Presentation is loading. Please wait.

Presentation is loading. Please wait.

DSC Contract Management Committee Meeting

Published byAlfréd Pataki Modified over 5 years ago

Similar presentations

Presentation on theme: "DSC Contract Management Committee Meeting"— Presentation transcript:

1 DSC Contract Management Committee Meeting
Mar 19 DSC Contract Management Committee Meeting Information Security Presented by Vinnie Bhanderi 20 March 2019 Internal Use Only

2 Security Improvement Programme
Mar 19 Risk Driver Project Work stream Key Action Deliverable Information security requirements are not clearly defined or understood resulting in the absence of critical processes and controls necessary to manage information security risks within the firm's appetite. Information Security Governance Establish Steering Committee to oversee information security programme Establish Information Security Board Information Security Steering Committee held monthly with senior management/executives with defined terms of reference Define and published security architecture principles for information, systems and services [COMPLETED OCT 2018] Training and awareness is ineffective and increases the chance of a successful cyber attack against the firm or incorrect use and processing of sensitive information. Individuals are also not trained on how to react in the event of an incident delaying the firm's ability to respond. Education Training and Awareness Information Security training & awareness governance General awareness campaigns on an on- going basis GCHQ Approved Vendome Selected Provide computer based training for all staff and measure compliance for completion. Noncompliance with internal and external information security requirements resulting in a breach of legal, regulatory or commercial obligations for the firm. Data Protection Obtain expert advice on data protection and legal and regulatory issues Measure ongoing compliance Discovery phase completed end of Dec 2018 Remediation and improvement embedding commenced with support from 3rd Party DPA Consultancy and virtual DPO service Security events are not recorded, monitored or promptly reported resulting in the firm being unable to identify potential security incidents. Threats and vulnerabilities are not identified at the earliest opportunity or manged within the firm's tolerance, leaving critical systems, services and sensitive information exposed to malicious attack, fraud, error or failure. Security Monitoring Focus on security incident management, root cause analysis and management metrics for reporting Define scope of activity for security operations: e.g. vulnerability assessment, security testing, data loss prevention, threat intelligence and forensic investigations Phased approach with UK Link by end of March 2019 Gemini by end of April 2019 Rest of IT Infrastructure estate by end of May 2019

3 Security Improvement Programme
Mar 19 Risk Driver Project Work stream Key Action Deliverable Responsibility for information security, including the identification of new risks and external requirements, is not clearly assigned, understood or enforced, resulting in an insecure environment and culture at the firm. Information processed by suppliers is not handled securely or afforded the necessary level of protection throughout its useful economic life. Information Security Management System (ISMS) Develop a consistent approach for assessment of information security risk and embed within the organisation. Maintain ISMS documentation to meet ISO27001 standard. Review and address any audit findings Assess the danger of third parties who hold or manage Xoserve proprietary or client data Update key documentation to align with the requirements of the standard. Take corrective action to address non conformances from internal audit. Publish 3rd party reviews that have been conducted. Unified Control Framework (UCF) Develop a consistent approach for information security controls to ensure baseline security requirements are understood and embedded. Volunteering to include Network and Information System (NIS) Directive Continue to assess using baseline controls from ISO27001 Extend baseline security controls by selecting NIST Cybersecurity framework Publish fit for purpose framework with details of control requirements against NISD, NIST and ISO standards/frameworks Assess environment to understand maturity Continue to monitor against the UCF and adjust as necessary to meet both business and external obligations/requirements. NOTE: ISO27001 certification remains in place to provide assurance to stakeholders. Critical Business Application Review Develop a consistent approach for assessment against recognised industry frameworks for application security review of top 10 business application. Select and agree top 10 critical business application Completed review of top 10 business critical application Remediation plan defined and treatment plans signed off by security governance

Download ppt "DSC Contract Management Committee Meeting"

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Environmental Management System Implementation

Environmental Management System Implementation
[Organisation’s Title] Environmental Management System

[Organisation’s Title] Environmental Management System
Environmental Management System (EMS)

Environmental Management System (EMS)
Security Controls – What Works

Security Controls – What Works
ISO General Awareness Training

ISO General Awareness Training
OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Security Risk Management

Information Security Risk Management
4. Quality Management System (QMS)

4. Quality Management System (QMS)
Fundamentals of ISO.

Fundamentals of ISO.
Challenges Faced in Developing Audit Plans and Programs 21 st March, 2013.

Challenges Faced in Developing Audit Plans and Programs 21 st March, 2013.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Basics of OHSAS Occupational Health & Safety Management System

Basics of OHSAS Occupational Health & Safety Management System
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
© 2013 Cambridge Technical CommunicatorsSlide 1 ISO/IEC 27001 Standard for Information Security Management Systems.

© 2013 Cambridge Technical CommunicatorsSlide 1 ISO/IEC Standard for Information Security Management Systems.
1) Establish & Identify Scheme 5) Evolve Scheme 4) Review & Modify Scheme Deliverables 3) Operate the Framework 2) Manage Performance Assurance Scheme.

1) Establish & Identify Scheme 5) Evolve Scheme 4) Review & Modify Scheme Deliverables 3) Operate the Framework 2) Manage Performance Assurance Scheme.
ISMS Implementation Workshop Adaptive Processes Consulting Pvt. Ltd.

ISMS Implementation Workshop Adaptive Processes Consulting Pvt. Ltd.
Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.

Visibility. Intelligence. response Information Security: Risk Management or Business Enablement? Mike Childs Vice President Rook Security.
Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015.

Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc

Similar presentations

Ads by Google