PROTECTING
Rethinking How Secure is Your Secure
We are not prepared for Cyber War – and it is Economic war now
SECURITY RISKS @ GROUND LAYER

Business Needs

DATA SECURITY
• Confidentiality
• Integrity
• Availability

APPLICATION SECURITY
• Compliance & Reporting
• Resource Skills
• Scope & Pace
• Fast moving security Threats

PEOPLE & PASSWORD SECURITY
• Access Control and Monitoring
• User Authentication
• Lack of integration

MOBILE ENDPOINT
• IT Management Bandwidth
• Mobile Workforce
• Loss of visibility & control

NETWORK SECURITY
• State sponsored espionage
• DDoS attack
• Insider threats

Security Challenges

DATA SECURITY
• Data Tampering
• Data Theft
• Falsifying User Identities
• Password-Related Threats
• Unauthorized Access
• Lack of Accountability
• Complex User & Mgt Requirements
• Compromised system and application, etc.

APPLICATION SECURITY
• Spoof identity
• Leak sensitive corp data
• Information disclosure
• Remote control
• Take over user/admin account
• Spread viruses
• Exploit intranet apps
• Unauthorized user access
• Vulnerable sw & device
• Restriction can be bypassed

PEOPLE & PASSWORD SECURITY
• Unauthorized User accessing server without permission
• Users losing data
• Users sharing devices
• Bypassed Restriction

MOBILE ENDPOINT
• User installing unvetted apps
• Users click first, worry later
• Users losing devices
• Users sharing devices
• Android malware raising
• Too many permissions

NETWORK SECURITY
• Compromise Corporate network
• Spoof Identity
• Gain unauthorized user and data access
• Many more I-S cyber attacks and data breaches
BUSINESS NEEDS & CHALLENGE
[Figure: service portfolio: Security Applications, Advanced Intelligence, Fraud, Identity and Access, Data, Consulting Services, Managed Services]
[Figure: incident handling flow: inputs (Sensors, Email, Hotline/Phone, Other) go to Triage (Information Request, Incident Report, Vulnerability Report), then Analyze, then Obtain Contact Information, Coordinate Information and Response, and Provide Technical Assistance]
What is Compliance?
[Figure: compliance cycle: drivers (Regulations, Control Framework, Partners/Customers) feed Policy and Awareness and Risk Assessment; the cycle continues through Assessments, Automate Process, Audits, Improve Controls and Treat Risks]
Risk and Compliance Approaches
[Figure: drivers: Regulations, Partners/Customers, Risk Assessment]
Identify Drivers
• Risk Assessment
– Identify unique risks and control requirements
• Partners / Customers
– Partners represent potential contractual risk
– Customers present privacy concerns
• Regulations
– Regulatory risk is considered as part of overall risk
Develop Program
[Figure: program elements: Regulations, Control Framework, Partners/Customers, Policy and Awareness, Risk Assessment]
What is a Control?
• ISO 27001/27002
• COBIT
• ITIL
• NIST
• Industry-specific, e.g. PCI
• Custom
What is ISO27001?
▪ Not all requirements in ISO 27001 are mandatory. You can also define the scope to be covered by the security policy.
Mandatory requirements
▪ Define scope
▪ Define ISMS policy
▪ Define roles and responsibilities
▪ Define the risk assessment approach & criteria for accepting risk
▪ Define a level of acceptability of risk
▪ List assets & define owners
▪ Identify threats, vulnerabilities, impact, likelihood and risk for each asset
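The mandatory items above (assets with owners, threats and vulnerabilities per asset with likelihood and impact, and an accepted level of risk) can be kept as a small risk register. The following is an added example, not code from the slides or from any ISO document; the 1-5 scales, the acceptance level of 8 and the sample assets are assumed values.

```python
# Added example, not from the slides: a minimal asset-based risk register of the
# kind the ISO 27001 mandatory requirements call for. The 1-5 scales and the
# acceptance level are assumed values, not taken from the standard or the deck.
from dataclasses import dataclass, field

RISK_ACCEPTANCE_LEVEL = 8  # assumed: score (likelihood x impact) <= 8 is accepted

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class Asset:
    name: str
    owner: str  # "List assets & define owners"
    risks: list = field(default_factory=list)

def validate_register(assets):
    """Check the mandatory items: every asset has an owner, every scale value is in range."""
    problems = []
    for a in assets:
        if not a.owner.strip():
            problems.append(f"{a.name}: no owner defined")
        for r in a.risks:
            if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
                problems.append(f"{a.name}/{r.threat}: likelihood or impact out of range")
    return problems

def risks_to_treat(assets, acceptance_level=RISK_ACCEPTANCE_LEVEL):
    """(asset, risk) pairs above the acceptance level, highest score first."""
    above = [(a, r) for a in assets for r in a.risks if r.score > acceptance_level]
    return sorted(above, key=lambda ar: ar[1].score, reverse=True)

# Constructed sample register (fictitious assets, owners and ratings)
SAMPLE_ASSETS = [
    Asset("Customer database", "Head of IT", [
        Risk("Data theft", "weak password policy on DB accounts", 4, 5),
        Risk("Data tampering", "no integrity monitoring", 2, 4)]),
    Asset("Corporate mailbox", "HR manager", [
        Risk("Spoofed identity (phishing)", "no user awareness training", 5, 3)]),
    Asset("Staff laptops", "", [Risk("Device loss", "disk not encrypted", 3, 3)]),
]
```

`validate_register(SAMPLE_ASSETS)` reports the laptop asset with no owner, and `risks_to_treat(SAMPLE_ASSETS)` returns the three risks scoring 20, 15 and 9, while the data-tampering risk (score 8) stays within the accepted level.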
Mandatory requirements
[Figure: ISO 27002: Code of Practice for Information Security Management, control domains: Security Management (Operational Control, Technical Control), Organizing Information Security, Business Continuity Management, Information Security Incident Management, Protected Information Management, Protected Asset Management, IS Acquisition, Development and Maintenance, Human Resources Security, Physical and Environmental Security, Access Control, Communication and Operation Management]
ISO27001 Implementation Roadmap
[Figure: roadmap phases, in order]
▪ Understand existing procedures
▪ Prepare Project Plan
▪ Define Roles & Responsibilities
▪ Define documentation hierarchy
▪ Review established documents
▪ Obtain approval from authorized personnel
▪ Workshops for promotion
▪ Mentor IT Management to review
▪ Conduct Training & Workshops
▪ Conduct internal audit
▪ External certification audit
CONTACT
Taro Lay
▪ taro.lay@osaka.infosec-world.org
▪ taro.lay@infosec-world.id
▪ +62-811189788