Compliance Vs cyber security


Presentation Transcript


  1. Compliance Vs cyber security Milda Petraityte, MSc, SSCP, ISO27001 LA

  2. Recent news

  3. What does it mean to be compliant?

  4. Complying with regulatory requirements
  • PCI DSS, GDPR, HIPAA have different types of data in scope
  • Gaming authorities focus on very specific requirements and turn some information security frameworks into a checklist.
  • UKGC, a UK gaming authority, does not require organisations to have a business continuity plan…
  • …or controls around change management
  • …or background checks of employees

  5. Following a checklist
  • Checklists could be overly specific
  • Checklists are useful for static environments and repetitive processes
  • Checklists mislead people into believing that there are shortcuts for high-stakes predictions.

  6. Performing audits
  • Checking that ‘everything is all right’
  • Organisations prepare for an audit
  • A state at a point in time, based on the information that an organisation provides to the auditor
  • A dependency on the auditor’s knowledge and experience

  7. Traits of compliance
  • Focused on regulatory requirements;
  • Narrow in scope, and often academic;
  • Based on a checklist;
  • Focused on a point-in-time snapshot (i.e. an audit).
  Bottom line: compliance doesn't guarantee security (nothing guarantees it)

  8. What is cyber security in practice?

  9. Involvement from the top
  • Where in the organisational chart does the cyber security team sit in your organisation?
  • Cyber security must be on the agenda of top management
  • Cyber security is a ‘team sport’

  10. Security culture and behaviour
  • Is speaking up and whistleblowing encouraged?
  • Do people receive appropriate training?
  • What kind of behaviours are rewarded?
  • Are audit findings frowned upon?

  11. Risk-based approach
  • Name all applicable risks!
  • Any activities and implementations must work for the organisation; they must make sense
  • Cyber security must be reasonable, based on risks and cost-benefit analysis
  • Controls should be flexible and adaptable to multiple systems across the organisation
  • Cyber security is not static; it is a continuous process

  12. Traits of cyber security
  • Covers people, processes and technology
  • Is strategic, due to involvement from the leadership
  • Flexible, based on risk management and cost-benefit analysis
  • Focused on creating a cyber security culture and mindset across the organization
  Again: practicing cyber security does not guarantee no breaches! (nothing guarantees it)

  13. An accident… or is it?
  “Though we want to believe that violence is a matter of cause and effect, it is actually a process, a chain in which the violent outcome is only one link. The process of [attack] starts way before the [actual attack].” (G. de Becker, The Gift of Fear)

  14. Threat drives the risk calculation
  New cyber jargon:
  • Threat
  • Threat landscape
  • Threat intelligence
  • Cyber kill chain

  15. What is your Threat landscape?

  16. Is it a threat?
  • Potential
  • Impending
  • Insubstantial

  17. https://www.citycomp.de/English/enterprise/stellungnahme.html
  https://www.vice.com/en_us/article/d3np4y/hackers-steal-ransom-citycomp-airbus-volkswagen-oracle-valuable-companies

  18. Malicious insider
  People who take advantage of their access to inflict harm on an organization:
  • Disgruntled employees
  …but could also be:
  • Tired and distracted employees (accidental)
  • Unaware and uneducated employees

  19. Cyber kill chain: cost and risk to contain and remediate
  https://www.eventtracker.com/blog/2017/january/siemphonic-cyber-kill-chain/

  20. Learning from incidents (of others?)
  What organisations do after an incident:
  • Playing the blame game
  • Stacking up new ‘singing and dancing’ technology solutions
  • Hiring a silver-bullet ‘magician’ security expert who is ‘skilled in Splunk intrusion detection, network administration and Cisco routers, Cloud security including AWS, Gsuite, Azure. Can code in Java, Python and Ruby. Must be a team player, experienced in risk management and excellent communicator with C-suite. Should be able to fix the ventilation and fire suppression system in the server room if required. Ability to make good tea is a big plus.’
  …when it happens to someone else:
  • Adopting a ‘This will not happen to us’ mentality
  • Assuring each other that ‘this is how we always did things and it was fine so far’

  21. Staying ahead
  Similar to what you do when you walk in a dark alley in the middle of the night:
  • Don’t walk alone; have ‘buddies’
  • Understand what criminals would be interested in, in what you do
  • Understand what is happening around you and how that could impact you
  • Do not be the low-hanging fruit.

  22. Thank you
  Email: milda@kyte.global
  Skype: milda.kyte
  LinkedIn: mildapetraityte
