• STAKEHOLDERS• Internal • External

• RISK ASSESSMENT

Assets Probability (P)

Impact (I)

Inherent Risk = P x I

CompensatingControls

Residual Risk

Software Medium High High • Patch Management• White Listing

Medium

Databases

Medium High High • Encryption Medium

Hardware

Low Medium Medium • Blocking External Devices

Low

Network Medium Medium Medium • Monitoring Low

Human Factor

Medium High High • Training & Awareness

• Reporting Structure• Anti-Retaliation

Policy• Open-Door Policy

Medium

Access Control

Medium High High • Least User Privileges Medium

• Patch Management

• Whitelisting• Removal of RDP

• Hardware-based Firewalls

• Two-step authentication

• Awareness• Training

• Background Checks/Ongoing Employee Screening• Cyber Vetting• Monitoring user activity

• Unauthorized use of personal devices• Security Information and Event

Management• Policies on Confidential Reporting

• Anti-retaliation Policy• Open-door Policy

Plan and Protect• Create an

Incident Response TeamContaining the Incident

• Isolate affected files or networks

• Backup files on servers and hard drives

• Remove access upon termination

Communication to Stakeholders

• Internal Stakeholders• Business

Operations• Oversight• Board of Directors

• External Stakeholders• Law Enforcement• Regulatory

Agencies

Technical Aspect:• Encryption• New Intrusion Prevention

Systems• Anti-malware toolsThird Party Involvement:• Legal and Insurance

Assessments• Notifications of Incidents to:

• S&E, FTC, FBI

Behavioral:• Revamped Employee Training

ModulesPress Involvement:

• Press Statements• Maintains the integrity of the

company

Looking Towards The Future!

Current Topology

Enhanced Topology• Eliminates Path

to E-trading System

• Redundancy• Smaller subsets

allow for easy management

Identify Place:• Red-Amber-

GreenProtect Street:• Hardware• Software• Employee

Behavior Protection

Detect Square:• Screening

Process • FlaggingRespond Park:• Incident

Response Plan

Recover Blvd:• Reassessmen

t