
Governance Risk and Compliance

Agenda: Governance Risk and Compliance (TOC - Draft)

Sl.No.  Governance Risk and Compliance – Sub Modules            Duration
1       Policies                                                 45 mins (Quiz – 10 mins)
1.1     National Cyber Security Policy
1.2     IT Act
1.3     CERT-In
1.4     NCIIPC
1.5     Cyber Crisis Management Plan
2       Cyber Security Assessment Framework                      20 mins
2.1     Objectives
2.2     Dimensions
2.3     Cyber Security Capability Assessment
3       Cyber Security Organization Structure
3.1     Roles and Responsibilities
4       Standards, Audit and Compliance                          25 mins (10 mins Quiz)
4.1     ISO 27001 (ISMS)
4.2     ISO 22301
4.3     NIST 800-30
4.4     ISO 20000 (Exercise 2 – Asset Management, ISO 27001)
5       Governance and Risk Management                           5 mins
5.1     Objectives and KPI's
5.2     Technology Enablers
National Cyber Security Policy 2013

Introduction
The National Cyber Security Policy document outlines a road-map to create a framework for comprehensive, collaborative and collective response to deal with the issue of cyber security at all levels within the country.

Vision
To build a secure and resilient cyberspace for citizens, businesses and Government.

Mission
To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.
National Cyber Security Policy 2013 – Overview of NCSP 2013
The National Cyber Security Policy was released on 2nd July 2013. The policy covers four areas:
01 Roadmap to create cyber security framework
02 Enabling secure computing environment & confidence in electronic transactions
03 Approach & Strategy for protection of cyber space
04 Strengthen Regulatory framework
National Cyber Security Policy 2013 – Objectives (1 to 5)
1. Secure cyber ecosystem
   • Trust & confidence in IT systems and transactions in cyberspace
2. Assurance framework for design of security policies
   • Compliance to global security standards and best practices
3. Regulatory framework for a Secure Cyberspace
4. 24 x 7 operational national level computer emergency response team (CERT-In)
5. 24 x 7 operational National Critical Information Infrastructure Protection Centre (NCIIPC)
National Cyber Security Policy 2013 – Objectives (6 to 10)
6. Development of indigenous Security technologies for addressing National Security requirements.
7. Security testing of ICT products.
8. Capacity building of a workforce of 500,000 professionals skilled in cyber security in the next 5 years
9. To provide fiscal benefits to businesses for adoption of standard security practices and processes.
10. Protection of information while in process, handling, storage & transit so as to safeguard privacy of citizen's data
National Cyber Security Policy 2013 – Objectives (11 to 14)
11. Prevention, investigation and prosecution of cyber crime
12. Culture of cyber security and privacy enabling responsible user behaviour & actions
13. Effective public private partnerships and collaborative engagements for enhancing the security of cyberspace.
14. Global cooperation by promoting shared understanding and information sharing
Information Technology Act

Introduction
The Information Technology Act is the primary law in India serving as the governing law for cybercrime and electronic commerce.

The Information Technology Act (IT Act) was passed by both the houses of the Parliament in May 2000. The IT Act provides a legal framework to the Cyber ecosystem in India.

Highlights of IT Act
01 Legal recognition of Electronic Documents
02 Legal recognition of Digital Signatures
03 Offenses and Contraventions
04 Justice Dispensation System for Cyber Crimes
Information Technology Act – Few Sections applicable to Cyber Security
43   Penalty and compensation for damage to computer, computer system, etc.
43A  Compensation for failure to protect data
46   Power to adjudicate
65   Tampering with computer source documents
66   Hacking with Computer system
66A  Punishment for sending offensive messages through communication service
66B  Punishment for dishonestly receiving stolen computer resource or communication device
Note: Section 66A of the Information Technology Act was struck down by the Supreme Court in 2015.
Computer Emergency Response Team (CERT-In)
Section 70B, Information Technology Act 2000: Designates CERT-In as the National nodal agency to tackle emerging challenges in the area of Cyber Security risks and vulnerabilities.

Mission
“To enhance the security of India’s communications and information infrastructure through proactive action and effective collaboration”

CERT-In stakeholders: ISPs, Key CERTs, CSIRTs & Network Vendors; Law Enforcement Agencies; Media; Home Users; Government Sector; Critical Information infrastructure.
Computer Emergency Response Team (CERT-In)
Designated to function in the below areas of cyber security:
1. Collection, analysis and dissemination of information on cyber incidents.
2. Forecast and alerts of cyber security incidents.
3. Emergency Measures for handling cyber security incidents.
4. Coordination of cyber incident response activities.
5. Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention of cyber incidents.
6. Such other functions relating to cyber security as may be prescribed.
Computer Emergency Response Team (CERT-In)
Role of CERT-In
• Role of CERT-In
  – Computer Security Incident Response (Reactive)
  – Computer Security Incident Prevention (Proactive)
  – Security Quality Management Services
• Information Exchange
  – With sectoral CERTs (CSIRTs), CIOs of Critical Infrastructure organisations, ISPs, Vendors
• International Collaboration
  – Member of FIRST
  – Member of APCERT
  – Research Partner – APWG
  – Functional relationships with CERTs (US-CERT, CERT/CC, JPCERT etc.)
NCIIPC
Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) for taking all measures including associated Research and Development for the protection of CIIs in India.

NCIIPC mission: “To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders”, with a vision “to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country”.

NCIIPC Responsibilities
1. Research and Development for protection of CII
2. National Program & policies on CII
3. Partnership across Government/Academia and Private Sector
NCIIPC Responsibilities (continued)
4. National & International Linkages for Protection of CII
5. Vulnerability Assessment and Security Testing
6. Generate alerts on security Risks
7. Training & Awareness
8. Reporting of all incidents by CII stakeholders
9. Compliance of all advisories of NCIIPC by all stake holders
10. Malware Analysis
11. Cyber Forensics activities
12. 24X7 operation and helpdesk
Cyber Crisis Management Plan
This plan establishes a strategic framework for dealing with Cyber incidents. It describes types of cyber incidents, actions and responsibilities for a coordinated approach in order to prepare for rapid identification, information exchange, response, and remediation to mitigate & recover from malicious cyber related incidents impacting critical business functions and processes.

• Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology (MeitY) developed the Cyber Crisis Management Plan (CCMP) for countering cyber attacks and cyber terrorism.
• This plan takes into consideration the crises that occur due to cyber security incidents and breaches, and presents a broad based approach to deal with such crises. CCMP is not only to respond to cyber crises/incidents but to guide in building cyber resiliency at organisation & sector-level.
• The plan is updated periodically by CERT-In to take into account the dynamic nature of the Cyber Security threat landscape and emerging technologies.
Quiz
Q1. National Cyber Security Policy aims at protecting _________ and _________ infrastructure from cyber attacks. Choose the correct option.
  a. Public, Private      b. Public, Critical
  c. Critical, Private    d. None of these

Copyright 2017-2018, Government of India (MeitY) All rights reserved

Q2. Which of the following are the objectives of National Cyber Security Policy?
  a. Secure cyber ecosystem
  b. Assurance framework for design of security policies
  c. 24 x 7 operational national level computer emergency response team (CERT-In)
  d. All of the above

Q3. National Cyber Security Policy encourages use of open standards to facilitate interoperability and data exchange among different products or services. State True or False.
  a. True    b. False

Q4. Which of the following is a strategy of National Cyber Security Policy?
  a. Creating an Assurance Framework
  b. Strengthening the Regulatory Framework
  c. Resilience of Critical Information Infrastructure
  d. All of the above

Q5. Which of these sections of the IT Act – 2000 was struck down by the Supreme Court in 2015?
  a. Section 66B    c. Section 71
  b. Section 66A    d. Section 72

Q6. With which of these agencies does CERT-In have international collaborations?
  a. FIRST    b. APCERT
  c. APWG     d. All of the above

Q7. Which of these are the responsibilities of NCIIPC?
  a. Training and Awareness
  b. Vulnerability Assessment and Security Testing
  c. Cyber Forensic Activities
  d. All of the above

Q8. How many minimum critical controls are vital for the creation of the basic safe, secure and resilient platform for the protection of CII under NCIIPC?
  a. 44    c. 42
  b. 40    d. 50

Q9. DOS attacks and DDOS attacks both are a type of Cyber Crisis. State True or False.
  a. True    b. False

Q10. Which of the following actions are important with respect to the preparation of Cyber Crisis Management Plan?
  a. Inventory of Critical Information Assets
  b. Risk Assessment and Risk Management
  c. Business Impact Analysis
  d. All of the above
Cyber Security Capability Assessment
Cybersecurity Capability Assessment helps a nation evaluate and assess its current cyber capabilities and current state of maturity, and identify areas of concern/priority areas where action needs to be taken.
Global Cybersecurity Index (GCI) – GCI Pillars and Sub-pillars
Legal
  • Cybercriminal Legislation
  • Cybersecurity Regulations
  • Cybersecurity Training
Technical
  • National CIRT
  • Govt. CIRT
  • Sectoral CIRT
  • Standards for Organizations
  • Standards and Certifications for professionals
  • Child online protection
Organizational
  • Strategy
  • Responsible agency
  • Cybersecurity Metric
Capacity Building
  • Standardization Bodies
  • Good Practices
  • R&D Programmes
  • Public awareness campaign
  • National Education programmes
  • Incentive mechanism
  • Home grown cybersecurity industry
Cooperation
  • Intra-state Cooperation
  • Multilateral agreements
  • International fora participation
  • Public Private partnership
  • Inter-agency partnership
Cyber Security Organization Structure
A security organizational model should include four major domains of responsibility: security oversight, IT risk, security engineering, and security operations.
Source: Forrester Research Inc.

As per the IT Act, the CISO must be informed about incidents to be reported to CERT-In.
Standards, Audit and Compliance – ISO 27001
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Information Security:
• Preservation of confidentiality, integrity and availability of information.
  – ISO 27000:2012 clause 3.30
Management System:
• Framework of guidelines, policies, procedures, processes and associated resources aimed at ensuring an organization meets its objectives.
  – ISO 27000:2012 clause 2.42
Standards, Audit and Compliance – ISO 27001
14 Domains – 114 Controls
• A.5: Information security policies (2 controls)
• A.6: Organization of information security (7 controls)
• A.7: Human resource security (6 controls that are applied before, during, or after employment)
• A.8: Asset management (10 controls)
• A.9: Access control (14 controls)
• A.10: Cryptography (2 controls)
• A.11: Physical and environmental security (15 controls)
• A.12: Operations security (14 controls)
• A.13: Communications security (7 controls)
• A.14: System acquisition, development and maintenance (13 controls)
• A.15: Supplier relationships (5 controls)
• A.16: Information security incident management (7 controls)
• A.17: Information security aspects of business continuity management (4 controls)
• A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
Standards, Audit and Compliance – ISO 27001 clause structure (Plan-Do-Check-Act)
Plan
  04 Context of the organization: Understanding the organization and its context; Expectations of interested parties; Scope of ISMS; ISMS
  05 Leadership: Leadership and commitment; Policy; Organization roles and responsibilities
  06 Planning: Actions to address risk and opportunities; IS objectives and plans to achieve them
  07 Support: Resources; Competence; Awareness; Communication; Documented information
Do
  8 Operation: Operational planning and control; Information security risk assessment; Information security risk treatment
Check
  9 Performance Evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review
Act
  10 Improvement: Non conformity and corrective action; Continual improvement
Annex A: 14 control objectives and 114 controls
Standards, Audit and Compliance – ISO 27001 Certification Benefits
Compliance: By implementing ISO 27001, a company will comply not only with all the information security requirements, but also with contractual security requirements that clients are enforcing more and more;
Marketing Advantage: Companies with this certificate tend to get more clients as everybody is looking for this kind of guarantee for the security of their information;
Decreasing the Cost: By implementing ISO 27001, many security incidents are prevented, and the investment in implementing this standard is usually far less than the cost of remediation which goes in correction of the incidents; and
Optimizing the business processes: Since the standard requires defining exactly who needs to do what, when and how, this means that employees will be spending less time searching for ways to perform their tasks and will be more aligned to achieve the strategic objectives of the organization.
Standards, Audit and Compliance – ISO 22301
• ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise. The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
Standards, Audit and Compliance – Business continuity Management Lifecycle (ISO 22301)
• Business continuity strategy selection – Clause 8.2.2 and 8.2.3
• Planning and control of operations
• Business continuity strategy selection – Clause 8.3
• Business continuity procedure establishment and implementation – Clause 8.4
• Business continuity plan exercising and testing – Clause 8.5
Standards, Audit and Compliance – ISO 22301 Certification Benefits
• Identify and manage current and future threats to your business
• Take a proactive approach to minimizing the impact of incidents
• Keep critical functions up and running during times of crises
• Minimize downtime during incidents and improve recovery time
• Demonstrate resilience to customers, suppliers and for tender requests
Standards, Audit and Compliance – NIST 800-30
• The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations.
• It provides guidance for carrying out each of the three steps in the risk assessment process, i.e.
  • prepare for the assessment
  • conduct the assessment
  • maintain the assessment
Standards, Audit and Compliance – NIST 800-30 risk management process
The risk assessment sits within a risk management process of four components: FRAME, ASSESS, RESPOND and MONITOR, with information and communication flows between the components.
Standards, Audit and Compliance – NIST 800-30: Conducting risk assessments within organizations
Step 1: Prepare for Assessment (derived from organizational risk Frame)
Step 2: Conduct Assessment – Expanded Task View:
  • Identify Threat Sources and Events
  • Identify Vulnerabilities and predisposing conditions
  • Determine Likelihood of Occurrence
  • Determine Magnitude of Impact
  • Determine Risk
Step 3: Communicate Results
Step 4: Maintain Assessment
Standards, Audit and Compliance – ISO 20000
ISO 20000 is the international standard for IT service management. “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”
• Closely follows the ITIL framework.
• While individuals are ITIL certified, organizations are ISO 20000 certified.
Standards, Audit and Compliance – ISO 20000 compared with ITIL
ISO/IEC 20000
• Standard and Code of Practice
• Certification for a service provider organization
• Definitive high-level requirements for processes and management system
• Organization structure independent with very few mandatory roles specified
• 16 process areas; no functions, lifecycle not explicitly specified
• Definitive set of required documents

ITIL V3 framework
• Best practice
• Qualifications for individuals
• Detailed best practices guidance, description, and implementation aids
• Defines many function and process roles and responsibilities
• 26 process areas and four functions documented in five lifecycle stages
• Description of key documentation
Standards, Audit and Compliance – ISO 20000
The Standard is divided into three parts.
• Part 1: Provides the requirements for IT service management to gain certification
  • This is relevant to those responsible for initiating, implementing or maintaining IT service management in their organization
  • Senior Management are responsible and accountable for ensuring all requirements of Part One are met if Certification is sought
• Part 2: Code of Practice for Service Management
  • Provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000
• Part 3: Scope & Applicability
  • Advice on scoping for service management
  • Planning & improvements
Standards, Audit and Compliance – ISO 20000 process groups
Service Management System, SMS (4): Management Responsibility; Governance of processes; Documentation Management; Resource Management; Establish and Improve the SMS
Design and Transition of New Service (5): Transition Planning and Support
Service Delivery Process (6): Service Reporting; Financial Management; Capacity Management; Info Security Management; Availability Management; Service Continuity Management; Service Level Management
Relationship Process (7): Business Relationship Management; Supplier Management
Resolution Process (8): Problem Management; Incident Management
Control Process (9): Release & Deploy Management; Configuration Management; Change Management
Standards, Audit and Compliance – ISO 20000
Why implement ISO 20000?
• ISO 20000 provides the organization with the means to operate more effectively and efficiently
• ISO 20000 provides an auditable method by which it can assess the quality and conformance of its IT Services
• Provides a structured framework to effectively manage IT services to meet the business/customer requirements.
• Improves effectiveness of IT and promotes consistent delivery of IT services.
• Improves IT performance and service reliability.
• Inculcates a ‘Process Driven’ approach for providing IT services.
CIA
• Confidentiality of information refers to the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
• Integrity refers to the property of safeguarding the accuracy and completeness of assets.
• Availability refers to the property of being accessible and usable upon demand by an authorized entity.
Asset Valuation - Key Tasks Performed
• Asset Format/Type
  • Information – Policies and procedures, system documentation etc.
  • Software – Applications, system software, utilities etc.
  • Physical – Servers, Tapes, Magnetic Devices etc.
  • Services – Client services, Facility Management Services, Process etc.
  • People
  • Paper – Physical hard copy
• Asset Classification
  • Top Management Confidential, Confidential, Restricted, Internal, Public
• Asset Valuation
  • Perform impact assessment for compromise of confidentiality, integrity and availability of assets in a qualitative and a quantitative manner
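The asset valuation tasks above and the NIST 800-30 "conduct the assessment" tasks (threat sources and events, vulnerabilities and predisposing conditions, likelihood, magnitude of impact, risk) can be carried through on a small register. This is an added example written for this page, not code from the training deck, NIST or MeitY; it assumes a 5x5 likelihood/impact scale transcribed from the qualitative assessment scale in SP 800-30 Rev. 1 Appendix I, and adds the standard SLE/ALE calculation as the "quantitative manner" the deck mentions; all assets, monetary values and scenarios are constructed.

```python
"""Worked risk assessment: asset valuation (impact of losing C/I/A) feeding the
NIST SP 800-30 'conduct the assessment' tasks: threat event, vulnerability or
predisposing condition, likelihood, magnitude of impact, risk. Assumptions:
RISK_MATRIX is transcribed from the qualitative scale in SP 800-30 Rev. 1
Appendix I; SLE/ALE is the classic quantitative method, not from SP 800-30;
all assets, values and scenarios are constructed samples."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# rows = likelihood, columns = impact, both ordered Very Low .. Very High
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class Asset:
    name: str
    kind: str             # Information, Software, Physical, Services, People, Paper
    classification: str   # Top Management Confidential ... Public
    impact: dict          # qualitative impact of losing C, I or A, keyed "C"/"I"/"A"
    value: float          # constructed monetary value for the quantitative variant


@dataclass
class ThreatScenario:
    asset: str
    threat_event: str
    vulnerability: str       # vulnerability or predisposing condition
    affects: tuple           # which of "C", "I", "A" the event harms
    likelihood: str          # one of LEVELS
    exposure_factor: float   # fraction of asset value lost per occurrence (constructed)
    aro: float               # annualised rate of occurrence (constructed)


def magnitude_of_impact(asset, affects):
    """High-water mark: the worst rating among the CIA properties the event harms."""
    return max((asset.impact[p] for p in affects), key=LEVELS.index)


def risk_level(likelihood, impact):
    """Qualitative risk from the likelihood x impact scale."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def annualised_loss_expectancy(asset, scenario):
    """Quantitative counterpart: SLE = value x exposure factor, ALE = SLE x ARO."""
    single_loss_expectancy = asset.value * scenario.exposure_factor
    return round(single_loss_expectancy * scenario.aro, 2)


def assess(assets, scenarios):
    """Run each scenario through the tasks; rows come back sorted by risk, then ALE."""
    by_name = {a.name: a for a in assets}
    rows = []
    for s in scenarios:
        asset = by_name[s.asset]
        impact = magnitude_of_impact(asset, s.affects)
        rows.append({
            "asset": asset.name,
            "threat_event": s.threat_event,
            "vulnerability": s.vulnerability,
            "likelihood": s.likelihood,
            "impact": impact,
            "risk": risk_level(s.likelihood, impact),
            "ale": annualised_loss_expectancy(asset, s),
        })
    rows.sort(key=lambda r: (-LEVELS.index(r["risk"]), -r["ale"]))
    return rows


# Constructed sample register: three assets of different types and classifications.
SAMPLE_ASSETS = [
    Asset("Customer PII database", "Information", "Confidential",
          {"C": "High", "I": "Moderate", "A": "Moderate"}, 500_000),
    Asset("Public website", "Services", "Public",
          {"C": "Very Low", "I": "Moderate", "A": "High"}, 100_000),
    Asset("Offsite backup tapes", "Physical", "Restricted",
          {"C": "High", "I": "Low", "A": "Low"}, 50_000),
]

# Constructed threat scenarios: threat event plus vulnerability/predisposing condition.
SAMPLE_SCENARIOS = [
    ThreatScenario("Customer PII database", "Credential theft leading to data exfiltration",
                   "Shared administrator accounts without MFA", ("C",), "High", 0.4, 0.5),
    ThreatScenario("Public website", "Volumetric DDoS against the web front end",
                   "No upstream rate limiting", ("A",), "Very High", 0.1, 2.0),
    ThreatScenario("Public website", "Content defacement",
                   "Unpatched CMS plugin", ("I",), "Moderate", 0.05, 1.0),
    ThreatScenario("Offsite backup tapes", "Tape lost in transit",
                   "Tapes shipped unencrypted", ("C",), "Low", 0.5, 0.2),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        print(f'{r["risk"]:<9} ALE {r["ale"]:>9,.0f}  {r["asset"]}: {r["threat_event"]}')
```

The sorted output is the treatment priority list: the two High risks come first, and within the same qualitative level the ALE breaks the tie, which is where the quantitative valuation earns its keep.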
Quiz
Q1. Which of these is not a component of ISO 20000?
  a. Service Delivery     b. Supplier Management
  c. Decision Analysis    d. Configuration Management

Q2. To which domain can ISO 20000 be applied?
  a. Activity Management    b. IT Component Management
  c. IT Governance          d. IT Service Management

Q3. India ranks at which position on GCI report, 2017?
  a. 100    b. 54
  c. 23     d. 24

Q4. ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." State True or False.
  a. True    b. False

Q5. ISO 27001 uses a ______, _______ approach and is technology-neutral.
  a. Bottom Up, Risk Based    c. Bottom-Up, Risk Averse
  b. Top-Down, Risk Based     d. Top-Down, Risk Averse

Q6. ISO 27001 consists of ___ domains and ____ controls.
  a. 13, 114    b. 13, 115
  c. 14, 114    d. 15, 115

Q7. Which of the following are the domains of ISO 27001?
  a. Information Security Policies    b. Access Control
  c. Cryptography                     d. All of the above

Q8. Which of the below is not included in Plan-Do-Check-Act?
  a. Context of the Organization    b. Planning
  c. Implementation                 d. Improvement

Q9. Arrange the following steps in the order they are performed while conducting an NIST 800-30 Risk Assessment: i) Maintain Assessment, ii) Prepare for Assessment, iii) Communicate Results, iv) Conduct Assessment
  a. I, II, IV, III    b. II, I, III, IV
  c. II, IV, III, I    d. II, IV, I, III

Q10. What does ITIL stand for?
  a. Information Technology infrastructure Library
  b. Information infrastructure Technology Library
  c. Information transformation and infrastructure Library
  d. None of the above

Q11. What does P stand for in PDCA?
  a. Plan       b. Procedure
  c. Process    d. Project
Governance and Risk Management
Organizations today are consistently exposed to cyber threats and a pragmatic risk-based approach is required to manage these threats. GRC management is a vital component of organizational governance.

Lines of defense
• Executive Management / Board of Directors (Perform Oversight): Integrated Risk Governance and Oversight
  – Sets “tone from the top”
  – Establishes risk appetite, strategy & leverages risk
• Internal Audit (Test and Verify, Provide Assurance): Third line of defense – “Independent Assurance and Validation”
  – Validates the overall risk framework
• Compliance (Interpret and Develop, Monitor and Report): Second line of defense – “Risk Control and Monitoring”
  – Perform compliance monitoring of policies and procedures
• Risk Management (Design, Facilitate, Monitor and Report): Second line of defense – “Risk Control and Monitoring”
  – Monitors BU adherence to framework and strategy
• Process and Control Owners: First line of defense – “Risk Owner”
  – Identifies, assesses, manages, mitigates and reports on risk
Foundations: Mandate & Scope; Infrastructure & People; Methods & Practices; Information & Technology
Governance and Risk Management
At most companies compliance activities appear as a ‘Spaghetti Diagram’. Strategies for managing compliance and risk are isolated and lead to the creation of multiple risk governance processes, methods and infrastructure, which raise cost, duplicate effort and deflect resources away from key business activities.

Current state structures are not optimal to address the drivers shaping the current landscape. These companies are not:
► Allocating compliance spend efficiently to proactively identify potential violations before they arise.
► Recognizing the complexity of the regulatory environment and the priorities of the regulatory agencies.
► Advancing data analytics tools and capabilities to match the sophistication of the agencies that regulate them when it comes to compliance.
Governance and Risk Management – typical siloed structure
Board Oversight: Audit committee; Compensation committee; Risk committee; Other committees
Executive Management: CEO; CFO; CIO; General Counsel
Risk functions: Internal Audit; Compliance; Internal Control; Risk Mgmt.; Legal & Regulatory; IT; External Audit
Business Units (multiple)
Siloed risk functions reduce value, increase costs, and impact business performance.
Governance and Risk Management – Aligning ITRM to the business
Business environment
  • Market forces: Globalization; Consumerization; Margin & regulatory pressure; New business models and technology; Investor confidence; Change agenda
  • IT megatrends: Cloud computing; Cybercrime; Internal threats; Third-party suppliers and outsourcing
ITRM (IT risk universe)
  • Legal and regulatory; Programs and change management; Applications and databases; Physical Infrastructure and environment; Security and privacy; Operations
Business objectives
  • Enable innovation and change; Manage Regulatory compliance and Resiliency; Drive growth; Operational excellence
Outcomes
  • Reduced cost of operations; Predictability and Transparency; Expectation and confidence; Avoidance of security breaches; Enhanced capability
Governance and Risk Management – Developing an IT Risk Management framework
Inputs: Business drivers and regulatory requirements; IT strategy; Business objectives, regulatory and board directives.
Information and technology risk governance and strategy
  • Organization Design (People, Program and Function) – Organization structure, roles and responsibilities.
  • Risk identification and profiling – Risk identification, risk domains.
  • Policies and standards – IT policies and standards.
Process, risk and control framework
  • Framework incorporating an IT process, risk and control framework; methodologies; Risk assessments.
Risk processes and operational procedures
  • Processes, procedures and methods for executing the IT risk program: Issues mgmt.; Risk acceptance; Incident mgmt.; Risk reporting and metrics; Assurance; Threat management; Scenario analysis; Awareness and training.
Tools and technology
  • IT risk dashboard; Compliance monitoring and reporting – Tools to facilitate the IT risk program.
Managing risk, driving value, controlling costs and achieving compliance
Governance and Risk Management – Key Objectives
Cyber Security Risk Management Program
• The program should be aligned to address cyber risks that matter most to the business
• Each component requires people, processes and technology capabilities to develop a resilient IT environment
Inputs: Risk tolerance; Threat intelligence; Business priorities
Govern: Effectively manage cybersecurity risks through people, processes and technology
Complicate (Deter): Make it difficult for an attacker to achieve their objective
Detect: Establish capabilities to identify the attack before meaningful business impact is accomplished
Respond: Effectively and efficiently respond to and remediate an attack
Educate: Maintain a security-conscious workforce
Governance and Risk Management
Integrated risk assessment approach to identify the organization’s key risks and cyber security gaps
Inputs: Business drivers; Compliance and Governance; Threat intelligence; Policy and standard; Data infrastructure; Metrics and reporting; Critical assets; Strategy; Company Information Security
Top Down: EY CPA framework
► CPA Assessment: people, process, technology across 20 domains
► Executive perspectives on what matters most to the business
Bottom Up: Align security to the business; Fill technical gaps; Manage security risk
► Scenario-based technical testing
► Attack and penetration technical testing
► Web application assessments (bottom-up assessments)
► Active threat assessments
► Incident response table-top assessments
► Results from the client’s existing A&P reports
Outcomes: Proposed assessment services; Prioritized roadmap; Prioritized initiatives (Complicate, Detect, Respond)
Prioritized initiatives, by domain and mitigation:
1. Security Monitoring: Monitor egress
2. Incident Management: Incident response process
3. Software Security: SDLC
4. Host Security: Remove local admin
5. Identity & Access Management: Password vaulting
Governance and Risk Management
Key KPIs
Our cyber security risk assessment approach maps directly to ISO 27001:2013 and many other security frameworks. Therefore, results using other security frameworks can be normalized to show progress and opportunities for improvement using the CPA framework.
(Two radar charts on a 0 to 5 maturity scale, each plotting Current State and Future State together with the Current State Average Score and Future State Average Score; only the axis labels are kept.)
ITRM Domain Maturities: Vulnerability Identification & Remediation; Architecture; Asset Management; Threat Intelligence; Third Party Mgmt; BCP/DR; Strategy; Software Security; Security Monitoring; Privacy; Policy and standards; Operations; Metrics and Reporting; Network Security; Data Protection; Host Security; Identity and Access Management; Incident Response; Governance and Organization; Awareness
ISO 27001:2013 Domain Maturities: Policy; Organization; Human Resources; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations; Communications; System Acquisition, Development and Maintenance; Supplier Relationships; Incident Management; Business Continuity; Compliance
Governance and Risk Management
We take the following considerations into account when developing a roadmap:
• Organization’s strategic imperatives and values
• Cyber security risk assessment and previous assessment results
• Existing policies and procedures
► Emerging technologies
► Organization’s in-flight projects
► Organization’s target maturity levels
► Input from project participants
The roadmap balances Cost, Risk and Value.
Goals of a future state cyber security roadmap
► Multi-year global roadmap that is co-developed with the organization
► Cost-effective and strategically aligned cyber security function that provides transparency, accountability and performance reporting
► A target future state resulting in a more secure, better protected organization
Governance and Risk Management
Technology Enablers:
List of open source and commercial tools
Open Source tools / Commercial tools
• STREAM / Archer
• Eramba / Metric Stream
• Conga Contracts / Druva inSync
• ORICO / PowerDMS
• GLPI / SafetySync
• Ecompass
• LogicGate
• CIMCON software
• Carta
Quiz: GRC stands for:
a. Governance, Risk Assurance, Compliance
b. Governance, Risk Assurance, Cyber Security
c. Governance, Risk Management, Cyber Security
d. Governance, Risk Management, Compliance
Press the space bar to see the correct answer.
Copyright 2017-2018, Government of India (MeitY) All rights reserved
Quiz: In GRC, strategies for managing compliance and risk are isolated. State True or False.
a. True
b. False
Press the space bar to see the correct answer.
Quiz: Which of the following is not addressed by a Cybersecurity Risk Management Program?
a. How risk is identified?
b. Who can accept risk?
c. How risk can be transferred?
d. Necessary steps to reduce risk
Press the space bar to see the correct answer.
Quiz: Which of the following steps is not a part of a Cybersecurity risk management program?
a. Detect
b. Educate
c. React
d. Respond
Press the space bar to see the correct answer.