SlideShare a Scribd company logo

Mandelaris_SecureWorld_2016_FINAL

Download as PPTX, PDF
C
Christopher Mandelaris

Christopher Mandelaris is the CISO of Chemical Bank and has 15 years of progressive IT experience. He discusses the changing role of the CISO from being reactive to becoming more proactive and risk-informed. The modern CISO focuses on IT risk management and building partnerships between information security and IT teams. An information security management program consists of components like technical security operations, asset classification, security operations centers, business continuity, training and awareness, metrics and reporting, and information security governance. Future trends include addressing gaps in these program areas.

1 of 21
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Speakers: Put your Name and Title here: --- --- --- xxxSWE2016xxx Christopher Mandelaris, MS, CCSIO, CISM, CRISC, CISA, PMP, MCSA CISO Chemical Bank www.linkedin.com/in/cmandelaris Background: 15 years of progressive IT experience and organizations. 7x Ironman Triathlete, 2x Boston Marathon finisher and endurance athlete
Key Talking Points • Information Security and IT Risk Management • The Changing Dynamic of Information Security • The Modern CISO • Program Components and Future Trends • Partnership and Communication
Perspective Going from… • Reactive • Product Purchasing state of mind …To • Proactive • Risk-informed state of mind
Traditional Role of CISO
The Modern CISO
Security & Risk Management: A Shared Responsibility
IT Security Partnerships • Bridging the gaps between Information Security and Business • Building partnerships with Information Technology teams.
IT Risk Management • Set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect the business • Has become one of the most important tools used by the CISO • Translates security requirements and controls into a common language understood by all stakeholders
ISM Program Building Blocks
Gain An Understanding
Program Components & Future Trend Gaps
Technical Security Operations & Architecture Example. - Firewalls, gateways, IDS/IPS • Subset of enterprise architecture which answers: – When, Where and Why something can be done – What is being done – Who is authorized to do it – How is it supposed to be done • Only one facet of a mature program • Driven by Policy, which is driven by the business
Asset Classification • Establish IT asset inventory – Public, Internal, Restricted and Confidential • Review inventory at least quarterly • Policies & Procedures to document AND maintain: – Acceptable Use Policy – Information Classification and Handling Policy – IT asset handling procedures
Security Management & Operations Center (SOC)
Business Continuity & Disaster Recovery • Program which helps organizations prepare for disruptive events • Business Impact Analysis (BIA) = process that defines what and how critical something is
Training & Awareness • Build awareness to protect system resources • Develop skills and knowledge so employees can perform duties more securely • Build in-depth knowledge as needed, to design, implement or operate security for organizations and systems
Metrics & Reporting Basic Methods to define Operational Metrics for Information Security Reporting: 1. Trailing and leading indicators of business related metrics 2. To measure the effectiveness of the security department
Information Security Governance Defined: The active involvement of senior management in the institutionalization and oversight of the information security program of a given organization.
Information Security Governance Success Factors • Institution-wide issue • Leaders are accountable • Viewed as an instructional requirement • IT is Risk-Based, and Risk Informed • Roles, responsibilities and segregation of duties are defined • IT is addressed and enforced in policy • Adequate resources are committed • Staff is trained and aware • Requires Development Life Cycle • Planned, managed, measurable and measured • Reviewed and Audited
Information Security Governance
Closing Remarks

More Related Content

PPTX
Managing Security Risks in Manufacturing
William McBorrough
 
PDF
CNIT 160 3a Information Risk Management
Sam Bowne
 
PDF
BRG_CSP_Study-Summary-nofees
Faisal Amin
 
PPTX
Information Security Governance and Strategy - 3
Dam Frank
 
PPTX
Risk Management and Security in Strategic Planning
Keyaan Williams
 
PDF
Cisa 2013 ch0
Aladdin Dandis
 
PPTX
CISM sertifikacija
BKA (Baltijos kompiuteriu akademija)
 
PPTX
Mastering Information Technology Risk Management
Goutama Bachtiar
 
Managing Security Risks in Manufacturing
William McBorrough
 
CNIT 160 3a Information Risk Management
Sam Bowne
 
BRG_CSP_Study-Summary-nofees
Faisal Amin
 
Information Security Governance and Strategy - 3
Dam Frank
 
Risk Management and Security in Strategic Planning
Keyaan Williams
 
Cisa 2013 ch0
Aladdin Dandis
 
CISM sertifikacija
BKA (Baltijos kompiuteriu akademija)
 
Mastering Information Technology Risk Management
Goutama Bachtiar
 

What's hot (20)

DOCX
Task 2
BIBEKCHAUDHARYBScHon
 
DOCX
task 1
BIBEKCHAUDHARYBScHon
 
PPTX
CISSPills #3.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
PDF
Ch 3a: Risk Management Concepts
Sam Bowne
 
PPTX
Information Security Governance and Strategy
Dam Frank
 
PDF
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
PDF
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
PDF
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
DOCX
Task 3
BIBEKCHAUDHARYBScHon
 
PPT
Lesson 1- Risk Managment
MLG College of Learning, Inc
 
PPTX
Roadmap to security operations excellence
Erik Taavila
 
PPTX
Information classification
Jyothsna Sridhar
 
PPT
Information security policy_2011
codka
 
PPTX
Nabil Malik - Security performance metrics
nooralmousa
 
PPT
Chapter 5 Planning for Security-students.ppt
Shruthi48
 
PDF
Information Security Benchmarking 2015
Capgemini
 
PPTX
Data governance guide
AstalapulosListestos
 
PDF
Information Security Governance #2A
Marius FAILLOT DEVARRE
 
PPTX
Assuring Digital Strategic Initiatives by
FirstMutualHoldings
 
PPTX
Professional Designations IT Assurance
a3virani
 
Task 2
BIBEKCHAUDHARYBScHon
 
task 1
BIBEKCHAUDHARYBScHon
 
CISSPills #3.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Ch 3a: Risk Management Concepts
Sam Bowne
 
Information Security Governance and Strategy
Dam Frank
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
Sam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
Sam Bowne
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
Task 3
BIBEKCHAUDHARYBScHon
 
Lesson 1- Risk Managment
MLG College of Learning, Inc
 
Roadmap to security operations excellence
Erik Taavila
 
Information classification
Jyothsna Sridhar
 
Information security policy_2011
codka
 
Nabil Malik - Security performance metrics
nooralmousa
 
Chapter 5 Planning for Security-students.ppt
Shruthi48
 
Information Security Benchmarking 2015
Capgemini
 
Data governance guide
AstalapulosListestos
 
Information Security Governance #2A
Marius FAILLOT DEVARRE
 
Assuring Digital Strategic Initiatives by
FirstMutualHoldings
 
Professional Designations IT Assurance
a3virani
 
Ad

Viewers also liked (6)

PDF
Flowchart - Building next gen malware behavioural analysis environment
isc2-hellenic
 
PPTX
Building next gen malware behavioural analysis environment
isc2-hellenic
 
PDF
GDPR Cyber Insurance 11/1/2017
isc2-hellenic
 
PDF
Super CISO 2020: How to Keep Your Job
Priyanka Aash
 
PDF
The evolving threats and the challenges of the modern CISO
isc2-hellenic
 
PDF
Itil 2011 Mind Maps
Hussein Elmenshawy
 
Flowchart - Building next gen malware behavioural analysis environment
isc2-hellenic
 
Building next gen malware behavioural analysis environment
isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
isc2-hellenic
 
Super CISO 2020: How to Keep Your Job
Priyanka Aash
 
The evolving threats and the challenges of the modern CISO
isc2-hellenic
 
Itil 2011 Mind Maps
Hussein Elmenshawy
 
Ad

Similar to Mandelaris_SecureWorld_2016_FINAL (20)

DOCX
IT Risk assessment and Audit Planning
goreankush1
 
PDF
Kmicro Cybersecurity Offerings 2020
Manuel Guillen
 
PPTX
CISM_WK_1.pptx
dotco
 
PDF
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
PDF
Information Assurance Guidelines For Commercial Buildings...
Laura Benitez
 
PDF
Implementing a Security Management Framework
Joseph Wynn
 
PDF
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
PDF
Solve the exercise in security management.pdf
sdfghj21
 
PPTX
Bob West - Educating the Board of Directors
centralohioissa
 
PPT
Role of The Board In IT Governance & Cyber Security-Steve Howse
CGTI
 
PPTX
5548 isaca for-students
Universitas Bina Darma Palembang
 
PPT
Risk Based Security and Self Protection Powerpoint
randalje86
 
PDF
NY State's cybersecurity legislation requirements for risk management, securi...
IT Governance Ltd
 
PDF
CCISO_Certification_Training_Course-Outline.pdf
priyanshamadhwal2
 
PPTX
crisc_wk_2a.pptx
dotco
 
PPTX
MIS.pptx Management of information system
fahmyahmed789
 
PPTX
Cyber Defence - Service portfolio
Kaloyan Krastev
 
PDF
Decode_Portfolio2016
Dion McCloskey
 
PPTX
Pindad iso27000 2016 smki
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
IT Risk assessment and Audit Planning
goreankush1
 
Kmicro Cybersecurity Offerings 2020
Manuel Guillen
 
CISM_WK_1.pptx
dotco
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
Building an effective Information Security Roadmap
Elliott Franklin
 
Information Assurance Guidelines For Commercial Buildings...
Laura Benitez
 
Implementing a Security Management Framework
Joseph Wynn
 
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
Solve the exercise in security management.pdf
sdfghj21
 
Bob West - Educating the Board of Directors
centralohioissa
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
CGTI
 
5548 isaca for-students
Universitas Bina Darma Palembang
 
Risk Based Security and Self Protection Powerpoint
randalje86
 
NY State's cybersecurity legislation requirements for risk management, securi...
IT Governance Ltd
 
CCISO_Certification_Training_Course-Outline.pdf
priyanshamadhwal2
 
crisc_wk_2a.pptx
dotco
 
MIS.pptx Management of information system
fahmyahmed789
 
Cyber Defence - Service portfolio
Kaloyan Krastev
 
Decode_Portfolio2016
Dion McCloskey
 
Pindad iso27000 2016 smki
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 

Mandelaris_SecureWorld_2016_FINAL

  • 1. Speakers: Put your Name and Title here: --- --- --- xxxSWE2016xxx Christopher Mandelaris, MS, CCSIO, CISM, CRISC, CISA, PMP, MCSA CISO Chemical Bank www.linkedin.com/in/cmandelaris Background: 15 years of progressive IT experience and organizations. 7x Ironman Triathlete, 2x Boston Marathon finisher and endurance athlete
  • 2. Key Talking Points • Information Security and IT Risk Management • The Changing Dynamic of Information Security • The Modern CISO • Program Components and Future Trends • Partnership and Communication
  • 3. Perspective Going from… • Reactive • Product Purchasing state of mind …To • Proactive • Risk-informed state of mind
  • 6. Security & Risk Management: A Shared Responsibility
  • 7. IT Security Partnerships • Bridging the gaps between Information Security and Business • Building partnerships with Information Technology teams.
  • 8. IT Risk Management • Set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect the business • Has become one of the most important tools used by the CISO • Translates security requirements and controls into a common language understood by all stakeholders
  • 12. Technical Security Operations & Architecture Example. - Firewalls, gateways, IDS/IPS • Subset of enterprise architecture which answers: – When, Where and Why something can be done – What is being done – Who is authorized to do it – How is it supposed to be done • Only one facet of a mature program • Driven by Policy, which is driven by the business
  • 13. Asset Classification • Establish IT asset inventory – Public, Internal, Restricted and Confidential • Review inventory at least quarterly • Policies & Procedures to document AND maintain: – Acceptable Use Policy – Information Classification and Handling Policy – IT asset handling procedures
  • 14. Security Management & Operations Center (SOC)
  • 15. Business Continuity & Disaster Recovery • Program which helps organizations prepare for disruptive events • Business Impact Analysis (BIA) = process that defines what and how critical something is
  • 16. Training & Awareness • Build awareness to protect system resources • Develop skills and knowledge so employees can perform duties more securely • Build in-depth knowledge as needed, to design, implement or operate security for organizations and systems
  • 17. Metrics & Reporting Basic Methods to define Operational Metrics for Information Security Reporting: 1. Trailing and leading indicators of business related metrics 2. To measure the effectiveness of the security department
  • 18. Information Security Governance Defined: The active involvement of senior management in the institutionalization and oversight of the information security program of a given organization.
  • 19. Information Security Governance Success Factors • Institution-wide issue • Leaders are accountable • Viewed as an instructional requirement • IT is Risk-Based, and Risk Informed • Roles, responsibilities and segregation of duties are defined • IT is addressed and enforced in policy • Adequate resources are committed • Staff is trained and aware • Requires Development Life Cycle • Planned, managed, measurable and measured • Reviewed and Audited

Editor's Notes

  • #4: So often Information Security is thought of a product tools centric initiate with code running in the background in a dark room where the business has no idea what’s going on. Buying products to monitor, alert and respond to threats and vulnerabilities and keep the fraudsters at bay keep organizations in a reactive state rather than proactive state. Many organizations implement products and services to keep risk at a minimum but alternatively opens the organization up to more risk by not aligning with goals an objectives of the enterprise, not risk based focus, not reviewing logs and alerts coming from security applications, too many solutions best in class rather than a security management system focused on the right risks, vulnerabilities and threats for the environment.
  • #7: Domain 1 page 30 for further definitions to speak
  • #8: Domain 1 page 30 for further definitions to speak
  • #10: Domain 1 page 5
  • #15: The workhorses, monitoring, detecting and reporting
  • #18: Page 67 domain 1