IIBA UK Chapter, profile picture
Uploaded byIIBA UK Chapter
355 views

CCA study group

This document summarizes a presentation on cybersecurity analysis from IIBA UK Study Group director Sam Merrick. The presentation provided an introduction to cybersecurity content from IIBA and IEEE, including their Certified Cybersecurity Analyst (CCA) certification. It covered key topics like the cybersecurity imperative, business analyst focal points, important definitions, how security fits into enterprise architecture, dealing with risk, security frameworks like ISO 27001 and NIST, and data privacy. The session was fast-paced and interactive, exploring these areas through collaborative exercises. More information on the CCA certification and related learning resources can be found on the IIBA website.

Embed presentation

CYBERSECURITY ANALYSIS IIBA UK Study Group Sam Merrick CBAP, AAC, CBDA, CCA Lead Business Analyst, Shell Energy Director, IIBA UK 8 June 2020
To provide you with an introduction to IIBA & IEEE Cybersecurity Analysis content and the corresponding certification (CCA). This session will be fast-paced, collaborative and cover the following areas: - Cybersecurity Imperative, IIBA Perspectives & BA Focal Points - Key Terms & Definitions - Security in Architecture - Dealing with Risk - Security Frameworks - Data Privacy - CCA information and where to find further IIBA/IEEE content OBJECTIVES
CYBERSECURITY IMPERATIVE, IIBA PERSPECTIVES & BA FOCAL POINTS Cybersecurity Imperative: The expansion of technology in our business and in our lives has made cybersecurity a top of mind concern for enterprises, government, and individuals. IIBA Perspectives: 1. Governance and Risk • Senior BAs work with business, architects and security specialists to establish security framework and governance processes 2. Infrastructure and Networking • Go-between the business and technical teams to assure business needs are effectively part of the requirements, planning and collaborating on initiatives 3. Applications and Information integrity • Assuring that that the security requirements, the data integrity issues, the interface and integration components, and the functional and non-functional requirements are met. This applies across Agile, DevOps, and SDLC methods. Most BAs work at this level. Business Analysis (BA) Focal Points: • Analysis is the basis of planning and preparation for a secure cyber environment. • Business Analysis is about understanding the requirements, the value, and in cybersecurity context it is about building in not bolting on security into everything we work on.
KEY TERMS & DEFINITIONS Lets introduce some key terms used in Cybersecurity… Jamboard (5 mins) Match the terms to their definitions
KEY TERMS & DEFINITIONS Breach: Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A security breach occurs when an individual or an application illegitimately enters a private, confidential or unauthorized logical IT perimeter. Hacking/Hacker: An unauthorized user who attempts to or gains access to an information system. Threat: Refers to anything that has the potential to cause serious harm to a computer system. Phishing: The fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification and account usernames and passwords. (Pronounced like “fishing”.) Identity Theft: The unauthorized collection of personal information and its subsequent use for criminal reasons such as to open credit cards and bank accounts, redirect mail, set up cell-phone service, rent vehicles and even get a job. Exploit: A general term for any method used by hackers to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system's security that opens a system to an attack. Ransomware: Using malware to lock up a set of computer files and asking for payment to the offender to undo the malware control of the computer files. (analogy to kidnapping and ransom).
KEY TERMS & DEFINITIONS Governance: Security governance is a framework containing security policies, approach, tools and awareness programs for achieving the organization’s security objectives. Risk and data privacy are enforced by security policies. Security Policy: A policy that “includes security objectives or provides the framework for setting information security objectives”. Information Security Management System (ISMS): Consists of the policy, procedures, guidelines, and associated resources and activities, collectively managed by an organization in the pursuit of protecting its information assets. Confidentiality: Ensures that data or an information system is accessed by only an authorized person. Ensures that data is not made available or disclosed to unauthorized individuals, entities, or processes. Integrity: Integrity assures that the data or information system can be trusted and is edited by only authorized persons and remains in its original state when at rest. Integrity means assuring the accuracy and completeness of data over its entire lifecycle. Availability: Data and information systems are available when required; computing systems used to store and process information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
SECURITY IN ENTERPRISE ARCHITECTURE (TOGAF) Business Architecture Application Architecture Technology Architecture Data Architecture BA focal points depend on architectural perspective. Lets conceptualise the enterprise architecture… Jamboard (3 mins) Match the business aspects to their architectural domain
SECURITY IN ENTERPRISE ARCHITECTURE (TOGAF) Business Architecture: • Strategy • Governance • Organisation • Core Business Processes Application Architecture: • Application systems • Interactions • Relationship to core business processes Technology Architecture: • Infrastructure • Middleware • Networks • Communications Data Architecture: • Logical data assets • Physical data assets • Data Management resources
DEALING WITH RISK BAs often have to deal with risk. Lets introduce some of the key terms around dealing with risk and think about the focal points. Jamboard (7 mins) 1. Match the terms to their definitions 2. Add items that should a risk register should contain 3. Add what the BA focal points are when dealing with risk
DEALING WITH RISK Risk: A risk can be defined as the effect of uncertainty on objectives. Risk Appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Risk Tolerance: Risk tolerance is about what an organization can cope with, the maximum limit beyond which the organization does not want to perform. Risk Probability: The estimated likelihood that an event will be realized, typically expressed as a percentage. Risk Impact: The estimated impact to the business, which could be positive or negative, and typically expressed as a dollar amount. Risk Register: A risk register is a living document that is created to list and track identified risks, and should include the following information for every risk: • unique identifier, • description, • likelihood of occurrence, • impact to business, • any associated threats or vulnerabilities that have been identified, • the planned treatment, • risk owner, • status, and • all significant dates.
DEALING WITH RISK BA Focal Points around “Dealing with Risk” may include: • Facilitate identification of the organization's key risks. • Define risk appetite and tolerance in relation to enterprise risk and leverage a consistent approach to risk management. • Establish risk governance, policies and processes for monitoring and shifting the risk appetite and tolerance, accordingly, based on the changing internal and external factors. • Define infrastructure risk tolerance, using a consistent approach. • Define risk tolerance for data and applications, as part of the solution design and delivery. • Implement controls for ensuring management of risk through the life of the solution. • Extend evaluation of risk to include value chain partners, and the likelihood and impact to the organization's goals.
SECURITY FRAMEWORKS (ISO 27001) Security Frameworks shape the governance and controls of cybersecurity. The ISO 27001 Standard provides a list of 114 security controls organized within 14 sections of its Annex A: A.5 Information Security Policies A.6 Organisation of Information Security A.7 Human Resource Security A.8 Asset Management A.9 Access Control A.10 Cryptography A.11 Physical & Environmental Security A.12 Operations Security A.13 Communications Security A.14 System Acquisition, Development & Maintenance A.15 Supplier Relationships A.16 Information Security Incident Management A.17 Information Security Aspects of Business Continuity Management A.18 Compliance
SECURITY FRAMEWORKS (NIST) NIST Cybersecurity Framework Appendix A, the Framework Core, represents a common set of activities used across all critical infrastructure sectors, for managing cybersecurity risk. It groups 118 activities into 23 subcategories, which roll up into five functions. Jamboard (7 mins) match the sub-categories to the functions Identify Protect Detect Respond Recover
SECURITY FRAMEWORKS (NIST) Identify Protect Detect Respond Recover Asset Management Identity Management & Access Control Anomalies & Events Response Planning Recovery Planning Business Environment Awareness & Training Security Continuous Monitoring Response Communications Improvements Governance Data Security Detection Processes Analysis Recovery Communications Risk Assessment Information Protection Processes & Procedures Mitigation Risk Management Strategy Improvements Supply Chain Risk Management Protective Technology
DATA PRIVACY Data Privacy is a common area that BAs work on. Let’s familiarise ourselves with some of the key terms Jamboard (3 mins) Match the terms to their definitions
DATA PRIVACY Privacy By Design: The practice of incorporating data privacy requirements into a technical solution and its associated processes during the project design phase, rather than as an afterthought. Data Subject: The person whose information is being protected. Data privacy is primarily about protecting the privacy of an individual. Personal Information: Information that is associated toa human being, such as name, age, or reputation. Note that personal information can even be on paper. Data Subject Rights: Data privacy regulations are often phrased in terms of human rights. The most famous data subject right is the “right to be forgotten” – that is, to have personal information removed from a company’s possession. Privacy Policy: A company’s statement disclosing to its customers how their information is gathered, managed, used and disclosed to others.
DATA PRIVACY Notice: The act of informing a data subject how his or her information will be gathered, managed, used, and disclosed to others. Consent: The act of acquiring permission to gather, manage, use or disclose personal data. Data Minimization: The act of limiting data elements to be used in a technical solution by investigating the rationale behind collecting them and confirming that the data gathered is the minimum required for the given purpose or use case. Pseudonymization: The act of assigning an artificial identifier to replace personal information, in order to minimize the amount of personal information processed by an application. Anonymization: The act of disassociating data about a person from information that could cause that person to be identified in a larger context. Note that pseudonymization does not necessarily constitute anonymization. Data Retention: The act of defining how long a company needs to keep a given piece of information and removing it when the retention period has expired.
WHERE CAN I GET MORE INFORMATION? IIBA & IEEE have created a “Learning Manual” and interactive Online Learning Modules which covers some elements of this session and much more. It’s available as learning modules or as part of a learning module bundle at iiba.org This content forms the basis, for IIBA’s Certified Cybersecurity Analyst certification, CCA. Information, handbooks and FAQs for this certification can be found at iiba.org
To provide you with an introduction to IIBA & IEEE Cybersecurity Analysis content and the corresponding certification (CCA). This session was fast-paced, collaborative and covered the following areas: Cybersecurity Imperative, IIBA Perspectives & BA Focal Points Key Terms & Definitions Security in Architecture Dealing with Risk Security Frameworks Data Privacy CCA information and where to find further IIBA/IEEE content RECAP
CYBERSECURITY ANALYSIS IIBA UK Study Group Sam Merrick CBAP, AAC, CBDA, CCA Lead Business Analyst, Shell Energy Director, IIBA UK 8 June 2020

More Related Content

PDF
Information Security Benchmarking 2015
byCapgemini
 
PPTX
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
PDF
AI in Cybersecurity | 2023
byKharimMchatta
 
PPTX
Cyber Crisis Management - Technology Risk Management Forum
byjellegroenendaal
 
PDF
How to Reduce the Attack Surface Created by Your Cyber-Tools
byEnterprise Management Associates
 
PPTX
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
PPTX
Introduction to cyber security
byRaviPrashant5
 
PPTX
Cybersecurity Awareness Overview- BSBXCS402.pptx
byitsamuamit11
 
Information Security Benchmarking 2015
byCapgemini
 
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
AI in Cybersecurity | 2023
byKharimMchatta
 
Cyber Crisis Management - Technology Risk Management Forum
byjellegroenendaal
 
How to Reduce the Attack Surface Created by Your Cyber-Tools
byEnterprise Management Associates
 
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
Introduction to cyber security
byRaviPrashant5
 
Cybersecurity Awareness Overview- BSBXCS402.pptx
byitsamuamit11
 

What's hot

PPTX
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
PPT
Introduction to cyber security by cyber security infotech(csi)
byCyber Security Infotech
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
Cyber Threat Hunting: Identify and Hunt Down Intruders
byInfosec
 
PPTX
Cyber Security 03
byHome
 
PPTX
CYBER SECURITY
byVaishak Chandran
 
PDF
Microsoft threat modeling tool 2016
byRihab Chebbah
 
PDF
You can detect PowerShell attacks
byMichael Gough
 
PPSX
Cyber security & Data Protection
byDr. Hemant Kumar Singh
 
PPTX
Cyber security
bySapna Patil
 
PDF
Cyber fraud in banks
byNetwork Intelligence India
 
PPTX
Cyber crime and cyber laws
byishmecse13
 
PPTX
Cyber security for children
byAvanzo net
 
PDF
Cyber Security Maturity Assessment
byDoreen Loeber
 
PDF
Customer information security awareness training
byAbdalrhmanTHassan
 
PDF
Overview of Data Loss Prevention (DLP) Technology
byLiwei Ren任力偉
 
PPTX
Security of IOT,OT And IT.pptx
byMohanPandey31
 
PDF
Gestión de Incidentes de Seguridad de la Información - CERT / CSIRT
byDaniel Sasia
 
PDF
What is ISO 27001 ISMS
byBusiness Beam
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
byUlf Mattsson
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
Introduction to cyber security by cyber security infotech(csi)
byCyber Security Infotech
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
byInfosec
 
Cyber Security 03
byHome
 
CYBER SECURITY
byVaishak Chandran
 
Microsoft threat modeling tool 2016
byRihab Chebbah
 
You can detect PowerShell attacks
byMichael Gough
 
Cyber security & Data Protection
byDr. Hemant Kumar Singh
 
Cyber security
bySapna Patil
 
Cyber fraud in banks
byNetwork Intelligence India
 
Cyber crime and cyber laws
byishmecse13
 
Cyber security for children
byAvanzo net
 
Cyber Security Maturity Assessment
byDoreen Loeber
 
Customer information security awareness training
byAbdalrhmanTHassan
 
Overview of Data Loss Prevention (DLP) Technology
byLiwei Ren任力偉
 
Security of IOT,OT And IT.pptx
byMohanPandey31
 
Gestión de Incidentes de Seguridad de la Información - CERT / CSIRT
byDaniel Sasia
 
What is ISO 27001 ISMS
byBusiness Beam
 

Similar to CCA study group

PPTX
Cissp- Security and Risk Management
byHamed Moghaddam
 
PPT
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
PPTX
IT Security & Risk
byTanujpandey5
 
PPTX
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
bymacraaiclass
 
PPTX
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PPT
S nandakumar
byIPPAI
 
PPT
S nandakumar_banglore
byIPPAI
 
PDF
Chapter 6 Security of Information and Cyber Security(FASS)
byMd Shaifullar Rabbi
 
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
PPTX
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PDF
CISSP 8 Domains.pdf
bydotco
 
PPTX
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
PPTX
ke-1.pptx
byAhmadNaswin
 
PPTX
NIST_Framework_overview_20150219 YEAR 2015
bymagesh527916
 
PPTX
Introduction to cyber security module1.pptx
bymeghana25s2000
 
PPTX
Chapter 1 Introduction about information assurance.pptx
bymc0225225
 
PPTX
crisc_wk_5.pptx
bydotco
 
PPTX
Digital literacy lecture 2 data security.pptx
byjohnnderitu16
 
Cissp- Security and Risk Management
byHamed Moghaddam
 
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
IT Security & Risk
byTanujpandey5
 
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
bymacraaiclass
 
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
S nandakumar
byIPPAI
 
S nandakumar_banglore
byIPPAI
 
Chapter 6 Security of Information and Cyber Security(FASS)
byMd Shaifullar Rabbi
 
Dealing with Information Security, Risk Management & Cyber Resilience
byDonald Tabone
 
Presentation1 110616195133-phpapp01(information security)
byBonagiri Rajitha
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
CISSP 8 Domains.pdf
bydotco
 
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
ke-1.pptx
byAhmadNaswin
 
NIST_Framework_overview_20150219 YEAR 2015
bymagesh527916
 
Introduction to cyber security module1.pptx
bymeghana25s2000
 
Chapter 1 Introduction about information assurance.pptx
bymc0225225
 
crisc_wk_5.pptx
bydotco
 
Digital literacy lecture 2 data security.pptx
byjohnnderitu16
 

More from IIBA UK Chapter

PDF
Bitesize BA techniques: business case development
byIIBA UK Chapter
 
PDF
IT VM for BAs - A Closer Look (Part I) - 300823.pdf
byIIBA UK Chapter
 
PDF
Business Analysis and the Art of Storytelling
byIIBA UK Chapter
 
PDF
IIBA_Cheltenham_D_Paul_C_Lovelock_LeadingTheBAServiceV05.pdf
byIIBA UK Chapter
 
PDF
IIBA_Manchester_D_Paul_C_Lovelock_LeadingTheBAServiceV07.pdf
byIIBA UK Chapter
 
PDF
Infinite organisation - a vision of agility as growth and opportunity.pdf
byIIBA UK Chapter
 
PDF
Behavioural Science - IIBA UK 2022-10-26
byIIBA UK Chapter
 
PPSX
IT VM for BAs - The Journey and The Elephant
byIIBA UK Chapter
 
PPTX
How to thrive during change
byIIBA UK Chapter
 
PPTX
Future of ba iiba slides
byIIBA UK Chapter
 
PDF
Confidence at Work
byIIBA UK Chapter
 
PDF
Analysis in Action 21 September 2021
byIIBA UK Chapter
 
PDF
BABOK Summer Bootcamp - Chapter 8: Solutions Evaluation Date: 7 Sep 2021
byIIBA UK Chapter
 
PDF
BABOK Summer Bootcamp - Chapter 5: Requirements Lifecycle Management
byIIBA UK Chapter
 
PDF
BABOK Summer Bootcamp - Chapter 7: Requirements Analysis & Design Definition
byIIBA UK Chapter
 
PDF
BABOK Summer Bootcamp Chapter 4: Elicitation & Collaboration
byIIBA UK Chapter
 
PDF
BABOK Summer Bootcamp - Chapter 3: Business Analysis Planning & Monitoring
byIIBA UK Chapter
 
PDF
Babok webinar strategy analysis 20210803
byIIBA UK Chapter
 
PDF
Babok webinar underlying competencies 20210727
byIIBA UK Chapter
 
PDF
Babok webinar key concepts pdf 20210720
byIIBA UK Chapter
 
Bitesize BA techniques: business case development
byIIBA UK Chapter
 
IT VM for BAs - A Closer Look (Part I) - 300823.pdf
byIIBA UK Chapter
 
Business Analysis and the Art of Storytelling
byIIBA UK Chapter
 
IIBA_Cheltenham_D_Paul_C_Lovelock_LeadingTheBAServiceV05.pdf
byIIBA UK Chapter
 
IIBA_Manchester_D_Paul_C_Lovelock_LeadingTheBAServiceV07.pdf
byIIBA UK Chapter
 
Infinite organisation - a vision of agility as growth and opportunity.pdf
byIIBA UK Chapter
 
Behavioural Science - IIBA UK 2022-10-26
byIIBA UK Chapter
 
IT VM for BAs - The Journey and The Elephant
byIIBA UK Chapter
 
How to thrive during change
byIIBA UK Chapter
 
Future of ba iiba slides
byIIBA UK Chapter
 
Confidence at Work
byIIBA UK Chapter
 
Analysis in Action 21 September 2021
byIIBA UK Chapter
 
BABOK Summer Bootcamp - Chapter 8: Solutions Evaluation Date: 7 Sep 2021
byIIBA UK Chapter
 
BABOK Summer Bootcamp - Chapter 5: Requirements Lifecycle Management
byIIBA UK Chapter
 
BABOK Summer Bootcamp - Chapter 7: Requirements Analysis & Design Definition
byIIBA UK Chapter
 
BABOK Summer Bootcamp Chapter 4: Elicitation & Collaboration
byIIBA UK Chapter
 
BABOK Summer Bootcamp - Chapter 3: Business Analysis Planning & Monitoring
byIIBA UK Chapter
 
Babok webinar strategy analysis 20210803
byIIBA UK Chapter
 
Babok webinar underlying competencies 20210727
byIIBA UK Chapter
 
Babok webinar key concepts pdf 20210720
byIIBA UK Chapter
 

Recently uploaded

DOCX
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
DOCX
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
DOCX
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
PDF
KGA - Governing administration in a consolidated market
byHenry Tapper
 
PDF
How to Buy Old Gmail Accounts in Bulk Safely in the USA.pdf
bypvaisback is Online Marketing site
 
PDF
Andria Sergio - Known For Her Accuracy And Professionalism
byAndria Sergio
 
PDF
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 
PDF
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
PDF
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
PDF
Fraud Warning MOALA WALLET Exchange Exposed
byTraderKnowsReport
 
PDF
Top Five Trends Shaping RCM in 2026 - Revenue Cycle Resources-HUB
byRevenue Cycle Resources-HUB
 
PDF
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
PPTX
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
PPTX
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
PDF
𝐖𝐚𝐠 𝐂𝐥𝐨𝐧𝐞 𝐏𝐞𝐭 𝐂𝐚𝐫𝐞 𝐀𝐩𝐩 𝐃𝐞𝐯𝐞𝐥𝐨𝐩𝐦𝐞𝐧𝐭
byV3CUBE TECHNOLABS
 
PDF
Rami Tawasha - Specializes In High-Impact Work
byRami Tawasha
 
PDF
Lessons on Branding from the Team Behind the World's Biggest Brands
byNeil Horowitz
 
DOCX
8 Best Places to Buy Facebook Accounts at Wholesale Prices.docx
byFacebook Accounts
 
PDF
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
PDF
AnyDesk, The Leading Remote Desktop Software | AnyDesk, o software líder em a...
byTechMeetups
 
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
KGA - Governing administration in a consolidated market
byHenry Tapper
 
How to Buy Old Gmail Accounts in Bulk Safely in the USA.pdf
bypvaisback is Online Marketing site
 
Andria Sergio - Known For Her Accuracy And Professionalism
byAndria Sergio
 
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 
How Oversize Embroidery Design Size Is Measured
byInkdnylon
 
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
Fraud Warning MOALA WALLET Exchange Exposed
byTraderKnowsReport
 
Top Five Trends Shaping RCM in 2026 - Revenue Cycle Resources-HUB
byRevenue Cycle Resources-HUB
 
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
5, Money Number Tax and Wages 19072017.pptx
byAdrian Hawkes
 
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
𝐖𝐚𝐠 𝐂𝐥𝐨𝐧𝐞 𝐏𝐞𝐭 𝐂𝐚𝐫𝐞 𝐀𝐩𝐩 𝐃𝐞𝐯𝐞𝐥𝐨𝐩𝐦𝐞𝐧𝐭
byV3CUBE TECHNOLABS
 
Rami Tawasha - Specializes In High-Impact Work
byRami Tawasha
 
Lessons on Branding from the Team Behind the World's Biggest Brands
byNeil Horowitz
 
8 Best Places to Buy Facebook Accounts at Wholesale Prices.docx
byFacebook Accounts
 
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
AnyDesk, The Leading Remote Desktop Software | AnyDesk, o software líder em a...
byTechMeetups
 

CCA study group

  • 2.
    CYBERSECURITY ANALYSIS IIBA UKStudy Group Sam Merrick CBAP, AAC, CBDA, CCA Lead Business Analyst, Shell Energy Director, IIBA UK 8 June 2020
  • 3.
    To provide youwith an introduction to IIBA & IEEE Cybersecurity Analysis content and the corresponding certification (CCA). This session will be fast-paced, collaborative and cover the following areas: - Cybersecurity Imperative, IIBA Perspectives & BA Focal Points - Key Terms & Definitions - Security in Architecture - Dealing with Risk - Security Frameworks - Data Privacy - CCA information and where to find further IIBA/IEEE content OBJECTIVES
  • 4.
    CYBERSECURITY IMPERATIVE, IIBAPERSPECTIVES & BA FOCAL POINTS Cybersecurity Imperative: The expansion of technology in our business and in our lives has made cybersecurity a top of mind concern for enterprises, government, and individuals. IIBA Perspectives: 1. Governance and Risk • Senior BAs work with business, architects and security specialists to establish security framework and governance processes 2. Infrastructure and Networking • Go-between the business and technical teams to assure business needs are effectively part of the requirements, planning and collaborating on initiatives 3. Applications and Information integrity • Assuring that that the security requirements, the data integrity issues, the interface and integration components, and the functional and non-functional requirements are met. This applies across Agile, DevOps, and SDLC methods. Most BAs work at this level. Business Analysis (BA) Focal Points: • Analysis is the basis of planning and preparation for a secure cyber environment. • Business Analysis is about understanding the requirements, the value, and in cybersecurity context it is about building in not bolting on security into everything we work on.
  • 5.
    KEY TERMS &DEFINITIONS Lets introduce some key terms used in Cybersecurity… Jamboard (5 mins) Match the terms to their definitions
  • 6.
    KEY TERMS &DEFINITIONS Breach: Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A security breach occurs when an individual or an application illegitimately enters a private, confidential or unauthorized logical IT perimeter. Hacking/Hacker: An unauthorized user who attempts to or gains access to an information system. Threat: Refers to anything that has the potential to cause serious harm to a computer system. Phishing: The fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification and account usernames and passwords. (Pronounced like “fishing”.) Identity Theft: The unauthorized collection of personal information and its subsequent use for criminal reasons such as to open credit cards and bank accounts, redirect mail, set up cell-phone service, rent vehicles and even get a job. Exploit: A general term for any method used by hackers to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system's security that opens a system to an attack. Ransomware: Using malware to lock up a set of computer files and asking for payment to the offender to undo the malware control of the computer files. (analogy to kidnapping and ransom).
  • 7.
    KEY TERMS &DEFINITIONS Governance: Security governance is a framework containing security policies, approach, tools and awareness programs for achieving the organization’s security objectives. Risk and data privacy are enforced by security policies. Security Policy: A policy that “includes security objectives or provides the framework for setting information security objectives”. Information Security Management System (ISMS): Consists of the policy, procedures, guidelines, and associated resources and activities, collectively managed by an organization in the pursuit of protecting its information assets. Confidentiality: Ensures that data or an information system is accessed by only an authorized person. Ensures that data is not made available or disclosed to unauthorized individuals, entities, or processes. Integrity: Integrity assures that the data or information system can be trusted and is edited by only authorized persons and remains in its original state when at rest. Integrity means assuring the accuracy and completeness of data over its entire lifecycle. Availability: Data and information systems are available when required; computing systems used to store and process information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
  • 8.
    SECURITY IN ENTERPRISEARCHITECTURE (TOGAF) Business Architecture Application Architecture Technology Architecture Data Architecture BA focal points depend on architectural perspective. Lets conceptualise the enterprise architecture… Jamboard (3 mins) Match the business aspects to their architectural domain
  • 9.
    SECURITY IN ENTERPRISEARCHITECTURE (TOGAF) Business Architecture: • Strategy • Governance • Organisation • Core Business Processes Application Architecture: • Application systems • Interactions • Relationship to core business processes Technology Architecture: • Infrastructure • Middleware • Networks • Communications Data Architecture: • Logical data assets • Physical data assets • Data Management resources
  • 10.
    DEALING WITH RISK BAsoften have to deal with risk. Lets introduce some of the key terms around dealing with risk and think about the focal points. Jamboard (7 mins) 1. Match the terms to their definitions 2. Add items that should a risk register should contain 3. Add what the BA focal points are when dealing with risk
  • 11.
    DEALING WITH RISK Risk:A risk can be defined as the effect of uncertainty on objectives. Risk Appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Risk Tolerance: Risk tolerance is about what an organization can cope with, the maximum limit beyond which the organization does not want to perform. Risk Probability: The estimated likelihood that an event will be realized, typically expressed as a percentage. Risk Impact: The estimated impact to the business, which could be positive or negative, and typically expressed as a dollar amount. Risk Register: A risk register is a living document that is created to list and track identified risks, and should include the following information for every risk: • unique identifier, • description, • likelihood of occurrence, • impact to business, • any associated threats or vulnerabilities that have been identified, • the planned treatment, • risk owner, • status, and • all significant dates.
  • 12.
    DEALING WITH RISK BAFocal Points around “Dealing with Risk” may include: • Facilitate identification of the organization's key risks. • Define risk appetite and tolerance in relation to enterprise risk and leverage a consistent approach to risk management. • Establish risk governance, policies and processes for monitoring and shifting the risk appetite and tolerance, accordingly, based on the changing internal and external factors. • Define infrastructure risk tolerance, using a consistent approach. • Define risk tolerance for data and applications, as part of the solution design and delivery. • Implement controls for ensuring management of risk through the life of the solution. • Extend evaluation of risk to include value chain partners, and the likelihood and impact to the organization's goals.
  • 13.
    SECURITY FRAMEWORKS (ISO27001) Security Frameworks shape the governance and controls of cybersecurity. The ISO 27001 Standard provides a list of 114 security controls organized within 14 sections of its Annex A: A.5 Information Security Policies A.6 Organisation of Information Security A.7 Human Resource Security A.8 Asset Management A.9 Access Control A.10 Cryptography A.11 Physical & Environmental Security A.12 Operations Security A.13 Communications Security A.14 System Acquisition, Development & Maintenance A.15 Supplier Relationships A.16 Information Security Incident Management A.17 Information Security Aspects of Business Continuity Management A.18 Compliance
  • 14.
    SECURITY FRAMEWORKS (NIST) NISTCybersecurity Framework Appendix A, the Framework Core, represents a common set of activities used across all critical infrastructure sectors, for managing cybersecurity risk. It groups 118 activities into 23 subcategories, which roll up into five functions. Jamboard (7 mins) match the sub-categories to the functions Identify Protect Detect Respond Recover
  • 15.
    SECURITY FRAMEWORKS (NIST) IdentifyProtect Detect Respond Recover Asset Management Identity Management & Access Control Anomalies & Events Response Planning Recovery Planning Business Environment Awareness & Training Security Continuous Monitoring Response Communications Improvements Governance Data Security Detection Processes Analysis Recovery Communications Risk Assessment Information Protection Processes & Procedures Mitigation Risk Management Strategy Improvements Supply Chain Risk Management Protective Technology
  • 16.
    DATA PRIVACY Data Privacyis a common area that BAs work on. Let’s familiarise ourselves with some of the key terms Jamboard (3 mins) Match the terms to their definitions
  • 17.
    DATA PRIVACY Privacy ByDesign: The practice of incorporating data privacy requirements into a technical solution and its associated processes during the project design phase, rather than as an afterthought. Data Subject: The person whose information is being protected. Data privacy is primarily about protecting the privacy of an individual. Personal Information: Information that is associated toa human being, such as name, age, or reputation. Note that personal information can even be on paper. Data Subject Rights: Data privacy regulations are often phrased in terms of human rights. The most famous data subject right is the “right to be forgotten” – that is, to have personal information removed from a company’s possession. Privacy Policy: A company’s statement disclosing to its customers how their information is gathered, managed, used and disclosed to others.
  • 18.
    DATA PRIVACY Notice: The actof informing a data subject how his or her information will be gathered, managed, used, and disclosed to others. Consent: The act of acquiring permission to gather, manage, use or disclose personal data. Data Minimization: The act of limiting data elements to be used in a technical solution by investigating the rationale behind collecting them and confirming that the data gathered is the minimum required for the given purpose or use case. Pseudonymization: The act of assigning an artificial identifier to replace personal information, in order to minimize the amount of personal information processed by an application. Anonymization: The act of disassociating data about a person from information that could cause that person to be identified in a larger context. Note that pseudonymization does not necessarily constitute anonymization. Data Retention: The act of defining how long a company needs to keep a given piece of information and removing it when the retention period has expired.
  • 19.
    WHERE CAN IGET MORE INFORMATION? IIBA & IEEE have created a “Learning Manual” and interactive Online Learning Modules which covers some elements of this session and much more. It’s available as learning modules or as part of a learning module bundle at iiba.org This content forms the basis, for IIBA’s Certified Cybersecurity Analyst certification, CCA. Information, handbooks and FAQs for this certification can be found at iiba.org
  • 20.
    To provide youwith an introduction to IIBA & IEEE Cybersecurity Analysis content and the corresponding certification (CCA). This session was fast-paced, collaborative and covered the following areas: Cybersecurity Imperative, IIBA Perspectives & BA Focal Points Key Terms & Definitions Security in Architecture Dealing with Risk Security Frameworks Data Privacy CCA information and where to find further IIBA/IEEE content RECAP
  • 21.
    CYBERSECURITY ANALYSIS IIBA UKStudy Group Sam Merrick CBAP, AAC, CBDA, CCA Lead Business Analyst, Shell Energy Director, IIBA UK 8 June 2020