
Talk1 esc3 muscl-standards and regulation_v1_1


A quick introduction to ISO 27001, 27002, FFIEC, GDPR and Mauritius DPA 2017



  1. {elysiumsecurity} STANDARDS AND REGULATIONS: AN INTRODUCTION TO ISO 27001, FFIEC & GDPR. Version: 1.1a. Date: 29/03/2018. Author: Sylvain Martinez. Reference: ESC3-MUSCL. Classification: Public. cyber protection & response
  2. CONTENTS
     CONTEXT: • Why Care? • Goals.
     ISO 27001: • ISO 27001 Purpose; • ISO 27002 Purpose; • ISO 27001 vs. 27002; • ISO 27001 Domains; • ISO 27002 Domains.
     FFIEC: • FFIEC Purpose; • FFIEC Overview; • Maturity Assessment Statistics; • Maturity Domains; • ISO 27001 vs. FFIEC.
     GDPR: • GDPR Key Facts; • Mauritius DPA 2017; • Free Resources.
  3. WHY CARE? • Heavy fines; • Business enablement; • Enhanced security. (Icons from the Noun Project unless specified otherwise.)
  4. GOALS: Identify, Detect, Prevent, Respond, Recover. Different frameworks and standards, same goals.
  5. ISO 27001 PURPOSE (Information security management systems: Requirements) • Helps organizations keep secure both their own information assets and those of their customers. • Provides requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). • Can be used by internal and external parties to assess the ability of an organization to meet its own information security requirements.
  6. ISO 27002 PURPOSE (Code of Practice for Information Security Controls) • Helps organizations keep secure both their own information assets and those of their customers. • Offers organizations a wide selection of security controls, together with accompanying implementation guidance.
  7. ISO 27001 vs. 27002
     ISO 27001: • You can get certified; • Management standard; • Information security must be planned, implemented, monitored, reviewed and improved; • Defines management responsibilities; • High level.
     ISO 27002: • You cannot get certified; • Comprehensive set of controls; • The full list of controls may not apply to all organizations; • Very detailed.
  8. ISO 27001 DOMAINS (7x): • Context of the organization; • Leadership (policy, roles, responsibilities, etc.); • Planning (actions to address risks, security objectives); • Support (resources, competence, awareness, etc.); • Operation (planning and control, risk assessment, etc.); • Performance evaluation (monitoring, measurement, internal audit, etc.); • Improvement (corrective action, continual improvement).
  9. ISO 27002 DOMAINS (14x): • Information security policies; • Organization of information security; • Human resource security; • Asset management; • Access control; • Cryptography; • Physical and environmental security; • Operations security; • Communication security; • System acquisition, development and maintenance; • Supplier relationships; • Information security incident management; • Information security aspects of business continuity management; • Compliance.
  10. FFIEC PURPOSE (Cybersecurity Assessment Tool, version 2.1, August 2017) • Assesses the complexity of an institution's operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services (Inherent Risk). • Assesses an institution's current practices and overall cybersecurity preparedness (Maturity). • Helps make risk-informed decisions to identify and prioritize actions that enhance the effectiveness of cybersecurity-related programs and the overall level of preparedness to address increasing cybersecurity threats.
  11. FFIEC OVERVIEW (diagram only)
  12. MATURITY ASSESSMENT STATISTICS: 8x domains; 15x assessment factors; 30x components; 494x questions. Questions per maturity level: Baseline (123), Evolving (113), Intermediate (113), Advanced (86), Innovative (59).
  13. MATURITY DOMAINS: • Cyber risk management and oversight; • Threat intelligence and collaboration; • Cybersecurity controls; • External dependency management; • Cyber incident management and resilience.
  14. ISO 27001 vs. FFIEC
     ISO 27001: • You can get certified; • Management standard; • YOU choose which ISO 27002 controls apply to your company; • Internationally recognised.
     FFIEC: • You cannot get certified; • Includes and starts with a risk context assessment; • Guided approach as to which controls apply to you; • Very comprehensive list of requirements and recommendations; • Mainly USA usage, with an uptake in Africa.
  15. GDPR KEY FACTS: • Applies to all companies; • Right to access; • Fines of up to 4% or €20 million; • Right to be forgotten; • Privacy by design and by default; • 72h reporting; • In force from 25th of May 2018.
  16. MAURITIUS DPA 2017: • Introduced in December 2017; • Passed on 22/12/2017 (Act 20); • Replaces the DPA 2004; • Aligned with GDPR; • Smaller fine.
  17. FREE RESOURCES
     • CNIL – French guide on GDPR (case studies): https://www.cnil.fr/fr/nouveautes-sur-le-pia-guides-outil-piaf-etude-de-cas
     • CNIL – Privacy Impact Assessment software: https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil
     • ICO – Interactive online assessment tool: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
  18. ABOUT ELYSIUMSECURITY LTD. © 2018 ElysiumSecurity Ltd. All Rights Reserved. www.elysiumsecurity.com. ElysiumSecurity provides practical expertise to identify vulnerabilities, assess their risks and impact, remediate those risks, prepare for and respond to incidents, and raise security awareness throughout an organization. ElysiumSecurity provides high-level expertise gathered through years of best-practice experience in large international companies, allowing us to provide advice best suited to your business operational model and priorities. ElysiumSecurity provides a portfolio of strategic and tactical services to help companies protect against and respond to cyber security threats. We differentiate ourselves by offering discreet, tailored and specialized engagements. Operating in Mauritius and in the United Kingdom, our boutique-style approach means we can easily adapt to your business operational model and requirements to provide a personalized service that fits your working environment.
