Like any information security process, there should be an adequate and reasonable level of assurance for cyber security, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes.
These controls are supported by appropriate metrics and indicators for security goals and factual security risk. This session will share the cybersecurity self-assessment program in carrying out an audit or self-assessment review on cyber security controls and practices in a typical organisation. This assurance program will leverage on the COBIT 5 framework and COBIT 5 for Information Security as a baseline.
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ... by Alan Yau Ti Dun
When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider (CSP). There is a high probability that audit clients will engage this CSP service to manage their IT needs. Learn how to cope with the audit and risk assessment challenges related to this emerging technology trend in this key session.
• Understanding the various Cloud Service Levels and Implementation Types
• Identifying Compliance, Service Level Agreement and other Important Duties each party must perform
• Understand the Complexities of Auditing internal controls, data security, privacy and performance related to cloud
• Mitigating the underlying Business Risks associated with adopting a cloud-based IT model
What's Next: A Trillion Event Logs, A Million Security Threat by Alan Yau Ti Dun
The Challenge For Log Analysis
Log Management vs SIEM vs NextGen SIEM
Security Analytic + Storage + Actionable Intelligence
NexGen Security Operation Center For Smart Cities
Managing Multiple Assessments Using Zero Trust Principles by ControlCase
ControlCase discusses the following:
• What is “One Audit” for multiple assessments
• Current Research
• Zero Trust Principles for IT security
• Remote Assessment Methodology
ControlCase covers the following:
- What does SOC stand for?
- What is SOC 2 compliance?
- What is SOC 2 certification?
- What is a SOC 2 report?
- Who can perform a SOC 2 audit?
- How do managed service providers comply with SOC 2
- How to lower cost of SOC 2 audit?
- ControlCase methodology for SOC 2 compliance
ControlCase discusses the following:
• About the cloud
• About PCI DSS
• PCI DSS in the cloud
• How to keep sensitive data secure as you move to the cloud
• Q&A
How to minimize threats in your information system using network segregation? PECB
We will discuss the importance of network infrastructure and how we can minimize risks of attacks in our IT by segregating and segmenting our network infrastructure.
Main points that have been covered are:
• Why it’s always a primary target for attacks?
• What are the segmented networks?
• How can it be used?
Presenter:
Our presenter for this webinar is Mohamed Tawfik, who is a qualified Technocrat, and a seasoned IT/Telecom Professional having over 20 years of solid experience with multi-national corporate organizations planning, deployment, governance, audit and enforcing policy on Information Security Practice, while having in-depth knowledge of IT/Telecom Infrastructure and with a proven record of customer satisfaction.
Link of the recorded session published on YouTube: https://youtu.be/sKhihzgElH8
Assessing the Security of Cloud SaaS Solutions by Digital Bond
Matthew Theobald of Schneider Electric presentation at S4x15 OTDay.
This session provided a tutorial on how to evaluate the security of a SaaS solution. These are being increasingly offered for storage, processing and analysis of ICS data.
Achieving Visible Security at Scale with the NIST Cybersecurity Framework by Kevin Fealey
In 2011, Marc Andreessen said "software is eating the world." Today, that statement is truer than ever. Businesses in every industry - from retail, to energy, to financial - are essentially software companies, with millions of lines of custom source code being written and managed in-house. Additionally, advances in the Software Development Life Cycle (SDLC) and the emergence of DevOps have allowed some organizations to deploy new code from development to production dozens of times each day. Traditional approaches to securing such large quantities of code, especially at the speed of current development, have proven to be ineffective, as is evident from recent public data breaches of both public and private sector organizations, as well as the resulting legislation, like Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The only way for cybersecurity teams to keep up with their development counterparts is to automate, but where should they start?
The NIST Cybersecurity Framework provides guidance for organizations interested in establishing or improving a cybersecurity program. Today, a security automation plan is a crucial aspect of any cybersecurity program.
This talk will describe how the NIST Cybersecurity Framework can be used to establish and implement a plan for integrating security-automation activities into any security program. We'll describe the latest trends in security-automation and DevOps, including how to automatically identify security-best practices being followed, and anti-patterns that indicate a potential risk. Attendees will learn how to consolidate this data in a centralized dashboard of their choosing, and how such information can be automatically distributed to stakeholders throughout their organization.
In the coming years, with the growth of Internet of Things (IoT) and Cloud, organizations will become more and more reliant on custom software. Cybersecurity teams who fail to begin automating soon will only continue to fall further behind and put their organizations at greater risk. The NIST Cybersecurity Framework provides the foundation for such teams to establish their roadmap to security, and this talk will build on that foundation to highlight some potential paths.
OneAudit™ - Assess Once, Certify to Many by ControlCase
ControlCase covers the following:
•About PCI DSS, ISO 27001, NERC, HIPAA, and FISMA
•Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations
•Challenges in the Comprehensive Compliance Space
What can local government use to help manage IT security threats and IT losses? NIST has developed standards that are recommended for local governments.
Building an Intelligence-Driven Security Operations Center by EMC
This white paper describes how an intelligence-driven security operations center (SOC) improves threat detection and response by helping organizations use all available security-related information from both internal and external sources to detect hidden threats and even predict new ones.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Manoj Purandare - Strategy towards an Effective Security Operations Centre - ... by Manoj Purandare ☁
Effective Security Operations Centre (SOC) building - by Manoj Purandare. This article tries to give a strategy towards building an effective SOC using its 4 major steps and an 11-step recipe - for an organisation's or government's safety and security.
Building a Cyber Security Operations Center for SCADA/ICS Environments by Shah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
Unanet is a leading provider of Cloud and On-Premise software for project-based professional services organizations. Unanet delivers a purpose built Project ERP solution with skills management, resource planning, budgeting & forecasting, time & expense reporting, billing & revenue recognition, project management analytics and dashboards, and integrated financials with AR, AP, GL and cost pool calculations.
Over 2,000 organizations trust Unanet to maximize staff utilization, reduce overhead and administrative costs, improve speed and accuracy of invoicing, and support forward decision-making for improved operations.
Learn more about Unanet at www.unanet.com/videos .
Top 20 Security Controls for a More Secure Infrastructure by Infosec
The CIS® (Center for Internet Security, Inc.®) Controls offer 20 proven, globally recognized best practices for securing your IT systems and data against the most pervasive attacks. Join Tony Sager, CIS Senior Vice President and Chief Evangelist, to learn:
- Origin and purpose of the CIS Controls
- How to prioritize implementation
- How to make the CIS Controls a foundational part of your security program, and improve your enterprise defenses, operations, compliance and security awareness
Watch the full webinar: https://www2.infosecinstitute.com/l/12882/2018-12-06/bcbc68
Click Here to visit the FedRAMP blog - https://www.controlcase.com/what-is-fedramp/?utm_source=webinar&utm_campaign=webinar
Click Here for FedRAMP Compliance Checklist - https://www.controlcase.com/fedramp-checklist-lp/?utm_source=webinar&utm_campaign=webinar
ControlCase covers the following:
- What is FedRAMP?
- What is FedRAMP Marketplace?
- Who does FedRAMP apply to?
- How hard is it to get FedRAMP certified?
- How long does the FedRAMP process take?
- How to get FedRAMP certified?
- ControlCase methodology for FedRAMP compliance
Scholarly Networks: Friend or Foe or Risky Fray? ALL OF THE ABOVE by Bonnie Stewart
Keynote from Digital Pedagogy Lab Cairo, exploring the benefits, challenges, and complexities of engaging in public in digital networks, especially as higher education professionals.
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001 by PECB
This webinar gives an idea of what is the relation of ISO 27032 with ISO 55001, and how these two standards cover one another. Get more information on Cybersecurity as the importance is given more to the security industry nowadays.
Main points covered:
• Protection assets in Cyberspace
• Covering ISO 27032 in ISO 55001 and ISO 55001 in ISO 27032
• Sample of Cybersecurity Risks in Assets
• Highlights of the Implementation of the Cyber Security program Framework
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Claude Essomba, who is a Managing Director at GETSEC SARL, and has more than 9 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/_280jG77iKY
A portion of an internal training session at EBSL Technologies Int'l
Principles of IT Operations, to include ISO 27001, COBIT, ITIL, IT Security, IT Frameworks.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
20220911-ISO27000-SecurityStandards.pptx by Suman Garai
This PowerPoint presentation is a comprehensive guide to understanding the ISO 27001:2022 standard for information security management. The presentation explores the history and background of the standard, the hardware requirements for implementing it, and the features and functionalities available in ISO 27001:2022.
The presentation covers topics such as the functionalities ISO 27001:2022 provides, best practices for implementing the standard, and the advantages it provides for organizations that use it.
This presentation is intended for individuals and organizations seeking to enhance their knowledge and understanding of information security management. By the end of the presentation, the audience will have gained a thorough understanding of the ISO 27001:2022 standard and how to effectively implement it in their organizations to safeguard their valuable information assets.
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers by OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it to their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
Acorn Recovery: Restore IT infra within minutes by IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
María Carolina Martínez - eCommerce Day Colombia 2024
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
1. CYBERSECURITY ASSURANCE
ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1
ISACA MALAYSIA CHAPTER
2. Like any information security process, there should be an adequate and reasonable level of assurance for cyber security, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes.
These controls are supported by appropriate metrics and indicators for security goals and factual security risk. This session will share the cybersecurity self-assessment program in carrying out an audit or self-assessment review on cyber security controls and practices in a typical organisation. This assurance program will leverage on the COBIT 5 framework and COBIT 5 for Information Security as a baseline.
3. CYBERSECURITY ASSURANCE
This session aims to bring forth the following to the delegates:
• General understanding of cyber security assurance.
• Exposure to a cyber security assurance program, which is leveraging on COBIT 5 as a baseline.
• Guidelines for conducting a cybersecurity audit.
5. AUDITING & REVIEWING CYBERSECURITY
• Review is required to validate that the controls are designed and operating effectively.
• The audit & review universe is distributed across all 3 lines of defense, which provides the degree of independence needed.
7. AUDIT UNIVERSE
• Include all control sets, management practices and GRC provisions in force.
• Possible to be extended to 3rd parties – contract with audit rights.
• Keep within the right boundaries:
  - Corporate sphere of influence vs private sphere of controls.
  - Internal IT infrastructure vs external infrastructure.
  - Corporate sovereignty vs legal provisions.
9. AUDIT OBJECTIVES
• Can range from high-level governance reviews to technical reviews.
• Need to be defined in a clear and concise manner.
• Consider time and effort.
• Audit objectives are best defined in line with the governance and management activities defined for cyber security.
• For complex audits, the underlying audit program may span several years.
10. KEY CONSIDERATIONS
• Legal consideration
• Privacy and data protection
• Logging, data retention and archiving
• Audit data storage and archiving, which should meet the standard criteria:
  • Confidentiality
  • Integrity
  • Availability
15. TRANSFORMING CYBERSECURITY – COBIT 5
Eight Key Principles:
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.
18. CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Key Areas / Points
1. Cyber security management is supported by entity standards, processes and procedures.
2. Cyber security prevention is monitored on a regular basis by senior management.
3. Business and IT Unit Leaders are trained and actively involved in the oversight and significant decisions relating to cyber security preparedness and incidents.
4. A cyber security task force / panel has been established and includes appropriate functional members.
5. Cyber security risks and vulnerabilities are identified and evaluated on a periodic basis.
19. CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Other notable cyber security assurance concepts
1. Identify and validate the governance model in terms of cyber security attacks (e.g. ‘Zero Tolerance’ vs ‘Living with it’). This model should be aligned with the entity’s overall risk appetite.
2. Determine an optimal decision-making model for cyber security. This may be distinct and different from the ‘ordinary’ information security model.
3. Embed cyber security transformation activities that are driven by a steering committee. These activities should be included in the overall security strategy.
4. Develop and foster an information security-positive culture and environment within all business units.
5. Integrate cyber security measures, measurements and metrics into routine compliance check mechanisms.
20. CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Key Areas / Points
1. IT management establishes, maintains and monitors a secure infrastructure.
2. IT management receives and reviews key reports and analysis of security, vulnerability, intrusions and penetration test results.
3. IT management supports the cyber security task force and information security initiatives.
21. CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Other notable cyber security assurance concepts
1. Define the expectations with regard to cyber security, including ethics and culture. The expectations should match the overall governance model.
2. IT General Controls (‘ITGC’) should be tested and updated regularly. IT General Controls provide the support and baseline assurance for cyber security specific objectives.
3. Controls and objectives that are performed by third parties should also be evaluated periodically by management.
23. CYBERSECURITY ASSURANCE – COBIT 5
APO13: MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)
Security Incident Management
1. Policies and procedures are established to ensure that a risk analysis and asset prioritization is part of the evaluation process.
2. Asset value and prioritization are components of the incident response analysis.
3. Incident response policies and processes should identify the scope, objectives and requirements defining how and who should respond to an incident, what constitutes an incident, and the specific processes for monitoring and reporting the incident activities.
4. An incident response team has been organized with appropriate management, staffing and senior management support.
5. Forensic policies and procedures should ensure that documented management trails are preserved to permit internal investigations and support any legal or regulatory investigations (internal and external).
6. Incident response tools should be installed, scheduled, monitored, and secured to avoid unauthorised access to investigation activities.
7. The crisis management function is part of the cyber security preparedness process.
25. SUMMARY
• Understand CyberSecurity from a holistic, organizational perspective
• Understand the approach to CyberSecurity Assurance
• Develop audit programmes by identifying risks and relevant controls
• Know how to test controls related to CyberSecurity
26. ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1
ISACA MALAYSIA CHAPTER