Understanding the NIST Risk Management Framework: 800-37 Rev. 2 (Denise Tawwab)
Denise Tawwab's presentation on "Understanding the NIST Risk Management Framework" given at the Techno Security & Digital Forensics Conference on June 3, 2019 in Myrtle Beach, SC.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The security of information systems and business-critical information needs constant managing to ensure your operational continuity and data protection. ISO 27001 Information Security Management Systems certification allows you to stand out from the competition through strong information security measurement.
The ISO27001 standard was revised and a new version was published in 2013. ISO27001 is also becoming a more common Information Security standard among service providers. This presentation focuses on the changes in the 2013 version and on the process for implementing and getting certified against ISO27001.
Following are the key objectives of this presentation:
Provide an introduction to ISO27001 and changes in 2013 version
Discuss the implementation approach for an Information Security Management System (ISMS) framework
Familiarize the audience with some common challenges in implementation
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history of why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers the potential benefits of the Framework and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and the future direction of the Framework program.
Information Security Metrics - Practical Security Metrics (Jack Nichelson)
So exactly how do you integrate information security metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program.
Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise.
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence.
This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.
These are slides from a local security chapter meetup. Here I tried to explain the challenges in appsec and a complete framework for the different phases of the secure software development life cycle.
How To Handle Cybersecurity Risk PowerPoint Presentation Slides (SlideTeam)
Information technology experts can now take advantage of How To Handle Cybersecurity Risk PowerPoint Presentation Slides. This information security PPT theme infuses top-quality design with data obtained by industry experts. Explain the present situation of the target firm’s information security management employing this PowerPoint layout. The data visualizations featured here simplify the elucidation of complex data such as the analysis of the current IT department. Showcase the cybersecurity framework roadmap and risks of the internet using our PPT presentation. Elaborate on the cybersecurity risk management action plan using the tabular format via this PowerPoint slideshow. Demonstrate the cybersecurity contingency plan with appreciable ease. Our information security management system PPT templates deck assists you in assigning risk handling responsibilities to the staff. Explain the duties of the management in successful information security governance. This PowerPoint presentation also addresses the cost of cybersecurity management and staff training. Hit the download icon and start personalization. Our How To Handle Cybersecurity Risk PowerPoint Presentation Slides are explicit and effective. They combine clarity and concise expression. https://bit.ly/3o0xDkR
Presentation of the ELK stack in a SIEM context, with a closer look at Wazuh (OSSEC), an open-source IDS.
Come and discover how to be proactive about cyber security problems by analysing the data provided by your critical equipment and applications.
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
Navigating the complex Risk Management Framework (RMF) requirements can be daunting. Learn best practices and gain a better understanding of NIST's RMF.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
10 Ways For Mitigating Cybersecurity Risks In Project Management.docx (yoroflowproduct)
Each strategy discussed here will focus on a specific aspect of project management that can be vulnerable to cyber threats. From establishing strong access controls and user authentication mechanisms to ensuring regular data backups and robust incident response plans, these strategies will provide project managers with practical steps to enhance their project’s cybersecurity posture.
Take the first step today by requesting a demo of the Yoroproject, enabling you to proactively protect your business against cyber threats.
Ensuring cyber resilience presents different risk points and many challenges. Not all organizations possess the internal capabilities and expertise necessary to strategize, execute, and safeguard their attack surface. By identifying vulnerabilities, deploying tools, and educating users, cybersecurity services can make the digital environment safer for all.
Our Cyber Resilience FasTrak provides three flexible options for personalized protection. Select the service that is right for your organization:
- Improve cyber defenses with a Security Health Check
- Uncover hidden threats with AI powered Threat Hunting Service
- Don’t be scared, be prepared with Incident Response Simulation
In the world of cyber security, synergy between the various processes plays a very important role. One process, or framework, that is currently in the spotlight and attracting wide attention is Detection Engineering. The Detection Engineering process aims to improve the structure and organisation of creating detection use cases or rules in a Security Operation Center (SOC). Detection Engineering can still be considered new in the cyber security world, so there are many opportunities to make the whole process better. One thing that is still overlooked is the integration between the Detection Engineering process and Threat Modeling. Usually, Threat Modeling focuses more on direct prevention and risk mitigation solutions and forgets the detection component for when that prevention and mitigation fail to do their job. In this paper, we introduce a new paradigm by integrating Detection Engineering into the Threat Modeling process. This approach makes Detection an additional proactive step, which can serve as an extra layer of defence when preventive and mitigating controls ultimately fail against real threats.
Some organizations have the resources and skills to secure their IT infrastructure against security threats; however, many organizations cannot do so. Some organizations deploy a state-of-the-art security software solution or pay thousands of dollars for security tools; even then, no organization is entirely secure. Certified Threat Intelligence Analyst (C|TIA) allows cybersecurity professionals to enhance their skills in building sufficient organizational cyber threat intelligence. It is a specialist-level program. The CTIA examination tests individuals' skills and prepares them to produce useful threat intelligence for their organization.
Read more: https://www.infosectrain.com/blog/ctia-course-outline/
Cyber-attacks are an alarming threat to all types of businesses & organizations. The risk of a cyber-attack is not just a risk to your company but also to your privacy. Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
The Importance of Cybersecurity for Digital Transformation (NUS-ISS)
In the rapidly evolving landscape of digital transformation, the importance of cybersecurity cannot be overstated. As organizations embrace digital technologies to enhance their operations, innovate, and connect with customers in new and dynamic ways, they simultaneously become more vulnerable to cyber threats.
This talk will discuss the importance of having a well-thought-through approach to cybersecurity, in the form of a strategy that lays out the various programmes and initiatives that will underpin a secure and resilient digital transformation journey. Not surprisingly, having a pool of well-trained cybersecurity personnel is one of the key ingredients of a cyber strategy, as exemplified in Singapore's own national cybersecurity strategy.
Top 5 secrets to successfully jumpstarting your cyber-risk program (Priyanka Aash)
Businesses like Autodesk understand that cyber-risk management is essential, but they often don’t know where to begin. Autodesk implemented a cyber-risk framework in six months by using Agile software development, risk modeling and risk quantification. This session will explore the company’s success secrets and offer advice on how security leaders can jumpstart their cyber-risk program.
(Source : RSA Conference USA 2017)
PwC industry expert, Josh McKibben, helps us break down what a breach is truly comprised of, analyze key breaches as examples, and look for lessons you can bring back to your organization to avoid being the next headline.
Application Threat Modeling In Risk Management (Mel Drews)
How to perform threat modeling of software to protect your business, critical assets and communicate your message to your boss and the Board of Directors
Cyber presentation Sept 2019 v8 sent for upload (savassociates1)
An accountant is a valuable asset to any organization. He or she is a professional who performs accounting functions. Accounting is not confined to tax and financial matters, as people generally think.
What is Cyber Security
What is Cyber Threat and Threat Landscape
Is Cybersecurity an IT problem? It’s a human problem
Role of a CFO
Well accepted Cybersecurity Frameworks and common Themes
SOC (Service Organization Control) and SOC for Cybersecurity
Recommended risk mitigation strategies for the weakest links of the Cybersecurity chain
Key Takeaways
Best Practices
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Boardroom to War Room: Practical Application of the NIST Cybersecurity Framework
1. From Boardroom to War Room: Practical Application of the NIST Cybersecurity Framework
2018 ISACA SECURITY & RISK CONFERENCE
29 OCTOBER 2018
2. Speaker Bio
Rob Samuel, CISSP
Chief Cybersecurity Officer
Province of Nova Scotia
Contact Information:
Robert.Samuel@novascotia.ca
(902) 222-6685
Experience
Communications and Electronics Engineering Officer (2001-2006)
Senior System Analyst (2006-2010)
Manager – Client Services (2010-2013)
Senior Advisor – Cyber and IT Security (2013-2016)
Chief Cybersecurity Officer (2016-Present)
Education
• Bachelor of Technology (Information Management) – Cape Breton University
• Computer Information Systems (Diploma) – Cape Breton University
• Canadian Forces School of Communications and Electronics
• Information Assurance and Security – University of Winnipeg
Boards and Affiliations
• National CIO Subcommittee on Information Protection (NCSIP) - Chair
• Microsoft Canadian Security Council - Member
9. ACRONYMS (WE NEED TO SPEAK THE SAME LANGUAGE)
What Doesn’t Work?
Source: RSA Conference 2017, "Briefing the Board: Lessons Learned From CISOs and Directors"
12. SHOW HOW CYBERSECURITY HELPS MANAGE BUSINESS RISKS (IT’S NOT AN IT ISSUE)
Diagram labels: Cybersecurity (Confidentiality, Integrity, Availability, Third Party); Business Risks (Financial Risk, Operational Risk, Strategic Risk, Reputational Risk, Patient Safety Risk). Risks could hinder the organization’s ability to achieve its priorities and objectives.
Bad Outcomes & Negative Impacts:
• A breach of information exposes a sensitive strategic organizational priority.
• A ransomware infection prevents access to medical records and impacts the ability to deliver services to patients.
• A cyber attack prevents us from processing financial transactions (lost employee productivity, litigation) or manipulates staff to send money to fake accounts (cyber-enabled financial fraud).
• Inadequate security causes a loss or disclosure of private information resulting in loss of public trust.
• Medical equipment is installed with security weaknesses allowing threat actors to alter drug dosing (potentially lethal consequences).
18. Establishing a Common Lexicon
A framework is a foundational tool to communicate with stakeholders at all levels.
CISO ↔ Cybersecurity Framework ↔ Clients & Stakeholders: a common language to help organizations understand, manage and reduce cybersecurity risks.
A framework helps your organization understand:
• Where are you today?
• How are you doing?
• Where do you need to improve?
• How do you measure progress?
20. The Framework Has 5 Core Functions
• Identify: Do We Understand Our Risks?
• Protect: Do We Have Adequate Safeguards?
• Detect: Can We Detect Anomalies and Incidents?
• Respond: Can We Address Incidents?
• Recover: Can We Effectively Restore Capabilities Post-Incident?
27. Communicate Your Security Maturity (Americas)
[Chart: maturity level (Initial, Repeatable, Defined, Managed, Optimized) plotted for each Function (Identify, Protect, Detect, Respond, Recover), showing Current Maturity, Targeted Maturity by FY 20-21, Industry Benchmark and World-Class Benchmark]
28. Communicate Your Security Maturity (APAC)
[Chart: same layout as slide 27, for the APAC region]
29. Build Your Security Program Roadmap
[Roadmap chart spanning 2018–2019, one row per Function (Identify, Protect, Detect, Respond, Recover)]
Major Themes: Increase Situational Awareness; Endpoint Protection; Incident Response Plans
Roadmap items:
• Governance
• Risk Assessment
• Establish Cyber Risk Council
• Network Monitoring
• User Education & Awareness
• Procure & Deploy Tanium
• Update Awareness Policy
• Asset Inventory Identification & Prioritization
• Define Incident Response Roles & Responsibilities
• Windows XP Upgrade
• Core Enhancements
• Multi-Factor Authentication
• Communications Plan & Process
• Deploy Cofense
• Create Incident Response Playbooks
30. TACTICAL PLAN – ASSET INVENTORY
Function: Identify | Protect | Detect | Respond | Recover
Work Status: Implementation Stage
Investment Status: Approved
Project Description: Procure and implement an asset inventory suite.
Key Milestones/Tasks (Date – Status – Comments):
1. Obtain permanent O&M funding – Complete
2. Convert existing services to new service – Complete
3. Declare updated service operational – Complete
4. Automate reporting and asset management – In-Progress
How Will We Measure Success (Key Metric – Target):
• Hardware and software automatically detected in real-time – 100%
• Identification of unauthorized hardware and software – 100%
Strategic Objectives Supported:
• [Objective #1]: Drive efficiency and cost reduction
• [Objective #2]: Increase security
• [Objective #3]: Reduce client downtime
• [Objective #4]:
• [Objective #5]: Improve situational awareness
Potential Issues / Implementation Risks:
• [Issue #1]: No procurement vehicle in place
• [Issue #2]: Migrating to a new tool
• [Issue #3]: Subscription Service model
Resource Summary:
• Team leader / Point of Contact: Rob Samuel
• Core team members:
• Vendor liaison:
Cost Estimates (Indicative) (Category – Cost):
• Capital Procurement – $
• Implementation – $
• Sustainment (O&M) – $
• Sustainment (FTE) –
31. TACTICAL PLAN – INCIDENT RESPONSE
Function: Identify | Protect | Detect | Respond | Recover
Work Status: In Progress
Investment Status: Pending Approval
Project Description: Develop and implement security incident response playbooks.
Key Milestones/Tasks (Date – Status – Comments):
1. – Not Started
2. 1/28/2016 – Not Started
3. 2/3/2016 – Not Started
4. 2/8/2016 – Not Started
How Will We Measure Success (Key Metric – Target):
Strategic Objectives Supported:
• [Objective #1]: Decrease time to resolve incidents
• [Objective #2]: Increase efficiencies
• [Objective #3]: Reduce client downtime
• [Objective #4]:
• [Objective #5]:
Potential Issues / Implementation Risks:
• [Issue #1]:
• [Issue #2]:
• [Issue #3]:
Resource Summary:
• Team leader / Point of Contact:
• Core team members:
• Vendor liaison:
Cost Estimates (Indicative) (Category – Cost):
• Capital Procurement
• Implementation
• Sustainment (O&M)
• Sustainment (FTE)
32. Map Your Plans and Requests to the Framework
Function: Identify | Protect | Detect | Respond | Recover
Increase Workforce Education and Awareness
Overview
Risk Status: Our employees and staff are largely unaware of cyber threats. Tricking unsuspecting people (social engineering) into opening fake emails or malicious documents/links (phishing attacks) is the most common cause of cybersecurity incidents and data breaches.
Risk Velocity: We can’t block all phishing attacks; approximately X phony emails get past our defences and are delivered to staff email inboxes each month, with X% - X% of staff falling victim.
Mitigation Plan
• Implement an enterprise-wide cybersecurity awareness and education program
• Improve the effectiveness of our existing secure email gateways (blocks fake emails)
• Investigate alternative secure email gateway solutions
• Implement modern anti-virus solutions to help protect users from malicious emails
• Launch internal phishing campaigns to help users learn and reduce their susceptibility
How You Can Help
• Set a tone from the top in support of enterprise-wide cybersecurity improvements
• Support the implementation of mandatory annual cybersecurity awareness training
• Support internal phishing campaigns
33. Use Lessons Learned from Security Incidents as Roadmap Updates
Lessons Learned → Remediation Steps (these are inputs into our cybersecurity roadmap):
• Critical systems lack good controls hygiene, leaving them vulnerable to known malware. → Work with IT to improve security controls hygiene tracking on critical systems and create incentives for better performance.
• Incident response is hampered by a lack of pre-defined communication channels. → Establish an incident response playbook and define roles, responsibilities and communications channels for all stakeholders. Perform a series of table top exercises to practice incident response and refine incident response processes with stakeholders.
34. Apply Lessons Learned to Plan Improvements
[The slide 29 roadmap chart (2018–2019, one row per Function: Identify, Protect, Detect, Respond, Recover; Major Themes: Increase Situational Awareness, Endpoint Protection, Incident Response Plans), now with items added post-breach]
Added Post Breach:
• Establish Pre-Defined Communication Channels
• Identify Control Owners
• Improve Hygiene
• Set Hygiene Goals
• Measure & Report Improvements
• Table Top 1, Table Top 2
35. Explain How Cyber Incidents at External Companies Relate to Your Organization
Ukraine Attack → Our Organization (mapped across the Functions: Identify, Protect, Detect, Respond, Recover)
• State-sponsored attacker gained access into the power company’s SCADA using a known piece of malware. Effective patching may have prevented the attacker from gaining access to systems. → We continue to prioritize system patching as part of our security controls hygiene.
• The attacker deliberately damaged the SCADA system (servers and workstations) to delay the restoration of power. Staff switched to ‘manual mode’ and restored the system. → We have the capability to switch to back-up, off-line critical systems in the event of a disruption.
• The attacker flooded call centers to disrupt customer reports of power outages and launched a coordinated DDoS attack on the company website. Improved controls would have reduced the impact of these attacks. → We are investing in and will upgrade our DDoS protection.
37. Gather Information About Your Environment (Provide Fact-Based Evidence)
• Technical & Administrative Details
  • Business Units, Departments, Services, Governance, Assets, Processes, Architectures, Capabilities, etc.
• Historical Information Sources
  • Cyber Insurance
  • Organizational Risk Assessments
  • Continuous Improvement Plans
  • Audits or Independent Assessments
• Comparison to Industry Best Practices
  • Center for Internet Security – Top 20 Critical Security Controls
  • Communications Security Establishment – Top 10 IT Security Actions
  • Australian Signals Directorate – Essential Eight Cybersecurity Incident Mitigation Strategies
  • Gartner – IT Key Metrics Data
38. Perform Self Assessments (Center for Internet Security – Critical Controls)
Source: Audit Scripts, CSC initial assessment tool v7
39. CENTER FOR INTERNET SECURITY – CRITICAL SECURITY CONTROLS
Baseline Your Org Against Best Practices (Center for Internet Security – Critical Controls)
Status shown per control: Not Met / Partially Met / Implemented
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobiles, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defences
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices (Firewalls, Routers, Switches)
12. Boundary Defence
13. Data Protection
14. Controlled Access Based on Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
41. Enterprise Cybersecurity Program Planning
Purpose
• Mission
• Vision
• Mandate
• Principles
• Charter
Strategy
• Current State / Gaps
• Strategic Plan
• Priorities
• Action Plan
• Roadmap
Organization
• Organizational Structure
• Governance
• Authorities
• Business Processes
People
• Function, Category, Role
• Knowledge & Skills
• Strategic Intake Plan
• Succession Planning
• Talent Management
Supports
• IT Capabilities
• Budget Allocations
• HR Allocations
• Organizational Priority
Results
• Outcomes
• Business Benefits
• KRIs / KPIs
• Security Maturity
• Annual Report
42. Guiding Principles
1. Understand Your Audience
• Articulate the Business Risks
2. Keep It Simple
• No Acronyms
• Easy to Understand Language
• Be Brief, Be Bright, Be Gone
3. Do Not Use Fear, Uncertainty and Doubt
• Provide Facts, Relevant to Your Industry / Organization
4. Map Topics Back to the Overall Strategy
Welcome everyone and thanks for coming to the session today.
Also thanks to the ISACA volunteers for putting the event together; great to see so many security professionals here.
I see many familiar faces in the room, but for those that don’t know me, a quick outline of my experience:
Proud Cape Bretoner.
Most of my experience was as a federal public servant, starting as a communications engineering officer in the Canadian Forces, then out of uniform in a variety of technical and leadership roles.
In 2016 I assumed the CISO role for the Province of Nova Scotia.
I concurrently serve as the chair of NCSIP, a pan-Canadian group of Federal, Provincial, Territorial and Municipal leads for cybersecurity.
Also invited to participate in the MS Canadian Security Council (if I only had time!!).
In 2016, I moved back to Nova Scotia to assume the CISO role and started to build the cybersecurity program.
This represented both home for me (back to the foggy mornings!) and a new work environment.
Our scope was government and health environments (60K+ clients), but we had limited understanding of, or visibility into, the environments, risks and vulnerabilities.
A continuous improvement program was in place, but it was highly technical and focused on IT (e.g. we have x number of unsupported versions of y).
An ISO (checklist) based approach was used (our maturity didn’t match the ISO self-assessment score).
This caused a bit of a false sense of security (e.g. policies and standards in place: check. But are the policies and standards being followed?).
What we needed to do was paint a clear picture of risks: identify where we were from a current state perspective,
understand our risks, gaps and potential impacts,
communicate these to various stakeholders across government and health, and
create a strategy and action plan to reduce our risks (gain support to pursue these improvements),
and report back on progress.
Sounds easy, right?
What we see and say is often much different from what our audience understands.
What does the sign say? To us it’s clear; to others: awesome waves? Great surfing here?
Our job as security professionals (or as board members or other employees) is to ensure we’re all on the same page
(and to remove complexity).
The outcomes of poor communication?
The audience or stakeholders won’t understand what the problem is (what their risks are).
You won’t gain the support and traction needed to improve security, and you could ultimately suffer more incidents and breaches.
There are some days that this feels like the norm!
But it doesn’t convey confidence.
Another common tactic is to use the latest news headlines.
Everyone sees these types of headlines every day, from all industries and sectors.
We need to convey information as it relates to us, not “if it can happen to them it can happen to us”.
This is an example from RSA.
It’s only one, and I’m just as guilty as anyone of talking about IPS, IDS, IOCs, AV, botnets, PAM and SPAM.
The good old pew pew map of recorded attacks.
We’ve admired the problem long enough.
You need to make it very clear that cybersecurity is a business risk, and risk is a business decision.
You need to provide actual examples for your industry, sector and potential outcomes.
Another key message to give your stakeholders, regardless of the model you choose:
Organizations need a way to measure their cybersecurity maturity.
Organizations that are not mature (for example, technology-focused) are reactive to security issues.
There is a direct relationship between maturity and risk, in that higher maturity leads to lower risk.
The NIST Cybersecurity Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do it.
It’s meant to be adaptable and adjustable. How I use it could be different from your usage.
It’s color blind friendly!
It is based on best practices for organizations to better manage and reduce cybersecurity risk.
It was designed to enable communications amongst both internal and external organizational stakeholders.
I’m not covering it all; it’s freely available online. I want to show you how I use it and what’s worked for me.
The Core functions are concurrent and continuous.
They help you understand and answer these questions.
Each core function is broken down into categories.
Each category has a reference ID.
This doesn’t need to be a self-assessment.
You could have an external entity perform an assessment on your behalf.
Note our assessment model hasn’t been updated to NIST CSF v1.1.
0. No control of any kind.
1. Initial: Control is not a priority; unstable environment leads to dependency on heroics
2. Repeatable: Process established and repeating; reliance on people continues; controls documentation lacking
3. Defined: Policies, process and standards defined and institutionalized
4. Managed: Risks managed quantitatively, enterprise-wide
5. Optimized: Continuously improving controls enterprise-wide
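As an added example (my code, not the presentation's or NIST's), the 0-5 maturity scale above rolled up from category-level self-assessment scores to the five core functions and into a plain-language gap summary for a board. It assumes a function's maturity is its weakest category and that category reference IDs use the NIST CSF v1.1 prefixes (ID, PR, DE, RS, RC); every score, target and benchmark in it is constructed sample data.

```python
# Added example (mine, not from the presentation): roll category-level
# self-assessment scores up to the five NIST CSF core functions and report
# each function's gap to its targeted maturity on the deck's 0-5 scale.
# Assumptions: a function scores as its weakest category (the minimum), and
# category reference IDs carry the NIST CSF v1.1 prefixes ID/PR/DE/RS/RC.
# All scores, targets and benchmarks below are constructed sample data.

LEVELS = ["No control", "Initial", "Repeatable", "Defined", "Managed", "Optimized"]
FUNCTION_OF = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
               "RS": "Respond", "RC": "Recover"}

def check_level(level):
    """Reject anything outside the 0-5 scale before it reaches a chart."""
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0-5, got {level!r}")
    return level

def roll_up(category_scores, targets, benchmarks):
    """Return {function: {current, target, benchmark, gap}}, Identify..Recover order."""
    buckets = {name: [] for name in FUNCTION_OF.values()}
    for ref_id, score in category_scores.items():
        prefix = ref_id.split(".", 1)[0]
        if prefix not in FUNCTION_OF:
            raise ValueError(f"unknown category reference ID {ref_id!r}")
        buckets[FUNCTION_OF[prefix]].append(check_level(score))
    results = {}
    for name, scores in buckets.items():
        if not scores:
            raise ValueError(f"no categories scored for {name}")
        current = min(scores)                 # weakest-link assumption
        target = check_level(targets[name])
        results[name] = {"current": current, "target": target,
                         "benchmark": check_level(benchmarks[name]),
                         "gap": max(0, target - current)}  # levels still to climb
    return results

def board_summary(results):
    """One plain-language line per function: no acronyms, facts only."""
    lines = []
    for name, r in results.items():
        flag = " (below industry benchmark)" if r["current"] < r["benchmark"] else ""
        lines.append(f"{name}: {LEVELS[r['current']]} today, {LEVELS[r['target']]} "
                     f"targeted by FY 20-21, {r['gap']} level(s) to go{flag}")
    return lines

# Constructed sample self-assessment (category IDs per NIST CSF v1.1).
SAMPLE_SCORES = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "PR.AT": 2,
                 "DE.CM": 2, "DE.AE": 3, "RS.RP": 1, "RC.RP": 2}
SAMPLE_TARGETS = {f: 3 for f in FUNCTION_OF.values()}   # every function: Defined
SAMPLE_BENCHMARK = {"Identify": 2, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 2}

if __name__ == "__main__":
    for line in board_summary(roll_up(SAMPLE_SCORES, SAMPLE_TARGETS, SAMPLE_BENCHMARK)):
        print(line)
```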
See how the tactical plan always relates back to the core function?
It’s easy for your audience to follow, regardless of topic.
Here’s an example of an approach I’ve used to explain employee awareness and email security activities.
Show your stakeholders how you’ve updated your plan based on lessons learned.
Don’t say it “could happen to us”.
Show your organization the true delta between what happened and your org.
You should also show weaknesses in the organization, and again show how you plan on addressing these in the roadmap.