Assuring the Security of the Supply Chain
Designing best practices for cybersecurity in supply chains
Ollie Whitehouse, Technical Director
Agenda
Supply Chains and the Cyber Challenge
Regulatory (FCA) Outsourcing Requirements
Historic Approaches
Models for the Future – our maturity model
2
3
Supply chains…
• Software: commercial off-the-shelf (COTS) and proprietary
• Equipment: the routers, servers, tablets, phones, storage, multi-function
devices, the doors, conditional access devices, building management
system etc.
• Services: business process outsourcing, data processing, IaaS, PaaS,
SaaS, people, and other generic terms like data feeds, cloud and managed
service etc.
4
Supply chains…
5
Supply chains cyber risk ..
6
Supplier tiers..
Tiers of suppliers..
.. need to focus on
tier 1 and 2 initially ..
the tier a supplier sits in
will be dictated by the business
criticality of what they supply
7
Supplier tiers..
Tiers of suppliers
have tiers of suppliers
it is an exponential problem creating
inadvertent centralized hot pockets
of data or function for certain roles
(legal, HR etc.) or sector niches
8
Supply chains cyber risk ..
9
Suffice to say
Suppliers are increasingly operating
business critical functions
10
Today it is a challenge for customers
Suppliers today need to show goodwill in order to support
supply chain cyber maturity programmes..
Legacy contractual cover is typically weak beyond compliance
against standards such as ISO 27001..
The cost of contract renegotiation is typically high..
If a supplier is unique or niche then commercial leverage evaporates..
11
FCA outsourcing regulatory requirements
• Senior Management Arrangements, Systems and Controls
• SYSC 8.1: General outsourcing requirements
• SYSC 13.7.9: Geographic location considerations
• Threshold Conditions
• COND 2.4: Appropriate resources
• COND 2.5: Suitability..
.. then there is the DPA etc…
Handbook
http://fshandbook.info/FS/
12
FCA outsourcing regulatory reality
At the time of authorisation, a firm’s regulated activities must be supported by
IT services which are effective, resilient and secure and have been
appropriately designed to meet expected future as well as current business
needs so as to avoid risks to our (the FCA’s) objectives.
Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014
https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
13
FCA outsourcing regulatory reality
The firm must have undertaken sufficient preparatory work to provide
reasonable assurance that each OSP will deliver its services effectively,
resiliently and securely.
14
FCA outsourcing regulatory reality
The firm has established appropriate arrangements for the on-going oversight
of its OSPs and the management of any associated risks such that the firm
meets all its regulatory requirements.
15
FCA outsourcing regulatory reality
Above all, a regulated firm should be clear that it retains full accountability for
discharging all of its regulatory responsibilities. It cannot delegate any part of
its responsibility to a third party.
16
FCA protection considerations
[Slides 16 to 20: diagrams from the FCA paper cited above, "Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions", July 2014; no slide text survives]
Current approach to the supply chain
today only the most mature
22
This is not enough…
Resilience
23
What does cyber resilience mean?
We will have incidents both of internal and external origin
we will contend with accidents and malicious acts
we will face an evolving set of threats requiring agility
We will build services for the business which are appropriately secure and resilient
… which frustrate threat actors and reduce likelihood of accidents
… which minimize the impact of any incident whilst remaining usable
We will be in a position to detect incidents in a timely fashion
… whilst being able to answer who, what, when and how … and then recover
24
How we deal with risk today
• Elements / Tenets: CIA and the Parkerian Hexad etc.
• Models / Indexes: custom or off the shelf.
• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS,
ISO/IEC 13335-2, SP800-30 etc.
• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.
• Maturity Models: recognizing risk isn’t static nor do we need to be perfect
• Audit: tell us the gaps against regulation, standards, taxonomies etc.
25
How we deal with risk today
C AI: this priority is good for your sensitive data
(C = confidentiality, I = integrity, A = availability)
26
How we deal with risk today
CA I: this priority is good for your buildings management system
27
How we deal with risk today
N I C A: this priority is good for high frequency trading
(N = nonrepudiation)
28
Biggest challenges today are still
• Where will my organization's data, or the ability to significantly impact my
business, end up (logically and physically)?
• Who will have access to it?
• What is my supplier's ability to protect themselves in the first instance?
• What is their ability to detect an incident, respond and notify me?
• How cyber resilient is my supplier?
29
A maturity model for the supply chain
Levels (left to right): Immature, Early Starter, Progressive, Semi-Mature, Mature

Immature
• Cyber security strategy: Reactive
• Approach to risk management: Ad-hoc
• Contractual cover / supplier relationship: None
• Standards and validation: Cyber Essentials
• Overall cyber resilience: None

Early Starter
• Cyber security strategy: Regulatory (customer) driven
• Approach to risk management: Conformance and audit driven
• Contractual cover / supplier relationship: Minimal cyber security requirements
• Standards and validation: Cyber Essentials + ISO 27001
• Overall cyber resilience: Ability to defend against some attacks

Progressive
• Cyber security strategy: Regulatory, customer and maybe peer driven
• Approach to risk management: Audit and proactive
• Contractual cover / supplier relationship: Allows independent cyber security review
• Standards and validation: CE+, ISO plus paper validation
• Overall cyber resilience: Ability to defend and detect common incidents

Semi-Mature
• Cyber security strategy: Regulatory, customer, peer & threat driven
• Approach to risk management: Audit, proactive with dynamic risk models
• Contractual cover / supplier relationship: Independent validation / information shared
• Standards and validation: CE+, ISO, paper & tech validation
• Overall cyber resilience: Ability to defend, detect and respond to most incidents

Mature
• Cyber security strategy: Regulatory, peer, customer, threat and intelligence driven
• Approach to risk management: .. plus continual validation of risk models
• Contractual cover / supplier relationship: … plus requires pro-active notification of incidents
• Standards and validation: CE+, ISO, paper, tech & end-to-end ongoing validation
• Overall cyber resilience: Ability to defend, detect, respond and gain intelligence

Implementation
NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management
30
CBEST in this context
For a critical supplier of an economic function to the UK economy, it validates
• The level of threat awareness of the supplier (i.e. a tier 1 institution)
• Their ability to protect their estate in the first instance
• Their ability to detect an incident, respond and notify in the second
• The end-to-end effectiveness of technical and soft defensive countermeasures,
including against vectors such as the Internet and trusted partners etc.
31
So where is the best supply chain today?
(repeats the NCC Group Supply Chain Cyber Security Maturity Model table from the previous slide)
32
Closing… CBEST is mature
But we can expect it to trickle down
in terms of what is looked at in the supply chain…
33
Further reading / viewing…
http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chain
https://www.nccgroup.trust/uk/our-research/cyber-red-teaming-business-critical-systems-while-managing-operational-risk/
34
How we help our customers …
Red Team Assessments
STAR and CBEST
Phishing Assessments
Cyber Incident Response
Cyber Defence Operations
Regulatory Advice
Cyber Resilience
Risk & Governance
Supply Chain Assurance
Operational Support
35
Final thought…
Maturity is happening globally in financial services…
Israeli Cyber Defense Management directive, March 2015
Prescriptive in comparison, including 24x7x365 SOCs, incident rooms,
mandatory reporting of cyber incidents etc…
http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
36
Europe
Manchester - Head Office
Amsterdam
Cambridge
Copenhagen
Cheltenham
Edinburgh
Glasgow
Leatherhead
London
Luxembourg
Munich
Zurich
Australia
Sydney
North America
Atlanta
Austin
Chicago
New York
San Francisco
Seattle
Sunnyvale
Ollie Whitehouse
ollie.whitehouse@nccgroup.trust

More Related Content

What's hot

Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)
Saras Singh
 

What's hot (20)

SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Third-Party Oversight & Governance
Third-Party Oversight & GovernanceThird-Party Oversight & Governance
Third-Party Oversight & Governance
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?How to fulfil requirements of ISO 20000:2018 Documents?
How to fulfil requirements of ISO 20000:2018 Documents?
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)Operational risk (by ms.sweta vijuraj)
Operational risk (by ms.sweta vijuraj)
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Journey to cyber resilience
Journey to cyber resilienceJourney to cyber resilience
Journey to cyber resilience
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
 

Viewers also liked

Supply Chain Security
Supply Chain SecuritySupply Chain Security
Supply Chain Security
guest031790
 

Viewers also liked (20)

Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assurance
 
Threat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive CapabilityThreat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive Capability
 
NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
 
Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
 
Smart grid in the Critical National Infrastructure
Smart grid in the Critical National InfrastructureSmart grid in the Critical National Infrastructure
Smart grid in the Critical National Infrastructure
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
 
Countering the Cyber Threat
Countering the Cyber ThreatCountering the Cyber Threat
Countering the Cyber Threat
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber Forensics
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
Supply Chain Best Practices
Supply Chain Best Practices Supply Chain Best Practices
Supply Chain Best Practices
 
Supply Chain Security
Supply Chain SecuritySupply Chain Security
Supply Chain Security
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 

Similar to Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains

{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
awish11
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Doeren Mayhew
 

Similar to Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains (20)

CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19 Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19
 
A Comprehensive Approach To Third Party Risk Management White Paper 20180103
A Comprehensive Approach To Third Party Risk Management White Paper 20180103A Comprehensive Approach To Third Party Risk Management White Paper 20180103
A Comprehensive Approach To Third Party Risk Management White Paper 20180103
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
 
Questions for a Risk Analyst Interview - Get Ready for Success.pdf
Questions for a Risk Analyst Interview - Get Ready for Success.pdfQuestions for a Risk Analyst Interview - Get Ready for Success.pdf
Questions for a Risk Analyst Interview - Get Ready for Success.pdf
 
𝐑𝐢𝐬𝐤 𝐀𝐧𝐚𝐥𝐲𝐬𝐭 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬
𝐑𝐢𝐬𝐤 𝐀𝐧𝐚𝐥𝐲𝐬𝐭 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬𝐑𝐢𝐬𝐤 𝐀𝐧𝐚𝐥𝐲𝐬𝐭 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬
𝐑𝐢𝐬𝐤 𝐀𝐧𝐚𝐥𝐲𝐬𝐭 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬
 
Class 2003 05 22
Class 2003 05 22Class 2003 05 22
Class 2003 05 22
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Risk Product.pptx
Risk Product.pptxRisk Product.pptx
Risk Product.pptx
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
 
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIECVendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Assuring the Security of the Supply Chain - Designing best practices for cybersecurity in supply chains

  • 1. Assuring the Security of the Supply Chain Designing best practices for cybersecurity in supply chains Ollie Whitehouse, Technical Director
  • 2. Agenda Supply Chains and the Cyber Challenge Regulatory (FCA) Outsourcing Requirements Historic Approaches Models for the Future – our maturity model 2
  • 3. 3 Supply chains… • Software: common-off-the-shelf (COTS) and proprietary • Equipment: the routers, servers, tablets, phones, storage, multi function devices, the doors, conditional access devices, building management system etc. • Services: business process outsourcing, data processing, IaaS, PaaS, SaaS, people, other generic terms like data feeds, cloud and managed service etc.
  • 6. 6 Supplier tiers.. Tiers of suppliers.. .. need to focus on tier 1 and 2 initially .. the tier a supplier exists in will be dictated by the business criticality of the what they supply
  • 7. 7 Supplier tiers.. Tiers of suppliers have tiers of suppliers it is an exponential problem creating inadvertent centralized hot pockets of data or function for certain roles (legal, HR etc.) or sector niches
  • 9. 9 Suffice to say Suppliers are increasingly operating business critical functions
  • 10. 10 Today it is a challenge for customers Suppliers today need to show good will in order to support supply chain cyber maturity programs.. Legacy contractual cover is typically weak beyond compliance against standards such as ISO27001.. Cost of contract renegotiating is typically high.. If a supplier is unique or niche then commercial leverage evaporates..
  • 11. 11 FCA outsourcing regulatory requirements • Senior Management Arrangements, Systems and Controls • SYSC 8.1: General outsourcing requirements • SYSC 13.7.9: Geographic location considerations • Threshold Conditions • COND 2.4: Appropriate resources • COND 2.5: Suitability.. .. then there is the DPA etc… Handbook http://fshandbook.info/FS/
12. FCA outsourcing regulatory reality
"At the time of authorisation, a firm's regulated activities must be supported by IT services which are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our (the FCA's) objectives."
Source: Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

13. FCA outsourcing regulatory reality
"The firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely."
Source: Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 (same document as above).

14. FCA outsourcing regulatory reality
"The firm has established appropriate arrangements for the on-going oversight of its OSPs and the management of any associated risks such that the firm meets all its regulatory requirements."
Source: Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 (same document as above).

15. FCA outsourcing regulatory reality
"Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party."
Source: Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014 (same document as above).
16–20. FCA protection considerations (five slides; the slide bodies are images that are not reproduced in this transcript)
Source: Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions, July 2014, https://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf
21. Current approach to the supply chain
today only the most mature
22. This is not enough…
Resilience
23. What does cyber resilience mean?
• We will have incidents both of internal and external origin
  … we will contend with accidents and malicious acts
  … we will face an evolving set of threats requiring agility
• We will build services for the business which are appropriately secure and resilient
  … which frustrate threat actors and reduce likelihood of accidents
  … which minimize the impact of any incident whilst being useable
• We will be in a position to detect incidents in a timely fashion
  … whilst being able to answer who, what, when and how
  … and then recover
24. How we deal with risk today
• Elements / Tenets: CIA and the Parkerian Hexad etc.
• Models / Indexes: custom or off the shelf.
• Taxonomies / Frameworks: FAIR, NIST RMF, OCTAVE, TARA, EBIOS, ISO/IEC 13335-2, SP800-30 etc.
• Standards / Regulation: ISO/IEC 27001, PCI, FCA/PRA, SOC-1, SOX etc.
• Maturity Models: recognizing risk isn't static, nor do we need to be perfect
• Audit: tell us the gaps against regulation, standards, taxonomies etc.
25. How we deal with risk today
Priority "C" over "A I": this priority is good for your sensitive data
(C = confidentiality, I = integrity, A = availability)

26. How we deal with risk today
Priority "C A" over "I": this priority is good for your buildings management system

27. How we deal with risk today
Priority "N I C" over "A": this priority is good for high frequency trading
(N = nonrepudiation)
28. Biggest challenges today are still
• Where will my organization's data, or the ability to significantly impact my business, end up (logically and physically)?
• Who will have access to it?
• What is my supplier's ability to protect themselves in the first instance?
• What is their ability to detect an incident, respond and notify me?
• How cyber resilient is my supplier?
29. A maturity model for the supply chain
NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management (levels run from Immature to Mature along the implementation axis)

Cyber security strategy
  Immature: Reactive
  Early Starter: Regulatory (customer) driven
  Progressive: Regulatory, customer and maybe peer driven
  Semi-Mature: Regulatory, customer, peer & threat driven
  Mature: Regulatory, peer, customer, threat and intelligence driven

Approach to risk management
  Immature: Ad-hoc
  Early Starter: Conformance and audit driven
  Progressive: Audit and proactive
  Semi-Mature: Audit, proactive with dynamic risk models
  Mature: .. plus continual validation of risk models

Contractual cover / supplier relationship
  Immature: None
  Early Starter: Minimal cyber security requirements
  Progressive: Allows independent cyber security review
  Semi-Mature: Independent validation / information shared
  Mature: … plus requires pro-active notification of incidents

Standards and validation
  Immature: Cyber Essentials
  Early Starter: Cyber Essentials + ISO 27001
  Progressive: CE+, ISO plus paper validation
  Semi-Mature: CE+, ISO, paper & tech validation
  Mature: CE+, ISO, paper, tech & end-to-end ongoing validation

Overall cyber resilience
  Immature: None
  Early Starter: Ability to defend against some attacks
  Progressive: Ability to defend and detect common incidents
  Semi-Mature: Ability to defend, detect and respond to most incidents
  Mature: Ability to defend, detect, respond and gain intelligence
30. CBEST in this context
For a supplier of an economic function that is critical to the UK economy, it validates:
• The level of threat awareness of the supplier, i.e. a tier 1 institution
• Their ability to protect their estate in the first instance
• Their ability to detect an incident, respond and notify in the second
• The end-to-end technical and soft defence countermeasure effectiveness, including against vectors such as the Internet and trusted partners etc.
31. So where is the best supply chain today?
(This slide re-shows the NCC Group Supply Chain Cyber Security Maturity Model for Enterprise Risk Management from slide 29, with the same five levels and five dimensions.)
32. Closing…
CBEST is mature
But we can expect it to trickle down in terms of what is looked at in the supply chain…
33. Further reading / viewing…
http://www.slideshare.net/OllieWhitehouse/red-teaming-and-the-supply-chain
https://www.nccgroup.trust/uk/our-research/cyber-red-teaming-business-critical-systems-while-managing-operational-risk/
34. How we help our customers …
• Red Team Assessments
• STAR and CBEST
• Phishing Assessments
• Cyber Incident Response
• Cyber Defence Operations
• Regulatory Advice
• Cyber Resilience
• Risk & Governance
• Supply Chain Assurance
• Operational Support
35. Final thought…
Maturity is happening globally in financial services…
Israeli Cyber Defense Management directive, March 2015
Prescriptive in comparison, including 24x7x365 SOCs, incident rooms, mandatory reporting of cyber incidents etc…
http://www.bankisrael.gov.il/en/BankingSupervision/SupervisorsDirectives/ProperConductOfBankingBusinessRegulations/361_et.pdf?AspxAutoDetectCookieSupport=1
36. Offices
Europe: Manchester (Head Office), Amsterdam, Cambridge, Copenhagen, Cheltenham, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Munich, Zurich
Australia: Sydney
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Ollie Whitehouse, ollie.whitehouse@nccgroup.trust

Editor's Notes

  1–5. Doesn't include technical countermeasures.. (the same note is attached to five slides)