Cyber Security in a Risk Management Framework

Presentation on theme: "Cyber Security in a Risk Management Framework"— Presentation transcript:

1 Cyber Security in a Risk Management Framework
Gary King Senior Risk Analyst, Capital Markets - Africa and Middle East April 2018 © Thomas Murray Data Services 2018 03/05/2019

2 Introduction: What do you understand about Cyber Security?
- How to create a secure password
- How to spot a dangerous
- How to protect against identity theft
- System testing
- How to treat Cyber Security as part of a full end-to-end risk framework???

3 Agenda
- Key Documents
- Risk Management Categories
- Overarching Components

4 International Standards: Key Documents
- Guidance on Cyber Resilience for Financial Market Infrastructures, June 2016 (CPMI-IOSCO and BIS)
- Principles for Financial Market Infrastructures (PFMIs), April 2012 (CPMI-IOSCO)
- Fundamental Elements of Cyber Security for the Financial Sector (G7)

5 Introduction: Guidance Components

6 Risk Management: Governance
The arrangements an FMI has put in place to establish, implement and review its approach to managing cyber risks.
Sound Governance is key!
- Cyber is more than just ICT
- Consistency with Enterprise Risk Management
- International and National standards
- Role of the Board and Senior Management
- Audits and Compliance

7 Risk Management: Identification
Areas where an FMI should identify and classify business processes and information assets as well as external dependencies.
- Business functions and processes
- Information assets and related access
- Regular review and update
- Understand your internal situation!
- Impact from and on the FMI
- Not just participants
- How are you interconnected with third parties?

8 Risk Management: Protection
How FMIs should implement appropriate and effective measures in line with leading cyber resilience and information security practices to prevent, limit or contain the impact of a potential cyber event.
- Protection of processes and assets:
- Protective Controls
- Resilience by design
- Layered Protection
- Interconnection Risk
- Participation requirements
- Service Provider agreements
- Insider Threats
- Security analytics
- Employment status changes
- Access control
- Training
- Staff
- High-risk groups

9 Risk Management: Detection
An FMI’s ability to recognise signs of a potential cyber incident, or detect that an actual breach has taken place.
- Real time or near real time
- Comprehensive scope
- Continuous Monitoring
- Defence-in-depth approach
- Delay or disrupt any attack in progress
- Multi-Layered detection controls

10 Risk Management: Response and Recovery
An FMI’s capabilities to respond to and recover from cyber attacks.
- Incident response, resumption and recovery
- Investigate! Contain! Recover!
- Two hour RTO
- Contingency plan
- Test it all!
- Are systems and processes designed to limit impacts, resume activities and ensure data integrity?
- Work together with the market

11 Overarching Components: Testing
All elements of a cyber resilience framework should be rigorously tested to determine their overall effectiveness before being deployed within an FMI, and regularly thereafter.
- Coordinate and Test all aspects of the framework
- Use the results
- Methodologies and Practices
- Vulnerability Assessment (VA)
- Scenario-based testing
- Penetration tests
- Red team tests

12 Overarching Components: Situational Awareness
An FMI’s understanding of the cyber threat environment within which it operates, the business implications of being in that environment and the adequacy of its cyber risk mitigation measures.
- Cyber Threat Intelligence
- Identify potential threats
- Use a wide source of information
- Gather and analyse information
- Use information effectively
- Don’t work alone! – Share your information and expertise
- Local stakeholders / market participants
- Cross-industry
- Cross-border

13 Overarching Components: Learning and Evolving
An FMI’s cyber resilience framework needs to achieve continuous cyber resilience amid a changing threat environment.
- Lessons from cyber events
- Monitor technological developments
- Predictive Capabilities
- Use of Metrics for Benchmarking
- Never stop learning!

14 THANK YOU

