Agenda
• Welcome and introductions
• DORA, ISO/IEC 27005 and Artificial Intelligence – what they are and important aspects to consider
• DORA and incident management
• DORA and the need to delve deeper into ISO/IEC 27005
• Treating AI as ‘just another system’
• Managing the threats from third parties
• Key takeaways
Martin Tully
Martin is a Senior Consultant at CRMG with over twenty years of experience, and has previously been employed at two of the ‘Big Four’ professional services firms. Martin has worked across most industry sectors in the development of best practice guidance and risk analysis methodologies. Martin holds a Bachelor's degree from Royal Holloway, University of London.
Geoffrey Taylor
Geoffrey is the Director of Cybersecurity at Trifork Cyber Protection. He has held information security governance roles within telecommunications, transportation and IT outsourcing, to name a few. He holds both CISM and CRISC certifications as well as ISO 27001 Lead Implementer and ISO 27001 Lead Auditor. He is also a PECB Certified Trainer and has over 20 years of experience.
Welcome and Introductions
• The Digital Operational Resilience Act (DORA) is an EU regulation that ‘entered into force’ on 16 January 2023, is currently going through a public consultation of draft documents and will apply as of 17 January 2025.
• The regulation focuses on the IT security of financial institutions to ensure they stay resilient in the event of a severe operational disruption.
• DORA will apply to 20 different types of financial entities and ICT third-party service providers.
Digital Operational Resilience Act (DORA)
• ICT risk framework (Chapter II)
• ICT-related incident management, classification and reporting (Chapter III)
• Digital operational resilience testing (Chapter IV)
• Third-party risk management (Chapter V.I)
• Oversight framework (Chapter V.II)
Delving into DORA
• ICT risk framework (Chapter II): set up and maintain resilient ICT systems and tools to identify and minimize ICT risk on a continuous basis.
• ICT-related incident management, classification and reporting (Chapter III): establish and implement a management process to monitor, classify and report major ICT-related incidents to competent authorities.
• Digital operational resilience testing (Chapter IV): test the operational resilience included in the ICT risk management framework to identify weaknesses, deficiencies or gaps.
• Third-party risk management (Chapter V.I): assess, monitor and document ICT third-party risk and ensure all contracts with such parties state their obligations under the act.
• Oversight framework (Chapter V.II): critical ICT third-party service providers in the financial sector are to adhere to an oversight framework.
Article 17 – “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.”
• Review the incident management process from top to bottom
• Ensure that the incident management function is fit for purpose
• Test the plans regularly to identify gaps and continually improve them
“At least major ICT-related incidents are reported to relevant senior management”
DORA and ICT-related Incident Management
ICT-related incident management, classification and reporting (Chapter III):
• ICT-related incident management process (Article 17)
• Classification of ICT-related incidents and cyber threats (Article 18)
• Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (Article 19)
• Harmonization of reporting content and templates (Article 20)
ICT-related incident reporting decision tree
Source: Joint Committee of the European Supervisory Authorities
The current recommendations being considered are:
• Initial notification – 4 hours from the incident being classified as major and not later than 24 hours
• Intermediate report – 72 hours or before if
• Final report – within 1 month*
Source: https://www.esma.europa.eu/document/final-report-draft-rts-classification-major-incidents-and-significant-cyber-threats
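The reporting windows listed above, turned into a deadline tracker that an incident-response team can run against each major incident. This is an added example, not code from the presentation, CRMG or ESMA: the hour and month values are the draft recommendations quoted on the slide, while the reference points (the 24-hour cap counted from detection, the 72 hours from the initial notification deadline, the month from the intermediate report deadline) are assumptions made here and marked in the code, to be confirmed against the final RTS.

```python
"""DORA major-incident reporting deadline tracker (added example, not from the slides).

Values are the draft recommendations quoted on the slide: initial notification
4 h after the incident is classified as major and no later than 24 h; intermediate
report at 72 h; final report within 1 month. The reference points for the 24 h
cap, the 72 h and the month are assumptions made here, not stated on the slide.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Union

Timestamp = Union[str, datetime]


def _as_datetime(ts: Timestamp) -> datetime:
    """Accept ISO 8601 strings or datetimes; reject naive (timezone-less) values."""
    dt = datetime.fromisoformat(ts) if isinstance(ts, str) else ts
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt


def add_one_month(dt: datetime) -> datetime:
    """Same day in the next calendar month, clamped to that month's length (31 Jan -> 29 Feb 2024)."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial_notification: datetime
    intermediate_report: datetime
    final_report: datetime

    def as_iso(self) -> Dict[str, str]:
        return {
            "initial_notification": self.initial_notification.isoformat(),
            "intermediate_report": self.intermediate_report.isoformat(),
            "final_report": self.final_report.isoformat(),
        }


def reporting_deadlines(detected_at: Timestamp, classified_major_at: Timestamp) -> ReportingDeadlines:
    """Compute the three reporting deadlines for one major ICT-related incident."""
    detected = _as_datetime(detected_at)
    classified = _as_datetime(classified_major_at)
    if classified < detected:
        raise ValueError("classification as major cannot precede detection")
    # 4 h after classification, but the 24 h cap (assumed to run from detection) wins
    # when classification was slow.
    initial = min(classified + timedelta(hours=4), detected + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)  # assumption: counted from the initial notification
    final = add_one_month(intermediate)            # assumption: one calendar month after the intermediate report
    return ReportingDeadlines(initial, intermediate, final)


def overdue_reports(deadlines: ReportingDeadlines, now: Timestamp) -> List[str]:
    """Names of reports whose deadline has already passed at `now`; feed this to an alerting job."""
    current = _as_datetime(now)
    due_dates = (
        ("initial_notification", deadlines.initial_notification),
        ("intermediate_report", deadlines.intermediate_report),
        ("final_report", deadlines.final_report),
    )
    return [name for name, due in due_dates if current > due]


if __name__ == "__main__":
    # Constructed sample: detected at midnight UTC but only classified as major 22 h later,
    # so the 24 h cap, not the 4 h window, sets the initial notification deadline.
    d = reporting_deadlines("2024-03-01T00:00:00+00:00", "2024-03-01T22:00:00+00:00")
    print(d.as_iso())
    print(overdue_reports(d, "2024-03-02T01:00:00+00:00"))
```

The check worth keeping in a ticketing or SOAR workflow is the `min(...)` line: an incident that sits unclassified for most of a day does not get a fresh 4-hour window once someone finally marks it major.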
ICT-related incident reporting
ISO/IEC 27005
• ISO 27005 is the international standard that describes how to conduct an information security risk assessment.
• ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.
• ISO 27005 is applicable to all organizations and is designed to assist the satisfactory implementation of information security based on a risk management approach.
ISO/IEC 27005 and DORA
• Examples of consequence scales
• Example of likelihood scale
• Asset types (primary and supporting)
• Examples and usual methods of attack
• Examples of target objectives
• Examples of threats and vulnerabilities
• Methods to assess vulnerabilities
The rise of Artificial Intelligence - challenges
Source: CyberArk
Artificial Intelligence Threats
AI-specific threats:
• Adversarial data poisoning
• Data scarcity
• Unauthorized access to AI/ML model source code
• Overloading machine learning models
• Introduction of selection bias
• Input data manipulation
• Label manipulation and inaccuracy
• AI voice cloning
• Model extraction attacks
• Deepfake video
Source: CRMG
EU AI Act: first regulation on artificial intelligence
In April 2021, the European Commission proposed the first EU regulatory framework for AI. AI systems that can be used in different applications are analysed and classified according to the risk they pose to users.
• Unacceptable risk: AI systems considered a threat to people will be banned (e.g. cognitive behavioural manipulation, and biometric identification and categorisation of individuals).
• High risk: AI systems that negatively affect safety or fundamental rights will be considered high risk.
• Transparency requirements: generative AI, like ChatGPT, will not be classified as high-risk, but will have to comply with transparency requirements and EU copyright law.
Treating AI as ‘just another system’
• Consider using ISO/IEC 42001 and/or the creation of an Artificial Intelligence Management System (AIMS) to manage the risk associated with AI and to comply with new (DORA) and future legislation
• All management systems require management commitment, mandate and the proper resourcing to operate adequately
• Like ISO 27001, the standard is flexible and can be adapted to all organizations, regardless of size and complexity
• Independent assurance will engender trust for a financial entity (FE) with internal and external stakeholders
Fairness · Transparency · Accountability · Reliability and safety · Privacy and security
Fictitious Financial Entity (FFE): relevance of ISO 42001 for DORA
AIMS – Financial Service · Business Intelligence · Digital payments · AI Threat Intelligence · SecOps SaaS · Anti-Fraud · AMLaaS
• Financial Service
• AI internal, residing in private cloud
• Data Analytics – 3rd party
• SaaS AI service – 3rd party
• SecOps SaaS – 3rd party provider AI
• AI anti-malware
• Automated incident reporting within the organization and to the authorities
• Automated incident response
• AI threat intelligence – 3rd party provider
• Anti-Money Laundering as a Service (AMLaaS) utilizing AI
• Business Intelligence – 3rd party
Testing third party use of AI
• Organizations will need to gain assurance that third parties have performed their due diligence on their use of AI. This is required to manage any threats posed using AI.
• Examples of AI controls that are linked to AI threats and AI-enabled threats:
AI control – AI control description
Data validation and sanitization – Implement strict data validation and sanitization processes to ensure that incoming data (especially the data used for training machine learning models) is clean, accurately labeled, and free from malicious modifications.
Anomaly detection systems – Use anomaly detection systems to monitor data and model behavior for signs of poisoning or other anomalies. This can help in identifying and mitigating attacks early.
Incident response plan – Have a well-defined incident response plan that includes procedures for dealing with data poisoning attacks. This should involve steps for isolating affected systems, analyzing the attack, and restoring system integrity.
Source: CRMG
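The first two controls in that table, data validation/sanitization and anomaly detection, as working Python that a receiving organization could run over a labelled training batch delivered by a third party before it reaches a model. This is an added example and not code from the presentation or from CRMG; the schema, allowed labels, value range, thresholds and every record are constructed for illustration. The three poisoning signals it checks (positive-rate drift, feature outliers by z-score, and baseline records reappearing with a different label) are one reasonable reading of "signs of poisoning", not a definition from the slide.

```python
"""Training-data validation and poisoning anomaly checks (added example, not from the slides).

Schema, thresholds and all records below are constructed for illustration.
"""
import math
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed schema for a toy fraud-detection training set: amount, 2-letter country, binary label.
SCHEMA = {"amount": (int, float), "country": str, "label": int}
ALLOWED_LABELS = {0, 1}
AMOUNT_RANGE = (0.0, 1_000_000.0)


def validate_record(rec: Record) -> List[str]:
    """Return the validation problems found in one record (empty list means clean)."""
    problems = []
    for field, ftypes in SCHEMA.items():
        if field not in rec:
            problems.append(f"missing {field}")
        elif isinstance(rec[field], bool) or not isinstance(rec[field], ftypes):
            problems.append(f"bad type for {field}")
    if problems:  # semantic checks below need well-typed fields
        return problems
    if rec["label"] not in ALLOWED_LABELS:
        problems.append("label outside allowed set")
    low, high = AMOUNT_RANGE
    if not low <= rec["amount"] <= high:
        problems.append("amount out of range")
    if len(rec["country"]) != 2 or not rec["country"].isalpha():
        problems.append("country is not a 2-letter code")
    return problems


def sanitize_batch(batch: List[Record]) -> Tuple[List[Record], List[Tuple[Record, List[str]]]]:
    """Split a batch into accepted records and (record, problems) pairs to quarantine."""
    accepted, rejected = [], []
    for rec in batch:
        problems = validate_record(rec)
        (rejected.append((rec, problems)) if problems else accepted.append(rec))
    return accepted, rejected


def _mean_std(values: List[float]) -> Tuple[float, float]:
    mean = sum(values) / len(values)
    return mean, math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def _features(rec: Record) -> Tuple[object, ...]:
    return (rec["amount"], rec["country"])


def poisoning_signals(baseline: List[Record], batch: List[Record],
                      z_threshold: float = 3.0, max_rate_shift: float = 0.2) -> Dict[str, object]:
    """Compare a sanitized batch with the trusted baseline; an empty dict means nothing suspicious."""
    if not batch:
        return {"empty_batch": True}
    signals: Dict[str, object] = {}
    # 1. Label distribution drift: a jump in the positive rate is a classic label-flipping footprint.
    base_rate = sum(r["label"] for r in baseline) / len(baseline)
    batch_rate = sum(r["label"] for r in batch) / len(batch)
    if abs(batch_rate - base_rate) > max_rate_shift:
        signals["positive_rate_shift"] = round(batch_rate - base_rate, 3)
    # 2. Feature outliers: amounts far outside the baseline distribution (z-score test).
    mean, std = _mean_std([float(r["amount"]) for r in baseline])
    if std > 0:
        outliers = [r for r in batch if abs(r["amount"] - mean) / std > z_threshold]
        if outliers:
            signals["amount_outliers"] = len(outliers)
    # 3. Label flips: batch records whose features match a baseline record but carry a different label.
    known = {_features(r): r["label"] for r in baseline}
    flips = [r for r in batch if _features(r) in known and known[_features(r)] != r["label"]]
    if flips:
        signals["label_flips"] = len(flips)
    return signals


def make_record(amount, country, label) -> Record:
    return {"amount": amount, "country": country, "label": label}


# Constructed data. BASELINE is data the organization already trusts.
BASELINE = [make_record(a, c, l) for a, c, l in [
    (20.0, "GB", 0), (35.0, "DE", 0), (50.0, "FR", 0), (42.0, "GB", 0), (18.0, "NL", 0),
    (60.0, "DE", 0), (75.0, "GB", 1), (30.0, "FR", 0), (48.0, "NL", 0), (55.0, "GB", 1)]]
CLEAN_BATCH = [make_record(22.0, "GB", 0), make_record(38.0, "DE", 0), make_record(52.0, "FR", 0),
               make_record(65.0, "NL", 1), make_record(44.0, "GB", 0)]
SUSPICIOUS_BATCH = [
    make_record(25.0, "GB", 0),
    make_record(20.0, "GB", 1),    # same features as a baseline record, label flipped
    make_record(35.0, "DE", 1),    # same, flipped
    make_record(900.0, "FR", 0),   # amount far outside the baseline distribution
    make_record(40.0, "NL", 1),
]
RAW_BATCH = [
    make_record(25.0, "GB", 0),
    {"amount": 30.0, "country": "DE"},   # missing label
    make_record(12.0, "FR", 2),          # label outside the allowed set
    make_record(-5.0, "NL", 0),          # negative amount
    make_record("40", "GB", 1),          # amount delivered as a string
    make_record(40.0, "GBR", 1),         # malformed country code
]

if __name__ == "__main__":
    accepted, rejected = sanitize_batch(RAW_BATCH)
    print(f"accepted {len(accepted)}, quarantined {len(rejected)}")
    print("clean batch:", poisoning_signals(BASELINE, CLEAN_BATCH))
    print("suspicious batch:", poisoning_signals(BASELINE, SUSPICIOUS_BATCH))
```

Quarantined records and any non-empty signal dictionary are what the third control in the table, the incident response plan, should be triggered from: a batch that trips `label_flips` is evidence for the "isolate affected systems" step rather than something to silently drop.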
Clear emphasis in DORA on managing third parties
Source: EIOPA
Enhancing third party management – typical approach to assess third parties
• Triage critical third parties
Objective: to identify your critical third parties.
Activity: use the requirements in ISO/IEC 27005 to scope the third party (e.g. type of information shared, hosting and business impact assessment) in addition to AI threats.
• Define security requirements
Objective: to define third party security controls.
Activity: interpret the DORA requirements for third parties and create a security requirements questionnaire based on the service provided by the third party.
• Gain assurance from the third party
Objective: to understand control gaps from the third party.
Activity: the third party responds to the tailored questionnaire provided to them and shares evidence/artefacts with the requesting organization.
• Implement security control gaps
Objective: to fix third party control gaps.
Activity: the third party applies resources to provide assurance that security gaps have been addressed. This may include utilizing AI for efficiency over deploying technical controls.
• Agree third party contracts/SLAs
Objective: to include contract clauses agreed by the third party.
Activity: the security requirements interpreted from the DORA regulation are formalized into a contract between the main organization and its third parties. AI-specific controls are also included, which are mapped to specific AI threats.
Key Takeaways
• Become aware of the new DORA regulations and the roadmap towards implementation in 2025
• Utilize ISO/IEC 27005 to focus on enhancing the approach to incident management within DORA
• Assess third parties against the requirements in DORA, supported by understanding their criticality through ISO/IEC 27005
• Support the implementation of security measures in third parties, providing assistance where necessary that utilizes AI
• Establish continuous improvement of your and third-party security requirements as new threats evolve
THANK YOU
Q&A
martin.tully@crmg-consult.org linkedin.com/in/martin-tully-a050378
glta@trifork.com https://www.linkedin.com/in/geoffrey-t/

 

Recently uploaded (20)

call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity

  • 1. DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
  • 2. Agenda
     Welcome and introductions
     DORA, ISO/IEC 27005 and Artificial Intelligence – what they are and important aspects to consider
     DORA and incident management
     DORA and the need to delve deeper into ISO/IEC 27005
     Treating AI as ‘just another system’
     Managing the threats from third parties
     Key takeaways
  • 3. Welcome and Introductions
    Martin Tully
    Martin is a Senior Consultant at CRMG with over twenty years of experience, and has previously been employed at two of the ‘Big Four’ professional services firms. Martin has worked across most industry sectors in the development of best practice guidance and risk analysis methodologies. Martin holds a Bachelor's degree from Royal Holloway University of London.
    Geoffrey Taylor
    Geoffrey is the Director of Cybersecurity at Trifork Cyber Protection. He has held information security governance roles within telecommunications, transportation and IT outsourcing, to name a few. He holds both CISM and CRISC certifications as well as ISO 27001 Lead Implementer and ISO 27001 Lead Auditor. He is also a PECB Certified Trainer and has over 20 years of experience.
  • 4. Digital Operational Resilience Act (DORA)
    • The Digital Operational Resilience Act (DORA) is an EU regulation that ‘entered into force’ on 16 January 2023, is currently going through a public consultation of draft documents and will apply as of 17 January 2025.
    • The regulation focuses on the IT security of financial institutions to ensure they stay resilient in the event of a severe operational disruption.
    • DORA will apply to 20 different types of financial entities and ICT third-party service providers.
    Pillars: ICT risk framework (Chapter II); ICT-related incident management, classification and reporting (Chapter III); Digital Operational Resilience Testing (Chapter IV); Third-party risk management (Chapter V.I); Oversight framework (Chapter V.II)
  • 5. Delving into DORA
    • ICT risk framework (Chapter II): Set up and maintain resilient ICT systems and tools to identify and minimize ICT risk on a continuous basis.
    • ICT-related incident management, classification and reporting (Chapter III): Establish and implement a management process to monitor, classify and report major ICT-related incidents to competent authorities.
    • Digital Operational Resilience Testing (Chapter IV): Test the operational resilience included in the ICT risk management framework to identify weaknesses, deficiencies or gaps.
    • Third-party risk management (Chapter V.I): Assess, monitor and document ICT third-party risk and ensure all contracts with such parties state their obligations under the act.
    • Oversight framework (Chapter V.II): Critical ICT third-party service providers in the financial sector are to adhere to an oversight framework.
  • 6. DORA and ICT-related Incident Management
    Article 17: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.”
    • Review the incident management process from top to bottom
    • Ensure that the incident management function is fit for purpose
    • Test the plans regularly to identify gaps and continually improve them
    “At least major ICT-related incidents are reported to relevant senior management”
    Chapter III (ICT-related incident management, classification and reporting) covers: the ICT-related incident management process (Article 17); classification of ICT-related incidents and cyber threats (Article 18); reporting of major ICT-related incidents and voluntary notification of significant cyber threats (Article 19); harmonization of reporting content and templates (Article 20).
  • 7. ICT-related incident reporting decision tree (Chapter III)
    Decision tree figure. Source: Joint Committee of the European Supervisory Authorities
  • 8. ICT-related incident reporting (Chapter III)
    The current recommendations being considered are:
    • Initial notification: 4 hours from the incident being classified as major and not later than 24 hours
    • Intermediate report: 72 hours or before if
    • Final report: within 1 month*
    Source: https://www.esma.europa.eu/document/final-report-draft-rts-classification-major-incidents-and-significant-cyber-threats
  • 9. ISO/IEC 27005
    • ISO 27005 is the international standard that describes how to conduct an information security risk assessment.
    • ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied.
    • ISO 27005 is applicable to all organizations and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • 10. ISO/IEC 27005 and DORA
    • Examples of consequence scales
    • Example of likelihood scale
    • Asset types (primary and supporting)
    • Examples and usual methods of attack
    • Examples of target objectives
    • Examples of threats and vulnerabilities
    • Methods to assess vulnerabilities
  • 11. The rise of Artificial Intelligence – challenges. Source: CyberArk
  • 12. Artificial Intelligence Threats – AI-specific threats
    • Adversarial data poisoning
    • Data scarcity
    • Unauthorized access to AI/ML model source code
    • Overloading machine learning models
    • Introduction of selection bias
    • Input data manipulation
    • Label manipulation and inaccuracy
    • AI voice cloning
    • Model extraction attacks
    • Deepfake video
    Source: CRMG
  • 13. EU AI Act: first regulation on artificial intelligence
    In April 2021, the European Commission proposed the first EU regulatory framework for AI. AI systems that can be used in different applications are analysed and classified according to the risk they pose to users.
    • Unacceptable risk: AI systems considered a threat to people will be banned (e.g. cognitive behavioural manipulation and biometric identification and categorisation of individuals).
    • High risk: AI systems that negatively affect safety or fundamental rights will be considered high risk.
    • Transparency requirements: generative AI, like ChatGPT, will not be classified as high-risk, but will have to comply with transparency requirements and EU copyright law.
  • 14. Treating AI as ‘just another system’
    • Consider using ISO/IEC 42001 and/or the creation of an Artificial Intelligence Management System (AIMS) to manage the risk associated with AI and to comply with new (DORA) and future legislation
    • All management systems require management commitment, mandate and the proper resourcing to operate adequately
    • Like ISO 27001, the standard is flexible and can be adapted to all organizations, regardless of size and complexity
    • Independent assurance will engender trust for an FE with internal and external stakeholders
    Principles: Fairness; Transparency; Accountability; Reliability and safety; Privacy and Security
  • 15. Relevance of ISO 42001 for DORA – Fictitious Financial Entity (FFE)
    AIMS diagram covering: Financial Service, Business Intelligence, Digital payments, AI Threat Intelligence, SecOps SaaS, Anti-Fraud, AMLaaS
    • Financial Service: AI residing internally in a private cloud
    • Data Analytics: 3rd party
    • SaaS AI service: 3rd party
    • SecOps SaaS: 3rd-party provider AI
    • AI anti-malware
    • Automated incident reporting within the organization and to the authorities
    • Automated incident response
    • AI Threat Intelligence: 3rd-party provider
    • Anti-Money Laundering as a Service utilizing AI
    • Business Intelligence: 3rd party
  • 16. Testing third party use of AI
    • Organizations will need to gain assurance that third parties have performed their due diligence on their use of AI. This is required to manage any threats posed using AI.
    • Examples of AI controls that are linked to AI threats and AI-enabled threats:
    Data Validation and Sanitization: Implement strict data validation and sanitization processes to ensure that incoming data (especially the data used for training machine learning models) is clean, accurately labeled, and free from malicious modifications.
    Anomaly Detection Systems: Use anomaly detection systems to monitor data and model behavior for signs of poisoning or other anomalies. This can help in identifying and mitigating attacks early.
    Incident Response Plan: Have a well-defined incident response plan that includes procedures for dealing with data poisoning attacks. This should involve steps for isolating affected systems, analyzing the attack, and restoring system integrity.
    Source: CRMG
  • 17. Clear emphasis in DORA on managing third parties. Source: EIOPA
  • 18. Enhancing third party management – typical approach to assess third parties
    • Triage critical third parties. Objective: To identify your critical third parties. Activity: Use the requirements in ISO/IEC 27005 to scope the third party (e.g. type of information shared, hosting and business impact assessment) in addition to AI threats.
    • Define security requirements. Objective: To define third party security controls. Activity: Interpret the DORA requirements for third parties and create a security requirements questionnaire based on the service provided by the third party.
    • Gain assurance from the third party. Objective: To understand control gaps from the third party. Activity: Third party responds to the tailored questionnaire provided to them and shares evidence/artefacts with the requesting organization.
    • Implement security control gaps. Objective: To fix third party control gaps. Activity: Third party applies resources to provide assurance that security gaps have been addressed. This may include utilizing AI for efficiency over deploying technical controls.
    • Agree Third Party Contracts/SLAs. Objective: To include contract clauses agreed by the third party. Activity: The security requirements interpreted from the DORA regulation are formalized into a contract between the main organization and its third parties. AI-specific controls are also included, which are mapped to specific AI threats.
  • 19. Key Takeaways
     Become aware of the new DORA regulations and the roadmap towards implementation in 2025
     Utilize ISO/IEC 27005 to focus on enhancing the approach to incident management within DORA
     Assess third parties against the requirements in DORA, supported by understanding their criticality through 27005
     Support the implementation of security measures in third parties, providing assistance where necessary that utilizes AI
     Establish continuous improvement of your and third-party security requirements as new threats evolve

Editor's Notes

  1. The extended use of ICT systems increases the efficiency of internal processes and the user experience for customers; however, it also introduces risks and vulnerabilities, which may leave financial entities exposed to cyber-attacks or incidents. If not managed properly, ICT risks could lead to the disruption of financial services that are often offered across borders and can have far-reaching effects on other companies, sectors, or even the rest of the economy. The risk of such cross-border and cross-sectoral disruptions highlights the importance of digital operational resilience in the financial sector.
  2. Risk framework: also set up protection and prevention measures, and establish dedicated and comprehensive business continuity policies and disaster recovery plans.
  3. To operationalise the application, DORA mandates the European Supervisory Authorities (ESAs) to prepare jointly, through the Joint Committee (JC), a set of policy products with two main submission deadlines 17 January 2024 (first batch) and 17 June 2024 (second batch) as highlighted in the picture. The standards set out requirements for all financial entities with respect to: (i) ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training); (ii) Human resources policy and access control; (iii) ICT-related incident detection and response, (iv) ICT business continuity management, (v) Report on the ICT risk management framework review; and (vi) Proportionality
  4. DORA imposes requirements on Financial Entities, referred to as FEs, to define, establish and implement an ICT-related incident management process, which aligns with ISO 27001. The Act mentions 'early-warning' indicators, a means to detect malicious activity as soon as possible. Similarly to ISO 27001, FEs must have in place the requisite policies, procedures, processes and people to manage incidents from detection to recovery (if needed). The requirements outlined in Article 17, including detection, management and notification, align with best practice guidance regarding incident management. FEs are encouraged to ensure their incident management process, procedures and people are prepared and that the FE continuously improves its incident management processes (see Article 17's mention of root cause, for example). The FE should investigate whether the process is still fit for purpose to ensure compliance with DORA. Is the process continually improved? Is root cause analysis regularly performed and are the actions implemented? Are staff aware of their roles and responsibilities and can they execute them adequately?
  5. Reporting timelines in the draft RTS/ITS:
     1. Initial notification: the ESAs have arrived at the view that the initial notification shall be submitted four hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection of the incident after the FE has classified the incident as major.
     2. Intermediate report: the ESAs have arrived at the view that the most appropriate timeline for submission of the intermediate report is 3 days (72 hours) after the classification of the incident as major. In addition, the ESAs recognise that regular activities of the FE can be recovered earlier and have specified in the RTS that FEs shall submit the intermediate report to CAs ‘within 72 hours from the classification of the incident as major, or sooner when regular activities have been recovered and business is back to normal’.
     3. Final report: the ESAs have arrived at the view that 1 month (30 days) will be the most appropriate timeline, since it will provide sufficient time for FEs to obtain all relevant information while allowing CAs to receive the information without significant delay after the submission of the intermediate report.
     Note: the ESAs have also envisaged cases where the FE may not be in a position to submit an initial notification, intermediate report or final report within the timelines set out in Article 2 of the draft RTS, and have introduced in Article 4 of the draft ITS the possibility for FEs to submit the notification/report with a delay, in which case FEs shall inform their competent authority without undue delay and shall explain the reasons why.
  6. ISO/IEC 27005 does not specify or recommend specific risk management methods in detail. Instead, it discusses the process in more general/overall terms, drawing on the generic risk management method described by ISO 31000[3] i.e.: Identify and assess the risks; Decide what to do about the risks (how to 'treat' them) ... and do it; Monitor the risks, risk treatments etc., identifying and responding appropriately to significant changes, issues/concerns or opportunities for improvement; Keep stakeholders (principally the organization's management) informed throughout the process.
  7. ISO 27005 can be used to assist organizations in establishing and maintaining compliance with DORA. Use the standard to threat model critical services together with the required staff, taking a holistic approach. To support the effort, ensure that up-to-date diagrams are available to discuss with the group of experts, and establish boundaries to start the conversation. The outcome of the discussion may contribute to improving the security posture of the organization by identifying gaps that may not be obvious. An organization can address ICT risk management vulnerabilities, incident handling, resilience and a host of other information security challenges by regularly engaging in this activity.
  8. Impersonation, denial of service, brute force attacks – threats very similar in nature to before but now much more advanced in terms of speed, accuracy and potential to convince that communication is reliable when generated through AI.
  9. AI-specific threats (intentional or accidental, where the slide notes it):
     • Adversarial data poisoning (intentional): Corrupting a training model for machine learning to compromise model integrity, e.g. by replacing a legitimate model file with a poisoned model file on a cloud-hosted filesystem.
     • Data scarcity (accidental): Limiting the quantity of data available for AI/ML models by targeted attacks, therefore impacting functional capabilities, as AI relies on the availability of consistent and accessible data.
     • Unauthorized access to AI/ML model source code (intentional): Gaining unauthorized source code access to exfiltrate IP (such as model parameters) and/or identify model weaknesses, e.g. dependent library vulnerabilities.
     • Overloading machine learning models: Maliciously adding random samples to the set of training data to deny basic model availability by preventing the model from computing any meaningful inference.
     • Introduction of selection bias (intentional): Selection bias may be accidentally or purposefully introduced in raw datasets, which may affect subsequent inference and the overall trustworthiness of the platform.
     • Input data manipulation: Manipulating input data fed into the system to alter the output to serve attacker objectives.
     • Label manipulation and inaccuracy (intentional): Mislabeling, or adversarial modification of data labels in supervised machine learning models, to generate inaccurate model results.
     • AI voice cloning: The creation of an artificial simulation of a person's voice that can be used for adversarial means. Example: artificial cloning of a senior manager's voice to facilitate a financial transfer orchestrated by a hacking group.
     • Model extraction attacks: An attacker queries an AI model (for example, an API providing machine learning as a service) with the goal of reconstructing a copy of the model. This can be used for unauthorized purposes, including creating competitive services or finding weaknesses in the model for exploitation.
     • Deepfake video (intentional): Use of AI to create video deepfakes to impersonate trusted individuals, tricking victims into revealing sensitive information or making unauthorized transactions.
  10. High-risk AI systems under the EU AI Act fall into two categories:
     1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts.
     2) AI systems falling into specific areas that will have to be registered in an EU database: management and operation of critical infrastructure; education and vocational training; employment, worker management and access to self-employment; access to and enjoyment of essential private services and public services and benefits; law enforcement; migration, asylum and border control management; assistance in legal interpretation and application of the law.
     Next steps: the agreed text is expected to be finally adopted in April 2024. It will be fully applicable 24 months after entry into force, but some parts will be applicable sooner:
     • The ban of AI systems posing unacceptable risks will apply six months after the entry into force
     • Codes of practice will apply nine months after entry into force
     • Rules on general-purpose AI systems that need to comply with transparency requirements will apply 12 months after the entry into force
     • High-risk systems will have more time to comply with the requirements, as the obligations concerning them will become applicable 36 months after the entry into force.
  11. DORA has been very clear on focusing on ICT and, in particular third parties used by financial institutions as a recognized ‘gap’ in an organisation’s threat landscape.
  12. Here are the main ways in which AI is used in cybersecurity:
     • Threat detection. AI can act as a filter for analyzing files and software code to identify potential malware threats while avoiding false positives. Machine learning algorithms can be trained for threat detection to recognize patterns and characteristics of known malware and flag any new code that matches these patterns.
     • Network security. AI algorithms can analyze network traffic data to detect patterns and anomalies indicating an attempted intrusion or attack. By learning what normal network traffic patterns look like, AI can flag any deviations from this baseline as potential threats.
     • Behavioral analysis. AI can be used to analyze user behavior and detect anomalies that may indicate unauthorized access or malicious activity using machine learning. This allows for more effective user activity monitoring and detection of potential threats while limiting false positives.
     • Automated incident response. AI-based systems can be used to automatically respond to detected threats, like shutting down connections, quarantining infected machines, and disabling user accounts. Advanced machine learning models help to contain hacking attempts and minimize potential damage.
     • Vulnerability assessment. AI can identify potential vulnerabilities in systems and networks. This allows for proactive measures to be taken to mitigate potential threats before they can be exploited.
  13. This slide shows how ISO/IEC 27005, DORA and AI could be used to enhance the third party management process. Building on the emphasis in DORA on securing third parties, the risk assessment elements of ISO/IEC 27005 and the efficiency gains of AI-supported security controls could be applied to the requirements in DORA for third parties. Integrated artificial intelligence systems have the potential to be trained for the automatic identification of cyber threats, alerting users, and safeguarding sensitive information of businesses. Most cybersecurity tools integrate deep learning and other capabilities intended to work with big data. The main ways in which AI is used in cybersecurity are those listed in note 12 (threat detection, network security, behavioral analysis, automated incident response and vulnerability assessment).
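The reporting clocks from slide 8 and note 5 above, as an added worked example (this code is not from the presentation or from CRMG/Trifork): it computes the initial, intermediate and final deadlines for a major incident from the detection, classification and recovery timestamps, and flags a late submission so the entity knows it must inform its competent authority and explain the delay. Assumptions made here: "1 month" for the final report is taken as 30 days counted from the intermediate report submission, and the strict reading that the intermediate report falls due at the moment of recovery when that comes before 72 hours; the sample incident is constructed.

```python
"""Deadline tracker for DORA major ICT-related incident reports.

Encodes the reporting timelines from slide 8 / note 5:
  initial notification : 4 h after classification as major, but no later
                         than 24 h after detection;
  intermediate report  : 72 h after classification, or sooner once regular
                         activities are recovered and business is normal;
  final report         : 1 month (taken here as 30 days), counted in this
                         example from the intermediate report submission.
A report submitted after its deadline is flagged: the entity must then inform
its competent authority (CA) without undue delay and explain the reasons.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_CLASSIFICATION = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)  # assumption: "1 month" = 30 days

LATE_ACTION = "inform competent authority without undue delay and explain the reasons"


def utc(iso_timestamp: str) -> datetime:
    """Parse a naive ISO 8601 string such as '2025-03-03T09:00' as UTC."""
    return datetime.fromisoformat(iso_timestamp).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class MajorIncident:
    detected_at: datetime
    classified_major_at: datetime
    recovered_at: Optional[datetime] = None              # business back to normal
    intermediate_submitted_at: Optional[datetime] = None  # when the FE actually sent it

    def __post_init__(self) -> None:
        if self.classified_major_at < self.detected_at:
            raise ValueError("an incident cannot be classified before it is detected")


def initial_notification_deadline(inc: MajorIncident) -> datetime:
    """4 h from classification, capped at 24 h from detection.

    If classification itself takes more than 20 h, the cap binds and the
    deadline lies before the classification time: the entity is already
    late at the moment it classifies the incident as major.
    """
    return min(inc.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
               inc.detected_at + INITIAL_CAP_AFTER_DETECTION)


def intermediate_report_deadline(inc: MajorIncident) -> datetime:
    """72 h from classification, or the recovery time if that comes first."""
    deadline = inc.classified_major_at + INTERMEDIATE_AFTER_CLASSIFICATION
    if inc.recovered_at is not None and inc.recovered_at < deadline:
        return inc.recovered_at
    return deadline


def final_report_deadline(inc: MajorIncident) -> datetime:
    """30 days after the intermediate report was actually submitted."""
    if inc.intermediate_submitted_at is None:
        raise ValueError("final report deadline requires the intermediate submission time")
    return inc.intermediate_submitted_at + FINAL_AFTER_INTERMEDIATE


def check_submission(deadline: datetime, submitted_at: datetime) -> dict:
    """Compare a submission against its deadline and state what follows."""
    late = submitted_at > deadline
    return {
        "deadline": deadline,
        "submitted_at": submitted_at,
        "late": late,
        "slack": deadline - submitted_at,  # negative timedelta when late
        "action": LATE_ACTION if late else "none",
    }


if __name__ == "__main__":
    # Constructed sample incident, not a real case.
    inc = MajorIncident(
        detected_at=utc("2025-03-03T09:00"),
        classified_major_at=utc("2025-03-03T11:30"),
        recovered_at=utc("2025-03-04T18:00"),
        intermediate_submitted_at=utc("2025-03-04T18:45"),
    )
    print("initial      due:", initial_notification_deadline(inc))
    print("intermediate due:", intermediate_report_deadline(inc))
    print("final        due:", final_report_deadline(inc))
    # The intermediate report went out 45 minutes after recovery: late under
    # the strict reading, so the CA must be told why.
    print(check_submission(intermediate_report_deadline(inc), inc.intermediate_submitted_at))
```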