What is Cybersecurity Office of Information Technology

Presentation on theme: "What is Cybersecurity Office of Information Technology"— Presentation transcript:

1 What is Cybersecurity
Office of Information Technology, Security & Compliance. Think Security and Do Good Things!
Elizabeth Cole-Walker (Information Security Specialist, Information Security Risk & Assurance)

2 What is Cybersecurity?
[Slide diagram: Technology, Facilities, People, Business]
- Cybersecurity involves protecting an entire ecosystem: people, physical space, technology, and operations.
- It integrates the security and business layers of an organization to make balanced, risk-based decisions about technology use.
- It is an integrated approach to protect against, respond to, and recover from an attack or adverse event, which increases the solvency of the business.
Notes: We are an interconnected world, more than ever in history; our refrigerators are part of cyberspace today. The internet (cyberspace) serves as the backbone for data exchange and use. All the ingress/egress points, i.e., people, facilities, data and related assets, technology, etc., need to be factored into how best to protect an organization. IT has transitioned from being just a tool that helps the business meet its mission to being an integral part of the business. Cybersecurity is more than IT: although there is IT security, not all IT resources are for security, have been developed to be secure, or have knowledge of security.

3 Importance of People & Operations
- Data drives the business, and people use the data.
- Business must focus more on its processes and on how people use them.
- A risk-based approach, where people understand the role they play in security, is vital for success.
- Security controls need to be assessed against real risks and the organization's risk tolerance to meet the mission.
Notes: People are a business's greatest asset and also its greatest vulnerability. It is now necessary for a cybersecurity practitioner to understand business, operations, the big picture, IT, and security!

4 Security Career Tracks
- Information Security – Less Technical/Non-Technical (i.e., risk, assurance, policy, governance, or regulatory compliance, etc.)
- Information Security – Technical (i.e., security analyst, architect, tester, engineer, or administrator, etc.)
- Hardware, Services, and Infrastructure
- IT Management and Strategy
- Storage and Data
- Web and Mobile
- Software Development and Business Analyst
- Training
- Auditing and Assessment
- Network and Cloud Technologies

5 Functional Roles in Cybersecurity
Executive Management and Senior Leadership
- Visible advocate for the cybersecurity program
- Promotes and demands accountability
- Promotes policy and governance
- Directs assessments
Notes: If the top is not bought into the cybersecurity program and its policy and strategy, it will fail. It is important to learn how to communicate up, down, and sideways.

6 Functional Roles in Cybersecurity
Human Resources
- Knows the people and the types of data used
- Key in identifying insider-threat indications
- Develops and implements policy and procedures
- Understands many laws and regulations
Notes: HR is the central place to integrate the policy, processes, and strategy that involve the People part of cybersecurity.

7 Functional Roles in Cybersecurity
Legal Counsel
- Reviews/advises on policy (i.e., data collection, data use, cyber investigations, etc.)
- Supports compliance with regulations, rules, and laws
Finance
- Knowledge of financial assets and data use
- Knowledge of risk and impacts
Notes: Finance and Legal are big players in cybersecurity.

8 Functional Roles in Cybersecurity
Information Technology
- Builds, operates, and maintains data collection solutions
- Represents expertise in computer systems engineering, system and database administration, interface design, and algorithm development for using data
- Understanding of software, hardware, and user interfaces
- Knowledge of the operations that support the business
Notes: It is important to understand what IT support is needed; it is not one size fits all.

9 Functional Roles in Cybersecurity
Security
- Works with all elements of the organization to secure assets (people, facilities, data, etc.)
- Represents industrial, IT, information assurance, auditing, physical, personnel, and operational security
- Training and awareness
- Logging, monitoring, and investigations
- Understands the operational functions and the people
Notes: Security is the glue that holds everything together!

10 Protection of Critical Assets
- Cybersecurity is really asset and risk management: you cannot protect what you don't know you have.
- An asset can be "tangible" (physical in nature or measurable) or "intangible" (not physical in nature, and often difficult to assign a value to).
- Requires documentation and continual review, testing, and improvement.
Notes: The first thing a company needs to do when establishing a security program is to conduct an asset inventory, include representatives from all core functional areas, and rank the assets. You can't protect what you do not know you have, or what you do not know is important to you!

11 The Threat Landscape
Nation States, Organized Crime, Hackers, Espionage
- The lines are blurring.
- They are all bad guys and is the most likely attack method!
Notes: It really does not matter what the adversary is; they are all bad guys. We are all targets and will be victimized, so make it frustrating for the bad guy. Make him/her work for it; often, if it requires effort, they move on to the next target. is the place that makes an organization or person vulnerable. User awareness is key to stopping all types of attacks, because most likely that is the method of entry.

12 What is the NIST Cybersecurity Framework
Cybersecurity is more than just IT/technical controls; it also includes all the people and processes that are used to do your business. It is important to understand which vital functions are necessary for a mature cybersecurity program. Think about all the roles that are involved in each of the puzzle pieces that make up the framework. The cybersecurity profession is rich and dynamic; don't box yourself in!
The five Framework Core functions and their categories (NIST CSF v1.1; note that CSF 2.0, published in 2024, adds a sixth function, Govern):
- Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management
- Protect: Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
- Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
- Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Recovery Planning, Improvements, Communications

13 Data Life-cycle and CIA Triad
The cybersecurity community uses a data protection methodology called the CIA Triad. It stands for Confidentiality, Integrity, and Availability.
- Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542]
- Integrity: guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542]
- Availability: ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542]

14 Risk Factors
- Strategic: affects the ability to carry out goals and objectives
- Reputational: affects reputation, public perception, political issues, etc.
- Financial: affects the loss of (or ability to acquire) assets, technology, etc.
- Operational: affects ongoing management processes and procedures
- Compliance: affects compliance with laws and regulations; student, faculty, staff, and visitor safety; environmental issues; litigation; conflicts of interest; privacy; and so forth
- Hazard: affects the ongoing operation of a business through man-made, natural, or other negative events
Notes: This is important when attempting to determine the ranking or critical nature of an asset. Intangible assets are often the most difficult to value and are often overlooked as critical assets.

15 Impact Scale
NIST (FIPS 199) rates impact by how severely the organization would be affected by an attack on, or the unauthorized disclosure or loss of, an asset. It is defined on a three-point scale: Low, Moderate, and High. Understanding the impact that loss or unauthorized disclosure of an asset has for each risk factor is key to developing a strategic cyber program.

16 Identifying Critical Assets
Determining the impact that loss or compromise of each asset would have, rated Low, Moderate, or High.
[Slide matrix: assets (IP, Code, Website, Clean Room) rated Low/Moderate/High against each risk factor (Strategic, Reputational, Financial, Operational, Compliance); the individual cell ratings are not recoverable from the transcript.]
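The slide's matrix can be turned into a repeatable ranking. The following is an added example (not part of the presentation) that takes an asset inventory with a Low/Moderate/High rating per risk factor, as on slides 15 and 16, and ranks the assets. The aggregation rule is an assumption the slides do not state: an asset's overall level is its highest rating across factors (the "high-water mark" that FIPS 199 uses for security categorization), with ties broken by how many factors are rated High and then Moderate. The four assets and all of their ratings are constructed for illustration.

```python
"""Rank an asset inventory by impact level across risk factors.

Added example, not from the slides. The impact matrix below is
constructed sample data; the high-water-mark aggregation is an
assumption (FIPS 199 style), since the slides do not say how the
per-factor ratings roll up into one ranking.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Ordered from least to most severe (slide 15).
LEVELS = ("Low", "Moderate", "High")
# Risk factors used as matrix columns on slide 16.
RISK_FACTORS = ("Strategic", "Reputational", "Financial", "Operational", "Compliance")


@dataclass(frozen=True)
class Asset:
    name: str
    tangible: bool                 # slide 10: tangible vs intangible
    impacts: dict[str, str]        # risk factor -> "Low" | "Moderate" | "High"

    def __post_init__(self) -> None:
        # Reject an incomplete row or a rating outside the three-point scale,
        # so a half-filled inventory cannot silently rank as "Low".
        missing = set(RISK_FACTORS) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.name}: no rating for {sorted(missing)}")
        bad = {f: v for f, v in self.impacts.items() if v not in LEVELS}
        if bad:
            raise ValueError(f"{self.name}: invalid ratings {bad}")

    def high_water_mark(self) -> str:
        """Overall level = most severe rating across all risk factors."""
        return max(self.impacts.values(), key=LEVELS.index)

    def drivers(self) -> list[str]:
        """Risk factors that carry the asset's high-water-mark rating."""
        hwm = self.high_water_mark()
        return [f for f in RISK_FACTORS if self.impacts[f] == hwm]

    def score(self) -> tuple[int, int, int]:
        """Sort key: (overall level, #High factors, #Moderate factors)."""
        counts = Counter(self.impacts.values())
        return (LEVELS.index(self.high_water_mark()), counts["High"], counts["Moderate"])


def rank_assets(assets: list[Asset]) -> list[Asset]:
    """Most critical asset first."""
    return sorted(assets, key=Asset.score, reverse=True)


def inventory_report(assets: list[Asset]) -> list[str]:
    """One line per asset, in ranked order, naming the factors that drive the rating."""
    lines = []
    for rank, asset in enumerate(rank_assets(assets), start=1):
        kind = "tangible" if asset.tangible else "intangible"
        lines.append(
            f"{rank}. {asset.name} ({kind}): {asset.high_water_mark()} "
            f"via {', '.join(asset.drivers())}"
        )
    return lines


# Constructed sample inventory mirroring the asset names on slide 16.
# Ratings are illustrative only.
SAMPLE_ASSETS = [
    Asset("IP", False, {"Strategic": "High", "Reputational": "Moderate",
                        "Financial": "High", "Operational": "Low",
                        "Compliance": "Moderate"}),
    Asset("Code", False, {"Strategic": "Moderate", "Reputational": "Moderate",
                          "Financial": "Moderate", "Operational": "High",
                          "Compliance": "Low"}),
    Asset("Website", True, {"Strategic": "Low", "Reputational": "High",
                            "Financial": "Moderate", "Operational": "Moderate",
                            "Compliance": "Low"}),
    Asset("Clean Room", True, {"Strategic": "Moderate", "Reputational": "Low",
                               "Financial": "Moderate", "Operational": "Moderate",
                               "Compliance": "Low"}),
]

if __name__ == "__main__":
    for line in inventory_report(SAMPLE_ASSETS):
        print(line)
```

With the constructed ratings the two intangible assets (IP and Code) rank above both tangible ones, which is the point slide 14 makes about intangibles being overlooked. The validation in `__post_init__` matters in practice: an asset nobody rated should fail loudly rather than sort to the bottom as if it were low impact.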

17 Cybersecurity Career References
- CompTIA IT Certification Roadmap
- Cyber Security Degrees & Careers – How to Work in Cyber Security
- Getting Started in Cybersecurity with a Non-Technical Background
- Which non-technical skills are most important to a career in security?
- IT careers for non-technical people
- ISACA Certification: IT Audit, Security, Governance and Risk
- NIST Cybersecurity Framework
- CIA Triad Model

