Cyber Security in a Risk Management Framework

Presentation transcript:

Cyber Security in a Risk Management Framework
Gary King, Senior Risk Analyst, Capital Markets - Africa and Middle East
April 2018
© Thomas Murray Data Services 2018 03/05/2019

Introduction: What do you understand about Cyber Security?
- How to create a secure password
- How to spot a dangerous e-mail
- How to protect against identity theft
- System testing
- How to treat Cyber Security as part of a full end-to-end risk framework???

Agenda
- Key Documents
- Risk Management Categories
- Overarching Components

Key Documents (International Standards)
- Guidance on Cyber Resilience for Financial Market Infrastructures - June 2016 (CPMI-IOSCO and BIS)
- Principles for Financial Market Infrastructures (PFMIs) - April 2012 (CPMI-IOSCO)
- Fundamental Elements of Cyber Security for the Financial Sector (G7)

Introduction: Guidance Components

Risk Management: Governance
The arrangements an FMI has put in place to establish, implement and review its approach to managing cyber risks.
Sound Governance is key!
- Cyber is more than just ICT
- Consistency with Enterprise Risk Management
- International and National standards
- Role of the Board and Senior Management
- Audits and Compliance

Risk Management: Identification
Areas where an FMI should identify and classify business processes and information assets as well as external dependencies.
Understand your internal situation!
- Business functions and processes
- Information assets and related access
- Regular review and update
Impact from and on the FMI:
- Not just participants
- How are you interconnected with third parties?

Risk Management: Protection
How FMIs should implement appropriate and effective measures in line with leading cyber resilience and information security practices to prevent, limit or contain the impact of a potential cyber event.
Protection of processes and assets:
- Protective controls
- Resilience by design
- Layered protection
Interconnection risk:
- Participation requirements
- Service provider agreements
Insider threats:
- Security analytics
- Employment status changes
- Access control
- Training staff
- High-risk groups

Risk Management: Detection
An FMI's ability to recognise signs of a potential cyber incident, or detect that an actual breach has taken place.
Continuous monitoring:
- Real time or near real time
- Comprehensive scope
Defence-in-depth approach:
- Delay or disrupt any attack in progress
- Multi-layered detection controls

Risk Management: Response and Recovery
An FMI's capabilities to respond to and recover from cyber attacks.
Incident response, resumption and recovery:
- Investigate! Contain! Recover!
- Two hour RTO
- Contingency plan
- Test it all!
- Are systems and processes designed to limit impacts, resume activities and ensure data integrity?
- Work together with the market

Overarching Components: Testing
All elements of a cyber resilience framework should be rigorously tested to determine their overall effectiveness before being deployed within an FMI, and regularly thereafter.
- Coordinate and test all aspects of the framework
- Use the results
Methodologies and practices:
- Vulnerability Assessment (VA)
- Scenario-based testing
- Penetration tests
- Red team tests

Overarching Components: Situational Awareness
An FMI's understanding of the cyber threat environment within which it operates, the business implications of being in that environment and the adequacy of its cyber risk mitigation measures.
Cyber Threat Intelligence:
- Identify potential threats
- Use a wide source of information
- Gather and analyse information
- Use information effectively
Don't work alone! Share your information and expertise with:
- Local stakeholders / market participants
- Cross-industry
- Cross-border

Overarching Components: Learning and Evolving
An FMI's cyber resilience framework needs to achieve continuous cyber resilience amid a changing threat environment.
- Lessons from cyber events
- Monitor technological developments
- Predictive capabilities
- Use of metrics for benchmarking
Never stop learning!

THANK YOU