures; Process; Infrastructure (facilities); IT infrastructure; Information; Applications
Time: Duration; Timing occurrence (critical or non-critical); Detection; Time lag
(ISACA, 2014)
It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event in figure 36). The frequency of the threat event leading to a loss event is influenced by the risk factors or vulnerability. Vulnerability is usually a state and can be increased/decreased by vulnerability events, e.g., the weakening of controls or by the threat strength. One should not mix these three types of events into one big 'risk list'.
Chapter 3 contains a set of generic IT risk scenarios that are built in line with the model described in the previous paragraphs. The set of generic scenarios contains examples of negative outcomes, but also examples where a risk, when managed well, can lead to a positive outcome.
Risk Heat Map and Aggregation
[Figure 40—Aggregation of Risk Maps—Shared Risk: heat maps plotting magnitude against frequency for risks A, B, C and D; the same risk (e.g. B) appears on more than one map and is aggregated. (ISACA, 2014)]
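The following Python example is added here and is not part of the slides or of ISACA's COBIT 5 for Risk material. It models a risk scenario with the components of figure 36, places each scenario on a frequency/magnitude heat map, and aggregates the maps of several business units so that a shared risk (a scenario appearing on more than one map, like risk B in figure 40) is found and rated at its worst position. The band edges, the loss-event frequency model (threat event frequency scaled by vulnerability), the "keep the maximum band" aggregation rule and the sample scenarios are assumptions made for illustration only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

# Risk scenario components as laid out in figure 36 (COBIT 5 for Risk).
class ThreatType(Enum):
    MALICIOUS = "malicious"
    ACCIDENTAL = "accidental"
    ERROR = "error"
    FAILURE = "failure"
    NATURE = "nature"
    EXTERNAL_REQUIREMENT = "external requirement"

class Actor(Enum):
    INTERNAL = "internal"   # staff, contractor
    EXTERNAL = "external"   # competitor, outsider, business partner, regulator, market

class Event(Enum):
    DISCLOSURE = "disclosure"
    INTERRUPTION = "interruption"
    MODIFICATION = "modification"
    THEFT = "theft"
    DESTRUCTION = "destruction"
    INEFFECTIVE_DESIGN = "ineffective design"
    INEFFECTIVE_EXECUTION = "ineffective execution"
    RULES_AND_REGULATIONS = "rules and regulations"
    INAPPROPRIATE_USE = "inappropriate use"

@dataclass(frozen=True)
class RiskScenario:
    scenario_id: str
    threat_type: ThreatType
    actor: Actor
    event: Event
    asset: str                     # asset/resource, e.g. "information", "IT infrastructure"
    threat_event_frequency: float  # assumed estimate: threat events per year
    vulnerability: float           # assumed estimate: P(threat event becomes a loss event)
    magnitude: float               # assumed estimate: loss per loss event, currency units

    def loss_event_frequency(self) -> float:
        # Assumed model: the threat event frequency is scaled by the vulnerability,
        # which is where the slide's "influenced by the risk factors or vulnerability"
        # enters; a vulnerability event (e.g. a weakened control) changes this factor.
        return self.threat_event_frequency * self.vulnerability

# Assumed band edges for the two heat-map axes (upper bound exclusive; above the
# last edge falls into the highest band).
FREQUENCY_BANDS = [(0.1, 1), (1.0, 2), (10.0, 3)]            # loss events per year
MAGNITUDE_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3)]

def band(value: float, bands) -> int:
    for upper, score in bands:
        if value < upper:
            return score
    return len(bands) + 1

Cell = Tuple[int, int]  # (frequency band, magnitude band)

def heat_map_cell(s: RiskScenario) -> Cell:
    """Position of one scenario on a unit's heat map."""
    return band(s.loss_event_frequency(), FREQUENCY_BANDS), band(s.magnitude, MAGNITUDE_BANDS)

def rating(cell: Cell) -> str:
    total = cell[0] + cell[1]
    return "high" if total >= 6 else "medium" if total >= 4 else "low"

def aggregate_maps(unit_maps: Dict[str, List[RiskScenario]]) -> Dict[str, dict]:
    """Merge per-unit risk maps into one enterprise map.

    A scenario id present on more than one unit's map is a shared risk. Assumed
    rule: keep the worst (highest) frequency and magnitude band seen for that id
    across units, and record which units share it.
    """
    merged: Dict[str, dict] = {}
    for unit, scenarios in unit_maps.items():
        for s in scenarios:
            f, m = heat_map_cell(s)
            entry = merged.setdefault(s.scenario_id, {"cell": (f, m), "units": []})
            entry["cell"] = (max(entry["cell"][0], f), max(entry["cell"][1], m))
            entry["units"].append(unit)
    for entry in merged.values():
        entry["rating"] = rating(entry["cell"])
        entry["shared"] = len(entry["units"]) > 1
    return merged

# Constructed sample maps for two business units (illustrative values only).
UNIT_MAPS = {
    "retail banking": [
        RiskScenario("A", ThreatType.ERROR, Actor.INTERNAL, Event.MODIFICATION,
                     "applications", 0.5, 0.4, 50_000),
        RiskScenario("B", ThreatType.MALICIOUS, Actor.EXTERNAL, Event.DISCLOSURE,
                     "information", 5.0, 0.5, 500_000),
    ],
    "treasury": [
        RiskScenario("B", ThreatType.MALICIOUS, Actor.EXTERNAL, Event.DISCLOSURE,
                     "information", 2.0, 0.1, 2_000_000),
        RiskScenario("C", ThreatType.NATURE, Actor.EXTERNAL, Event.INTERRUPTION,
                     "infrastructure (facilities)", 0.05, 0.5, 5_000),
        RiskScenario("D", ThreatType.FAILURE, Actor.INTERNAL, Event.INTERRUPTION,
                     "IT infrastructure", 12.0, 0.25, 100_000),
    ],
}

if __name__ == "__main__":
    for sid, entry in sorted(aggregate_maps(UNIT_MAPS).items()):
        flag = "shared" if entry["shared"] else "single unit"
        print(f"{sid}: cell={entry['cell']} rating={entry['rating']} ({flag}: {', '.join(entry['units'])})")
```

Risk B sits in a lower cell on each unit's own map than on the aggregated map, which is the point of the aggregation step: a shared scenario is rated at the worst frequency and magnitude seen anywhere in the enterprise, not at the position one unit sees.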
Key takeaways
1. Be aware of the current and future trends of cyber threats
2. Prepare for the unknown
3. Adopt an Enterprise Governance approach
4. Develop a risk profile before selecting a solution
References
Threat Horizon 2016. Information Security Forum, 2014.
Advanced Persistent Threat Awareness Study Results. ISACA, 2014.
CoBIT 5 Framework. ISACA, 2014.
Contact
sg.linkedin.com/in/ongleonard
leonard_ong
Questions

 
160757618604s
160757618604s160757618604s
160757618604s
 
كتاب الناسخ والمنسوخ للنحاس الجزء الاول والثاني
كتاب الناسخ والمنسوخ للنحاس الجزء الاول والثاني  كتاب الناسخ والمنسوخ للنحاس الجزء الاول والثاني
كتاب الناسخ والمنسوخ للنحاس الجزء الاول والثاني
 
A Data Commons in the Exchange Space
A Data Commons in the Exchange SpaceA Data Commons in the Exchange Space
A Data Commons in the Exchange Space
 
Italo calvino-as-cidades-invisiveis
Italo calvino-as-cidades-invisiveisItalo calvino-as-cidades-invisiveis
Italo calvino-as-cidades-invisiveis
 

More from Knowledge Group

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Knowledge Group
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorKnowledge Group
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengKnowledge Group
 
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraKnowledge Group
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Knowledge Group
 
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiAddressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiKnowledge Group
 
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Knowledge Group
 
Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Knowledge Group
 
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream)  Learning From The Expert – Mo...Daryl Pereira(Compliance & Regulations Stream)  Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...Knowledge Group
 
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudLisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudKnowledge Group
 
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...Knowledge Group
 
Steven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingSteven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingKnowledge Group
 
David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!Knowledge Group
 
Andrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyAndrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyKnowledge Group
 
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...Knowledge Group
 

More from Knowledge Group (16)

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh
 
National Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip VictorNational Strategies against Cyber Attacks - Philip Victor
National Strategies against Cyber Attacks - Philip Victor
 
Managing & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee SengManaging & Securing the Online and Mobile banking - Chew Chee Seng
Managing & Securing the Online and Mobile banking - Chew Chee Seng
 
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
 
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin SukardiAddressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
Addressing Cyber Threats in The Banking Sector - Lt Col (R) Sazali Bin Sukardi
 
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
Evaluating Cloud Computing Risk :Recounting PBB’s Journey into the Cloud - Ke...
 
Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream) Suresh - Mobile Banking (Corporate Banking Stream)
Suresh - Mobile Banking (Corporate Banking Stream)
 
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream)  Learning From The Expert – Mo...Daryl Pereira(Compliance & Regulations Stream)  Learning From The Expert – Mo...
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Mo...
 
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce FraudLisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
Lisa Shipley (Fraud & AML Stream)- Extending the PCI Boundary to Reduce Fraud
 
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...Harry Singh (Security & Risk Management Stream)-  Managing Technology Risk in...
Harry Singh (Security & Risk Management Stream)- Managing Technology Risk in...
 
Steven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed BankingSteven Gan - Signifying The Need for Speed Banking
Steven Gan - Signifying The Need for Speed Banking
 
David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!David Wortley - Gamification Is Not Funny!
David Wortley - Gamification Is Not Funny!
 
Andrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New TechnologyAndrew Fell, Harnessing the Customer Experience via New Technology
Andrew Fell, Harnessing the Customer Experience via New Technology
 
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...Aman Narain,  Viva La Revolution -How Banking Should and Will be Disrupted an...
Aman Narain, Viva La Revolution -How Banking Should and Will be Disrupted an...
 

Leonard - (Security & Risk Stream) Discovering Optimum Risk Solution for Banks

  • 1. Discovering Optimum Risk Solutions. Leonard Ong, CPP, CFE, PMP, CISA, CISM, CRISC, CISSP, CSSLP, CIPM, GSNA, GCIH, GCFA, GCIA. All rights reserved. 2013. © Leonard Ong.
  • 2. Leonard Ong, CPP, CFE, PMP, CISA, CISM, CRISC, CISSP, CSSLP, CIPM, GSNA, GCIH, GCFA, GCIA. • More than 14 years experience in Security Management, Information Security and Corporate Security. • Honorary Chairman, ASIS International (Singapore Chapter). • Immediate Past President, Director-Research, ISACA Singapore Chapter. • Crisis Management and Business Continuity Management Council, ASIS International. • IT Security Council, ASIS International. • Professional Influence / Advocacy Committee, ISACA.
  • 3. Agenda: (1) Threat Horizon 2016: Defining an era of heightened risk and uncertainty. (2) Proliferation of threats and vulnerability: Sophisticated threat. (3) Enhancing Risk Management: Enterprise Governance of IT. Continuous Compliance: Concept, processes and tools. Questions and Answers. All rights reserved. 2013. © Leonard Ong.
  • 4. Current state Banks Challenges Sophisticated threats Tougher penalties Increased regulations Controls Enterprise Risk Management All rights reserved. 2013. © Leonard Ong. 4!
  • 6. Threat Horizon 2016 (ISF, 2014). The diagram below lists the ten new threats to 2016. It is important that organisations know what is on the horizon for 2016 as well as the result in reputational and brand damage, data leakage and/or monetary fines, to name a few. Themes: No one left to trust in cyberspace (Nation-state backed espionage goes mainstream); Confidence in accepted solutions crumbles (Service providers become a key vulnerability). Diagram: Your Organisation at the centre, facing Internal threats, External threats and Regulatory threats. Cyber risk is challenging to understand and address. Reputation is a new target for cyber attacks. Criminals value your reputation. The changing pace of technology doesn't help. The role of government must not be misunderstood.
  • 7. Threat Horizon 2016 (ISF, 2014). Diagram of the threats on the 2014, 2015 and 2016 horizons: Cyber criminality increases as Malspace matures further; The CEO doesn't get it; Nation-state backed espionage goes mainstream; Outsourcing security backfires; Insiders fuel corporate activism; Crime as a Service (CaaS) upgrades to v2.0; Activists get more active; Cyberspace gets physical; New requirements shine a light in dark corners, exposing weaknesses; Focus on privacy distracts from other security efforts; Cost pressures stifle critical investment, an undervalued function can't keep up; Clouded understanding leads to an outsourced mess; New technologies overwhelm; The supply chain springs a leak as the insider threat comes from outside; A Balkanized Internet complicates business; Unintended consequences of state intervention; Service providers become a key vulnerability; Big data = big problems; Mobile apps become the main route for compromise; Encryption fails; The CEO gets it, now you have to deliver; Skills gap becomes a chasm; Information security fails to work with new generations; Organisation can't get the right people; Hacktivists create fear, uncertainty and doubt; Information leaks all the time; BYOC (bring your own cloud) adds unmanaged risk; Bring your own device further increases information risk exposure; Government and regulators won't do it for you. Text fragment: "... threats that are about to hit in 2015. In this way, organisations can build their resilience to a wide range of threats. Failure to do so could ..."
  • 8. Threat Horizon 2016 (ISF, 2014). No one left to trust in cyberspace.
    Nation-state backed espionage goes mainstream. Government espionage activities that were formerly mostly covert are now out in the open, encouraging all nation states to join in the game. The result will be an even more unruly cyberspace trading environment. Actions to take now: Participate in threat intelligence sharing forums and build relationships with other organisations within and across industry sectors. Ensure appropriate information security knowledge and awareness is in place across the organisation.
    A Balkanized Internet complicates business. Nation states will take a local approach to Internet governance, attempting to draw geopolitical borders on the Internet. Actions to take now: Coordinate and maintain partnerships for information sharing across industry sectors to support cyber resilience. Engage in external multi-stakeholder governance processes to share intelligence.
    Unintended consequences of state intervention. Organisations that are not directly implicated in wrong-doing will increasingly suffer collateral damage as authorities try to police "their corner of the Internet". Actions to take now: Build resilience and implement proportional security measures in the event that this threat materialises. Work closely with public relations and marketing to prepare a message for customers in the event that customer-facing interfaces are taken offline.
  • 9. Threat Horizon 2016 (ISF, 2014). Confidence in accepted solutions crumbles.
    Service providers become a key vulnerability. Service providers will become a key vulnerability in organisations' supply chains as cybercriminals target them rather than organisations directly. Actions to take now: Foster strong working relationships with service providers with the aim of becoming partners. Understand clearly which legal jurisdictions govern your organisation's information.
    Big data = big problems. Organisations that put blind faith in big data will base strategic decisions on faulty or incomplete datasets. Actions to take now: Ensure the organisation has an adequate skillset to analyse big data. Outline a process for applying big data analytics to information security problems.
    Mobile apps become the main route for compromise. The evolution of mobile computing, its fast-paced development cycle and lack of security considerations, will make mobile apps a prime route for cybercriminals and hackers. Actions to take now: Incorporate user devices into existing standards for access management. Promote education and awareness of BYOx (Bring Your Own Anything) risk in innovative ways.
    Encryption fails. The default approach to secure Internet interactions, encryption, will fail to deliver due to vastly improved computing power combined with back-doors in software. Actions to take now: Classify information and know where the sensitive information assets are to understand where you face the most risk. Identify current cryptographic solutions used across the organisation. Determine a strategy for improving their implementation.
  • 10. Threat Horizon 2016 (ISF, 2014). Failure to deliver the cyber resilience promise.
    The CEO gets it, now you have to deliver. The CEO will call upon the CISO to demonstrate value that they may be unable to deliver. Actions to take now: Build strong credibility for the CISO by positioning the security function as a centre of excellence. Align the security function with the organisation's approach to risk management.
    Skills gap becomes a chasm. The skills gap will widen. At the same time it has never been more pressing for organisations to get the right people to be able to get ahead of the competition and innovate securely. Actions to take now: Develop talent within the organisation and create incentives to retain existing talent, by putting in place mentoring programmes, external coaching opportunities, and promoting from within. Support external initiatives to develop and source new talent.
    Information security fails to work with new generations. The business will embrace generations Y and Z whose approach to information security is in sharp contrast to current methods, challenging CISOs. Actions to take now: Understand that the new generations' approach to work, socialising and privacy are vastly different from previous generations' and that they won't fit with traditional security models. Adapt existing policies and procedures to engage with generations Y and Z.
  • 11. Agenda (section divider)
  Threat Horizon 2016: defining an era of heightened risk and uncertainty
  Proliferation of threats and vulnerability
  Public networks
  Enhancing Risk Management
  Enterprise Governance of IT: concept, processes and tools
  Continuous Compliance
  Questions and Answers
  • 13. APT in Action
  Operation Aurora, 2010
  Stuxnet, 2010
  RSA / Lockheed Martin, 2011
  Duqu, Flame, 2011-12
  New York Times, 2013
  Adobe, 2013
  Korean banks, 2013
  Against the unknown: reputation risk, customer confidence, remediation cost and effort
  • 14. A Troubling Lack of Initiative. There aren't enough precautions being taken against the threat of an APT. Up to 81.8% of survey takers have not updated their agreements with vendors who provide protection against APT, and 67.3% reported that they haven't held any APT awareness training programs for their employees. (Chart: "Has your enterprise increased security training as a result of APTs?" Yes/No responses, broken down by how likely respondents consider an APT attack: Very Likely, Likely, Not Very Likely, Not at All Likely; scale 0% to 80%.) ISACA, 2014
  • 15. Agenda (section divider, same list as slide 11)
  • 16. CoBIT 5. COBIT 5 is the overarching business and management framework for governance and management of enterprise information technology (IT). Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders. COBIT 5 for Risk, highlighted in figure 1, builds on the COBIT 5 framework by focusing on risk and providing more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise.
  Figure 1—COBIT 5 Product Family: COBIT 5; COBIT 5 Enabler Guides (COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides); COBIT 5 Professional Guides (COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides); COBIT 5 Online Collaborative Environment. ISACA, 2014
  Terminology. COBIT 5 for Risk discusses IT-related risk. Section 1, chapter 2 defines what is meant by IT-related risk; however, for ease of reading, the term 'risk' is used throughout the publication, which refers to IT-related risk. The guidance and principles that are explained throughout this publication are applicable to any type of enterprise, whether it operates in a commercial
  • 17. CoBIT 5 Product Family
  Framework: COBIT 5 is the overarching business and management framework for governance and management of enterprise IT.
  Enabling Processes: a detailed reference guide to the processes defined in the COBIT 5 process reference model.
  Implementation: provides a good practice approach for implementing GEIT based on a continual improvement life cycle.
  Information Security: specific focus on information security.
  Assurance: practical guidance for assurance professionals on how to use COBIT 5 to support a variety of IT assurance activities.
  Risk: specific focus on risk.
  ISACA, 2014
  • 18. Risk Duality (Figure 6—Risk Duality, COBIT 5 for Risk, ISACA, 2014)
  Positive outcomes: value creation or preservation. Well governed and managed information and technology delivers business benefits and/or preserves value: new IT-enabled business opportunities; enhanced business opportunities; sustainable competitive advantage.
  Negative outcomes: value destruction or failure to gain. Poorly governed and managed information and technology will destroy value or fail to deliver benefits: unrealised or reduced business value; missed IT-enabled business opportunities; adverse IT-related events destroying value.
  Risk is not always to be avoided. Doing business is about taking risk that is consistent with the risk appetite, i.e., many business propositions require IT risk to be taken to achieve the value proposition and realise enterprise goals and objectives, and this risk should be managed but not necessarily avoided.
  • 19. COBIT 5 process reference model (Figure 18—Supporting Processes for the Risk Function). The processes listed in figure 19 are key supporting processes for the risk function in the enterprise. ISACA, 2014
  Processes for Governance of Enterprise IT
  Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency
  Processes for Management of Enterprise IT
  Align, Plan and Organise: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
  Build, Acquire and Implement: BAI01 Manage Programmes and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organisational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration
  Deliver, Service and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls
  Monitor, Evaluate and Assess: MEA01 Monitor, Evaluate and Assess Performance and Conformance; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
  • 20. Risk Scenario (Figure 36—Risk Scenario Structure, COBIT 5 for Risk, ISACA, 2014)
  Threat Type: malicious; accidental; error; failure; nature; external requirement
  Actor: internal (staff, contractor); external (competitor, outsider, business partner, regulator, market)
  Event: disclosure; interruption; modification; theft; destruction; ineffective design; ineffective execution; rules and regulations; inappropriate use
  Asset/Resource: people and skills; organisational structures; process; infrastructure (facilities); IT infrastructure; information; applications
  Time: duration; timing of occurrence (critical or non-critical); detection; time lag
  several years?)
  It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event in figure 36). The frequency of the threat event leading to a loss event is influenced by the risk factors or vulnerability. Vulnerability is usually a state and can be increased or decreased by vulnerability events, e.g., the weakening of controls, or by the threat strength. One should not mix these three types of events into one big 'risk list'.
  Chapter 3 contains a set of generic IT risk scenarios that are built in line with the model described in the previous paragraphs. The set of generic scenarios contains examples of negative outcomes, but also examples where a risk, when managed well, can lead to a positive outcome.
  • 21. Risk Heat Map and Aggregation (Figure 40—Aggregation of Risk Maps—Shared Risk, COBIT 5 for Risk, ISACA, 2014). Several risk maps, each plotting risks A, B, C and D by Frequency against Magnitude, are aggregated into a single map.
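  The two slides above give the risk-scenario structure (threat type, actor, event, asset, time), the rule that a loss event is a threat event that meets a vulnerability, and a heat map whose per-unit maps are aggregated for shared risk. The block below is an added worked example for this page, not code from the presentation or from ISACA's COBIT 5 for Risk. It assumes illustrative band thresholds, an assumed aggregation rule for shared risk (one underlying event hits every unit that shares it, so its frequency is counted once and the magnitudes add up), and constructed register entries for two made-up business units; none of those figures come from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Heat-map bands. Assumption: illustrative thresholds chosen for this example;
# the scales themselves come from the enterprise's own risk appetite.
FREQ_BANDS = ((0.1, "rare"), (1.0, "occasional"), (float("inf"), "frequent"))  # loss events per year
MAG_BANDS = ((100_000, "low"), (1_000_000, "medium"), (float("inf"), "high"))   # loss per loss event


@dataclass(frozen=True)
class RiskScenario:
    """One scenario in the figure-36 structure (threat type, actor, event, asset/resource),
    with the quantities that place it on a heat map."""
    scenario_id: str
    unit: str                      # business unit whose risk map carries this entry
    threat_type: str               # malicious / accidental / error / failure / nature / external requirement
    actor: str                     # internal or external
    event: str                     # disclosure / interruption / modification / theft / ...
    asset: str
    threat_event_frequency: float  # threat events per year
    vulnerability: float           # probability that a threat event becomes a loss event (0..1)
    magnitude: float               # loss per loss event, currency units
    shared: bool = False           # the same underlying risk appears on several units' maps

    @property
    def loss_event_frequency(self) -> float:
        # A loss event is a threat event that finds the vulnerability state it needs,
        # so loss-event frequency is threat-event frequency scaled by vulnerability.
        return self.threat_event_frequency * self.vulnerability

    @property
    def annual_exposure(self) -> float:
        return self.loss_event_frequency * self.magnitude


def band(value: float, bands) -> str:
    """Label of the first band whose upper bound the value does not exceed."""
    for upper, label in bands:
        if value <= upper:
            return label
    raise ValueError(f"no band for {value}")


def cell(s: RiskScenario) -> tuple:
    """Heat-map cell (frequency band, magnitude band) for one scenario."""
    return (band(s.loss_event_frequency, FREQ_BANDS), band(s.magnitude, MAG_BANDS))


def heat_map(scenarios) -> dict:
    """One risk map: scenario ids grouped by heat-map cell."""
    cells = defaultdict(list)
    for s in scenarios:
        cells[cell(s)].append(s.scenario_id)
    return dict(cells)


def unit_maps(scenarios) -> dict:
    """A separate risk map per business unit."""
    per_unit = defaultdict(list)
    for s in scenarios:
        per_unit[s.unit].append(s)
    return {unit: heat_map(entries) for unit, entries in per_unit.items()}


def vulnerability_event(s: RiskScenario, factor: float) -> RiskScenario:
    """A vulnerability event changes the vulnerability state (a weakened control: factor > 1;
    a new control: factor < 1). It moves the loss-event frequency, not the threat-event frequency."""
    return replace(s, vulnerability=min(1.0, s.vulnerability * factor))


def aggregate_maps(scenarios) -> list:
    """Aggregate the units' maps into one enterprise map.
    Assumed rule for shared risk (this example's, not quoted from COBIT 5 for Risk): one
    underlying event hits every unit that shares it, so the frequency is counted once (the
    highest unit estimate) while the magnitudes add up. Unit-specific entries are carried over."""
    by_id = defaultdict(list)
    for s in scenarios:
        by_id[s.scenario_id].append(s)
    aggregated = []
    for entries in by_id.values():
        if len(entries) == 1 or not all(e.shared for e in entries):
            aggregated.extend(entries)
            continue
        reference = max(entries, key=lambda e: e.loss_event_frequency)
        aggregated.append(replace(reference, unit="enterprise",
                                  magnitude=sum(e.magnitude for e in entries)))
    return aggregated


# Constructed sample registers for two made-up units (illustrative figures, not survey data).
SAMPLE = [
    RiskScenario("B", "retail", "failure", "internal", "interruption", "shared data centre",
                 threat_event_frequency=0.5, vulnerability=0.4, magnitude=600_000, shared=True),
    RiskScenario("A", "retail", "malicious", "external", "theft", "customer credentials",
                 threat_event_frequency=50, vulnerability=0.05, magnitude=50_000),
    RiskScenario("B", "wealth", "failure", "internal", "interruption", "shared data centre",
                 threat_event_frequency=0.5, vulnerability=0.4, magnitude=900_000, shared=True),
    RiskScenario("C", "wealth", "error", "internal", "disclosure", "client portfolio data",
                 threat_event_frequency=2, vulnerability=0.1, magnitude=2_000_000),
]

if __name__ == "__main__":
    for unit, risk_map in unit_maps(SAMPLE).items():
        print(unit, risk_map)
    print("enterprise", heat_map(aggregate_maps(SAMPLE)))
    print("top exposure:", max(aggregate_maps(SAMPLE), key=lambda s: s.annual_exposure).scenario_id)
```

  On the sample data the shared data-centre scenario B sits in the "occasional / medium" cell on each unit's map, but on the aggregated map its magnitude is the sum of both units' losses and it moves to "occasional / high"; a unit-level view alone would understate it. The vulnerability_event helper shows the point made on the scenario slide: weakening a control doubles the loss-event frequency while the threat-event frequency is untouched, so the two must be tracked separately rather than merged into one risk list.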
  • 22. Key takeaways 1. Be aware of the current and future trends of cyber threats 2. Prepare for the unknown 3. Adopt an enterprise governance approach 4. Develop a risk profile before selecting a solution
  • 23. References: Threat Horizon 2016, Information Security Forum, 2014; Advanced Persistent Threat Awareness Study Results, ISACA, 2014; COBIT 5 Framework, ISACA, 2014. Contact: sg.linkedin.com/in/ongleonard, leonard_ong
  • 24. Questions