ADOPTING A RISK-BASED APPROACH TO CYBERSECURITY. 2ND INFOCOM SECURITY CYPRUS, MAY 14 2019. ISACA CYPRUS CHAPTER


Page 1:

ADOPTING A RISK-BASED APPROACH TO CYBERSECURITY

2ND INFOCOM SECURITY CYPRUS, MAY 14 2019

ISACA CYPRUS CHAPTER

Page 2:

5/12/2019 © 2018 ISACA. All Rights Reserved.

Paschalis Pissarides, CRISC, CISM, CISA, CPA, CFE, CSXf

• Certified by ISACA International to teach the CSX Cybersecurity Fundamentals Workshop, as well as the CISA, CISM and CRISC review courses.

• Have been in the field of Information Security for over 20 years in the Cyprus Banking sector.

• Previously worked for 9 years as Senior Information Systems Auditor at USA Group, a company based in Indianapolis, USA.

• Past President of ISACA Indiana Chapter, USA (1995-96).

• Founding member and past President of the ISACA Cyprus Chapter (2011-2015). Currently serving on its Board of Directors as the Academic Relations Director.

• Received an undergraduate degree in Management Information Systems & Accounting, an MBA in Finance, and a Master's degree in Political Science from Bowling Green State University, Ohio, USA.

• Actively involved as a speaker in seminars and conferences in Cyprus and abroad in the areas of information security, information systems auditing and risk management. Have taught the CISA exam preparation course over the years.

Page 3:

WHAT IS CYBERSECURITY?

"The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems."

Page 4:

CYBERSECURITY ROLES

BOARD OF DIRECTORS
Identifies key assets and verifies that protection levels and priorities are appropriate.

EXECUTIVE COMMITTEE
Sets the tone for cybersecurity management and ensures that the necessary functions, resources and infrastructure are available and properly utilized.

SECURITY MANAGEMENT
Develops security and risk mitigation strategies, develops information security policy, ensures compliance, and manages incidents and remediation.

CYBERSECURITY PRACTITIONERS
Design, implement and manage processes and technical controls, and respond to events and incidents.

Page 5:

SITUATIONAL AWARENESS

Cybersecurity professionals must have an awareness of the environment in which they operate:

• Each organization has its own distinct culture.

• Every organization faces its own unique challenges and risk based on the nature of its business.

• The business environment in particular tends to drive risk decisions. A small startup company may be much more tolerant of risk than a large, well-established corporation or a financial institution.

• Internal and external factors can directly impact an organization and its security needs, including:

o Business plans and business environment

o Available information technology, and security processes and security tools in particular

[Diagram: cybersecurity professionals combine knowledge of information threats with an understanding of the organizational environment.]

Page 6:

APPROACHES TO IMPLEMENTING CYBERSECURITY

Ad hoc
This approach simply implements security with no particular rationale or criteria. It may be driven by vendor marketing, or reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.

Compliance-based
Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a "checklist" attitude toward security.

Risk-based
This approach relies on identifying the unique risk a particular organization faces and designing and implementing security controls to bring that risk down to within the entity's risk tolerance, in line with its business needs. The risk-based approach is usually scenario-based.

Page 7:

WHY A RISK-ORIENTED APPROACH?

• The core duty and most critical function of cybersecurity is to identify, assess, mitigate, and manage cyber risk to an organization's digital assets.

• Effective policies, security controls implementation, resource allocation, and incident response preparedness are all dependent on understanding the risk and threats an organization faces.

• Using a risk-based approach to cybersecurity allows informed decision-making, better protection, and effective application of budgets and resources.

Page 8:

INFLUENCING RISK FACTORS

Page 9:

FRAMING RISK MANAGEMENT

Source: "Generic Risk Model with Key Risk Factors," National Institute of Standards and Technology (NIST), Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, USA, September 2012.

Page 10:

RISK ASSESSMENT

Page 11:

RISK ASSESSMENT ORIENTATIONS

ORIENTATION: DESCRIPTION

1. Asset-oriented: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.

2. Threat-oriented: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.

3. Vulnerability-oriented: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.

Page 12:

RISK SCENARIO

A risk scenario is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise's objectives, which may be positive or negative.
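The following Python sketch is an added illustration, not part of the presentation and not ISACA or NIST code. It ties the generic risk model cited on the "Framing Risk Management" slide, the three assessment orientations, and the risk-scenario definition above into a small scenario-based risk register: each scenario names a threat source, threat event, vulnerability and asset, carries a semi-quantitative likelihood and impact, and is rated, ranked and compared against a stated risk tolerance so that only scenarios above tolerance are queued for controls (the risk-based approach from the "Approaches" slide). The two lookup tables follow the structure of SP 800-30 Rev. 1 Tables G-5 and I-2 but are reproduced from memory and should be checked against the publication; the scenario data, the `Scenario` class and the helper names are constructed for this example.

```python
"""Scenario-based risk register (added illustration; not ISACA or NIST code).

Each scenario follows the key factors of the NIST SP 800-30 Rev. 1 generic risk
model: a threat source initiates a threat event that exploits a vulnerability in an
asset, with a likelihood and an impact.  The two lookup tables below follow the
structure of SP 800-30 Rev. 1 Table G-5 (overall likelihood) and Table I-2 (level of
risk); they are reproduced from memory here and must be checked against the
publication before real use.  All scenario data is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Row: likelihood the threat event is initiated.
# Column (indexed by LEVELS): likelihood that, once initiated, it causes adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Row: overall likelihood.  Column (indexed by LEVELS): level of impact.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: who does what, through which weakness, to which asset."""
    asset: str
    threat_source: str
    threat_event: str
    vulnerability: str
    p_initiation: str  # likelihood the threat event is initiated / occurs
    p_adverse: str     # likelihood it results in adverse impact, given initiation
    impact: str        # level of impact if it does

    def overall_likelihood(self) -> str:
        return OVERALL_LIKELIHOOD[self.p_initiation][LEVELS.index(self.p_adverse)]

    def risk(self) -> str:
        return RISK_LEVEL[self.overall_likelihood()][LEVELS.index(self.impact)]


def exceeds_tolerance(scenario: Scenario, tolerance: str) -> bool:
    """True when the scenario's risk level is strictly above the stated tolerance."""
    return LEVELS.index(scenario.risk()) > LEVELS.index(tolerance)


def prioritise(scenarios, tolerance: str):
    """Scenarios above tolerance, highest risk first: the treatment queue."""
    above = [s for s in scenarios if exceeds_tolerance(s, tolerance)]
    return sorted(above, key=lambda s: LEVELS.index(s.risk()), reverse=True)


def group_by(scenarios, orientation: str):
    """View the same register from one of the three assessment orientations.

    'asset', 'threat' and 'vulnerability' are just different entry points into the
    same set of scenarios; the rating of each scenario does not change.
    """
    field = {"asset": "asset", "threat": "threat_source",
             "vulnerability": "vulnerability"}[orientation]
    groups = defaultdict(list)
    for s in scenarios:
        groups[getattr(s, field)].append(s)
    return dict(groups)


# Constructed scenario data for a small bank-like environment (illustrative only).
REGISTER = [
    Scenario("Core banking DB", "Organised crime", "Ransomware via phishing",
             "Unpatched endpoint", "High", "Moderate", "Very High"),
    Scenario("Core banking DB", "Insider", "Bulk export of customer records",
             "Excess DBA privilege", "Low", "High", "High"),
    Scenario("Public web portal", "Hacktivist", "DDoS",
             "No upstream scrubbing", "Moderate", "High", "Moderate"),
    Scenario("Employee laptops", "Opportunistic thief", "Device theft",
             "No disk encryption", "Moderate", "Low", "Low"),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.risk():9} {s.asset}: {s.threat_event} ({s.vulnerability})")
    print("Above tolerance 'Moderate':",
          [s.threat_event for s in prioritise(REGISTER, "Moderate")])
    print("Assets in scope:", sorted(group_by(REGISTER, "asset")))
```

With the constructed data, only the ransomware scenario rates High and exceeds a "Moderate" tolerance, so it alone enters the treatment queue; lowering the tolerance to "Low" pulls in the two Moderate scenarios as well. Grouping the register by asset, threat or vulnerability reproduces the three orientations on the "Risk Assessment Orientations" slide without changing any rating.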

Page 13:

RISK MANAGEMENT WORKFLOW

Source: ISACA, COBIT 5 for Risk, 2013.

Page 14:

CYBER SECURITY FRAMEWORKS *

Identify: Use organizational understanding to minimize risk to systems, assets, data and capabilities.

Protect: Design safeguards to limit the impact of potential events on critical services and infrastructure.

Detect: Implement activities to identify the occurrence of a cybersecurity event.

Respond: Take appropriate action after learning of a security event.

Recover: Plan for resilience and the timely repair of compromised capabilities and services.

* Cybersecurity Frameworks: National Institute of Standards and Technology (NIST) and European Union Agency for Network and Information Security (ENISA).

Page 15:

THANK YOU