A risk-based approach to delivering a customer-centric, ‘enterprise’ patch and vulnerability management system STREAM Integrated Risk Manager Risk management made simple Richard Mayall [email protected] Partner, Acuity Risk Management Deniz Kucukreisoglu [email protected] Information Security & Risk Management Solutions Advisor, CGI

Page 1: A risk-based approach to delivering a customer-centric, ‘enterprise’ patch and vulnerability management system

STREAM Integrated Risk Manager: Risk management made simple

Richard Mayall, [email protected], Partner, Acuity Risk Management

Deniz Kucukreisoglu, [email protected], Information Security & Risk Management Solutions Advisor, CGI

Page 2: Some of our Customers

Page 3: Typical Customer requirements

Page 4: GRC Key Components

Page 5: …and supporting processes

Page 6: Overview

Introductions

Business requirement for effective Patch & Vulnerability management

How we built the system using STREAM

Highlights, lessons learned & next steps…

Summary and questions…

Page 7: Your presenters…

Richard Mayall

30 years' experience in software engineering, information security and risk management

Responsible within Acuity for integrated content development projects for our STREAM Enterprise customers

Deniz Kucukreisoglu

16 years' Information Security experience

Previous clients include…

Specific experience of custom security solutions and risk management methodologies for clients, to enhance the value that a security function adds to the business

Page 8: Background

A Public Services Entity…

Characteristics

Large legacy asset infrastructure

Distributed & complex business functions…

We have this problem

Hard to determine patching priority & risk status…

How we solved it

Model the environment & infrastructure accurately

Bring clarity to areas of business risk

We’d used STREAM previously…

The requirement was…

How the model was developed…

Page 9: Modelling context

Page 10: The business environment

Primary Group:

Production

Pre-Production

Test & Development

Secondary Group:

System Test

BAU Development

DR

Sandpit

Etc.

STREAM Tree structure…

Page 11: Asset Classes

Model: Asset types, groups & classes

HW

FW

MW

VW

SC / SS

OC / OS

AK / AS

Page 12: Notification-Processing-Rollout

NPR stages

NPR assessment scheme

Page 13: User workflow – Process Steps

Page 14: User workflow - Acquire

[Figure: Acquire workflow diagram; labelled items: VULs]

Page 15: User workflow - Prepare

[Figure: Prepare workflow diagram; labelled items: 1_Env, PAT, VUL]

Page 16: User workflow - Inject

[Figure: Inject workflow diagram; labelled items: VULs, PATs, THREAT, CONTROL]

Page 17: User workflow – Set-up

Page 18: User workflow – Use (NPR)

Page 19: User workflow - Exploit

Page 20: Tools Integration

Page 21: Risk-Based Approach

Primary Assets vs Secondary Assets

Example Primary Assets: SAP, Siebel, SMS, S.P., Gov., Audit

[Figure: Business Topology diagram mapping the example primary assets (Siebel, SMS, SAP, S.P.) to business functions (finance, accounting, HR, procurement, project planning, product and case management, reporting), to stakeholder groups (users, 3P agents, customers, vendors, staff, clients, consumers, external audit and compliance) and to Internal Governance & Audit (risk management governance, compliance & audit)]

Page 22: Drillable Dashboard Interface

Page 23: Initial / Inherent Risk View

Page 24: Identify / Assess Primary Assets

Page 25: Impact & Likelihood Assessment

Page 26: Risks Assessed

Page 27: Residual Risk View

Page 28: Optional Risk Appetite View

Page 29: Top Ten Risks

Page 30: Lessons Learned

Brings clarity of understanding of the Information Systems environment

Solution-based approach encourages consistent naming, accurate modelling, etc.

Asset-based approach enhances understanding of potential business impacts

Assessing C, I and A impacts separately helps to align with key Standards such as ISO 27001

Provides actionable intelligence for senior managers

Page 31: Summary of Benefits

Page 32: Acuity Risk Management LLP, Liberty House, 222 Regent Street, London W1B 5TR, +44 20 7297 2086, www.acuityrm.com

STREAM Integrated Risk Manager: Risk management made simple

CGI UK Ltd., Chaucer House, Springfield Drive, Leatherhead, Surrey, KT22 7LP, +44 (0) 1372 369579, www.cgi-group.co.uk