Upload File

cybersecurity program management

19
Cybersecurity Program Management May 18, 2021

Upload: others

Post on 12-May-2022

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Cybersecurity Program Management

Cybersecurity Program ManagementMay 18, 2021

Page 2: Cybersecurity Program Management
Page 3: Cybersecurity Program Management

The Challenges

Page 4: Cybersecurity Program Management

ACCOUNTABILITY MATTERSGoal: Demonstrate good cybersecurity practices

Changes in the Industry− CPRA (inf. “CCPA v2.0”) – augmented enforcement

Crackdown on Regulations – guilty offenders getting fined

- GDPRo Google $56.6Mo H&M $41Mo TIM (Telecom Italia) $31.5Mo British Airways $26Mo Marriott $23.8M

Fragility of Third-Party Network- SolarWinds

Page 5: Cybersecurity Program Management

THE ROLE OF THE CISO

• There is a change happening.

• The CISO role will grow and gain respect.

• The CISO will become an enabler rather than a disabler.

• Enterprises will embrace the CISO’s teaching function.

Deep Technical ExpertiseExecutive Management Skillset

TIME

NEE

D

Page 6: Cybersecurity Program Management

Cyber Risk is Pervasive

Cross Functional

Technical Depth & Guidance

Business Recommendation & Policy

Corporate-Wide Enablement & Testing

Risk & Compliance Focal Point

Incident Management Analytics

)

Page 7: Cybersecurity Program Management

Cybersecurity Tools Alone Only Go So Far

Source: https://foundationcapital.com/cybersecurity-the-next-trillion-dollar-market/

Q: How are we doing overall for cyber?A: ?

Q: Have we improved over time?A: ?

Q: Where do we need to focus our attentionA: ?

Q: Where are our weaknesses?A: ?

https://foundationcapital.com/
https://foundationcapital.com/cybersecurity-the-next-trillion-dollar-market/
Page 8: Cybersecurity Program Management

THE STATE OF THE STATE• Last Fall, IBM Security and the Ponemon Institute published the “5th annual Cyber Resilient

Organization Report.” The report is based on their research from surveying more than 3,400 IT and security professionals around the world in April 2020, to determine their organizations’ ability to detect, prevent, contain and respond to cybersecurity incidents.

• Here is a sample of their findings:

https://www.ibm.com/security/digital-assets/soar/cyber-resilient-organization-report/#/

IBM/Ponemon Institute "Cyber Resilient Organization Report 2020"

https://www.ibm.com/security/digital-assets/soar/cyber-resilient-organization-report/#/
Page 9: Cybersecurity Program Management

ACCOUNTABILITY MATTERSProve to the C-suite, BoDs and regulators that the organization has:

A Plan Compliant Controls and Processes

Page 10: Cybersecurity Program Management

PRESENTING TO THE BOARDAnswering the 3 key questions

• Where is the risk? • How are you going to fix it? • How much does it cost?

Page 11: Cybersecurity Program Management

Limited Visibility & Governance

11 OR

GA

NIZ

ATIO

N

TOO

LS

MET

RIC

S Applications

Application Security

Cloud Security

Endpoint Security

SIEM

Threat Intelligence

Policies

Organization

Third Parties

Networks

People

Systems

CIS

O

Cybersecurity Program Management

OR

P Executive Leadership

Key Problem

Owners

Cybersecurity

CO

RP

Executive Leadership

Page 12: Cybersecurity Program Management

TPRM: Two Sides of the Same CoinFlexible Configuration Covers Procurement and Information Security Use Cases

PROCUREMENT INFO SECURITY

THIRD-PARTYRISK

Procure-to-PaySource-to-Contract

CybersecurityGRC

Page 13: Cybersecurity Program Management

Establishing a Program

Page 14: Cybersecurity Program Management

DEFINING YOUR CYBERSECURITY PROGRAM

Threats

Control Standards

Risks

Risk & Control Methodology

Regulations

Assessments

HVA Questionnaires

Threat Reviews

Risk Evaluations

TPR Questionnaire

Assess, Review & Monitor Tools

Baseline Questionnaires

Control Reviews

Risk-Prioritized Projects

Schedule of Coverage

“State of the State” for Cybersecurity Risk

Training Programs Third Parties

High Value Assets

Policies

Organization

Due Diligence

Your Company Data

Processes

Page 15: Cybersecurity Program Management

COMMITTING TO A CONTROL FRAMEWORK

© ProcessUnity, Inc.

• NIST 800-53• NIST CSF• SCF• ISO 27001/27002• IASME• FAIR• SOC 2• CIS• COBIT• HITRUST• …

GDPRCCPA NYDFSHIPAA

Many others…

Page 16: Cybersecurity Program Management

COMMITTING TO A CONTROL FRAMEWORKCONTROLS MAPPED TO YOUR PROGRAM COMPONENTS

Meta-frameworkControls DNA

GDPR

CCPA

HIPAA

PCI

My Controls DNA

AssetsOrganization

PoliciesThird Parties

IssuesIncidentsProjectsTraining

Assessments

NIST CSF

ISO 27002NIST 800-53

NYDFS

My Risks

My Threats

Page 17: Cybersecurity Program Management

DATA MAPPING EXAMPLEFramework Name

HIPAA (Health Insurance Portability and Accountability Act

164.306: Security Standard: General Rules

HIPAA (Health Insurance Portability and Accountability Act

164.308: Administrative Safeguards

HIPAA (Health Insurance Portability and Accountability Act

164.316: Policies & Procedures / Documentation Requirements

HIPAA (Health Insurance Portability and Accountability Act

164.530:Administrative Requirements

CCPA (California Consumer Privacy Act)

1798.81.5

GDPR (General Data Protection Regulation) 1.0

32. Security of Processing

ISO 27002 Standard A.5.1.1: Policies for Information Security

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS Requirements 12.1

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS Requirements 12.1.1

NIST (800-53 Standard) Rev. 4 PM-1: Information Security Program Plan

NYDFS (New York State Department of Financial Services)

Section 500.02: Cybersecurity Program

Page 18: Cybersecurity Program Management

DEMO

18

Page 19: Cybersecurity Program Management

Thank You!


ePlus CyberSecurity Management Program

Cybersecurity Management Programs - Cyber Thoughts

Cybersecurity Management

Advanced Executive Program in Cybersecurity

Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions Assessing . Cyber Risk Management . Program Maturity. CISO Virtual Cybersecurity Symposium

Open itSM Solutions · 2019-02-15 · DxCERTS - IT & NIST Cybersecurity Workforce Development Training Curriculum & Management Program 3 DxCERTS IT & NIST Cybersecurity Training Curriculum

Cybersecurity Strategy for Programs of Record...Cybersecurity strategy for programs of record management process a.The CSS for POR is a required acquisition program as documented by

Cybersecurity Intelligence, Resilience, and Management · PDF fileCybersecurity Intelligence, Resilience, and Management ... Develop system for identifying, ... Cybersecurity Intelligence,

CyberEdge - AIG€¦ · cyber risk management program, allowing them to have insight into cybersecurity risk throughout their ecosystem. Cybersecurity Maturity Assessment Powered

Cybersecurity Intelligence, Resilience, and Management

Illustrative cybersecurity risk management

Cybersecurity Management in the States · PDF filethe importance of cybersecurity and retained Clarke ... CYBERSECURITY MANAGEMENT IN THE STATES: THE EMERGING ROLE OF CHIEF INFORMATION

Cybersecurity Law and Risk Management

Integrating Cybersecurity & Management,

Cybersecurity Test and Evaluation Process Sponsored Documents/Cybersecurity... · Program Office Implementation Plan must include cybersecurity ... – Ensures cybersecurity is part

Cybersecurity of Traffic Management Systems · 2017-10-16 · Program Goals Improve cybersecurity posture of Traffic Management Systems (TMSs) How? –Review State of the art across

Global Cybersecurity Capacity Program...Introduction 7 Global Cybersecurity Capacity Program (2016-2019) overview 7 Countries in scope 9 Key milestones 9 Global Cybersecurity Capacity

Cyber Risk Management Services - Alston & Bird · • Conducted a cybersecurity preparedness legal review for a large state bank, assessing its cybersecurity program against guidance

Description of XYZ Manufacturing’s Cybersecurity Risk ... · Description of XYZ Manufacturing’s Cybersecurity Risk Management ... The ompany’s cybersecurity risk management

Dams Sector Cybersecurity Program Guidance 2016 › sites › default › files › files › ... · Dams Sector Cybersecurity Program Guidance Introduction 1 Introduction Cybersecurity

Information for entity management - AICPA · risk management program. Overview of the AICPA Cybersecurity Risk Management Examination ... inventory management and distribution, information

National Cybersecurity Management System

Simulators Program Office Cybersecurity Review

Building a Cybersecurity Awareness Program

Cybersecurity Management - Yokogawa

ComplyTec | Cybersecurity | Cyber attacks |GRC | Identity ......POLICY PROGRAM MANAGEMENT RSA Archer Policy Program Management provides the framework to help organizations establish

Maryland Cybersecurity Program Policydoit.maryland.gov/Lists/DoIT Policies/Attachments/32/cybersecurity... · J Risk Management Approach This plan will embody a Risk Management approach

Cybersecurity Management in the States

Chapter 16 – Cybersecurity Management

Illustrative cybersecurity risk management - AICPA · 2020-03-26 · Note to readers: Although the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and

CYBERSECURITY RISK INFORMATION SHARING PROGRAM …readthis.pnl.gov/marketsource/readthis/B3425_not_print_quality.pdf · The Cybersecurity Risk Information Sharing Program (CRISP)

Cybersecurity Risk Management & Best Practices

Understanding Cybersecurity on DoD Acquisition …...Understanding Cybersecurity on DoD Acquisition Programs Steve Mills – Professor of Program Management DAU South Cyber Lead [email protected]

Designing & Building a Cybersecurity Program

Cybersecurity Risk Management and Best Practices …transition.fcc.gov/bureaus/pshs/advisory/csric4/CSRIC_WG...Cybersecurity Risk Management and Best Practices (WG 4) Cybersecurity