
SPUnite17 Cost Effective Risk Mitigation

SharePoint Unite 2017 Session


  1. Cost Effective Risk Mitigation for Governmental Office 365 Implementations (26 October 2017)
  2. About Richard Fransen: Principal Consultant, KBenP WorkPoint, Information Security
  3. Information Security: “Information Security is the process of establishing the required reliability of information systems in terms of confidentiality, availability and integrity, as well as the establishment, maintenance and monitoring of a coherent package of accompanying measures.”
  4. BIR:2012 baseline informatiebeveiliging rijksoverheid (Dutch central government information security baseline)
     ❖ Dutch Government
     ❖ Departmentally confidential & privacy risk class II
     ❖ ISO 27001/2 + extensions
     ❖ ± 300 requirements
     ❖ Comply or Explain
     [Chart: number of requirements per control domain, ISO vs. R: Security Policy; Organization of information security; Mgt of assets; Personal Security; Physical security; Mgt of comm. and operational processes; Access Security; Acquisition, maint. and dev.; Incident Mgt; Business Continuity Mgt; Compliance]
  5. How do Microsoft Online Services comply?
     ❖ KPMG report in Microsoft's Trust Center
     ❖ Office 365: 91% of the BIR controls are either covered by certifications or assurance standards, or are not in scope.
     ❖ https://www.microsoft.com/en-us/TrustCenter/Compliance/bir-2012
     ❖ Real life scenario – SPO-based DMS: 3 ‘explains’ out of 179 applicable requirements
     [Chart: comply 61%, not relevant 37%, explain 2%]
  6. Risk strategy
     ❖ Data exfiltration
     ❖ Data deletion
     ❖ Malicious insider
     ❖ Account breach
     ❖ Elevation of privilege
     ❖ Password cracking
     ❖ Data spillage
     ❖ Phishing / whaling
     ❖ Spoofing
  7. Plan > Do > Check > Act
     ❖ S&C – Audited controls
     ❖ S&C – Secure Score!
     ❖ Risk matrix
     ❖ S&C – Actions
     ❖ S&C – Alerts
     ❖ S&C – Reports
     ❖ S&C – Reviews
     [Chart: risk score per threat: Data Exfiltration; Data Deletion; Malicious Insider; Account Breach; Elevation of Privilege; Password Cracking; Data Spillage; Phishing / Whaling; Spoofing]
  8. Wrap-up
     ❖ The baseline provides extensive guidance, not only for government.
     ❖ Microsoft Office 365 and Azure provide good coverage of the requirements.
     ❖ Secure Score is a handy tool, but there’s more to it.
     ❖ There’s more coming up!
  9. Thank you for your attention. Any questions? We take our time for you at our booth. Richard.Fransen@KBenP.nl
