CYBERSECURITY ASSURANCE ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF ITIL SPECIAL INTEREST GROUP 1 ISACA MALAYSIA CHAPTER
Like any information security process, cyber security should have an adequate and reasonable level of assurance, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes. These controls are supported by appropriate metrics and indicators for security goals and factual security risk. This session will share a cybersecurity self-assessment program for carrying out an audit or self-assessment review of cyber security controls and practices in a typical organisation. This assurance program leverages the COBIT 5 framework and COBIT 5 for Information Security as a baseline.
CYBERSECURITY ASSURANCE
CYBERSECURITY ASSURANCE
This session aims to bring forth the following to the delegates:
• General understanding of cyber security assurance.
• Exposure to a cyber security assurance program which leverages COBIT 5 as a baseline.
• Guidelines for conducting a cybersecurity audit.
AUDITING & REVIEWING CYBERSECURITY
AUDITING & REVIEWING CYBERSECURITY
• A review is required to validate that the controls are designed and operating effectively.
• The audit and review universe is distributed across all three lines of defense, which provides the required degree of independence.
AUDIT UNIVERSE
• Includes all control sets, management practices and GRC provisions in force.
• Can be extended to third parties where the contract grants audit rights.
• Keep within the right boundaries:
Ø Corporate sphere of influence vs private sphere of controls.
Ø Internal IT infrastructure vs external infrastructure.
Ø Corporate sovereignty vs legal provisions.
AUDIT BOUNDARIES
AUDIT OBJECTIVES
• Can range from high-level governance reviews to technical reviews.
• Need to be defined clearly and concisely.
• Consider the time and effort required.
• Audit objectives are best defined in line with the governance and management activities defined for cyber security.
• For complex audits, the underlying audit program may span several years.
KEY CONSIDERATIONS
• Legal consideration
• Privacy and data protection
• Logging, data retention and archiving
• Audit data storage and archiving, which should meet the standard criteria:
Ø Confidentiality
Ø Integrity
Ø Availability
EXAMPLE – CYBERSECURITY AUDIT GOALS
TRANSFORMING CYBERSECURITY – COBIT 5
Eight Key Principles:
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.
CYBERSECURITY ASSURANCE USING
CYBERSECURITY ASSURANCE – COBIT 5
CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Key Areas / Points
1 Cyber security management is supported by entity standards, processes and procedures.
2 Cyber security prevention is monitored on a regular basis by senior management.
3 Business and IT unit leaders are trained and actively involved in the oversight of, and significant decisions relating to, cyber security preparedness and incidents.
4 A cyber security task force / panel has been established and includes appropriate functional members.
5 Cyber security risks and vulnerabilities are identified and evaluated on a periodic basis.
CYBERSECURITY ASSURANCE – COBIT 5
EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE
Other notable cyber security assurance concepts
1 Identify and validate the governance model in terms of cyber security attacks (e.g. ‘Zero Tolerance’ vs ‘Living with it’). This model should be aligned with the entity’s overall risk appetite.
2 Determine an optimal decision-making model for cyber security. This may be distinct and different from the ‘ordinary’ information security model.
3 Embed cyber security transformation activities that are driven by a steering committee. These activities should be included in the overall security strategy.
4 Develop and foster an information security-positive culture and environment within all business units.
5 Integrate cyber security measures, measurements and metrics into routine compliance check mechanisms.
CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Key Areas / Points
1 IT management establishes, maintains and monitors a secure infrastructure.
2 IT management receives and reviews key reports and analysis of security, vulnerability, intrusion and penetration test results.
3 IT management supports the cyber security task force and information security initiatives.
CYBERSECURITY ASSURANCE – COBIT 5
APO01: MANAGE THE IT MANAGEMENT FRAMEWORK
Other notable cyber security assurance concepts
1 Define the expectations with regard to cyber security, including ethics and culture. The expectations should match the overall governance model.
2 IT General Controls (‘ITGC’) should be tested and updated regularly. IT General Controls provide the support and baseline assurance for cyber security specific objectives.
3 Controls and objectives that are performed by third parties should also be evaluated periodically by management.
CYBERSECURITY ASSURANCE – COBIT 5
APO03 MANAGE ENTERPRISE ARCHITECTURE (ARCHITECTURE REVIEW)
CYBERSECURITY ASSURANCE – COBIT 5
APO13 MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)
Security Incident Management
1 Policies and procedures are established to ensure that risk analysis and asset prioritization are part of the evaluation process.
2 Asset value and prioritization are components of the incident response analysis.
3 Incident response policies and processes should identify the scope, objectives and requirements defining how and by whom an incident should be responded to, what constitutes an incident, and the specific processes for monitoring and reporting incident activities.
4 An incident response team has been organized with appropriate management, staffing and senior management support.
5 Forensic policies and procedures should ensure that documented management trails are preserved to permit internal investigations and support any legal or regulatory investigations (internal and external).
6 Incident response tools should be installed, scheduled, monitored and secured to avoid unauthorised access to investigation activities.
7 The crisis management function is part of the cyber security preparedness process.
CYBERSECURITY ASSURANCE – COBIT 5
APO13 MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)
SUMMARY
• Understand CyberSecurity from a holistic, organizational perspective
• Understand the approach to CyberSecurity Assurance
• Develop audit programmes by identifying risks and relevant controls
• Know how to test controls related to CyberSecurity