Isaca csx2018-continuous assurance
François Samarcq
Continuous assurance using data threat modeling
Isaca csx2018-continuous assurance

Slide 1: Continuous Assurance Using Data Threat Modeling
Fouad Khalil, Vice President Compliance, SecurityScorecard

Slide 2: Agenda
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
• What's new?
• All about the Data
• Background
• Current state
• Regulatory perspective
• Threat Modeling Case Study
• Continuous Assurance
• Putting all this into practice
• Q & A
Slide 3: Latest Headlines
• Facebook: prime example of privacy scandals (dating back to 2005); the most recent is a potential $1.6B fine from the Irish data regulator
• British Airways (September 2018): PCI compliant, but breached
• Bupa fined £175,000 by UK regulators for a malicious-insider privacy breach ("systematic data protection failures")
• Google exposed the private data of thousands of Google+ users; still under investigation

Slide 4: A Quick Look Ahead
• Connected clouds (private, public, hybrid)
• Blockchain finally understood, but a mess
• Data analytics → Machine Learning → AI
• GDPR as a global trend: companies measured by compliance
• Economy booms into 2019, but 2020 is a bit questionable

Slide 5: Are We Exposed?
• 45% of IoT buyers are concerned about security (Bain & Co)
• 90% say IoT devices pose moderate to significant risk (Bain & Co)
• IoT market size expected to reach $457B by 2020 (Growthenabler)
• SaaS application security architectures are broken
• New compliance requirements and penalties drive the pain level higher
• So many open or misconfigured servers in the cloud (Tesla, Walmart)
Slide 6: (no text on slide)

Slide 7: Best example of protected data? GDPR of course!!

Slide 8 (no title on slide): Dot Com era, 2010 and Today compared

Metric                 | Dot Com        | 2010          | Today
Big Data               | 1.5 Exabyte/yr | 1 Exabyte/day | 3 Exabytes/day
Mobile Subscriptions   | 740M           | 5B            | 7.5B
Social Media Users     | 0              | 1B            | 3B
Enterprise Using Cloud | 0              | 15%           | 70%
Internet Users         | 400M           | 2B            | 4B
IoT Connected Devices  | 200M           | 1B            | 10B
Tablets                | 0              | 18M           | 1.3B
Smartphones            | 0              | 300M          | 2.5B
Slide 9: Background – All About the Data
• Enterprise competitiveness, regulatory considerations, process maturity
• Data is a key consideration in managing and monitoring risk
• Manage changes to minimize risk
• Apply application threat modeling principles to data
• Methodically analyze applications to identify and map threats post-production; take an attacker's viewpoint

Slide 10: All About the Data
Factor in everything of significance:
• Competition
• Regulations
• Customer Engagements
• Pursuit of new Markets
• Maturity & Resiliency
At the centre of all of them: The DATA!!

Slide 11: What Data changes to monitor
• Continuous changes affect the level of risk to data
• Changes in context, environmental factors and the threat landscape
• Data changes to monitor (listing a few):
  – How the data is used
  – How the data is protected (new, changed or removed controls)
  – Threats to which the data is likely to be exposed
  – New or modified business activities that change the impact if a compromise occurs

Slide 12: Adopt a Hacker's view
• Fairly easy to understand why
• Enterprises want to know how to realize the hacker's vision
• The attacker sees data as a target accessible through a number of pathways
• Data is profit for hackers and breach potential for us
• A threat modeling exercise helps systematically evaluate an application
• Application threat modeling has developed as a discipline within application security strategy

Slide 13: How Does Application Threat Modeling help?
• Assists in developing applications that are robust, resilient and hardened
• Maps the threats applications might encounter in production
• Enables addressing threats and monitoring the conditions that affect data over time
• Enables better tracking of changes in data that affect risk
• Provides better visibility into data that intersects with the supply chain
• Enterprises use this model to understand the state of data (stored, transmitted or processed)

Slide 14: The Current State
• Best to understand the existing conditions that pertain to data
• Two parallel transformations make this a thorny problem:
  – Practical challenges in data management as data proliferates
  – Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
• Practical challenges: how data is stored, processed and transmitted is changing:
  – Data consolidation: denser data due to new data processing methods and increased analytical capabilities
  – Data ubiquity: data becoming more pervasive, spreading throughout the enterprise
  – Data expansion: data becoming more plentiful
  – Processing parallelization: data increasingly processed in parallel

Slide 15: Beyond the current state
• Organizations are witnessing transformations that depend on business activities, industry and regulatory constraints
• Organizations with even an accurate and solid inventory of assets may have a less clear idea of their data processing
• A poor data inventory leads to challenges in resources and time, and the data problem tends to compound over time
• As enterprises become more externalized (supply chain), challenges may compound as new players come into play
Slide 16: Regulatory requirements add to challenges
• Several regulations and standards affect data in difficult ways
• GDPR pertains to data that intersects with operations performed in the EU
• California (CA) is the first state to enact a GDPR-like privacy law
• Breach disclosure requirements specify what, how and when to notify of a breach
• Industry-specific standards such as PCI DSS, HIPAA and HITECH add to the challenge

Slide 17: Threat Modeling Case Study
Objectives:
1. Case study example based on Antonio Fontes (Threat Modeling, Detecting Web Application Threats Before Coding)
2. Understand the concept of threat modeling
3. Build an actionable threat model
4. Know when to build a threat model and how to document it

Slide 18: Threat Model Case Study
A newspaper that uses standard news distribution channels:
• They host a website on which articles are posted all day by the online editor
• They distribute a printed journal every day of the week
• Content on the website is free
• The printed version is sold

Slide 19: Threat Model Case Study - Continued
• The company has decided to also sell an electronic edition of the newspaper
• Access to the content must be restricted to authorized customers
• The team is designing a feature that lets users authenticate to access their account for payment
• The board is worried about the threats associated with this decision
Slide 20: Threat Modeling Steps
• Understand the application
  – Review business requirements
  – Comprehend the application configuration (technologies, architecture, functional components)
  – Role of the application in the organization
  – Be clear on the objectives/drivers:
    » Stay compliant
    » Protect against hackers
    » Never want the system to be compromised
    » Protect user privacy
    » Avoid system downtime

Slide 21: Threat Modeling Steps
• Understand the application (continued)
    » What are the use cases (how is the application used)?
    » How are users authenticated?
    » Understand the data classification
    » Understand the data flow, especially the financial flow

Slide 22: Threat Modeling Steps
• Identify potential threat sources
  – Based on what we know, who might be interested in compromising the system?
  – Perform research to identify other sources (media, business owners, users)
  – List all potential threat sources:
    » Hackers
    » Untrained employees
    » Disgruntled employees
    » Government
    » And so on...

Slide 23: Threat Modeling Steps
• Identify major threat sources
  – Identify threat triggers
  – Understand the complete scenario
  – Understand the likelihood
  – Understand the impact
  – Finalize the major threat model: threat, source, description of attack

Slide 24: Threat Modeling Steps
• Identify controls
  – Document each threat with its identified sources and attack description
  – Develop controls to mitigate the likelihood and impact of the threat
  – Ensure controls are designed effectively
  – Make recommendations on controls and their prioritization, based on asset criticality and threat likelihood and impact
Slide 25: Threat Model - Sample

Threat                         | Source               | Description                                                                                               | Likelihood | Control
Denial of Service Attack       | Hacker               | Perpetrator seeks to make a system unavailable by disrupting services of a host connected to the Internet |            |
Stealing Intellectual Property | Disgruntled Employee | Copying data due to authorized access                                                                     |            |
Stealing Customer Data         | Competitor           | Social engineering attack                                                                                 |            |

The Likelihood and Control columns are left blank on the slide.
Slide 26: Continuous Assurance
• The case study shows how data can be used to analyze threats
• We need to move to a continuous-assurance understanding of the threats
• Point-in-time view compared to continuous auditing (ongoing validation)
• Continuous monitoring provides near-real-time status of security controls
• Continuous assurance notifies of changes that affect threats to data

Slide 27: Continuous view (KRIs)
• We need something to measure
• Perform that measurement in an ongoing way
• A retailer has different risks to measure than a bank
• The first step is to determine what to measure
• Map out the threats of greatest risk
• Set up and monitor the security controls that mitigate these risks
• Automation is key, for example for data shared with the supply chain
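As an added example (not code from the deck, ISACA or SecurityScorecard), the Python below encodes the threat-model columns used in the case study (threat, source, description, likelihood, control) together with the KRI idea from the continuous-view slide: re-check the model whenever the data's usage, protection or threat picture changes. All assets, threats, ratings and controls are constructed sample data built around the newspaper scenario, and the 1..3 likelihood/impact ratings with their product as a risk score are an assumption of this example, not the deck's method.

```python
"""Data threat model with a continuous-assurance change check.
Added example, not code from the ISACA CSX 2018 deck or SecurityScorecard.
Every asset, threat, rating and control below is constructed sample data;
the 1..3 likelihood/impact ratings and their product are an assumption here.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    source: str          # who: hacker, disgruntled employee, competitor ...
    description: str     # the attack scenario, as in the deck's sample table
    likelihood: str      # low / medium / high
    impact: str          # low / medium / high
    mitigations: List[str] = field(default_factory=list)  # control names that address it

    def risk(self) -> int:
        # Likelihood and impact collapsed to a 1..9 product score (assumption).
        return RATING[self.likelihood] * RATING[self.impact]


@dataclass
class DataAsset:
    name: str
    classification: str  # public / internal / confidential / regulated
    usage: str           # how the data is used (a change to monitor, per slide 11)
    controls: List[str]  # controls actually in place for this data
    threats: List[Threat]


def prioritize(asset: DataAsset) -> List[Tuple[str, int, bool]]:
    """Rank threats by risk; flag threats whose mitigations are not deployed."""
    ranked = []
    for t in asset.threats:
        covered = any(m in asset.controls for m in t.mitigations)
        ranked.append((t.name, t.risk(), covered))
    # Highest risk first; among equal scores, uncovered threats first.
    ranked.sort(key=lambda r: (-r[1], r[2]))
    return ranked


def assurance_diff(before: DataAsset, after: DataAsset) -> List[str]:
    """KRI-style findings: what changed that alters the threat picture for this data."""
    findings = []
    if before.classification != after.classification:
        findings.append(f"classification changed: {before.classification} -> {after.classification}")
    if before.usage != after.usage:
        findings.append(f"usage changed: {after.usage}")
    for c in sorted(set(before.controls) - set(after.controls)):
        findings.append(f"control removed: {c}")
    old = {t.name: t for t in before.threats}
    for t in after.threats:
        if t.name not in old:
            findings.append(f"new threat: {t.name} ({t.source}), risk {t.risk()}")
        elif t.risk() > old[t.name].risk():
            findings.append(f"risk increased: {t.name} {old[t.name].risk()} -> {t.risk()}")
    for name, score, covered in prioritize(after):
        if not covered and score >= 4:
            findings.append(f"uncovered threat: {name}, risk {score}")
    return findings


# Constructed sample: the deck's newspaper adding a paid electronic edition.
DOS = Threat("Denial of Service", "hacker",
             "make the news site unavailable by disrupting the host",
             "medium", "medium", ["ddos scrubbing"])
IP_THEFT = Threat("Stealing intellectual property", "disgruntled employee",
                  "copy unpublished content using authorized access",
                  "low", "high", ["dlp monitoring"])
CUST_DATA = Threat("Stealing customer data", "competitor",
                   "social-engineer staff into exposing subscriber records",
                   "medium", "high", ["awareness training", "mfa for staff"])

BEFORE = DataAsset("subscriber accounts", "confidential",
                   "login for website comments",
                   ["ddos scrubbing", "dlp monitoring", "awareness training"],
                   [DOS, IP_THEFT, CUST_DATA])

# The same data a quarter later: payment added, a control lapsed, a new third party.
AFTER = DataAsset("subscriber accounts", "regulated",
                  "login and card payment for the electronic edition",
                  ["ddos scrubbing", "dlp monitoring"],
                  [DOS, IP_THEFT,
                   Threat(CUST_DATA.name, CUST_DATA.source, CUST_DATA.description,
                          "high", "high", CUST_DATA.mitigations),
                   Threat("Payment processor breach", "third party",
                          "card data exposed at the outsourced payment provider",
                          "medium", "high", ["vendor assessment"])])

if __name__ == "__main__":
    for line in assurance_diff(BEFORE, AFTER):
        print("KRI:", line)
```

Run against the two snapshots, the diff reports the reclassification, the lapsed control, the raised and new threats, and the two high-scoring threats that no deployed control covers, which is the kind of change notification slide 26 describes.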
Slide 28: Putting all this into practice
• What KRIs to use to measure control efficiency?
• How will enterprises know about changes affecting threats to data?
• How to evaluate control performance at 3rd and Nth parties?
• How to stay informed of changes in the supply chain?
• Who owns and maintains the continuous view?
• How much effort are enterprises prepared to invest in this?

Slide 29: In Conclusion
• Continuous assurance makes risk decisions easier
• Start small with a narrow scope and build from there
• Determine the approach that is best for you
• Enterprises struggling with data protection benefit greatly from threat modeling
• No hidden problems go unexamined
• Near-real-time view of what hackers see
• Flexible approach that works for every environment

Slide 30: Thank You
Fouad Khalil, VP Compliance
585 472 2356
fkhalil@securityscorecard.com
214 West 29th St, 5th Floor, New York, NY 10001