
The Art of PROTECTING
Rethinking How Secure is Your Secure

We are not prepared for Cyber War – and it is Economic war now
SECURITY RISKS @ GROUND LAYER

Data Security
Business Needs:
• Confidentiality
• Integrity
• Availability
Security Challenges:
• Data Tampering
• Data Theft
• Falsifying User Identities
• Password-Related Threats
• Unauthorized Access
• Lack of Accountability
• Complex User & Mgt Requirements
• Compromised system and application, etc.

Application Security
Business Needs:
• Compliance & Reporting
• Resource Skills
• Scope & Pace
• Fast moving security Threats
Security Challenges:
• Spoof identity
• Leak sensitive corp data
• Information disclosure
• Remote control
• Take over user/admin account
• Spread viruses
• Exploit intranet apps
• Unauthorized user access
• Vulnerable sw & device
• Restriction can be bypassed

People & Password Security
Business Needs:
• Access Control and Monitoring
• User Authentication
• Lack of integration
Security Challenges:
• Unauthorized user accessing server without permission
• Users losing data
• Users sharing devices
• Users sharing
• Bypassed Restriction

Mobile Endpoint
Business Needs:
• IT Management Bandwidth
• Mobile Workforce
• Loss of visibility & control
Security Challenges:
• User installing unvetted apps
• Users click first, worry later
• Users losing devices
• Android malware raising
• Too many permission

Network Security
Business Needs:
• State sponsored espionage
• DDoS attack
• Insider threats
Security Challenges:
• Compromise Corporate network
• Spoof Identity
• Gain unauthorized user and data access
• Many more I-S cyber attack and data breach
BUSINESS NEEDS & CHALLENGE

Business Needs (Key Business Needs):
• Social Business
• Cloud
• Mobility & Collaboration
• 1 Trillion Connected Object
• Compliance Mandates

Technology Trends (Strategic Technology Trend):
• Merging the Virtual & Real World: Computing Everywhere; IoT
• Intelligence Everywhere: Advance, invisible Analytics; Context-Rich Systems; Smart Machines
• The New IT Reality Emerged: Cloud/Client Computing; Sw Defined Apps & Infrastructure; Web-Scale IT

Security Challenge (Security Challenge & Trend):
• Advanced Cyber Attack Threats
• Internal Threat & Hacktivist
• Self Protection
• Skills Shortage
Security Layers
Five Level Security

▪ Physical — Access controls for buildings, data centers, etc.
▪ Network — Restricting access to your network or between areas of your network
▪ OS and Database — Patching and maintenance protecting your network from exploits and bugs
▪ Application — Rules controlling what data and apps users can access or change
▪ System Administration — Configuration, monitoring and troubleshooting your system as a whole.
Expand the value of security solutions through integration

Solution areas shown in the integration diagram:
• Endpoint
• Network
• Mobile
• Applications
• Security Intelligence
• Advanced Fraud
• Identity and Access
• Data
• Consulting Services
• Managed Services

Continuous actionable intelligence


Incident Handling Life Cycle

Inputs: Hotline/Phone, Email, Other Sensors, Information Request, Incident Report, Vulnerability Report
Flow: Triage, then Analyze
Outputs: Obtain Contact Information; Coordinate Information and Response; Provide Technical Assistance
What is Compliance?

• Compliance should be a program based on defined requirements
• Requirements are fulfilled by a set of mapped controls solving multiple regulatory compliance issues
• The program is embodied by a framework
• Compliance is more about policy, process and risk management than it is about technology
Risk & Compliance Mgmt

Drivers: Regulations; Partners/Customers; Risk Assessment
Program: Control Framework; Policy and Awareness
Cycle: Assessments; Audits; Automate Process; Improve Controls; Treat Risks
Risk and Compliance Approaches

Minimal
• Annual / Project-based Approach
• Minimal Repeatability
• Only Use Technologies Where Explicitly Prescribed in Standards and Regulations
• Minimal Automation

Sustainable
• Proactive / Planned Approach
• Learning Year over Year
• Use Technologies to Reduce Human Factor
• Leverage Controls Automation Whenever Possible

Optimized
• Regulatory Requirements are Mapped to Standards
• A Framework is in Place
• Compliance and Enterprise Risk Management are Aligned
• Process is Automated
Identify Drivers

Drivers: Regulations; Partners/Customers; Risk Assessment

Compliance is NOT just about regulatory compliance. Regulatory compliance is a driver to the program, controls and framework being put in place.

Managing compliance is fundamentally about managing risk.
Identify Drivers

• Risk Assessment
– Identify unique risks and control requirements
• Partners / Customers
– Partners represent potential contractual risk
– Customers present privacy concerns
• Regulations
– Regulatory risk is considered as part of overall risk
Develop Program

Drivers: Regulations; Partners/Customers; Risk Assessment
Program: Control Framework; Policy and Awareness
What is a Control?

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

*Source: ITGI, COBIT 4.1


What is a Framework?

A framework is a set of controls and/or guidance organized in categories, focused on a particular topic.

A framework is a structure upon which to build strategy, reach objectives and monitor performance.
Why use a framework?

• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements
Frameworks and Control Sets

• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific, e.g. PCI
• Custom
What is ISO27001?

▪ Leading International Standard for Information Security
▪ A comprehensive set of controls comprising best practices in information security
▪ Risk-management based
▪ Its purpose is to protect the confidentiality, integrity and availability of information

Information Security Management (the CIA triad shown on the slide):
• Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.
• Integrity: Safeguarding the accuracy and completeness of information.
• Availability: Ensuring that information and vital services are available to users when required.
ISO27001 Requirements

Certification process
▪ Stage 1 - informal review of security documentation
▪ Stage 2 - formal and detailed compliance audit
▪ Stage 3 - follow-up reviews and audits

Security Documents
▪ Security policy document
▪ Statement of Applicability (SoA)
▪ Risk Treatment Plan (RTP)
▪ Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy.
Mandatory requirements

▪ Define scope
▪ Define ISMS policy
▪ Define roles and responsibilities
▪ Define the risk assessment approach & criteria for accepting risk
▪ Define a level of acceptability of risk
▪ List assets & define owners
▪ Identify threats, vulnerabilities, impact, likelihood and risk for each asset
Mandatory requirements

▪ Estimate levels of risk and define whether risks are acceptable or not
▪ Define risk options (accept, transfer, avoid or reduce) for risks that are not acceptable
▪ List controls to implement
▪ Manage lifecycle of documentation
▪ Obtain management approval of residual risks and of the implementation plan
▪ Manage resources
Mandatory requirements

▪ Manage communications
▪ Implement controls
▪ Implement metric for each control
▪ Monitor performance of the controls
▪ Review effectiveness of the controls
▪ Corrective actions
▪ Preventive actions
▪ Internal audits
▪ Management reviews
▪ Write statement of applicability
Building a Framework

ISO 27002: Code of Practice for Information Security Management. The framework diagram on this slide places Protected Information and Protected Asset at the centre, surrounded by three control groups (Management Control, Operational Control, Technical Control) and the following domains:
• Risk Assessment & Treatment
• Security Policy
• Compliance
• Business Continuity Management
• Organizing Information Security
• Asset Management
• Information Security Incident Management
• IS Acquisition, Development and Maintenance
• Human Resources Security
• Physical and Environmental Security
• Access Control
• Communication and Operation Management
ISO27001 Implementation Roadmap

Phase 1 – Planning, Gap Assessment, Training
• Understand existing procedures
• Identify key gaps
• Prepare Project Plan
• Define Roles & Responsibilities
• Conduct Training & Workshops

Phase 2 – System Development and Documentation
• Define documentation hierarchy
• Develop required documentation
• Review established documents

Phase 3 – System Implementation
• Workshops for promotion
• Train up delegate as internal auditor
• Mentor IT Management to review
• Obtain approval from authorized personnel

Phase 4 – Certification Audit
• Conduct internal audit
• Provide direction to rectify issues
• External certification audit
CONTACT

Taro Lay
▪ taro.lay@osaka.infosec-world.org
▪ taro.lay@infosec-world.id
▪ +62-811189788
