Auditing Cyber Security Risk - From Nuisance To Impact
Cybersecurity: Current Context
• Internet of Everything
  • Service delivery requires connectedness
  • Economy and society depend on IT
  • Everything and everybody exposed
• Everything Vulnerable
  • Inherently fragile systems
  • Often unpatchable
• Agile Adversaries
  • Determined pursuit of goals
  • Industrialization of operations
(Not)Petya
• June 2017
• “Targeted” attack
• Encryption malware
• Destructive intent: no way to decrypt
• Initial infection via accounting software
10% of all computers in UA destroyed!
3 billion € collateral damage
Collateral Damage
Maersk/APM
• 17 container terminals disrupted for days
• Loading and unloading impossible
• Perishable goods lost?
• Truck chaos
• Saved by power cut in Ghana…
Targeted Ransomware
Cyber hits the C-papers
Your C-Suite?
Intermediate Questions
• Has your company been facing this type of problem?
RESILIENCE
[Diagram: the CISO at the centre of the resilience landscape, with the labels Infrastructure, Product, IT, 5G, Mobile / OT / IoT, BYOD and Cloud around it]
Regulation
Compliance
[Diagram: the CISO at the centre, surrounded by the compliance stakeholders DPA, Regulator, Internal Auditor, External Cyber Auditor, Client and Insurance]
Frameworks
Mapping
Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
Informative References:
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5

Supervisory issuance mapping: ID.AM-1 (Physical devices and systems within the organization are inventoried) → Singapore - SAMA "Information Security Survey - 2016"
[Diagram: mapping chain NIST Functions → NIST Categories → NIST Subcategories → Supervisory Issuances]
What Matters Most?
C-Level
• Translate cyber risk into business risk
• Continuity of operations (disruption, ransomware)
• Image damage
• IPR theft
• Financial loss
• GDPR
Metric 12.6: Logging administrative activities

COVERAGE
  Metric: All relevant systems and applications are integrated into admin logging
  Indicator: Number of logged security-critical systems / total number of security-critical systems
  Rating: Green: > 90%, Yellow: 70-90%, Red: < 70%

EFFECTIVENESS
  Metric: Completeness and integrity of admin logs
  Indicator: Number of incorrectly written admin logs
  Rating: Red: > 0, Green: = 0
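As an added illustration (not part of the deck), the two ratings of metric 12.6 computed in Python over a constructed asset inventory; the inventory, field names and the handling of an empty denominator are assumptions, the thresholds are the ones stated above.

```python
"""Metric 12.6 (admin logging): coverage and effectiveness ratings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    security_critical: bool        # in scope for the denominator
    admin_logging_enabled: bool    # counted in the numerator
    incorrect_admin_logs: int      # admin log records failing the integrity/completeness check


# Constructed sample inventory (hypothetical hostnames, not from the slides)
INVENTORY = [
    System("ad-dc-01", True, True, 0),
    System("fw-edge-01", True, True, 0),
    System("erp-db-01", True, False, 0),    # critical but not integrated into admin logging
    System("hr-app-01", True, True, 2),     # logged, but two records failed the integrity check
    System("kiosk-lobby", False, False, 0), # not security-critical: excluded from the ratio
]


def coverage_ratio(systems):
    """Logged security-critical systems / all security-critical systems, in percent."""
    critical = [s for s in systems if s.security_critical]
    if not critical:
        return None  # no security-critical systems: the ratio is undefined, not 0 %
    logged = sum(1 for s in critical if s.admin_logging_enabled)
    return 100.0 * logged / len(critical)


def coverage_rating(pct):
    """Traffic light as on the slide: Green > 90 %, Yellow 70-90 % (90 inclusive), Red < 70 %."""
    if pct is None:
        return "N/A"
    if pct > 90:
        return "Green"
    return "Yellow" if pct >= 70 else "Red"


def effectiveness(systems):
    """Count incorrectly written admin logs on in-scope systems; any defect is Red."""
    bad = sum(s.incorrect_admin_logs for s in systems
              if s.security_critical and s.admin_logging_enabled)
    return bad, ("Green" if bad == 0 else "Red")


def kpi_12_6(systems):
    pct = coverage_ratio(systems)
    bad, eff = effectiveness(systems)
    return {"coverage_pct": pct, "coverage": coverage_rating(pct),
            "incorrect_logs": bad, "effectiveness": eff}
```

On the sample inventory three of four critical systems are logged (75 %, Yellow) while two defective records turn effectiveness Red, which is the distinction the slide draws between being integrated into logging and the logs actually being usable.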
Metrics at Board Level
Different Metrics
Metrics: Principles to Follow
Takeaways
• Plan for resilience
• Preparedness
• C-Level visibility
• Cyber Risk is a Business Risk
• Gain and maintain C-Suite support
References
• NIST Cyber Security Framework
• FSSCC Financial Sector Cybersecurity Profile
• ISO 27001
• VDA’s Information Security Assessment
• CIS Critical Security Controls
• How to Steer Cybersecurity with Only One KPI
Thank You
FreddyDezeure.eu