RT
Uploaded byRd. R. Agung Trimanda
PPTX, PDF145 views

Resume: The Complete Guide to Cybersecurity Risks and Controls

The document discusses cybersecurity risks and controls. It begins by defining cybersecurity and noting that 46% of the world's population is connected to the internet. It then discusses common threat vectors and the industries most targeted by espionage. The document emphasizes the importance of cybersecurity management and outlines standard guidance documents. It describes the key elements of effective cybersecurity as including policies, governance, personnel security, and controls related to assets, access, operations, networks, software and more. Finally, it discusses integrating security across an organization's infrastructure.

Embed presentation

Downloaded 10 times
Resume: The Complete Guide to Cybersecurity Risks and Controls Rd. R. Agung T. EL5261 – Manajemen Resiko Keamanan Informasi Anne Kohnke,Dan Shoemaker,Ken Sigler",The Complete Guide to Cybersecurity Risks and Controls,CRC Press Taylor and Prancis Group,2016
The increasing prevalence and severity of malicious cyberenabled activities… Constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat. Barack Obama, President of the United States, 2015 4/14/2018
What is Cybersecurity? • The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this (Oxford English Dictionary) • 46% populasi dunia terhubung ke jaringan internet [1] THREAT VECTORS BY INDUSTRY The vectors by which industries are compromised. Source: Verizon 2015 Data Breach Investigations Report [1] Cybersecurity: Threats, Challenges, and Opportunities by ACS 4/14/2018
TOP 10 Espionage Targeted Industries The most targeted industries in 2015. Source: Verizon 2015 Data Breach Investigations Report EASY HACKS, EASY BREACHES Source: Verizon 2016 Data Breach Investigations Report 4/14/2018
China 37.01 US 17.88 UK 10.21 India 7.43 Spain 6.03 Korea 4.53 Russian Federation 4.45 Germany 4.29 Australia 4.18 Taiwan 4 Top sources of mitigated DDoS attacks on Akamai’s network. Source: Akamai State of the Internet Report, Q2 2015 4/14/2018
Why Cybersecurity Management is Important? • World Wide Web sudah mulai popular pada pertengahan 1990-an • Sindrom “Six Blind Men and an Elephant” 4/14/2018
Cybersecurity Controls • Accurately identify and authenticate all entities seeking access to a system • Authorize access to only those objects that the entity’s level of trust permits • Monitor and control activities during the time that the entity is granted access • Ensure against unauthorized access, or manipulation of data • Ensure against unauthorized manipulation of system objects 4/14/2018
the Disiplines of Cybersecurity • The confusion about what constitutes the proper elements of the field originates in the fact that the profession of cybersecurity could potentially comprise concepts from a number of disciplines. Some content from all of these disciplines might reasonably fall within legitimate boundaries. That includes such diverse areas as shown in Figure 4/14/2018
Standard Guidance • International Organization for Standardization (ISO) 27000 Information Security Standard. • The second is the National Institute for Standards and Technology (NIST) and its Federal Information Processing Standards (FIPS) 200 Framework, as implemented by NIST 800- 53 • The third and perhaps more influential are the Information System Audit and Control Association (ISACA) and its Control Objectives for IT (COBIT) Model 4/14/2018
Standard Guidance • COBIT and ISO 27000 are primarily oriented toward conventional business IT in their practical use. NIST 800-53 satisfies the requirements of the Federal Information Security Management Act (FISMA), and is used in all healthcare organizations to substantiate meaningful use with their electronic health records systems. 4/14/2018
Control or Countermeasure 1. Policy 2. Governance control 3. Personnel security 4. Physical and environmental security 5. Asset management 6. Access control 7. Security of operations 8. Network security 9. Computer security 10.Software development and maintenance security 11.Acquisition 12.Incident management 13.Compliance 14.Continuity 15.Elements of human factors such as training and education 4/14/2018
IT Governance • Top-down effectively describes the strategic approach and purposes of information governance 4/14/2018
Security and Control • Every organization has a basic need to understand the status of its own IT systems and to decide the level of security and control they should provide. Neither aspect of this issue—understanding or deciding on the required level of control—is straightforward. Furthermore, it is hard to get an objective view of what should be measured and how. 4/14/2018
Security and Control 4/14/2018
Important Resources • Most important is the need for them to be measurable. They need to focus on the resources most important to the process and be driven by generic business needs including: – Cost efciency – Productivity – Defects – Cycle time – Quality and innovation – Computing performance – Stakeholder satisfaction – Staff competency – Benchmark comparisons 4/14/2018
Control Framework Assumptions • In order to effectively and efficiently achieve those outcomes—for example, the desired information—the process has to be rationally and optimally managed. And to satisfy business objectives, the information must directly support the business need. Thus, the following dozen generic requirements tend to appear in most frameworks 1. Security requirements 2. Quality requirements 3. Confidentiality 4. Integrity 5. Availability 6. Cost 7. Service delivery 8. Fiduciary responsibility 9. Effectiveness and efficiency of operations 10. Reliability of information 11. Compliance with laws and regulations 12. Definition of concepts 4/14/2018
IT Security control frameworks overview 4/14/2018
• Effective information security governance should result in six outcomes to include (Information Systems Audit and Control Association [ISACA], 2012) the following: – Strategic alignment – Risk management – Business process management/value delivery – Resource management – Performance management – Integration 4/14/2018
Information Security Governance • The organization’s executive management team is then responsible for ensuring the needed infrastructure, resources, and organizational function are made available to carry out the directives of the board and any governmental regulatory agency that is required • CISO or Chief Information Security Officer have responsibility and authority over the full scope and breadth of information security activity. • CISO develops, oversees, and manages the information security program and initiatives to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security training and awareness. 4/14/2018
What is Control? • Controls are a security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The main focus of control formulation and development should be on the security of hardware, telecommunications, and software. Moreover, the level of control implementation chosen should protect sensitive information in one of the following three states: data at rest, data in transit, and data in process. 4/14/2018
Seven distinct outcomes of safeguarded information 4/14/2018
Information Security Integrated • Integrating information security into organizational infrastructure requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed and risk to the organization from information systems is managed efficiently and cost effectively. 4/14/2018
Kesimpulan 4/14/2018
Sumber: 4/14/2018
Terima Kasih… 4/14/2018

More Related Content

PDF
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
byEnterpriseGRC Solutions, Inc.
 
PPTX
cybersecurity analyst.pptx
byBoni Yeamin
 
PDF
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
PPTX
Basic introduction to iso27001
byImran Ahmed
 
PDF
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PDF
Cisco cybersecurity essentials chapter - 6
byMukesh Chinta
 
PDF
Soc 2 vs iso 27001 certification withh links converted-converted
byVISTA InfoSec
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
byEnterpriseGRC Solutions, Inc.
 
cybersecurity analyst.pptx
byBoni Yeamin
 
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
Basic introduction to iso27001
byImran Ahmed
 
From NIST CSF 1.1 to 2.0.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
NIST cybersecurity framework
byShriya Rai
 
Cisco cybersecurity essentials chapter - 6
byMukesh Chinta
 
Soc 2 vs iso 27001 certification withh links converted-converted
byVISTA InfoSec
 

Similar to Resume: The Complete Guide to Cybersecurity Risks and Controls

PPTX
Cissp- Security and Risk Management
byHamed Moghaddam
 
PDF
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
PDF
Chapter 6 Security of Information and Cyber Security(FASS)
byMd Shaifullar Rabbi
 
PPTX
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
PPTX
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
bymacraaiclass
 
PPTX
Types of Security in Industrial Security
byRJCubillo
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PPTX
Cybersecurity-Course.9643104.powerpoint.pptx
byAfsanaMumal2
 
PDF
Introduction to Cybersecurity.pdf
byssuserf98dd4
 
PPTX
Cloud Security.pptx
byBinod Rimal
 
PDF
IT Control Framework
byMarc-Andre Heroux
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PPTX
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
byhamzaalkhairi802
 
DOCX
Security architecture principles isys 0575general att
bySHIVA101531
 
PPTX
D1 security and risk management v1.62
byAlliedConSapCourses
 
PPTX
Topic11
byAnne Starr
 
PPTX
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
byAdam Levithan
 
PPTX
IT Security & Risk
byTanujpandey5
 
Cissp- Security and Risk Management
byHamed Moghaddam
 
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
Chapter 6 Security of Information and Cyber Security(FASS)
byMd Shaifullar Rabbi
 
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
CISSP- Security & Risk Management-Domain 1 Overview-Edited.pptx
bymacraaiclass
 
Types of Security in Industrial Security
byRJCubillo
 
1. Security and Risk Management
bySam Bowne
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
Cybersecurity-Course.9643104.powerpoint.pptx
byAfsanaMumal2
 
Introduction to Cybersecurity.pdf
byssuserf98dd4
 
Cloud Security.pptx
byBinod Rimal
 
IT Control Framework
byMarc-Andre Heroux
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
byhamzaalkhairi802
 
Security architecture principles isys 0575general att
bySHIVA101531
 
D1 security and risk management v1.62
byAlliedConSapCourses
 
Topic11
byAnne Starr
 
Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC
byAdam Levithan
 
IT Security & Risk
byTanujpandey5
 

Recently uploaded

PPTX
Employee Motivation Practices at the National Bank of Abu Dhabi (NBAD)
byjammujaleel81
 
PPTX
CH5 PROJECT IMPLEMENTATION, MONITORING & EVALUATION
byAtoshe Elmi
 
PPTX
nursing care delivery model16_Scenarios_Tutorials.pptx
bysofiamansoor4
 
PDF
Agile's Post-Transformation Era (RSG-Banff 2025).pdf
byRichard Dolman
 
PPTX
14 Management Principles by Henri Fayol (Overview)
bySujan Chaudhary
 
PDF
Inspiring Global Change_ How the ICC Geller Fellowship Develops Tomorrow’s Le...
byJacob Baime ICC
 
PPTX
Types_of_Training_and_Executive_Development (2).pptx
byyuvarania5
 
PDF
PPST.RP_Module 9.pdf Selected, developed, organized and used appropriate teac...
byMARYJANEISRAEL3
 
PDF
Future Trends in Knowledge Management Systems
byWritegenic AI
 
PPTX
global trend chapter three power point .
bydessiea134
 
Employee Motivation Practices at the National Bank of Abu Dhabi (NBAD)
byjammujaleel81
 
CH5 PROJECT IMPLEMENTATION, MONITORING & EVALUATION
byAtoshe Elmi
 
nursing care delivery model16_Scenarios_Tutorials.pptx
bysofiamansoor4
 
Agile's Post-Transformation Era (RSG-Banff 2025).pdf
byRichard Dolman
 
14 Management Principles by Henri Fayol (Overview)
bySujan Chaudhary
 
Inspiring Global Change_ How the ICC Geller Fellowship Develops Tomorrow’s Le...
byJacob Baime ICC
 
Types_of_Training_and_Executive_Development (2).pptx
byyuvarania5
 
PPST.RP_Module 9.pdf Selected, developed, organized and used appropriate teac...
byMARYJANEISRAEL3
 
Future Trends in Knowledge Management Systems
byWritegenic AI
 
global trend chapter three power point .
bydessiea134
 

Resume: The Complete Guide to Cybersecurity Risks and Controls

  • 1.
    Resume: The CompleteGuide to Cybersecurity Risks and Controls Rd. R. Agung T. EL5261 – Manajemen Resiko Keamanan Informasi Anne Kohnke,Dan Shoemaker,Ken Sigler",The Complete Guide to Cybersecurity Risks and Controls,CRC Press Taylor and Prancis Group,2016
  • 2.
    The increasing prevalenceand severity of malicious cyberenabled activities… Constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat. Barack Obama, President of the United States, 2015 4/14/2018
  • 3.
    What is Cybersecurity? •The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this (Oxford English Dictionary) • 46% populasi dunia terhubung ke jaringan internet [1] THREAT VECTORS BY INDUSTRY The vectors by which industries are compromised. Source: Verizon 2015 Data Breach Investigations Report [1] Cybersecurity: Threats, Challenges, and Opportunities by ACS 4/14/2018
  • 4.
    TOP 10 EspionageTargeted Industries The most targeted industries in 2015. Source: Verizon 2015 Data Breach Investigations Report EASY HACKS, EASY BREACHES Source: Verizon 2016 Data Breach Investigations Report 4/14/2018
  • 5.
    China 37.01 US 17.88 UK10.21 India 7.43 Spain 6.03 Korea 4.53 Russian Federation 4.45 Germany 4.29 Australia 4.18 Taiwan 4 Top sources of mitigated DDoS attacks on Akamai’s network. Source: Akamai State of the Internet Report, Q2 2015 4/14/2018
  • 6.
    Why Cybersecurity Managementis Important? • World Wide Web sudah mulai popular pada pertengahan 1990-an • Sindrom “Six Blind Men and an Elephant” 4/14/2018
  • 7.
    Cybersecurity Controls • Accuratelyidentify and authenticate all entities seeking access to a system • Authorize access to only those objects that the entity’s level of trust permits • Monitor and control activities during the time that the entity is granted access • Ensure against unauthorized access, or manipulation of data • Ensure against unauthorized manipulation of system objects 4/14/2018
  • 8.
    the Disiplines ofCybersecurity • The confusion about what constitutes the proper elements of the field originates in the fact that the profession of cybersecurity could potentially comprise concepts from a number of disciplines. Some content from all of these disciplines might reasonably fall within legitimate boundaries. That includes such diverse areas as shown in Figure 4/14/2018
  • 9.
    Standard Guidance • InternationalOrganization for Standardization (ISO) 27000 Information Security Standard. • The second is the National Institute for Standards and Technology (NIST) and its Federal Information Processing Standards (FIPS) 200 Framework, as implemented by NIST 800- 53 • The third and perhaps more influential are the Information System Audit and Control Association (ISACA) and its Control Objectives for IT (COBIT) Model 4/14/2018
  • 10.
    Standard Guidance • COBITand ISO 27000 are primarily oriented toward conventional business IT in their practical use. NIST 800-53 satisfies the requirements of the Federal Information Security Management Act (FISMA), and is used in all healthcare organizations to substantiate meaningful use with their electronic health records systems. 4/14/2018
  • 11.
    Control or Countermeasure 1.Policy 2. Governance control 3. Personnel security 4. Physical and environmental security 5. Asset management 6. Access control 7. Security of operations 8. Network security 9. Computer security 10.Software development and maintenance security 11.Acquisition 12.Incident management 13.Compliance 14.Continuity 15.Elements of human factors such as training and education 4/14/2018
  • 12.
    IT Governance • Top-downeffectively describes the strategic approach and purposes of information governance 4/14/2018
  • 13.
    Security and Control •Every organization has a basic need to understand the status of its own IT systems and to decide the level of security and control they should provide. Neither aspect of this issue—understanding or deciding on the required level of control—is straightforward. Furthermore, it is hard to get an objective view of what should be measured and how. 4/14/2018
  • 14.
  • 15.
    Important Resources • Mostimportant is the need for them to be measurable. They need to focus on the resources most important to the process and be driven by generic business needs including: – Cost efciency – Productivity – Defects – Cycle time – Quality and innovation – Computing performance – Stakeholder satisfaction – Staff competency – Benchmark comparisons 4/14/2018
  • 16.
    Control Framework Assumptions •In order to effectively and efficiently achieve those outcomes—for example, the desired information—the process has to be rationally and optimally managed. And to satisfy business objectives, the information must directly support the business need. Thus, the following dozen generic requirements tend to appear in most frameworks 1. Security requirements 2. Quality requirements 3. Confidentiality 4. Integrity 5. Availability 6. Cost 7. Service delivery 8. Fiduciary responsibility 9. Effectiveness and efficiency of operations 10. Reliability of information 11. Compliance with laws and regulations 12. Definition of concepts 4/14/2018
  • 17.
    IT Security controlframeworks overview 4/14/2018
  • 18.
    • Effective informationsecurity governance should result in six outcomes to include (Information Systems Audit and Control Association [ISACA], 2012) the following: – Strategic alignment – Risk management – Business process management/value delivery – Resource management – Performance management – Integration 4/14/2018
  • 19.
    Information Security Governance •The organization’s executive management team is then responsible for ensuring the needed infrastructure, resources, and organizational function are made available to carry out the directives of the board and any governmental regulatory agency that is required • CISO or Chief Information Security Officer have responsibility and authority over the full scope and breadth of information security activity. • CISO develops, oversees, and manages the information security program and initiatives to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security training and awareness. 4/14/2018
  • 20.
    What is Control? •Controls are a security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The main focus of control formulation and development should be on the security of hardware, telecommunications, and software. Moreover, the level of control implementation chosen should protect sensitive information in one of the following three states: data at rest, data in transit, and data in process. 4/14/2018
  • 21.
    Seven distinct outcomesof safeguarded information 4/14/2018
  • 22.
    Information Security Integrated •Integrating information security into organizational infrastructure requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed and risk to the organization from information systems is managed efficiently and cost effectively. 4/14/2018
  • 23.
  • 24.
  • 25.

Editor's Notes

  • #3 Meningkatnya prevalensi dan tingkat keparahan kegiatan cyberenicious jahat ... merupakan ancaman yang tidak biasa dan luar biasa terhadap keamanan nasional, kebijakan luar negeri dan ekonomi Amerika Serikat. Dengan ini saya menyatakan darurat nasional untuk menangani ancaman ini.
  • #4 Keadaan yang dilindungi terhadap penggunaan data elektronik secara kriminal atau tidak sah, atau tindakan yang diambil untuk mencapainya (Oxford English Dictionary)
  • #7 Sadar atau tidak, bahwa selama kegiatan berlangsung (pertengahan 90an, atau sekitar 30 tahun), Tantangan untuk menghasilkan solusi yang menyeluruh berasal dari sindrom “Six Blind Men and an Elephant”, terdapat bagian bagian yang diketahui untuk dilindungi seperti bagian pada gajah yang the blind man sentuh, namun solusi yang ditawarkan adalah ketika kita dapat mengetahui keseluruhan bentuk dari gajah tersebut. Effective solutions can only be based on whole system approaches. Or in simple terms, “You are not secure if you are not completely secure.” Kontrol keamanan harus dirancang dan disusun dengan tepat.
  • #9 Kebingungan tentang apa yang merupakan unsur-unsur yang tepat dari lapangan berasal dari fakta bahwa profesi cybersecurity berpotensi terdiri dari konsep-konsep dari sejumlah disiplin ilmu. Beberapa konten dari semua disiplin ini mungkin masuk dalam batas yang sah. Itu termasuk berbagai bidang seperti berikut: Intinya bingung nentuin profesi dari cybersecurity itu seperti apa dan terdiri dari siapa aja sehingga bisa terdiri dari berbagai disiplin ilmu maka terbentuk bagan seperti itu.
  • #11 COBIT dan ISO 27000 terutama berorientasi pada TI bisnis konvensional dalam penggunaan praktisnya. NIST 800-53 memenuhi persyaratan Undang-Undang Pengelolaan Keamanan Informasi Federal (FISMA), dan digunakan di semua organisasi perawatan kesehatan untuk membuktikan penggunaan yang berarti dengan sistem catatan kesehatan elektronik mereka.
  • #13 Responsibilities and function of IT Governance shows at Figure
  • #14 Setiap organisasi memiliki kebutuhan dasar untuk memahami status sistem TI sendiri dan untuk memutuskan tingkat keamanan dan kontrol yang harus mereka sediakan. Tidak ada aspek dari masalah ini — memahami atau memutuskan tingkat kontrol yang diperlukan — sangat mudah. Lebih jauh lagi, sulit untuk mendapatkan pandangan objektif tentang apa yang harus diukur dan bagaimana.
  • #15 Selain kebutuhan untuk mengukur di mana organisasi berada, ada persyaratan untuk memastikan peningkatan yang berkelanjutan di bidang keamanan dan kontrol TI. Ini menyiratkan perlunya array garis pelaporan yang akan memungkinkan eksekutif yang sibuk untuk memantau proses dimana keamanan umum aset informasinya diimplementasikan dan dipelihara. Proses pemantauan harus membahas masalah manajemen seperti
  • #19 Strategic alignment—security activities must be aligned with the business strategy to support the organization objectives. Security solutions take into account the governance style, organizational culture, technology deployed, and the structure of the organization. 2. Risk management—risk mitigation should be based on the organization’s risk profile, acceptable levels of risk, understanding of risk exposure, and the potential impact/consequences of residual risk. 3. Business process management/value delivery—this includes the integration of all relevant information assurance processes and practices to maximize the effectiveness and efficiency of security activities. 4. Resource management—efficient and effective use of information security knowledge and infrastructure to ensure knowledge is captured and available to develop and document security processes and practices. 5. Performance management—develops a measurement process, aligned with strategic objectives, to aid in effective decision making. This includes continuous monitoring and reporting of information security processes and independent external assessments and audits. 6. Integration—ensures that processes function as intended from end to end
  • #22 The first of these is “effective” Effectiveness pertains to the relevance and value of the information to the business process. To be effective, the information also must be delivered in a timely, correct, consistent, and usable manner. The second factor is “efficiency” Efficiency underwrites the provision of information through the optimal, that is, most productive and economical use of resources. The third factor is “confidentiality” Confidential describes the protection of sensitive information from unauthorized disclosure. The fourth factor is "integrity" Integrity designates the accuracy and completeness of information as well as to its validity in accordance with business values and Expectations The fifth factor is “available” Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. The sixth factor is “compliant” Compliance ensures that the organization complies with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria. The final factor is “reliable” Reliability designates that the appropriate information is trustworthy and dependable enough for management to operate the organization and for management to exercise its fnancial and compliance reporting responsibilities.