SlideShare a Scribd company logo

Effective Information Security Risk and Controls Management

EyesOpen Association
EyesOpen Association

Author : Nathaniel Nguemeta Presented at EOCON 2022 Video of the presentation : https://youtu.be/3e_TNrTan_s

Presentations & Public Speaking
1 of 17
Download to read offline
1.Information Security Risk in a nutshell 2.Key Elements of Effective IS Risk Management 3.Do’s and Dont’s for Efficiency PLAN
Information Security Risk in a nutshell 1
Risk Threat • Threat Actor Asset Vulnerability Risk Probability x Impact • Threat Factor • Inherent weakness • Tools • Skills
Risk Scenario Citibank wired a $900 million loan payoff to the cosmetic company Revlon’s money lenders, in 2020. This was done mistakenly. Citibank reached out to the hedge funds to return the money, some did, others refused. Citibank decided to sue them. The federal judge ruled that Citibank can’t have its money back. As you would imagine, Citibank had multiple controls and policies in place to ensure that mistakes like this won’t happen. Initial reports said that the mistake could have happened because of compromised banking controls, but the problem was finally traced to a recently installed software that was rife with UI issues. The software didn’t have appropriate controls and it led to the error. US regulators fined Citibank $400 million to update their data governance, risk management, and compliance controls.
Key Elements of Effective IS Risk Management 2
✓ Know your environment and its constraints ✓ Inventoriate information assets ✓ Classify Information assets Key Elements
✓ Identify dependencies ✓ Identify and validate vulnerabilities and threats Key Elements
✓ Identify dependencies ✓ Identify and validate vulnerabilities and threats ✓ Identify and implement treatment Key Elements
✓ Check implementation ✓ Make adjustments and fine-tune ✓ Establish measurements (KRI, KPI) Key Elements
✓ Check implementation ✓ Make adjustments and fine-tune ✓ Establish measurements (KRI, KPI) Key Elements
✓ Establish monitoring ✓ Set measurement and reporting ✓ Repeat the cycle very often Key Elements
For Efficiency ❌Dont’s ✅and Do’s 3
❌Dont’s ❌ Dont Assume that Security controls are working properly ✅Set up monitoring and response mechanism (SIEM, SOC, Security Analysts) ✅Always check to identify issues with the controls and fine-tune if possible ✅Always test from every angle to ensure appropriateness of your control ❌Dont Over-rely on Compensating Controls ✅Set time limit to remediate the issue and remove the compensating control ✅Always review with management if the risk persists ❌ Dont Be hasty and/or try to cut corners ✅Be realistic with the treatment methods chosen ✅Get enough information for management to decide appropriately ✅and Do’s
❌Dont Assume that you know your inventory completely ✅Always carry out periodic inventory to update database, automate discovery ✅Block automatic entry of assets, control introduction of new assets ❌Dont Assume that your users will always understand controls ✅Training and security awareness on regular basis ✅Test their knowledge through Campaigns like Phishing Campaigns ❌Dont Try to re-invent the wheel ✅Use tried and proven methods such as standards and frameworks which are available ✅ISO 27005, NIST 800-37, EBIOS, MEHARI, OCTAVE, ISF RMF ❌Dont’s ✅and Do’s
Summary
M E R C I ! T H A N K Y O U ! QUESTIONS ?

Recommended

Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring SecurityChris Mullins
 
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTri Phan
 
General Employee Risk Management Course
General Employee Risk Management CourseGeneral Employee Risk Management Course
General Employee Risk Management Coursedavidcurriecia
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through SecurityEnergySec
 
module_1.pptx
module_1.pptxmodule_1.pptx
module_1.pptxssuser432862
 
Cisa_AB special top pointer’s, expect questions in exam form this topic
Cisa_AB special top pointer’s, expect questions in exam form this topicCisa_AB special top pointer’s, expect questions in exam form this topic
Cisa_AB special top pointer’s, expect questions in exam form this topicAbbasi Mirza, CA, CFE
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Internal Controls
Internal ControlsInternal Controls
Internal ControlsNational Pork Board
 

Recommended

Practical Measures for Measuring Security
Practical Measures for Measuring SecurityPractical Measures for Measuring Security
Practical Measures for Measuring SecurityChris Mullins
 
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTri Phan
 
General Employee Risk Management Course
General Employee Risk Management CourseGeneral Employee Risk Management Course
General Employee Risk Management Coursedavidcurriecia
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through SecurityEnergySec
 
module_1.pptx
module_1.pptxmodule_1.pptx
module_1.pptxssuser432862
 
Cisa_AB special top pointer’s, expect questions in exam form this topic
Cisa_AB special top pointer’s, expect questions in exam form this topicCisa_AB special top pointer’s, expect questions in exam form this topic
Cisa_AB special top pointer’s, expect questions in exam form this topicAbbasi Mirza, CA, CFE
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Internal Controls
Internal ControlsInternal Controls
Internal ControlsNational Pork Board
 
Operational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasOperational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasTreat Risk
 
IT & the Auditor
IT & the AuditorIT & the Auditor
IT & the AuditorLinda Forbes
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
Maintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit UnionsMaintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit UnionsLibby Bierman
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An OverviewPartner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An OverviewNet at Work
 
Operational Risk Management under BASEL era
Operational Risk Management under BASEL eraOperational Risk Management under BASEL era
Operational Risk Management under BASEL eraTreat Risk
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management WorkshopStacy Willis
 
Ingenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceIngenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceSami Benafia
 
2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material Weakness2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material WeaknessMarkSpong1
 
How Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security ManagementHow Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security Managementwhbrown5
 
Metrics, Risk Management & DLP
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLPRobert Kloots
 
OberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookOberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookObservePoint
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
Merging forensics w data analytics
Merging forensics w data analyticsMerging forensics w data analytics
Merging forensics w data analyticschris75308
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetCSI Solutions
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTuan Phan
 
Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100Net at Work
 
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONEyesOpen Association
 
Ransomware : Challenges and best practices
Ransomware : Challenges and best practices Ransomware : Challenges and best practices
Ransomware : Challenges and best practices EyesOpen Association
 

More Related Content

Similar to Effective Information Security Risk and Controls Management

Operational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasOperational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasTreat Risk
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
Maintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit UnionsMaintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit UnionsLibby Bierman
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An OverviewPartner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An OverviewNet at Work
 
Operational Risk Management under BASEL era
Operational Risk Management under BASEL eraOperational Risk Management under BASEL era
Operational Risk Management under BASEL eraTreat Risk
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management WorkshopStacy Willis
 
Ingenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceIngenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceSami Benafia
 
2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material Weakness2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material WeaknessMarkSpong1
 
How Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security ManagementHow Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security Managementwhbrown5
 
Metrics, Risk Management & DLP
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLPRobert Kloots
 
OberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookOberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookObservePoint
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
Merging forensics w data analytics
Merging forensics w data analyticsMerging forensics w data analytics
Merging forensics w data analyticschris75308
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetCSI Solutions
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTuan Phan
 
Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100Net at Work
 

Similar to Effective Information Security Risk and Controls Management (20)

Operational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvasOperational Risk : Take a look at the raw canvas
Operational Risk : Take a look at the raw canvas
 
IT & the Auditor
IT & the AuditorIT & the Auditor
IT & the Auditor
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
Maintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit UnionsMaintaining Credit Quality in Banks and Credit Unions
Maintaining Credit Quality in Banks and Credit Unions
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An OverviewPartner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
Partner Alliance Webinar - Sales Tax | Fixed Assets Solutions - An Overview
 
Operational Risk Management under BASEL era
Operational Risk Management under BASEL eraOperational Risk Management under BASEL era
Operational Risk Management under BASEL era
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
Ingenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM complianceIngenia consultants-9 basic steps towards TRM compliance
Ingenia consultants-9 basic steps towards TRM compliance
 
2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material Weakness2018 ValAct - Session 22 - Material Weakness
2018 ValAct - Session 22 - Material Weakness
 
How Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security ManagementHow Secure is your Business? Fraud Risk Analysis and Security Management
How Secure is your Business? Fraud Risk Analysis and Security Management
 
Metrics, Risk Management & DLP
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLP
 
OberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality PlaybookOberservePoint - The Digital Data Quality Playbook
OberservePoint - The Digital Data Quality Playbook
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability Management
 
Merging forensics w data analytics
Merging forensics w data analyticsMerging forensics w data analytics
Merging forensics w data analytics
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity Mindset
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100Sage Fixed Assets Accounting for Sage 100
Sage Fixed Assets Accounting for Sage 100
 

More from EyesOpen Association

COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONEyesOpen Association
 
Ransomware : Challenges and best practices
Ransomware : Challenges and best practices Ransomware : Challenges and best practices
Ransomware : Challenges and best practices EyesOpen Association
 
Gestion des Incidents: prendre le contrôle de votre processus
Gestion des Incidents: prendre le contrôle de votre processus Gestion des Incidents: prendre le contrôle de votre processus
Gestion des Incidents: prendre le contrôle de votre processus EyesOpen Association
 
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...EyesOpen Association
 
Case studies in cybersecurity strategies
Case studies in cybersecurity strategiesCase studies in cybersecurity strategies
Case studies in cybersecurity strategiesEyesOpen Association
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance EyesOpen Association
 
Internal and External threats to a corporate network : Bypassing perimeter de...
Internal and External threats to a corporate network : Bypassing perimeter de...Internal and External threats to a corporate network : Bypassing perimeter de...
Internal and External threats to a corporate network : Bypassing perimeter de...EyesOpen Association
 
Cybersecurity Competencies and the Future of Work
Cybersecurity Competencies and the Future of Work Cybersecurity Competencies and the Future of Work
Cybersecurity Competencies and the Future of Work EyesOpen Association
 
Approche de sécurisation des identités: Cas de Active Directory
Approche de sécurisation des identités: Cas de Active DirectoryApproche de sécurisation des identités: Cas de Active Directory
Approche de sécurisation des identités: Cas de Active DirectoryEyesOpen Association
 
Cyber threat intelligence avec Open CTI
Cyber threat intelligence avec Open CTI Cyber threat intelligence avec Open CTI
Cyber threat intelligence avec Open CTI EyesOpen Association
 
Le rôle de la sensibilisation et de la formation à la cybersécurité
Le rôle de la sensibilisation et de la formation à la cybersécuritéLe rôle de la sensibilisation et de la formation à la cybersécurité
Le rôle de la sensibilisation et de la formation à la cybersécuritéEyesOpen Association
 
Cyber psychology: Understand your cyber security mental health culture
Cyber psychology: Understand your cyber security mental health culture Cyber psychology: Understand your cyber security mental health culture
Cyber psychology: Understand your cyber security mental health culture EyesOpen Association
 
La sécurité des API: Quand les mauvais élèves entrent en piste.
La sécurité des API: Quand les mauvais élèves entrent en piste.La sécurité des API: Quand les mauvais élèves entrent en piste.
La sécurité des API: Quand les mauvais élèves entrent en piste.EyesOpen Association
 
Programme de cybersécurité : Implementer le framework NIST CSF en entreprise
Programme de cybersécurité : Implementer le framework NIST CSF en entrepriseProgramme de cybersécurité : Implementer le framework NIST CSF en entreprise
Programme de cybersécurité : Implementer le framework NIST CSF en entrepriseEyesOpen Association
 
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique EyesOpen Association
 
Report: Digital Transformation and Application Security Posture in West and C...
Report: Digital Transformation and Application Security Posture in West and C...Report: Digital Transformation and Application Security Posture in West and C...
Report: Digital Transformation and Application Security Posture in West and C...EyesOpen Association
 
Cybersecurity in Mergers and Acquisitions (M&A)
Cybersecurity in Mergers and Acquisitions (M&A) Cybersecurity in Mergers and Acquisitions (M&A)
Cybersecurity in Mergers and Acquisitions (M&A) EyesOpen Association
 

More from EyesOpen Association (20)

COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
 
Ransomware : Challenges and best practices
Ransomware : Challenges and best practices Ransomware : Challenges and best practices
Ransomware : Challenges and best practices
 
Gestion des Incidents: prendre le contrôle de votre processus
Gestion des Incidents: prendre le contrôle de votre processus Gestion des Incidents: prendre le contrôle de votre processus
Gestion des Incidents: prendre le contrôle de votre processus
 
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...
Art du threat Modeling : Modéliser les menaces informatiques avec la méthode ...
 
Case studies in cybersecurity strategies
Case studies in cybersecurity strategiesCase studies in cybersecurity strategies
Case studies in cybersecurity strategies
 
Cyber and information security operations and assurance
Cyber and information security operations and assurance Cyber and information security operations and assurance
Cyber and information security operations and assurance
 
Zero Trust : How to Get Started
Zero Trust : How to Get StartedZero Trust : How to Get Started
Zero Trust : How to Get Started
 
CTFaaS pour la cybereducation
CTFaaS pour la cybereducationCTFaaS pour la cybereducation
CTFaaS pour la cybereducation
 
Phishing mails: Bonnes pratiques
Phishing mails: Bonnes pratiques Phishing mails: Bonnes pratiques
Phishing mails: Bonnes pratiques
 
Internal and External threats to a corporate network : Bypassing perimeter de...
Internal and External threats to a corporate network : Bypassing perimeter de...Internal and External threats to a corporate network : Bypassing perimeter de...
Internal and External threats to a corporate network : Bypassing perimeter de...
 
Cybersecurity Competencies and the Future of Work
Cybersecurity Competencies and the Future of Work Cybersecurity Competencies and the Future of Work
Cybersecurity Competencies and the Future of Work
 
Approche de sécurisation des identités: Cas de Active Directory
Approche de sécurisation des identités: Cas de Active DirectoryApproche de sécurisation des identités: Cas de Active Directory
Approche de sécurisation des identités: Cas de Active Directory
 
Cyber threat intelligence avec Open CTI
Cyber threat intelligence avec Open CTI Cyber threat intelligence avec Open CTI
Cyber threat intelligence avec Open CTI
 
Le rôle de la sensibilisation et de la formation à la cybersécurité
Le rôle de la sensibilisation et de la formation à la cybersécuritéLe rôle de la sensibilisation et de la formation à la cybersécurité
Le rôle de la sensibilisation et de la formation à la cybersécurité
 
Cyber psychology: Understand your cyber security mental health culture
Cyber psychology: Understand your cyber security mental health culture Cyber psychology: Understand your cyber security mental health culture
Cyber psychology: Understand your cyber security mental health culture
 
La sécurité des API: Quand les mauvais élèves entrent en piste.
La sécurité des API: Quand les mauvais élèves entrent en piste.La sécurité des API: Quand les mauvais élèves entrent en piste.
La sécurité des API: Quand les mauvais élèves entrent en piste.
 
Programme de cybersécurité : Implementer le framework NIST CSF en entreprise
Programme de cybersécurité : Implementer le framework NIST CSF en entrepriseProgramme de cybersécurité : Implementer le framework NIST CSF en entreprise
Programme de cybersécurité : Implementer le framework NIST CSF en entreprise
 
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique
Cyberguerre et Cyberdéfense: les nouveaux enjeux pour l’Afrique
 
Report: Digital Transformation and Application Security Posture in West and C...
Report: Digital Transformation and Application Security Posture in West and C...Report: Digital Transformation and Application Security Posture in West and C...
Report: Digital Transformation and Application Security Posture in West and C...
 
Cybersecurity in Mergers and Acquisitions (M&A)
Cybersecurity in Mergers and Acquisitions (M&A) Cybersecurity in Mergers and Acquisitions (M&A)
Cybersecurity in Mergers and Acquisitions (M&A)
 

Recently uploaded

The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringSebastiano Panichella
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptssuser319dad
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Salam Al-Karadaghi
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)Basil Achie
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 

Recently uploaded (20)

The 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software EngineeringThe 3rd Intl. Workshop on NL-based Software Engineering
The 3rd Intl. Workshop on NL-based Software Engineering
 
Philippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.pptPhilippine History cavite Mutiny Report.ppt
Philippine History cavite Mutiny Report.ppt
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
Exploring protein-protein interactions by Weak Affinity Chromatography (WAC) ...
 
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
NATIONAL ANTHEMS OF AFRICA (National Anthems of Africa)
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 

Effective Information Security Risk and Controls Management

  • 1.
  • 2. 1.Information Security Risk in a nutshell 2.Key Elements of Effective IS Risk Management 3.Do’s and Dont’s for Efficiency PLAN
  • 3. Information Security Risk in a nutshell 1
  • 4. Risk Threat • Threat Actor Asset Vulnerability Risk Probability x Impact • Threat Factor • Inherent weakness • Tools • Skills
  • 5. Risk Scenario Citibank wired a $900 million loan payoff to the cosmetic company Revlon’s money lenders, in 2020. This was done mistakenly. Citibank reached out to the hedge funds to return the money, some did, others refused. Citibank decided to sue them. The federal judge ruled that Citibank can’t have its money back. As you would imagine, Citibank had multiple controls and policies in place to ensure that mistakes like this won’t happen. Initial reports said that the mistake could have happened because of compromised banking controls, but the problem was finally traced to a recently installed software that was rife with UI issues. The software didn’t have appropriate controls and it led to the error. US regulators fined Citibank $400 million to update their data governance, risk management, and compliance controls.
  • 6. Key Elements of Effective IS Risk Management 2
  • 7. ✓ Know your environment and its constraints ✓ Inventoriate information assets ✓ Classify Information assets Key Elements
  • 8. ✓ Identify dependencies ✓ Identify and validate vulnerabilities and threats Key Elements
  • 9. ✓ Identify dependencies ✓ Identify and validate vulnerabilities and threats ✓ Identify and implement treatment Key Elements
  • 10. ✓ Check implementation ✓ Make adjustments and fine-tune ✓ Establish measurements (KRI, KPI) Key Elements
  • 11. ✓ Check implementation ✓ Make adjustments and fine-tune ✓ Establish measurements (KRI, KPI) Key Elements
  • 12. ✓ Establish monitoring ✓ Set measurement and reporting ✓ Repeat the cycle very often Key Elements
  • 14. ❌Dont’s ❌ Dont Assume that Security controls are working properly ✅Set up monitoring and response mechanism (SIEM, SOC, Security Analysts) ✅Always check to identify issues with the controls and fine-tune if possible ✅Always test from every angle to ensure appropriateness of your control ❌Dont Over-rely on Compensating Controls ✅Set time limit to remediate the issue and remove the compensating control ✅Always review with management if the risk persists ❌ Dont Be hasty and/or try to cut corners ✅Be realistic with the treatment methods chosen ✅Get enough information for management to decide appropriately ✅and Do’s
  • 15. ❌Dont Assume that you know your inventory completely ✅Always carry out periodic inventory to update database, automate discovery ✅Block automatic entry of assets, control introduction of new assets ❌Dont Assume that your users will always understand controls ✅Training and security awareness on regular basis ✅Test their knowledge through Campaigns like Phishing Campaigns ❌Dont Try to re-invent the wheel ✅Use tried and proven methods such as standards and frameworks which are available ✅ISO 27005, NIST 800-37, EBIOS, MEHARI, OCTAVE, ISF RMF ❌Dont’s ✅and Do’s
  • 17. M E R C I ! T H A N K Y O U ! QUESTIONS ?