Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_By ACinfote
Similar to C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_By ACinfote (20)
Recently uploaded
Recently uploaded (20)
C-SEC|2016 Session 1 Addressing Cyber Threats with Modern Security Framework_By ACinfote
- 2. ISO Management System Standards Worldwide Source: ISO
- 4. Industry 4.0 creates new Cyber-Physical world
- 6. Can you see the threats?
- 7. ‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ ISO 27002:2013
- 8. ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. Policy ITSM Incident Change Risk Management SLA Information Security
- 9. ISO 22301:2012, Societal security – Business continuity management systems – Requirements, will help organizations, regardless of their size, location or activity, to be better prepared and more confident to handle disruption of any type.
- 10. ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains.
- 12. ISO 27032:2012
- 13. ISO 27032: 2012 Three main themes of Cybersecurity Dark Net Monitoring Cybersecurity Attack Detection Trace Back Cybersecurity Attack Investigation Sinkhole Operation Cybersecurity Attack Response
- 14. Integrate ISO 27001 and ISO 27032 ISO 27001:2013 ISO 27032: 2012
- 16. NIST Cybersecurity Framework: Core Functions • Not a checklist of actions to perform • Presents key cybersecurity outcomes identified as helpful in managing risk
- 22. CSA STAR PROGRAM ASSESSMENT AND CERTIFICATIONS
- 23. • Controls derived from guidance • Mapped to familiar frameworks: ISO 27001, PCI, COBIT • Applicable to IaaS, PaaS, SaaS • Customer vs Provider roles • Help bridges the gap for IT and IT Auditor Guideline for Implementing Security Controls in the Cloud
- 24. • Cloud risk management and due diligence questionnaire (approx. 148 questions) Enable Cloud Service Provider to demonstrate compliance with the CSA CCM Form the basis for establishing cloud specific Service Level Objectives that can be incorporated into supplier agreements
- 25. CSA STAR Certification • A STAR Certification Certificate cannot be issued unless the organization has passed ISO 27001 assessment • The scope of ISO 27001 certification must not be less than the scope of STAR certification • The assessment cycle is the same as ISO 27001 – initial assessment followed by surveillance audits over a 3-year period
- 27. ISO/IEC 27017 Extending ISO/IEC 27001 into the Cloud The standard provides cloud-based guidance on 37 of the controls in ISO/IEC 27002 but also features seven new controls.
- 28. ISO 27017 Controls based on ISO 27002 ISO 27002 controls ISO 27017 Annex A Provided specific guidance for cloud service customers and cloud service providers base on ISO 27002 controls Provided extended control set for securing the cloud Specific guidance for cloud
- 29. ISO/IEC 27018 Protection of personally identifiable information (PII) in public clouds
- 30. ISO 27018 Annex A Provided specific guidance for protecting PII base on ISO 27001 controls Provided additional controls for protecting PII base on ISO 29100 principle ISO 27018 Controls based on ISO 27002 ISO 27002 controls Specific guidance for privacy in the cloud
- 31. Which standard?
- 32. Risk Management is core to all ISO standards Risk Management is a continual process, not one independent event. Risk assessment takes place from the time you identity the risk and involves assessing and planning into the implementation stage to reduce risk.
- 33. ISO 31000: 2009 Risk management It is written in business language, in order to gain an understanding of key risk management concepts and terminology.
- 35. Establishand maintain information classification scheme Establishand maintainsecurity policy Establishand maintainaccess control program Continuity Managethe useof cryptographic controls Control all methodsof mobile& teleworking Establishandmaintain malwareprotection program Establishand maintaina virtual environment andshared resourcesPhysicaland environmental protection Human resources management, awareness andtraining Operations management Network management Systemdesign, buildand implementation Acquisitionof facilities, technologyand services Security Assessment Patch management andhardening Security incident management Privacy protectionfor information anddata Thirdparty andsupply chain oversight Common Controls (c)ACinfotec2016
- 36. ISO 27017 Other ISO Standards ISO 27018 ISO 27032 ISO 27001 ISO 22301 ISO 20000 Integrated Management System ISO 31000 ISO 31000 ISO 31000 ISO 31000
- 38. For more information, contact: ACinfotec Consulting Services 02-670-8980-3 | services@acinfotec.com | www.acinfotec.com THANK YOU DRIVING BUSINESS EXCELLENCE