SlideShare a Scribd company logo
1 of 20
Agenda
 Welcome and introductions
 DORA, ISO/IEC 27005 and Artificial
Intelligence – what they are and
important aspects to consider
 DORA and incident management
 DORA and the need to delve deeper
into ISO/IEC 27005
 Treating AI as ‘just another system’
 Managing the threats from third
parties
 Key takeaways
Martin Tully
Martin is a Senior Consultant at CRMG with over twenty years of experience, and
has previously been employed at two of the ‘Big Four’ professional services firms.
Martin has worked across most industry sectors in the development of the best
practice guidance and risk analysis methodologies. Martin holds a Bachelors
degree from Royal Holloway University of London.
Geoffrey Taylor
Geoffrey is the Director of Cybersecurity at Trifork Cyber Protection. He has had
information security governance roles within telecommunications, transportation
and IT outsourcing to name a few. He holds both CISM and CRISC certifications
as well as the ISO 27001 Lead Implementer and ISO 27001 Lead Auditor. He is
also a PECB Certified Trainer and has over 20 years of experience.
Welcome and Introductions
• The Digital Operational Resilience Act (DORA) is a EU regulation that
‘entered into force’ on 16 January 2023, is currently going through a public
consultation of draft documents and will apply as of 17 January 2025.
• The regulation focuses on IT security of financial institutions to ensure they
stay resilient in the event of a severe operational disruption.
• DORA will apply to 20 different types of financial entities and ICT third-party
service providers.
Digital Operational Resilience Act (DORA)
ICT risk framework
(Chapter II)
ICT related incident
management
classification
and reporting (Chapter III)
Digital Operational
Resilience Testing
(Chapter IV)
Third-party risk
management (Chapter
V.I)
Oversight framework
(Chapter
V.II)
Delving into DORA
ICT risk framework
(Chapter II)
ICT related incident
management
classification
and reporting (Chapter III)
Digital Operational
Resilience Testing
(Chapter IV)
Third-party risk
management (Chapter
V.I)
Oversight framework
(Chapter
V.II)
Set up and maintain resilient ICT systems and tools to identify and
minimize ICT risk on a continuous basis.
Establish and implement a management process to monitor, classify
and report major ICT-related incidents to competent authorities.
Test the operational resilience included in the ICT risk management
framework to identify weaknesses, deficiencies or gaps.
Assess, monitor and document ICT third-party risk and ensure all
contracts with such parties state their obligations under the act.
Critical ICT third-party service providers in the financial sectors to
adhere to an oversight framework.
Article 17- “Financial entities shall define, establish and implement an ICT-related
incident management process to detect, manage and notify ICT-related
incidents.”
• Review the incident management process from top to bottom
• Ensure that the incident management function is fit for purpose
• Test the plans regularly to identify gaps and continually improve them
”At least Major ICT-related incidents are reported to relevant senior management”
DORA and ICT- related Incident Management
ICT related incident
management,
classification and
reporting (Chapter III)
ICT related incident
management process
(Article 17)
Classification of ICT-
related incidents and
cyber threats
(Article 18)
Reporting of major ICT-
related incidents and
voluntary notification of
significant cyber threats
(Article 19)
Harmonization of
reporting content and
templates
(Article 20))
ICT-related incident reporting decision tree
ICT related incident
management,
classification and
reporting (Chapter III)
ICT related incident
management process
(Article 17)
Classification of ICT-
related incidents and
cyber threats
(Article 18)
Reporting of major ICT-
related incidents and
voluntary notification of
significant cyber threats
(Article 19)
Harmonization of
reporting content and
templates
(Article 20))
Source: Joint Committee of the European
Supervisory Authorities
The current recommendations being considered are:
• Initial notification – 4 hours from the incident being classified as major and not
later than 24 hours
• Intermediate report- 72 hours or before if
• Final report- within 1 month*
Source: https://www.esma.europa.eu/document/final-report-draft-rts-
classification-major-incidents-and-significant-cyber-threats
ICT- related incident reporting
ICT related incident
management,
classification and
reporting (Chapter III)
ICT related incident
management process
(Article 17)
Classification of ICT-
related incidents and
cyber threats
(Article 18)
Reporting of major ICT-
related incidents and
voluntary notification of
significant cyber threats
(Article 19)
Harmonization of
reporting content and
templates
(Article 20))
ISO/IEC 27005
• ISO 27005 is the international standard that describes how to conduct an
information security risk assessment.
• ISO 27001 requires you to demonstrate
evidence of information security risk
management, risk actions taken and how
relevant controls from Annex A have been
applied.
• ISO 27005 is applicable to all organizations
and is designed to assist the satisfactory
implementation of information security
based on a risk management approach.
ISO/IEC 27005 and DORA
• Examples of Consequence Scales
• Example of likelihood scale
• Asset types (primary and supporting)
• Examples and usual methods of attack
• Examples of target objectives
• Examples of threats and vulnerabilities
• Methods to assess vulnerabilities
The rise of Artificial Intelligence - challenges
Source: CyberArk
AI specific threats
Adversarial data
poisoning
Data scarcity
Unauthorized
access to AI/ML
model source
code
Overloading
machine
learning models
Introduction of
selection bias
Input data
manipulation
Label
manipulation
and inaccuracy
AI voice cloning
Model
extraction
attacks
Deepfake video
Artificial Intelligence Threats
Source: CRMG
EU AI Act: first regulation on artificial
intelligence
In April 2021, the European Commission proposed the
first EU regulatory framework for AI.
AI systems that can be used in different applications
are analysed and classified according to the risk they
pose to users.
Unacceptable risk AI systems are systems considered
a threat to people and will be banned (e.g. Cognitive
behavioural manipulation and biometric identification
and categorisation of individuals).
High risk AI systems that negatively affect safety or
fundamental rights will be considered high risk.
Transparency requirements, such as generative AI, like
ChatGPT, will not be classified as high-risk, but will
have to comply with transparency requirements and
EU copyright law.
Treating AI as ‘just another system’
• Consider using ISO/IEC 42001 and/or the creation of an Artificial Intelligence
Management System (AIMS) to manage the risk associated with AI and to
comply with new (DORA) and future legislation
• All management systems require management commitment, mandate and the
proper resourcing to operate adequately
• Like ISO 27001 the standard is flexible and can be adapted to all
organizations, regardless of size and complexity
• Independent assurance will engender trust for an FE with internal and external
stakeholders
Fairness Transparency Accountability Reliability and safety Privacy and Security
Fictious Financial Entity (FFE)
Relevance of ISO 42001 for DORA
AIMS
Financial
Service
Business
Intelligence
Digital
payments
AI Threat
Intelligence
SecOps
Saas
Anti-Fraud
AMLaaS
• Financial Service
• AI Internal residing in Private Cloud
• Data Analytics -3rd Party
• SaaS AI service-3rd Party
• SecOps SaaS- 3rd party provider AI
• AI anti-malware
• Automated Incident reporting within the
organization and to the authorities
• Automated incident response
• AI Threat intelligence- 3rd party provider
• Anti-Money Laundering as Service utilizing AI
• Business Intelligence- 3rd party
• Organizations will need to gain assurance that third parties have performed their due diligence
on their use of AI. This is required to manage any threats posed using AI.
• Examples of AI controls that are linked to AI threats and AI enabled threats:
Testing third party use of AI
AI control AI control description
Data Validation
and Sanitization
Implement strict data validation and sanitization processes to ensure that incoming data (especially
the data used for training machine learning models) is clean, accurately labeled, and free from
malicious modifications.
Anomaly Detection
Systems
Use anomaly detection systems to monitor data and model behavior for signs of poisoning or other
anomalies. This can help in identifying and mitigating attacks early.
Incident Response
Plan
Have a well-defined incident response plan that includes procedures for dealing with data poisoning
attacks. This should involve steps for isolating affected systems, analyzing the attack, and restoring
system integrity.
Source: CRMG
Clear emphasis in DORA on managing third parties
Source: EIOPA
Enhancing third party management
Triage critical third
parties
Define security
requirements
Gain assurance
from the third party
Implement security
control gaps
Typical approach to assess third parties
Objective:
To identify your critical
third parties
Activity:
Use the requirements in
ISO/IEC 27005 to scope
the third party (e.g. type
of information shared,
hosting and business
impact assessment) in
addition to AI threats.
Objective:
To define third party
security controls
Activity :
Interpret the DORA
requirements for third
parties and create a
security requirements
questionnaire based on
the service provided by
the third party.
Objective:
To understand control
gaps from the third party
Activity :
Third party responds to
the tailored questionnaire
provided to them and
shares evidence/artefacts
with the requesting
organization
Objective:
To fix third party control
gaps
Activity :
Third party applies
resources to provide
assurance that security
gaps have been
addressed. This may
include utilizing AI for
efficiency over deploying
technical controls
Agree Third Party
Contracts/SLAs
Objective:
To include contract clauses
agreed by the third party
Activity :
The security requirements
interpreted from the DORA
regulation are formalized
into a contract between the
main organization and its
third parties. AI-specific
controls are also included,
which are mapped to
specific AI threats.
Key Takeaways
 Become aware of the new DORA regulations and the roadmap towards
implementation in 2025
 Utilize ISO/IEC 27005 to focus on enhancing the approach to incident
management within DORA
 Assess third parties against the requirements in DORA, supported by
understanding their criticality through 27005.
 Support the implementation of security measures in third parties, providing
assistance where necessary that utilizes AI
 Establish continuous improvement of your and third-party security
requirements as new threats evolve.
THANK YOU
Q&A
martin.tully@crmg-consult.org linkedin.com/in/martin-tully-a050378
glta@trifork.com https://www.linkedin.com/in/geoffrey-t/

More Related Content

Similar to DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
Christopher Nanchengwa
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
IPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
IPPAI
 
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
greendigital
 
Legal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptxLegal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptx
soulscout02
 

Similar to DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity (20)

Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdfWritten-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdf
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
A practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpaA practical data privacy and security approach to ffiec, gdpr and ccpa
A practical data privacy and security approach to ffiec, gdpr and ccpa
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009   Underside Of The Compliance EcosystemPci Europe 2009   Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Security as a Strategy
Security as a Strategy Security as a Strategy
Security as a Strategy
 
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
ARTIFCIAL INTELLIGENGE
ARTIFCIAL INTELLIGENGEARTIFCIAL INTELLIGENGE
ARTIFCIAL INTELLIGENGE
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.
 
European Risk Management Seminar 2018 - Cyber Report
European Risk Management Seminar 2018 - Cyber Report European Risk Management Seminar 2018 - Cyber Report
European Risk Management Seminar 2018 - Cyber Report
 
Cloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
Cloud Services As An Enabler: the Strategic, Legal & Pragmatic ApproachCloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
Cloud Services As An Enabler: the Strategic, Legal & Pragmatic Approach
 
Solvency II Offering
Solvency II Offering Solvency II Offering
Solvency II Offering
 
Legal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptxLegal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptx
 
Ctia course outline
Ctia course outlineCtia course outline
Ctia course outline
 

More from PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
PECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
PECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
PECB
 

More from PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Recently uploaded

Financial Accounting IFRS, 3rd Edition-dikompresi.pdf
Financial Accounting IFRS, 3rd Edition-dikompresi.pdfFinancial Accounting IFRS, 3rd Edition-dikompresi.pdf
Financial Accounting IFRS, 3rd Edition-dikompresi.pdf
MinawBelay
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
中 央社
 

Recently uploaded (20)

Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17
 
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
 
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING IIII BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
 
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
Removal Strategy _ FEFO _ Working with Perishable Products in Odoo 17
 
IPL Online Quiz by Pragya; Question Set.
IPL Online Quiz by Pragya; Question Set.IPL Online Quiz by Pragya; Question Set.
IPL Online Quiz by Pragya; Question Set.
 
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
 
Financial Accounting IFRS, 3rd Edition-dikompresi.pdf
Financial Accounting IFRS, 3rd Edition-dikompresi.pdfFinancial Accounting IFRS, 3rd Edition-dikompresi.pdf
Financial Accounting IFRS, 3rd Edition-dikompresi.pdf
 
MichaelStarkes_UncutGemsProjectSummary.pdf
MichaelStarkes_UncutGemsProjectSummary.pdfMichaelStarkes_UncutGemsProjectSummary.pdf
MichaelStarkes_UncutGemsProjectSummary.pdf
 
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
Mattingly "AI and Prompt Design: LLMs with Text Classification and Open Source"
 
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
 
MOOD STABLIZERS DRUGS.pptx
MOOD     STABLIZERS           DRUGS.pptxMOOD     STABLIZERS           DRUGS.pptx
MOOD STABLIZERS DRUGS.pptx
 
“O BEIJO” EM ARTE .
“O BEIJO” EM ARTE                       .“O BEIJO” EM ARTE                       .
“O BEIJO” EM ARTE .
 
The Last Leaf, a short story by O. Henry
The Last Leaf, a short story by O. HenryThe Last Leaf, a short story by O. Henry
The Last Leaf, a short story by O. Henry
 
How to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 InventoryHow to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 Inventory
 
Championnat de France de Tennis de table/
Championnat de France de Tennis de table/Championnat de France de Tennis de table/
Championnat de France de Tennis de table/
 
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptxHVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
HVAC System | Audit of HVAC System | Audit and regulatory Comploance.pptx
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT VẬT LÝ 2024 - TỪ CÁC TRƯỜNG, TRƯ...
 

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity

  • 1.
  • 2. Agenda  Welcome and introductions  DORA, ISO/IEC 27005 and Artificial Intelligence – what they are and important aspects to consider  DORA and incident management  DORA and the need to delve deeper into ISO/IEC 27005  Treating AI as ‘just another system’  Managing the threats from third parties  Key takeaways
  • 3. Martin Tully Martin is a Senior Consultant at CRMG with over twenty years of experience, and has previously been employed at two of the ‘Big Four’ professional services firms. Martin has worked across most industry sectors in the development of the best practice guidance and risk analysis methodologies. Martin holds a Bachelors degree from Royal Holloway University of London. Geoffrey Taylor Geoffrey is the Director of Cybersecurity at Trifork Cyber Protection. He has had information security governance roles within telecommunications, transportation and IT outsourcing to name a few. He holds both CISM and CRISC certifications as well as the ISO 27001 Lead Implementer and ISO 27001 Lead Auditor. He is also a PECB Certified Trainer and has over 20 years of experience. Welcome and Introductions
  • 4. • The Digital Operational Resilience Act (DORA) is a EU regulation that ‘entered into force’ on 16 January 2023, is currently going through a public consultation of draft documents and will apply as of 17 January 2025. • The regulation focuses on IT security of financial institutions to ensure they stay resilient in the event of a severe operational disruption. • DORA will apply to 20 different types of financial entities and ICT third-party service providers. Digital Operational Resilience Act (DORA) ICT risk framework (Chapter II) ICT related incident management classification and reporting (Chapter III) Digital Operational Resilience Testing (Chapter IV) Third-party risk management (Chapter V.I) Oversight framework (Chapter V.II)
  • 5. Delving into DORA ICT risk framework (Chapter II) ICT related incident management classification and reporting (Chapter III) Digital Operational Resilience Testing (Chapter IV) Third-party risk management (Chapter V.I) Oversight framework (Chapter V.II) Set up and maintain resilient ICT systems and tools to identify and minimize ICT risk on a continuous basis. Establish and implement a management process to monitor, classify and report major ICT-related incidents to competent authorities. Test the operational resilience included in the ICT risk management framework to identify weaknesses, deficiencies or gaps. Assess, monitor and document ICT third-party risk and ensure all contracts with such parties state their obligations under the act. Critical ICT third-party service providers in the financial sectors to adhere to an oversight framework.
  • 6. Article 17- “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” • Review the incident management process from top to bottom • Ensure that the incident management function is fit for purpose • Test the plans regularly to identify gaps and continually improve them ”At least Major ICT-related incidents are reported to relevant senior management” DORA and ICT- related Incident Management ICT related incident management, classification and reporting (Chapter III) ICT related incident management process (Article 17) Classification of ICT- related incidents and cyber threats (Article 18) Reporting of major ICT- related incidents and voluntary notification of significant cyber threats (Article 19) Harmonization of reporting content and templates (Article 20))
  • 7. ICT-related incident reporting decision tree ICT related incident management, classification and reporting (Chapter III) ICT related incident management process (Article 17) Classification of ICT- related incidents and cyber threats (Article 18) Reporting of major ICT- related incidents and voluntary notification of significant cyber threats (Article 19) Harmonization of reporting content and templates (Article 20)) Source: Joint Committee of the European Supervisory Authorities
  • 8. The current recommendations being considered are: • Initial notification – 4 hours from the incident being classified as major and not later than 24 hours • Intermediate report- 72 hours or before if • Final report- within 1 month* Source: https://www.esma.europa.eu/document/final-report-draft-rts- classification-major-incidents-and-significant-cyber-threats ICT- related incident reporting ICT related incident management, classification and reporting (Chapter III) ICT related incident management process (Article 17) Classification of ICT- related incidents and cyber threats (Article 18) Reporting of major ICT- related incidents and voluntary notification of significant cyber threats (Article 19) Harmonization of reporting content and templates (Article 20))
  • 9. ISO/IEC 27005 • ISO 27005 is the international standard that describes how to conduct an information security risk assessment. • ISO 27001 requires you to demonstrate evidence of information security risk management, risk actions taken and how relevant controls from Annex A have been applied. • ISO 27005 is applicable to all organizations and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • 10. ISO/IEC 27005 and DORA • Examples of Consequence Scales • Example of likelihood scale • Asset types (primary and supporting) • Examples and usual methods of attack • Examples of target objectives • Examples of threats and vulnerabilities • Methods to assess vulnerabilities
  • 11. The rise of Artificial Intelligence - challenges Source: CyberArk
  • 12. AI specific threats Adversarial data poisoning Data scarcity Unauthorized access to AI/ML model source code Overloading machine learning models Introduction of selection bias Input data manipulation Label manipulation and inaccuracy AI voice cloning Model extraction attacks Deepfake video Artificial Intelligence Threats Source: CRMG
  • 13. EU AI Act: first regulation on artificial intelligence In April 2021, the European Commission proposed the first EU regulatory framework for AI. AI systems that can be used in different applications are analysed and classified according to the risk they pose to users. Unacceptable risk AI systems are systems considered a threat to people and will be banned (e.g. Cognitive behavioural manipulation and biometric identification and categorisation of individuals). High risk AI systems that negatively affect safety or fundamental rights will be considered high risk. Transparency requirements, such as generative AI, like ChatGPT, will not be classified as high-risk, but will have to comply with transparency requirements and EU copyright law.
  • 14. Treating AI as ‘just another system’ • Consider using ISO/IEC 42001 and/or the creation of an Artificial Intelligence Management System (AIMS) to manage the risk associated with AI and to comply with new (DORA) and future legislation • All management systems require management commitment, mandate and the proper resourcing to operate adequately • Like ISO 27001 the standard is flexible and can be adapted to all organizations, regardless of size and complexity • Independent assurance will engender trust for an FE with internal and external stakeholders Fairness Transparency Accountability Reliability and safety Privacy and Security
  • 15. Fictious Financial Entity (FFE) Relevance of ISO 42001 for DORA AIMS Financial Service Business Intelligence Digital payments AI Threat Intelligence SecOps Saas Anti-Fraud AMLaaS • Financial Service • AI Internal residing in Private Cloud • Data Analytics -3rd Party • SaaS AI service-3rd Party • SecOps SaaS- 3rd party provider AI • AI anti-malware • Automated Incident reporting within the organization and to the authorities • Automated incident response • AI Threat intelligence- 3rd party provider • Anti-Money Laundering as Service utilizing AI • Business Intelligence- 3rd party
  • 16. • Organizations will need to gain assurance that third parties have performed their due diligence on their use of AI. This is required to manage any threats posed using AI. • Examples of AI controls that are linked to AI threats and AI enabled threats: Testing third party use of AI AI control AI control description Data Validation and Sanitization Implement strict data validation and sanitization processes to ensure that incoming data (especially the data used for training machine learning models) is clean, accurately labeled, and free from malicious modifications. Anomaly Detection Systems Use anomaly detection systems to monitor data and model behavior for signs of poisoning or other anomalies. This can help in identifying and mitigating attacks early. Incident Response Plan Have a well-defined incident response plan that includes procedures for dealing with data poisoning attacks. This should involve steps for isolating affected systems, analyzing the attack, and restoring system integrity. Source: CRMG
  • 17. Clear emphasis in DORA on managing third parties Source: EIOPA
  • 18. Enhancing third party management Triage critical third parties Define security requirements Gain assurance from the third party Implement security control gaps Typical approach to assess third parties Objective: To identify your critical third parties Activity: Use the requirements in ISO/IEC 27005 to scope the third party (e.g. type of information shared, hosting and business impact assessment) in addition to AI threats. Objective: To define third party security controls Activity : Interpret the DORA requirements for third parties and create a security requirements questionnaire based on the service provided by the third party. Objective: To understand control gaps from the third party Activity : Third party responds to the tailored questionnaire provided to them and shares evidence/artefacts with the requesting organization Objective: To fix third party control gaps Activity : Third party applies resources to provide assurance that security gaps have been addressed. This may include utilizing AI for efficiency over deploying technical controls Agree Third Party Contracts/SLAs Objective: To include contract clauses agreed by the third party Activity : The security requirements interpreted from the DORA regulation are formalized into a contract between the main organization and its third parties. AI-specific controls are also included, which are mapped to specific AI threats.
  • 19. Key Takeaways  Become aware of the new DORA regulations and the roadmap towards implementation in 2025  Utilize ISO/IEC 27005 to focus on enhancing the approach to incident management within DORA  Assess third parties against the requirements in DORA, supported by understanding their criticality through 27005.  Support the implementation of security measures in third parties, providing assistance where necessary that utilizes AI  Establish continuous improvement of your and third-party security requirements as new threats evolve.

Editor's Notes

  1. The extended use of ICT systems increases the efficiencies of internal process and the user experience for the customers, however it also introduces risks and vulnerabilities, which may make financial entities expose to cyber-attacks or incidents. If not managed properly, ICT risks could lead to the disruptions of financial services that are often offered across borders and can have far-reaching effects on other companies, sectors, or even the rest of the economy. The risk of such cross-border and cross-sectoral disruptions highlights the importance of digital operational resilience of the financial sector.
  2. Risk framework: also set up protection and prevention measures, and establish dedicated and comprehensive business continuity policies and disaster recovery plans.
  3. To operationalise the application, DORA mandates the European Supervisory Authorities (ESAs) to prepare jointly, through the Joint Committee (JC), a set of policy products with two main submission deadlines 17 January 2024 (first batch) and 17 June 2024 (second batch) as highlighted in the picture. The standards set out requirements for all financial entities with respect to: (i) ICT security policies, procedures, protocols and tools (including requirements on: governance, ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical security, ICT and information security awareness and training); (ii) Human resources policy and access control; (iii) ICT-related incident detection and response, (iv) ICT business continuity management, (v) Report on the ICT risk management framework review; and (vi) Proportionality
  4. DORA imposes requirements on Financial Entities, referred to as FE, to define, establish and implement ICT related incident management process which aligns with ISO 27001. The Act mentions 'early-warning' indicators, a means to detect malicious activity as soon as possible. Similarly to ISO 27001, FE's must have in place the requisite policies, procedures, processes and people to manage incidents from detection to recovery (if needed). The requirements outlined in Article 17 including detection, management and notification align with best practice guidance regarding incident management. FE's are encouraged to ensure their incident mangement process, procedures and people are prepared and that the FE continuously improves its incident management processes (see Article 17' mention of root cause for example). The FE should investigate whether the process is still fit for purpose to ensure compliance with DORA. Is the process continually improved? Is root cause analysis regularly performed and are the actions implemented? Are staff aware of their roles and responsibilities and can they execute them adequately?
  5. 1. the ESAs have arrived at the view that the initial notification shall be submitted four hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection of the incident after the FE has classified the incident as major. 2. the ESAs have arrived at the view that the most appropriate timeline for submission of the intermediate report is 3 days (72 hours) after the classification of the incident as major. In addition, the ESAs have arrived at the view that regular activities of the FE can be recovered earlier and have specified in the RTS that FEs shall submit the intermediate report to Cas ‘within 72 hours from the classification of the incident as major, or sooner when regular activities have been recovered and business is back to normal’. 3. The ESAs have arrived at the view that 1 month (30 days) will be the most appropriate timeline since it will provide sufficient time for FEs to obtain all relevant information, while allowing CAs to receive the information without significant delay after the submission of the intermediate report. Note:  The ESAs have also envisaged cases where the FE may not be in a position to submit an initial notification, intermediate report or final report within the timelines set out in Article 2 of the draft RTS and have introduced in Article 4 of the draft ITS the possibility for FEs to submit the notification/report with a delay, in which case, FEs shall inform their competent authority without undue delay and shall explain the reasons why.
  6. ISO/IEC 27005 does not specify or recommend specific risk management methods in detail. Instead, it discusses the process in more general/overall terms, drawing on the generic risk management method described by ISO 31000[3] i.e.: Identify and assess the risks; Decide what to do about the risks (how to 'treat' them) ... and do it; Monitor the risks, risk treatments etc., identifying and responding appropriately to significant changes, issues/concerns or opportunities for improvement; Keep stakeholders (principally the organization's management) informed throughout the process.
  7. ISO 27005 can be used to assist organizations in establishing and maintaining compliance with DORA. Utilize the standard to threat model critical services with the required staff with a holistic approach. To support the effort, ensure that updated diagrams are available to discuss with the group of experts and establish boundaries to start the conversation. The outcome of the discussion may contribute to improving the security posture of the organization by identifying gaps that may not be obvious. An organization can address ICT risk management vulnerabilities, incident handling, resilience and a host of other information security challenges by regularly engaging in this activity.
  8. Impersonation, denial of service, brute force attacks – threats very similar in nature to before but now much more advanced in terms of speed, accuracy and potential to convince that communication is reliable when generated through AI.
  9. Adversarial data poisoning - Intentional Corrupting a training model for machine learning to compromise model integrity e.g. by replacing a legitimate model file by a poisoned model file on a cloud-hosted filesystem Data scarcity - Accidental Limiting the quantity of data available for AI/ML models by targeted attacks, therefore impacting functional capabilities as AI relies on the availability of consistent and accessible data Unauthorized access to AI/ML model source code - Intentional Gaining unauthorized source code access to exfiltrate IP (such as model parameters) and/or identify model weaknesses e.g. dependent library vulnerabilities Overloading machine learning models - Maliciously adding random samples to the set of training data to deny basic model availability by preventing the model from computing any meaningful inference Introduction of selection bias - Intentional Selection bias may be accidentally or purposefully introduced in raw datasets which may affect subsequent inference and overall trustworthiness of the platform Input data manipulation - Manipulating input data fed into the system to alter the output to serve attacker objectives Label manipulation and inaccuracy - Intentional Mislabeling, or adversarial modifications of data labels in supervised machine learning models to generate inaccurate model results AI voice cloning - The creation of an artificial simulation of a person's voice that can be used for adversarial means. Example: Artificial cloning of a senior managers voice to facilitate a financial transfer orchestrated by a hacking group. Model extraction attacks - This involves an attacker querying an AI model (for example, an API providing machine learning as a service) with the goal of reconstructing a copy of the model. This can be used for unauthorized purposes, including creating competitive services or finding weaknesses in the model for exploitation. Deepfake video - Intentional Use of AI to create video deepfakes to impersonate trusted individuals, tricking victims into revealing sensitive information or making unauthorized transactions.
  10. 1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts. 2) AI systems falling into specific areas that will have to be registered in an EU database: Management and operation of critical infrastructure Education and vocational training Employment, worker management and access to self-employment Access to and enjoyment of essential private services and public services and benefits Law enforcement Migration, asylum and border control management Assistance in legal interpretation and application of the law. Next steps The agreed text is expected to be finally adopted in April 2024. It will be fully applicable 24 months after entry into force, but some parts will be applicable sooner: The ban of AI systems posing unacceptable risks will apply six months after the entry into force Codes of practice will apply nine months after entry into force Rules on general-purpose AI systems that need to comply with transparency requirements will apply 12 months after the entry into force High-risk systems will have more time to comply with the requirements as the obligations concerning them will become applicable 36 months after the entry into force.
  11. DORA has been very clear on focusing on ICT and, in particular third parties used by financial institutions as a recognized ‘gap’ in an organisation’s threat landscape.
  12. Here are the main ways in which AI is used in cybersecurity: Threat detection. AI can act as a filter for analyzing files and software code to identify potential malware threats while avoiding false positives. Machine learning algorithms can be trained for threat detection to recognize patterns and characteristics of known malware and flag any new code that matches these patterns. Network security. AI algorithms can analyze network traffic data to detect patterns and anomalies indicating an attempted intrusion or attack. AI can flag any deviations from this baseline as potential threats by learning what normal network traffic patterns look like. Behavioral analysis. AI can be used to analyze user behavior and detect anomalies that may indicate unauthorized access or malicious activity using machine learning. This allows for more effective user activity monitoring and detection of potential threats while limiting false positives. Automated incident response. AI-based systems can be used to automatically respond to detected threats, like shutting down connections, quarantining infected machines, and disabling user accounts. Advanced machine learning models help to contain hacking attempts and minimize potential damage. Vulnerability assessment. AI can identify potential vulnerabilities in systems and networks. This allows for proactive measures to be taken to mitigate potential threats before they can be exploited.
  13. This slide shows how ISO/IEC 27005, DORA and AI could be used to enhance the third party management process. Building on the emphasis in DORA on securing third parties, the risk assessment elements of ISO/IEC 27005 and the advantages of greater efficiency of AI supported security controls could be applied to the requirements in DORA for third parties. Integrated artificial intelligence systems have the potential to be trained for the automatic identification of cyber threats, alerting users, and safeguarding sensitive information of businesses. most cybersecurity tools integrate deep learning and other capabilities intended to work with big data. Here are the main ways in which AI is used in cybersecurity: Threat detection. AI can act as a filter for analyzing files and software code to identify potential malware threats while avoiding false positives. Machine learning algorithms can be trained for threat detection to recognize patterns and characteristics of known malware and flag any new code that matches these patterns. Network security. AI algorithms can analyze network traffic data to detect patterns and anomalies indicating an attempted intrusion or attack. AI can flag any deviations from this baseline as potential threats by learning what normal network traffic patterns look like. Behavioral analysis. AI can be used to analyze user behavior and detect anomalies that may indicate unauthorized access or malicious activity using machine learning. This allows for more effective user activity monitoring and detection of potential threats while limiting false positives. Automated incident response. AI-based systems can be used to automatically respond to detected threats, like shutting down connections, quarantining infected machines, and disabling user accounts. Advanced machine learning models help to contain hacking attempts and minimize potential damage. Vulnerability assessment. AI can identify potential vulnerabilities in systems and networks. This allows for proactive measures to be taken to mitigate potential threats before they can be exploited.