TRANSCRIPT
ADOPTING A RISK-BASED APPROACH TO CYBERSECURITY
2ND INFOCOM SECURITY CYPRUS – MAY 14 2019
ISACA CYPRUS CHAPTER
5/12/2019 © 2018 ISACA. All Rights Reserved.
Paschalis Pissarides, CRISC, CISM, CISA, CPA, CFE, CSXf
• Certified by ISACA International to teach the CSX Cybersecurity Fundamentals Workshop, as well as the CISA, CISM, & CRISC review courses.
• Have been in the field of Information Security for over 20 years in the Cyprus Banking sector.
• Previously worked for 9 years as Senior Information Systems Auditor at USA Group, a company based in Indianapolis USA.
• Past President of ISACA - Indiana Chapter USA (1995-96)
• Founding member & past President of the ISACA Cyprus Chapter (2011-2015). Currently serving on its Board of Directors as the Academic Relations Director.
• Received an undergraduate degree in Management Information Systems & Accounting, an MBA in Finance, and a Master's degree in Political Science from Bowling Green State University, Ohio USA.
• Actively involved as a speaker in seminars and conferences in Cyprus and abroad in the areas of information security, information systems auditing and risk management. Have taught the CISA exam preparation course over the years.
WHAT IS CYBERSECURITY?
"The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems."
CYBERSECURITY ROLES
BOARD OF DIRECTORS: Identifies key assets and verifies that protection levels and priorities are appropriate
EXECUTIVE COMMITTEE: Sets the tone for cybersecurity management and ensures that the necessary functions, resources and infrastructure are available and properly utilized
SECURITY MANAGEMENT: Develops security and risk mitigation strategies, develops information security policy, ensures compliance, and manages incidents and remediation
CYBERSECURITY PRACTITIONERS: Design, implement and manage processes and technical controls, and respond to events and incidents
SITUATIONAL AWARENESS
Cybersecurity professionals must have an awareness of the environment in which they operate:
• Each organization has its own distinct culture
• Every organization faces its own unique challenges and risks based on the nature of its business
• The business environment in particular tends to drive risk decisions. A small startup company may be much more tolerant of risk than a large, well-established corporation or a financial institution.
• Internal and external factors can directly impact an organization and its security needs, including:
o Business plans and business environment
o Available information technology, and security processes and security tools in particular
(Figure: cybersecurity professionals combine knowledge of information threats with an understanding of the organizational environment)
APPROACHES TO IMPLEMENTING CYBERSECURITY
Ad hoc
This approach simply implements security with no particular rationale or criteria. It may be driven by vendor marketing, or reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
Compliance-based
Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a "checklist" attitude toward security.
Risk-based
This approach relies on identifying the unique risk a particular organization faces, and then designing and implementing security controls to address the risk that exceeds the entity's risk tolerance, in line with its business needs. The risk-based approach is usually scenario-based.
WHY A RISK-ORIENTED APPROACH?
• The core duty and most critical function of cybersecurity is to identify, assess, mitigate, and manage cyber risk to an organization's digital assets.
• Effective policies, security controls implementation, resource allocation, and incident response preparedness are all dependent on understanding the risk and threats an organization faces.
• Using a risk-based approach to cybersecurity allows informed decision-making, better protection, and effective application of budgets and resources.
INFLUENCING RISK FACTORS
FRAMING RISK MANAGEMENT
Source: “Generic Risk Model with Key Risk Factors,” National Institute of Standards and Technology (NIST), Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, USA, September 2012
RISK ASSESSMENT
RISK ASSESSMENT ORIENTATIONS
ORIENTATION / DESCRIPTION
1. Asset-oriented: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
2. Threat-oriented: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
3. Vulnerability-oriented: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.
RISK SCENARIO
A risk scenario is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise's objectives, which may be positive or negative.
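The slides describe the risk-based approach as scenario-based and point to the NIST SP 800-30 generic risk model (threat source, threat event, vulnerability, asset, likelihood, impact), but show no worked scenario. The following is an added example, not code from the presentation or from ISACA/NIST: it scores a small register of constructed risk scenarios with a qualitative likelihood-by-impact matrix, ranks them, flags those that exceed an assumed enterprise risk tolerance, and recomputes residual risk after a control is applied. The scenario data, the matrix cell values (modelled on the SP 800-30 Rev.1 Appendix I scale) and the tolerance level are all assumptions for illustration.

```python
"""Scenario-based risk register in the style of NIST SP 800-30 Rev.1.

Added example (not from the presentation). Risk is a function of the
likelihood that a threat event occurs and causes harm, and the impact of
that harm; scenarios are ranked and compared with the risk tolerance.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


# Qualitative risk matrix, indexed RISK_MATRIX[likelihood][impact].
# Modelled on the SP 800-30 Rev.1 Appendix I "level of risk" scale; the exact
# cell values are an assumption here and an organization would calibrate its own.
RISK_MATRIX = {
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.LOW:       [Level.VERY_LOW, Level.LOW, Level.LOW, Level.LOW, Level.MODERATE],
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW, Level.LOW],
}


@dataclass(frozen=True)
class RiskScenario:
    """One scenario: threat source -> threat event -> exploited vulnerability -> asset."""
    name: str
    threat_source: str
    threat_event: str
    vulnerability: str
    asset: str
    likelihood: Level   # likelihood the event occurs and results in adverse impact
    impact: Level       # magnitude of harm to the enterprise objective

    def risk_level(self) -> Level:
        return RISK_MATRIX[self.likelihood][self.impact]


def assess(scenarios, tolerance: Level):
    """Rank scenarios by risk (ties broken by impact, then likelihood) and flag
    those above tolerance. Returns (scenario, risk_level, needs_treatment) tuples."""
    ranked = sorted(scenarios,
                    key=lambda s: (s.risk_level(), s.impact, s.likelihood),
                    reverse=True)
    return [(s, s.risk_level(), s.risk_level() > tolerance) for s in ranked]


def treat(scenario: RiskScenario, likelihood: Optional[Level] = None,
          impact: Optional[Level] = None) -> RiskScenario:
    """Residual scenario after a control: preventive controls lower likelihood,
    recovery controls lower impact. Factors not given are left unchanged."""
    return replace(scenario,
                   likelihood=scenario.likelihood if likelihood is None else likelihood,
                   impact=scenario.impact if impact is None else impact)


# Constructed sample register for a small financial institution (illustrative only).
SCENARIOS = [
    RiskScenario("Ransomware via phishing", "organized crime", "phishing e-mail delivers ransomware",
                 "users can run unsigned attachments; backups online", "core banking file servers",
                 Level.HIGH, Level.VERY_HIGH),
    RiskScenario("Credential stuffing on customer portal", "opportunistic attacker",
                 "automated logins with leaked credentials", "password-only authentication",
                 "internet banking portal", Level.MODERATE, Level.HIGH),
    RiskScenario("Lost unencrypted laptop", "accidental", "laptop lost in transit",
                 "no full-disk encryption", "customer data on staff laptops", Level.LOW, Level.HIGH),
    RiskScenario("Insider data exfiltration", "privileged insider", "bulk export of customer records",
                 "no export monitoring or DLP", "customer database", Level.LOW, Level.VERY_HIGH),
    RiskScenario("DDoS on public website", "hacktivist", "volumetric flood",
                 "no upstream scrubbing", "marketing website", Level.HIGH, Level.LOW),
]

RISK_TOLERANCE = Level.MODERATE   # assumed enterprise appetite: treat anything above MODERATE


def needs_treatment(scenarios=SCENARIOS, tolerance=RISK_TOLERANCE):
    """Names of scenarios whose inherent risk exceeds the tolerance, highest first."""
    return [s.name for s, _, flagged in assess(scenarios, tolerance) if flagged]


if __name__ == "__main__":
    for s, risk, flagged in assess(SCENARIOS, RISK_TOLERANCE):
        print(f"{s.name:40} L={s.likelihood.name:9} I={s.impact.name:9} "
              f"risk={risk.name:9} {'TREAT' if flagged else 'accept'}")
    # Treat the top scenario: phishing-resistant MFA and attachment sandboxing
    # lower likelihood; offline, tested backups lower impact.
    top = assess(SCENARIOS, RISK_TOLERANCE)[0][0]
    residual = treat(top, likelihood=Level.LOW, impact=Level.MODERATE)
    print(f"residual risk for '{top.name}': {residual.risk_level().name}")
```

With the assumed tolerance of MODERATE only the ransomware scenario is flagged for treatment; lowering the tolerance to LOW also pulls in the insider and credential-stuffing scenarios, which is the point of the approach: the same register, read against a different risk appetite, yields a different control programme. The scenario fields map directly onto the SP 800-30 risk factors, so the same register can be built asset-first, threat-first or vulnerability-first, as in the three orientations described below.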
RISK MANAGEMENT WORKFLOW
Source: ISACA, COBIT 5 for Risk, 2013
CYBER SECURITY FRAMEWORKS *
IDENTIFY: Use organizational understanding to minimize risk to systems, assets, data and capabilities.
PROTECT: Design safeguards to limit the impact of potential events on critical services and infrastructure.
DETECT: Implement activities to identify the occurrence of a cybersecurity event.
RESPOND: Take appropriate action after learning of a security event.
RECOVER: Plan for resilience and the timely repair of compromised capabilities and services.
* Cybersecurity Frameworks - National Institute of Standards and Technology (NIST) & European Union Agency for Network and Information Security (ENISA)
THANK YOU