Risk mngt gov compliance security cyber

740 views
Risk mngt gov compliance security cyber 2015

Published in: Technology

  1. Galit Fein & Sigal Russin’s work / Copyright@2015. Do not remove source or attribution from any slide, graph or portion of graph. STKI is here to serve you………
  2. Technology Risk Management: Governance, Compliance, Security & Cyber
     IT strategy themes: Engage & Innovate; Govern & Protect; Deliver & Maintain.
  3. IT Complexity (diagram)
     Elements shown: Social, APIs, Systems of Records, Systems of Engagement, Legacy, Cost Center, eCommerce, Enterprise App Store, Enterprise Mobility, mapped onto the IT strategy themes Engage & Innovate, Govern & Protect and Deliver & Maintain.
  4. Govern and Protect
  5. Increasing Pace of Business Changes
     • Strategic direction may change by the time a final budget is approved.
     • Traditional IT governance methods no longer work in a business world demanding speed & value.
  6. Bi-modal IT: IT with different people, sets of skills, processes and tools supporting each mode.
     • Systems of Records, evolving to Transactions: reduce operating expenses; long development and deployment cycles; doing IT right, efficiently and safely.
     • Systems of Engagement, evolving to Immersion: invest in new systems; touch people; in-moment decisions; personalized & in-context; social and analytics driven; short & rapid releases; doing IT fast; IT doesn’t have to be perfect, just quick.
  7. Balance and re-balance IT asset allocation
     • 70%: email, upgrades, maintenance, operations.
     • 30%: transformational investments, new capabilities.
  8. Provide visibility into IT: “…And that in quick view what we have in our IT today”
     • Programs & projects; HW & SW assets; Contracts; Vendors; Partners; Costs.
     • Accountability is ultimately more important today than cost cutting.
  9. IT Governance – Office of the CIO (the business–IT orchestrator and navigator)
     Areas covered: Programs & projects; HW & SW assets; Contracts; Vendors; Partners; Costs; Chargeback; Service catalog; Business models; Financial stability; Vendor evaluation & mngt; Demand mngt; Agility; Project mngt; EA; Asset mgt; Agreement mgt; Benchmarks; SOW; SLA mngt; Skill mngt; Resource mngt; ITIL; Risk mngt; Accountability; Future roadmaps.
  10. Highest business value possible: BRM sits between internal IT / external providers (XaaS) and the LoBs, with both internal and external impact.
     • Demand identification, shaping, aggregation & prioritization
     • Expectation mngt
     • Business value
     • Adaptation to business changes
     • Services & products supply in terms of quality and capacity
     • Resources coordination
     • IT services & products catalog
     • Agility
     • Explore technology trends and review new potential business
     • Align to business strategy and risk appetite
  11. IT Governance evolvement: 3 types of CIOs
     • Conservative CIO – tactical PMO: demand mngt; portfolio mngt; project mngt; resource mngt to ensure correct services & products supply; project tool; reporting; project risk mngt.
     • Modern CIO – Office of the CIO: demand coordination and aggregation, PPM; enterprise architecture; resource mngt; PPM / governance tool; business & IT executive dashboards; technology risk mngt – compliance & reliable reporting.
     • Early adopter CIO – strategic BRM: facilitate business and IT convergence; removing boundaries – embeds IT capabilities with LoBs to increase agility and business value; innovation; enterprise architecture; PPM; holistic IT governance tool; proactive technology risk mngt.
  12. Technology Risk Management
  13. The dark side of innovation & new business models
     • Emerging technologies bring completely new and often unknown challenges and risks: digital information is growing exponentially; access to enterprise information is often done from customers’ and employees’ private smart devices; boundaries between customer and organization are blurred.
     • The same applies to new business models: managing privacy, regulatory compliance and legal aspects in public cloud technology; the on-demand or sharing economy makes it necessary to manage our own online reputation.
     • Growing risk of security breach or data loss.
  14. Start with your own personal data: the Ministry of Defense’s personal security online educational campaign, ‘Think Before You... Share’.
  15. Sharing (on-demand) economy: we share our living spaces, our knowledge, our cars, our parking spaces. How do I know an Airbnb guest won’t ransack my apartment? Is it guaranteed that a Getaround user will return my car?
  16. Reputation economy – a portable measure of trust.
  17. Who are you, Galit Fein? Who is responsible for personal risk management?
  18. Why Manage Risks? Corporate catastrophes are all too common. “BP will plead guilty to manslaughter charges stemming from the 2010 Deepwater Horizon explosion and oil spill in the Gulf of Mexico, and agreed to pay $4.5 billion in government penalties, Attorney General Eric Holder announced Thursday.”
  19. Risk equals new opportunity.
  20. What is Risk?
     • Risk is intentional interaction with uncertainty.
     • Enterprise risk is the effect of uncertainty on objectives and organization goals.
     • Risk mngt: in today’s uncertain times we have to prepare the response to unwanted events in advance.
     • Accepting risk is OK; ignoring risk is tragic.
  21. Managing technology risk is now a business priority
     • With the increasing importance of technology and business reliance on it, focus is shifting to technology risk.
     • It’s not about project risks; those will continue to be run in the PMO.
     • It’s not limited to security.
     • For the first time business executives ask IT: “What may be the impact on the organization from all IT-related risks?”
     Source: Riskjournal
  22. (image slide, no text)
  23. Technology risks
     • Project related: entering (or NOT entering) new technology; difficulties related to new technology adaptation; big project failure; is the project technically feasible?; could the technology be obsolete before a useful product is produced?; late project delivery.
     • Non-project related: obsolete or inflexible IT architecture; cloud-based solutions; unstable systems; not achieving enough value from IT; compliance; misalignment; IT service delivery problems; employee-related fraud.
  24. Tsunami of Regulations: Data Privacy Laws; Freedom of Information Act; HIPAA; Payment Card Industry Data Security Standard; Homeland Security; Sarbanes-Oxley; Basel II; industry-specific regulations (HACCP); Federal Rules of Civil Procedure.
     “Legal costs, fines and damages could be reduced by 25% if organizations applied best practice procedures to records management, security and e-Discovery.” Source: Monica Crocker, Land O’Lakes at #AIIM13
  25. Technology Risks Compliance
     • Technology risks compliance = legal requirements + industry standards + organizational policies and guidelines, and more...
     • Finding and retrieving information on demand
     • Controlling access and confidentiality
     • Monitoring and reporting for enforcement
     • Comprehensive auditing
     • Secure retention and destruction
     Compliance is key: deceptive marketing, debt traps, dead ends, discrimination, retailer data breaches, emerging technology protections. There’s a huge price for non-compliance!
  26. Technology Risk Mngt evolvement: 3 types of CIOs (from burden to value, from crisis mngt to risk mngt)
     • Conservative CIO – risks managed as part of IT projects or security: risks managed in silos per specific project, technology, etc.; GRC seen as unnecessary and burdensome reactions to regulations and risk events.
     • Modern CIO – IT risk mngt in their own risk department: policy & methodology; random risk assessment; regulatory compliance.
     • Early adopter CIO – strategic & proactive technology risk mngt: holistic & continuous approach; substantial need; proper processes & activities of IT supporting & promoting business goals.
  27. And remember: “And when it went wrong, do you know the risk?”
  28. Why is an effective cyber security platform a vital component of risk management? (IT strategy: Engage & Innovate; Govern & Protect; Deliver & Maintain)
  29. Cyber Insurance: Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
  30. Cyber insurance solutions
  31. IT GRCs General Control Areas. Source: Menny Barzilay
  32. Be prepared for the worst: “Cyber security executives can leverage the risk management toolset to communicate clearly to their executive teams and, more importantly, secure funding for important security programs.” Source: http://id.lockheedmartin.com/blog/risky-business-the-role-of-risk-management-in-cyber-security
  33. Which “Security” type are you? Your winning hand is…
     • Conservative CIO – Systems of Records: systems to support clients’ functional needs efficiently. Customers, IDM, API security. Common technologies: NAC, SIEM, DLP, FW+IPS, SSL + OTP, IDM, Application Security Testing.
     • Modern CIO – Systems of Engagement: systems to spur intimacy with customers and turn them into advocates. Adaptive Access Control, Security as a service, Cyber risk management, Security behavior analysis, Cyber SOC, Cyber intelligence.
     • Early adopter CIO – Systems of Immersion: systems that bond with customers and immerse them into the company’s story. Big data cyber analytics, IoT and wearables, Cyber insurance, Cloud security, SDN security, Open source security.
  34. A Changing Battle-Space: Prevention Is Not Enough. Source: http://www.battery.com/powered/general/2014/09/11/why-breach-detection-is-your-new-must-have-cyber-security-tool/
  35. Security risks in house: sensitive data leak (SCADA); system admins; BYOD.
  36. Steps to govern security against inside threats: SIEM; Access Management – IDM; Forensic tools; DLP; Malware scanning & sandbox; WAF; Endpoint security; Mobile security; Next generation SOC.
  37. Cyber threats outside – S.O.S: zero-day malware & APT.
  38. Steps to govern cyber external threats: FW+IPS; Access Management – IDM; Cyber intelligence; Malware scanning & sandbox; API security; Network security virtualization; Cloud application security.
  39. Cyber Risks: any organization that (1) uses technology in its operations and/or (2) handles, collects or stores confidential information has cyber risks:
     • Legal liability to others for computer security breaches
     • Legal liability to others for privacy breaches of confidential information
     • Regulatory actions, fines and scrutiny
     • Loss or damage to data / information
     • Loss of revenue due to a computer attack
     • Extra expense to recover from / respond to a computer attack
     • Loss or damage to reputation
     • Cyber-extortion
     • Cyber-terrorism
  40. 2015 cybersecurity predictions
  41. Cloud Security
  42. The notorious 9 cloud computing threats, as described by the Cloud Security Alliance: Data Breaches; Data Loss; Account Hijacking; Insecure APIs; Denial of Service; Malicious Insiders; Abuse of Cloud Services; Insufficient Due Diligence; Shared Technology Issues. Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf (Moshe Ferber, Cloud Security Alliance Israel)
  43. Cloud attack vectors: provider administration; management console; multi-tenancy & virtualization; automation & API; supply chain; side channel attack; insecure instances. Source: Moshe Ferber, Cloud Security Alliance Israel
  44. Israel cloud adoption – by sector
     • Private cloud: Army, Banks, Government, Utility.
     • Cloud curious (checking the technology): Government, Finance, Telecom operators, Health.
     • Cloud adopters (running 2-5 applications in the cloud): Telecom vendors, Industry, Services, Utilities.
     • Cloud focus (most applications in the cloud): High-Tech, Startups, SMB.
     Source: Moshe Ferber, Cloud Security Alliance Israel
  45. Regulations, ordinances and laws in Israel
     • Laws: the privacy laws currently address cloud as a form of outsourcing.
     • State-level efforts: INCB is working on cyber guidelines for SMB and the private sector.
     • Sector-level efforts: Finance – the Bank of Israel published a draft of guidelines for cloud adoption.
     Source: Moshe Ferber, Cloud Security Alliance Israel
  46. Tools & technologies to secure cloud services
     • SaaS: encryption gateways; governance and compliance; identity gateway.
     • PaaS: database monitoring and encryption; dynamic and static analysis tools.
     • IaaS: governance & compliance; encryption; multi-cloud management.
     Source: Moshe Ferber, Cloud Security Alliance Israel
  47. Security is NOT an obstacle
     • Identify information assets
     • Conduct periodic risk assessments to identify the specific vulnerabilities your company faces
     • Develop and implement a security program to manage and control the risks identified
     • Monitor and test the program to ensure that it is effective
     • Continually review and adjust the program in light of ongoing changes
     • Oversee third-party service provider arrangements
     • Maintain training for all staff on information security
  48. Which “Security” type are you? Your winning hand is… (repeat of slide 33)
  49. Technology Risk Mngt evolvement: 3 types of CIOs (repeat of slide 26)
  50. Contact: Sigal Russin, Sigalr@stki.info; Galit Fein, Galit@stki.info