Chaiyakorn
Download as PPTX, PDF0 likes373 views
The document discusses aligning IT security solutions with business justifications, emphasizing the importance of risk-based security investments and the need for organizations to understand their assets and threats. It outlines methodologies for calculating risks and highlights the significance of workforce development in IT security through established frameworks and competencies. The text underscores the need for a balance between technology and business language in security management to ensure effective communication and strategy implementation.
Chaiyakorn
- 1. Aligning IT Security Solutions with Business JustificationChaiyakorn ApiwathanokulCISSP,GCFA,IRCA:ISMSChief Security Officer, PTT ICT Solutions
- 2. Aligning IT Security Solutions with Business JustificationRisk-base security investment (ROSI: Return on Security Investment)Global PerspectiveBeside security solutions, investing in human resource is essential KEY to successYour user: need awarenessYour IT staff: need educationYour management: need understanding
- 3. Risk-base Security InvestmentThe ChallengesOrganization using IT has associated RISKVendors want to sell new stuff Organization doesn’t want to be outdatedSecurity solution is expensiveLimited budgetTechnology moves fast forwardSecurity prof. is too techy(no business language)Where enough is enough?Requirement base vs. Technology base
- 4. Sun Tzu – The Art of War“If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”, Sun Tzu – The Art of War 6th century BCUnderstand your business - YourselfUnderstand the surrounding THREATs – Your ENEMYUnderstand the PROTECTION requirement, limitation and readiness – Your STRATEGY
- 5. Risk-base = Requirement-baseRisk AssessmentQuantify – money figureRisk-base Security Investment
- 6. Recent Standards/GuidelinesBy A. Chaiyakorn Apiwathanokul
- 7. Identifying assetsTangiblesComputers, communications equipment, wiringDataSoftwareAudit records, books, documentsIntangiblesPrivacyEmployee safety & healthPasswordsImage & reputationAvailabilityEmployee morale
- 8. 1Identify Asset ValueCost to acquire or develop the asset Cost to maintain and protect the asset Value of the asset to owners and users Value of the asset to adversaries Value of intellectual property that went into developing the information Price others are willing to pay for the asset Cost to replace the asset if lost Operational and production activities that are affected if the asset is unavailable Liability issues if the asset is compromised Usefulness and role of the asset in the organization
- 9. Identifying threatsEarthquake, flood, hurricane, lighteningStructural failure, asbestosUtility loss, i.e., water, power, telecommunicationsTheft of hardware, software, dataTerrorists, both political and informationSoftware bugs, virii, malicious code, SPAM, mail bombsStrikes, labor & union problemsHackers, internal/externalInflammatory usenet, Internet & web postingsEmployee illness, death Outbreak, epidemic, pandemic
- 10. 1Calculating (quantifying) RisksSingle Loss Expectancy (SLE) SLE = Asset Value x EFAnnual Lose Expectancy ALE = SLE x AROSingle Lose Expectancy (SLE)Amount of lose occur once the threat is realizedExposure Factor (EF)A measure of the magnitude of loss or impact on the value of an assetAnnualized rate of occurrence (ARO)On an annualized basis, the frequency with which a threat is expected to occurAnnualized loss expectancy (ALE)Single loss expectance x annualized rate of occurrence = ALE
- 11. Cost/benefit Analysis forCountermeasure ValuationCost of a lossOften hard to determine accuratelyCost of preventionLong term/short termRefer as Safeguard Cost(ALEno.SG) – (ALEwith.SG) – (Cost of SG) = Value of SG to the companyThis value is always referred to when determining Security ROI or ROSI
- 13. From Global Workforce Study by (ISC)2
- 17. Information Technology (IT) SecurityEssential Body of Knowledge (EBK)A Competency and Functional Frameworkfor IT Security Workforce DevelopmentSeptember 2008United States Department of Homeland Security
- 18. DoD 8570.01-MInformation Assurance Workforce Improvement ProgramDecember 19, 2005
- 19. DoD 8570.01-MInformation Assurance Workforce Improvement ProgramMay 15, 2008
- 20. Why was the EBK established?Rapid evolution of technologyVarious aspects and expertise are increasingly requiredStandard or common guideline in recruiting, training and retaining of workforceKnowledge and skill baselineLinkage between competencies and job functionsFor public and private sectors
- 21. Key Divisions4 functional perspectives14 competency areas10 roles
- 23. IT Security RolesChief Information OfficerDigital Forensics ProfessionalInformation Security OfficerIT Security Compliance OfficerIT Security EngineerIT Security ProfessionalIT Systems Operations and Maintenance ProfessionalPhysical Security ProfessionalPrivacy ProfessionalProcurement Professional
- 24. Competency Areas (MDIE in each)Data SecurityDigital ForensicsEnterprise ContinuityIncident ManagementIT Security Training and AwarenessIT System Operations and MaintenanceNetwork and Telecommunication SecurityPersonnel SecurityPhysical and Environmental SecurityProcurementRegulatory and Standards ComplianceSecurity Risk ManagementStrategic Security ManagementSystem and Application Security
- 26. TISA EBK AnalysisEntry LevelProfessional LevelManagerial Level
- 28. Enterprise Infosec Competency ProfileEnterpriseCapabilityEBKTrainingProvider
- 30. 0-30
- 31. Thank You
Editor's Notes
- #7: ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both public and private sectors.The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards from Australia, Israel, Japan, the United Kingdom and the United States.Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither public nor private sectors are immune from crises, either intentionally or unintentionally provoked. This has lead to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and potentially devastating incidents. ISO/PAS 22399 is the first deliverable from ISO technical committee ISO/TC 223, Societal security, which is charged with developing standards in the area of crisis and continuity management. http://www.continuityforum.org/news/1120/ISO22399