© 2017 Georges Ataya
Georges Ataya, CISA, CGEIT, CISM, CISSP, MSCS, PBA
Professor, Solvay Brussels School of Economics and Management
Academic Director, IT Management Education
Managing Partner, ICT Control NV
The Joys and Sorrows of Digital Transformation (Les joies et les peines de la transformation numérique)
Executive Education in IT Management
Executive Education in Information Security Management
SOLVAY.EDU/IT
Executive Education in IT Management
Executive Master in IT Management
Executive Programme in:
• CIO Practices
• CIO Leadership
• IT Business Agility
• Enterprise and IT Architecture
• IT Sourcing
• IT Management Consulting
SOLVAY.EDU/IT
Executive Education in Information Security Management
Executive Master in Information Risk and Cybersecurity
Executive Programme in:
• Security Governance
• Information Security
• Cybersecurity
SOLVAY.EDU/IT
Lectured tracks and modules
G track – IT Governance
• G1 – The CIO Foundation
• G2 – IT Governance Workshop
• G3 – IT Risk and Legal Concerns
M track – IT Management
• M1 – Applications Build and Management
• M2 – IT Services and Run Management
• M3 – IT Sourcing Management
B track – Business Agility
• B1 – Enterprise Strategy and Architecture
• B2 – Business Transformation
• B3 – Digital Agility and Innovation
A track – Activating Skills
• A1 – IT Finance and Portfolio Management
• A2 – Soft Skills for IT Professionals
• A3 – Building Expert Opinion
S track – Information Security
• S1 – Information Security Management
• S2 – IT Security Practices
• S3 – Cybersecurity Workshop
Modules are scheduled on Mondays, Tuesdays, Wednesdays and Thursdays.
© 2014 ictc.eu
PROGRAMME IN EUROPEAN DATA PROTECTION – Leading to certified DPO
Solvay.edu/gdpr
European Program in Data Protection
Next edition starting on March 22
Solvay.edu/gdpr
PROGRAM IN EUROPEAN DATA PROTECTION (GDPR)
• Legal and Management Requirements: define data protection objectives and scope
• Risk and Impact Assessment: identify the gap in reaching the defined protection targets
• Compliance Transformation: manage compliance-related transformation
• Information Security and Privacy: protect and secure architectural components
• Response and Breach Management: prepare, react and notify when needed
SOLVAY.EDU/GDPR
Digital transformation is the profound and accelerating transformation of business activities, processes, competencies and models to fully leverage the changes and opportunities of digital technologies and their impact across society in a strategic and prioritized way, with present and future shifts in mind.
Focus of IT activities and orientations: Infrastructure, Application, Management, Digital Transformation
• Digitization will change the traditional retail-banking business model, in some
cases radically.
• The bad news is that change is coming whether or not banks are ready.
Source: "The rise of the digital bank", by ’Tunde Olanrewaju, Principal in McKinsey’s London office
Source: “Leading Digital: Turning Technology into Business Transformation”, George Westerman, Didier Bonnet & Andrew McAfee, Harvard Business Review Press, October 2014
Sources of external threat
• Intelligence agencies
• Criminal groups
• Terrorist groups
• Activist groups
• Armed forces
Enterprise Security Architecture (cont.)
Layers: Business processes, Information, Services, Applications, Infrastructure
Current state: Information, Services, Business processes, Applications, Infrastructure
Future state: Information, Services, Business processes, Applications, Infrastructure
The move from the current to the future state is carried by transformation projects and evolution projects.
Levels of security*
• IT Security: security management, security program objectives, specific projects, security operations
• Information Security: essential assets, risks, mitigation, planning, business as usual/run
• General Security: physical security, safety, fraud, compliance, etc.
* Security aspects
Cybersecurity processes: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
© 2015 ICTC.EU
Functions: develop and implement cybersecurity processes – IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
The need for good business practices
DETECT – Anomalies and Events (DE.AE): anomalous activity is detected in a timely manner and the potential impact of events is understood.
Subcategories: DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5
DE.AE-5: Incident alert thresholds are established
Informative references for DE.AE-5:
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.2.3.10
• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
Bottom-up approach using the SANS CIS top 20 security controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
The SANS CIS top 20 security controls are based on the most frequently recurring findings about security weaknesses in organizations. Implementing those controls is always regarded as good practice from a bottom-up perspective.
Goal: eliminate the vast majority of an organization's vulnerabilities.
The Ten Most Critical Web Application Security Risks
Attackers can potentially use many different paths through your
application to do harm to your business or organization. Each of these
paths represents a risk that may, or may not, be serious enough to
warrant attention.
Source: www.owasp.org, the free and open software security community
A MANAGER FOR CYBER SECURITY INCIDENT MANAGEMENT
• Information Security Governance
• Information Security Incident Management
• Information Security Program Development & Management
• Information Risk Management & Compliance
Georges Ataya
Career Summary
• Professor and Academic Director (SBS-EM)
• Managing Director, ICT Control advisory firm
• Past International Vice President at ISACA
• Past Partner, Ernst & Young
• Past Deputy International CIO, ITT World Directories
• Previously Project Manager and Senior IT Auditor
Expertise Summary
• IT Governance (development of COBIT 4 and COBIT 5)
• IT Governance and Value Governance (co-author of Val IT and supervision of the CGEIT BOK)
• Information Security Management (co-author of the CISM Body of Knowledge)
• IT Audit and Governance
• Information security and risk
• Strategy and Enterprise Architecture and IT Sourcing
Education/Certification
• Master in Computer Science (Faculty of Sciences, ULB)
• Postgraduate in Management (Solvay Brussels School, ULB)
• Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified in Risk and Control (CRISC); Certified Information Systems Security Professional (CISSP); Certified in Governance of Enterprise IT (CGEIT)
[email protected] – ataya.info – be.linkedin.com/in/ataya