Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554

Strategic GRC & iSAT for Management Security intelligence

“
AEC 2015”

Prinya Hom-Anek
CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW,
ITIL Expert, CompTIA Security+, IRCA: ISMS Lead Auditor, BCMS Auditor
(ISC)2 Asian Advisory Board; ISACA Thailand Committee,
Thailand Information Security Association (TISA) Committee,
ACIS Professional Center Co., Ltd. , President and Founder


Top 10 Strategic Technology Areas 2009
Top 10 Strategic Technology Areas
Technology Area Rank
Virtualization 1
Cloud Computing 2
Beyond Blade Servers 3
Green IT 4
Web-Oriented Architectures 5
Enterprise Mashups 6
Specialized Systems 7
Social Software and Social Networking 8
Unified Communications (UC) 9
Business Intelligence (BI) 10
Source: Gartner Symposium/ITxpo

© Copyright, ACIS Professional Center Company Limited, All rights reserved 2


Top 10 Strategic Technology Areas
Cloud Computing 1
Advanced Analytics 2
Client Computing 3
IT for Green 4
Reshaping the Data Center 5
Social Computing 6
Security – Activity Monitoring 7
Flash Memory 8
Virtualization for Availability 9
Mobile Applications 10
Source: Gartner Symposium/ITxpo



Top 10 Strategic Technologies for 2011
Cloud Computing 1
Mobile Applications and Media Tablets 2
Next Generation Analytics 3
Social Analytics 4
Social Communications and Collaboration 5
Video 6
Context-Aware Computing 7
Ubiquitous Computing 8
Storage Class Memory 9
Fabric-Based Infrastructure and Computers 10
Source: Gartner Symposium/Itxpo



IT Organizations and Users in 2010 and Beyond
This Year's Predictions Span 56 Markets, Topics and Industry Areas, January 2010

Gartner Highlights Key Predictions
By 2012, 20 percent of businesses will own no IT assets.
By 2012, India-centric IT services companies will represent 20 percent
of the leading cloud aggregators in the market (through cloud service
offerings).
By 2012, Facebook will become the hub for social network integration
and Web socialization.
In 2012, 60 percent of a new PC's total life greenhouse gas emissions
will have occurred before the user first turns the machine on.
By 2013, mobile phones will overtake PCs as the most
common Web access device worldwide.



IT Organizations and Users in 2010 and Beyond
This Year's Predictions Span 56 Markets, Topics and Industry Areas, January 2010

Gartner Highlights Key Predictions
By 2014, most IT business cases will include carbon remediation costs.
By 2014, over 3 billion of the world's adult population will be able to
transact electronically via mobile or Internet technology.
By 2015, Internet marketing will be regulated, controlling more than
$250 billion in Internet marketing spending worldwide.
By 2015, context will be as influential to mobile consumer services and
relationships as search engines are to the Web.



Prinya Hom-Anek
Hom-
CGEIT, CISSP, CRISC, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW,
ITIL Expert, IRCA:ISMS Lead Auditor, BCMS Auditor
(ISC)2 Asian Advisory Board, ISACA Thailand Committee
Thailand Information Security Association (TISA) Committee
ACIS Professional Center Co., Ltd.


1. Integrated GRC Implementation
(Governance, Risk Management & Compliance)
Corporate Governance using COSO ERM, COBIT 5 and ISO 31000
Corporate Governance for IT using ISO 38500
IT Governance/Management using COBIT, Val IT and Risk IT Framework
Information Security Governance/Management using ISO/IEC 27001/27002

2. IT Service Management Implementation
(ITSM, ITIL & ISO/IEC 20000)

3. Business Continuity Management (BCM)
(BS25999 and ICT Continuity Management using BS25777)



4. Tougher Regulatory Compliance, Risk Management
and Internal/External IT Audits

5. The Rising of Information Security Awareness
Training within organization (for Everyone)

6. The Need for Soft Skills Training/Education
(Human Factors in IT/ Information Security Professionals)

7. The Rising of Cloud Computing, Virtualization, and
Social & Mobile Computing


8. Corporate Fraud and Internet Banking/Online
Transaction Fraud Prevention and Detection

9. IT and Information Security Metrics
Implementation

10. The Need for Creating “Culture of Security” and
“Risk-Aware Culture in Organization”



Underlying Drivers
Infrastructure Weakness
Under-
Under-investment in both organizational and national critical
infrastructure has weakened the underlying IT platforms. They are
poorly placed to support new and evolving business technology such
as e-commerce, cloud computing and mobile working.
e-

Cultural Change
The rise of the ‘Internet generation’, coupled with high levels of personal
technology adoption, have caused an irreversible change in attitudes
to protecting information.

Globalization
Continuing globalization means that organizations of all kinds are subject
to greater threats, as a result of being seen as an attractive target,
having to meet the needs of multiple legal jurisdictions, and becoming
a more complex organization.



1. The Need for BCM/BIA
(Over-reliance on the Internet)

• SITUATION – over-reliance on the Internet for all forms of communications
and transactions has resulted in a lack of choice for customers in how they
interact with organizations such as banks, airlines and online retailers – and
higher potential risk of business impact from sustained corporate/regional
Internet failures.
• THREATS – under-investment in critical infrastructure and/or unsecured
critical infrastructure leads to poor resilience at network pinch points, with risk
of complete loss of communications and transaction channels.
• ACTIONS – evaluate business continuity management (BCM), contingency
arrangements prior to contracting with providers; ensure Business Impact
Analysis (BIA) are undertaken for Internet channels.



2. The Rise of Cloud Computing and Virtualization
(Platform-as-a-Service, Infrastructure-as-a-Service, and Security)

• SITUATION – the business and cost benefits of cloud computing have led to
short-cuts being taken, and security and compliance concerns being
overridden. Using of virtualization increased “attack surface”, “virtualization
software vulnerability”
• THREATS – rising costs associated with proving cloud computing compliance
and a rise in incidents associated with fraudulent activities and external
attacks masked by the cloud. The virtualization attack is on the rise.
• ACTIONS – develop strategies for virtualization, cloud computing security
and compliance, covering identity and access mechanisms, disaster recovery,
information classification, and contingency plans for retrenchment from the
cloud if necessary.



3. Pervasive Computing/Ubiquitous Computing
(Eroding Network Boundaries)

• SITUATION – mobile and remote working, outsourcing and cloud computing
have combined to all but remove organizations’ network boundary with the
outside world.
• THREATS – point security solutions are unable to prevent widespread loading
of software from untrusted sources; unauthorized system, network or
information access; or compliance failures in areas such as security and
privacy.
• ACTIONS – consider architectural options for “working without a network
boundary”, and investigate concepts of trusted zones and niche application of
products such as digital rights management (DRMO and data loss prevention
(DLP)



4. The Rise of Mobile Computing
(Smartphone is a new PC)

• SITUATION – the predominance of Smartphones both corporate and private
has blurred the line between business and personal usage, leading to
unproven and untrusted software being used for business/private
communications and transactions.
• THREATS – theft or loss of equipment, along with potential distribution of
mobile phone malware (Mitmo; Man-in-the-mobile), leads to increased risk of
business/private information loss and fraud.
• ACTIONS – establish security policies for use of mobile phones and access
management across devices; establish asset management for smartphones
and assess the security implications of their use; educate users by launching
security awareness program



5. The Rise of The Internet Generation
(Changing Cultures of the Techno-Generation (Gen-Y))

• SITUATION – for the Internet generation, the boundaries between work and
home life are even more indistinct; some even have difficulty distinguishing
between real life and fantasy life (the ‘avatar effect’/’the matrix effect).
Traditional information security awareness approaches are not properly applied.
• THREATS – email, Internet access and Social network use bypasses corporate
controls, increasing the risk of business information disclosure and compliance
failure. Internet Banking Threat; MitB (Man-in-the-Browser) for example Zeus
Trojan/SilentBanker Trojan.
• ACTIONS – create a profile of users, enhance security awareness for all users,
establish baseline policies and deploy technical controls in line with risk;
evaluate the use of Internet reputation protection services.



6. Privacy vs. Security
(Corporate Fraud is on the rise, the need for Lawful Interception)

• SITUATION – the conflict between the right to privacy and the need of
government agencies to analyse personal information in crime prevention has
reduced public confidence in organizations’ ability to safeguard personal
information to an all-time low. Many countries banned Blackberry (Lawful
Intercept issues)
• THREATS – organizations need to perform a compliance across different
jurisdictions with different levels of privacy protection, leading to a higher risk
of compliance failure and business information disclosure.
• ACTIONS – ensure privacy policies for employees and customers are clear
and meet all jurisdictions’ needs; create a forum for discussing changes in the
law with legal advisors and industry colleagues.



7. A lack of Corporate Security Awareness Program
(The LifeStyle Hacking, Integrated Hack vs. Integrated GRC)

• SITUATION – Targeted attack and organized crime are on the rise. The next
generation hacking is focusing on user lifestyle, many users on corporate
unaware of Internet Security Threats.
• THREATS – Blended Threats, Advanced Persistent Threat (APT), Remote
Access Trojan , LifeStyle Hacking, “Drive-by Download”,
• ACTIONS – Implement Corporate iSAT (Information Security Awareness
Program) at least once a year, Train and educate all users, Study occupational
fraud prevention and detection.



8. The Rise of Social Computing
(An insecure use of social software/social media)

• SITUATION – The rise of using social media/social networking over high-speed
Internet. The Viral marketing (the social marketing) techniques that use pre-
existing social networks to produce increases in brand awareness or to achieve
other marketing objectives through self-replicating viral processes, analogous to
the spread of virus or computer viruses.
• THREAT – rapid growth in use of home and mobile equipment has left the
security function unable to cope with the need to manage and protect personally
owned or remote equipment to a proper standard, leading to potential
compliance failure and disclosure of business information.
• ACTIONS – educate users and implement corporate social network security
policy ; implement the application-level filtering technology to monitor/block all
malicious software related with social network software.



9. Insecure Coding and Application Development Practices
(Application Security)

• SITUATION – the vulnerabilities in application software today. Lack of
system programmer/application developer security awareness when designing
and developing application software; insufficient web application security
knowledge.
• THREATS – web application hacking is the common hacking method,
criminals are targeting at application layer. Hackers know that you have
firewalls and hackers are targeting a new way to ‘hack’ into your systems. Not
convenient to hack the network.
• ACTIONS – Today we are wiring the world with applications. Having a skilled
professional capable of designing and deploying secure software is now
critical to this evolving world



10. The Threats Convergence (Integrated Hack)
(Cyber Espionage /Advanced Persistent Threat (APT))

• SITUATION – while there is continued focus on mitigating information security
threats, efforts are still largely siloed. Attackers have adopted strategies based on a
combination of threats, some of which are outside the information security remit.
the highly competitive global market has given rise to more sophisticated cyber-
espionage attacks, both from commercial competitors and from organized criminals.
• THREATS – the converged threat approach can be used to obtain authentication
details, gain access to systems or networks, misuse systems to commit fraud, steal
proprietary information and introduce malware. increased risk of loss of proprietary
information through hacking and other cyber attacks, potentially leading to a loss of
reputation and trust.
• ACTIONS – establish common risk languages across the organization; seek
pragmatic ways to assess and manage risk holistically; and report on converged
threats to the organization.



Live Show in Cyber Defense Initiative Conference 2010 (CDIC 2010)

Spear Phishing, PDF Embedded Exe Attack Spear
Phishing, PDF embedded EXE Attack
Phishing PDF

AutoHack Penetration Testing Tools Become Hacker Aid
AutoHack Penetration Testing Tool

Hacker

RFID Tag Counterfeiting: Case Study e-Passport
RFID TAG
Hack E-Passport Contactless
(VISA Wave Hacking)




Credit Card and Magnetic Card Hacking

GPUs and FPGAs in PC-Based Heterogeneous Systems
DIY Supercomputer Crack GPGPU
FPGA

Wireless Rogue AP & WPA Hacking on Cloud Computing
Rogue AP Crack Key EAP
Cloud computing WPA

The Return of BOT with CAPTCHA Attack
BOT CAPTCHA Attack




Advanced, New and Unseen Social Networking Attacks

Advanced Persistent Threats (APT), Spy Eye, Zeus,
GhostNet, Kneber Botnet and SilentBanker Trojan

Advanced Hacking on Smart Phone
(iPad, iPhone, Android, BlackBerry, Smart Phone)

(iPad, Android, iPhone, BlackBerry, Smartphone)



Why we need Hacking Technics for IT auditing



The Need for ITG : 7 IT Challenges

Keeping IT Running 1 The Essentials of IT and
Value 2 Information Security Standard,
Best practices and Frameworks
Costs 3
Mastering Complexity 4
Aligning IT With Business 5
Regulatory Compliance 6
Security 7 Organization
IT Resources and Expenses



“GRC” not only “ITG” and “ISG” => “CG”

Risk
Governance Compliance
Management

(C) © Copyright, 2007-2009, ACIS Professional Limited, All rights reserved
Copyright ACIS Professional Center Company Center Company Limited 28


An Integrated Approach To Governance, Risk & Compliance
Stakeholder Expectations

Governance
Key linkage Setting objectives, tone, policies, risk appetite
Objectives & and accountabilities. Monitoring performance.
Risk
Appetite

Enterprise Risk Management

Key linkage Identifying and assessing risks that may affect the
Risk ability to achieve objectives and determining risk
Response & response strategies and control activities.
Control
Activities Compliance
Operating in accordance with objectives and ensuring
adherence with laws and regulations, internal policies
and procedures, and stakeholder commitments.

Laws Policies Procedures Processes/system People Tools &Technologies
Source: A New Strategy for Success Through Integrated Governance, Risk and Compliance Management PWC white paper



Integrated GRC Framework

Source: wikipedia.org/wiki/Governance,_Risk_Management,_and_Compliance



TOP
MIDDLE
BOTTOM



Enterprise Governance:
Corporate Governance (CG) Drives IT Governance (ITG)
and Information Security Governance (ISG)
• Enterprise governance is about:
Performance
Improving profitability, efficiency, effectiveness, growth, and so on
Conformance
Adhering to legislation, internal policies, audit requirements, and
so on
• Enterprise governance and IT governance require a balance between the
conformance and performance goals, as directed by the board.

Conformance
Performance

© Copyright, ACIS Professional Center Company Limited, All Rights Reserved 32


Integrated Frameworks on Business / IT Alignment
CONFORMANCE
PERFORMANCE:
Drivers Business Goals
Basel II, Sarbanes-
Oxley Act, contracts etc.

Enterprise Governance Scorecard and COSO

IT Governance COBIT

ISO ISO/IEC ISO/IEC
Best Practice Standards
9001:2000 17799 20000/ITIL

BS 25999 BS 25777

QA Security Service Delivery
Processes and Procedures Procedures Principles procedures

BCM procedure ICT CM procedure

Source: modified from IT Governance (COBIT), ITGI


How to implement Standards and Best Practices in Thailand

SOX, HIPAA, Thai E-Transaction Laws
GLBA, PCI and Computer Crime Laws
DSS, BASEL

Balancing Strategies on
Balancing Strategies on
Process, People and
Process, People and
II
COSO => ISO 31000 Thai OAG / TRIS/

Technology
Technology
(The Committee of Sponsoring Organizations of the BOT/ SEC/ OIC
Treadway Commission) - Financial Reporting &
Business Process Oriented requirements

CobiT 4.1 => CobiT 5
Control Objectives for Information and related Technology IT oriented
bridging the gap between business processes and IT controls

ISG => ISO/IEC BS25999
ISO/IEC 20000
(ITSMS) & ITIL 27001 (ISMS) (BCMS) =>
=> new SC27 ISO 22301


GRC and Related IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and best practices.
These must be understood in order to consider how they can be used together, with COBIT
(IT Governance) acting as the consolidator (‘umbrella’).

COSO

COBIT
ISO 17799 CMM
ISO 27001
BCM
ISO 9000
ITIL
WHAT ISO 20000 HOW

Source: ITGI
SCOPE OF COVERAGE



Integrated GRC Related Standards & Best Practices



COBIT, COSO, ITIL & Compliance
Process and Control Framework
Control App
Enterprise Business Processes

Control
Control App
App
Control
Control
Financial Processes IT Processes
ITIL®/CMMi®
App
Control App
Control Control
App
Control

Company–Level
Company–Level Application
Application IT General
Controls
COSO
Controls Controls
Controls COBIT™ Controls

Control Frameworks: COSO — Control and risk mgmt for corporate governance
COBIT™— IT Control Objectives
IT Process Frameworks: ITIL®/CMMi®—IT Best Practices
COBIT™ Trademark of ISACA
ITIL® Trademark of OGC
CMMi® Trademark of SEI



COBIT, COSO, ITIL & Compliance
How does it all put together?
COSO Control What controls you should have
CobiT Frameworks

ITIL Process What processes you should implement
CMMi Frameworks

Tools IT Service How to implement the required
Consulting controls and processes

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COBIT (Control Objectives for Information and Related Technologies)
CMMi - Capability Maturity Model Integration



Manage IT from a Business Perspective

Applications

Manage As Business Services
Function 1 Function 2 Function 3



Use Controls to Go Faster
• Enable new services
• Support growth
• Lower risk
• Reduce cost

IT Controls
• Cost
• Availability
• Performance



How to use COBIT, ISO/IEC 27001 , CMM and ITIL
COBIT is based on and accommodates major international standards, and it is
increasingly recognized as the de facto framework for IT governance.
COBIT is focused on what is required to achieve this governance and control at
a high level. It has been aligned with other best practices and can be used as
the “integrator” of different guidance materials, such as ISO/IEC 27001 and ITIL.

ISO/IEC 27001
Strategic
COBIT

Process Control

CMM
Process Execution
ITIL
• Work instruction • Work instruction • Work instruction • Work instruction • Work instruction
• 2 • 2 • 2 • 2 • 2
Work Instruction • 3 • 3 • 3 • 3 • 3
• 4,5,6…. • 4,5,6…. • 4,5,6…. • 4,5,6…. • 4,5,6….



Big Picture of International Standards and Best Practices

The relevance of standards and practices depends on the organization and its priorities and expectations.
An organization may decide to adopt all, one, or part of one of the standards to improve the
performance of a business process or enable business transformation.

TCO ISO/IEC ITIL/ISO/IEC
Specific

CMM
27001 20000
COBIT
Relevant to IT

General

Six Sigma

ISO/IEC 9000

Malcolm Baldrige Award
Holistic

Scorecards

Low (Process Improvement) Moderate High (Business Transformation)

Improvement Goal

COBIT is positioned centrally at the General level, helping integrate technical and specific practices
with broader business practices.



Business Model for Information Security
BMIS is primarily a three-dimensional model. It consists of four elements and six dynamic interconnections (DIs).



Recognizing Enterprise Architecture

The security programme is subject to the overarching direction provided by enterprise governance and its subsidiary areas, namely governance of IT
and—in some cases—detailed security governance provisions. The security programme implements a layer below the overall governance framework.
Source: www.isaca.org, “BMIS”, the business model for information security, 2010


Aligning Common Security Standards



Aligning Generic Frameworks




Zachman Enterprise Framework



Enterprise Architecture Framework
Based on ‘The Open Group Architecture Forum’ (TOGAF)

Business Risks What

Business Vision & Drivers

Business Architecture

Business
Organizational People
Processes

Data Application
Architecture Architecture

(Information) ( Services)

Technology Architecture
(Hardware, Software, Network)
IT Risks How



Business drivers for an integrated approach to GRC

Increased
complexity due
to globalisation
Increasing Increased
regulations competitive
pressures

Governance
New Ethical and
technologies Risk and financial
scandals
Compliance

Integrity-driven Transparency and
performance accountability
expectations demands
Increased
demands from
stakeholders



Hottest Cloud in 2011

© Copyright, ACIS Professional Center Company Limited, All rights reserved Page 50


Apple New Data Center in NC ($1 Billions)



iCloud Features



Does iCloud Pose Security Risks To Users?
Does iCloud make iPhones and iPads a security risk?



iCloud Raises Serious
Data Security Concerns
• Those intent on hacking into big systems will soon
have a big new target. Apple announced its iCloud
service that stores massive amounts of content,
much like a giant storage system in the sky. iCloud
users will be able to wirelessly access their music,
photos, email, calendar and all kinds of other
content on several devices. It's meant to eliminate
the need to sync phones, computers, laptops and
tablets. It's all about convenience. But is it safe?
• The forthcoming free Apple service syncs among
iCloud-enabled devices, moving data to devices and
cloud servers outside your control
•



iCloud Raises Serious
Data Security Concerns
• Simple phishing scam or socially engineered
attack could easily dupe a user into surrendering
username and password credentials that will
expose the data stored in iCloud
• In order for iCloud to be a success, Apple has to
assure consumers and businesses that the data
is protected
• The convenience of having documents
automatically synced to iCloud aside, what
happens when the business wants to delete that
information?



Concepts for New ITG Framework
Life Cycle Approach

7

“IT Governance”

“Enterprise
Governance”
Frameworks, Standards
“Best Practices”
“Adapt”
“Adopt”



Concepts for New ITG Framework
Implementation Life Cycle
“Implementing and
Continually Implementing IT
Governance” 4
Components
Create the right
environment
Programme Management
Project Management
Change Enablement
Continual Improvement
Life Cycle
7



Inside COBIT 5 Design
COBIT 5 ISACA Initiative
“TGF” “Taking Governance Forward” COBIT 5
7
Framework Val IT, Risk IT, BMIS ITAF
Framework
Framework

“Migrate” COBIT 4.1
COBIT 4.1
Enterprise Architecture (EA) Decision Making
People Skill Organization Structure Charge Enablement
Sustainability
“Governance Process” “Management Process”
“ ”“ “ “Standard”
“Best Practice”



COBIT 5 Family of Products

COBIT 5.0
COBIT 4.1 Internal Stakeholder External Stakeholder

COBIT 5 Stakeholder
COBIT 5 Family of Products

COBIT 5 for Risk

COBIT 5 for Value

COBIT 5 for Security

COBIT 5 for Compliance



COBIT 5 Objectives
COBIT 5 will:
• Provide a renewed and authoritative governance and management
framework for enterprise information and related technology, building
on the current widely recognized and accepted COBIT framework,
linking together and reinforcing all other major ISACA frameworks and
guidance such as:
Val IT Risk IT
BMIS ITAF
Board Briefing Taking Governance Forward

• Connect to other major frameworks and standards in the marketplace
(ITIL, ISO standards, etc.)



Other Guidance Options
The COBIT 5 product architecture will also contain practitioner
guidance designed to support specific business requirements, the
needs of ISACA constituent groups, specific content topic
development and reference to the COBIT framework and specific
framework as necessary. Such guidance could include:

Getting Started Guides
Mappings
Surveys and Benchmarks
Implementation Guides



COBIT 5 – Management of Enterprise IT

COBIT 5 Standard Best Practice
60 ITIL V3, ISO 27000 Series, ISO 20000,
ISO 38500:2008, TOGAF V9 ISO 9000:2008

COBIT 5
“Change”
(Culture) (Behavior)

ISACA
Implement IT Governance Life Cycle CSI 6 Steps
Model ITIL V3 7 Steps



COBIT 5 : ITG Focus Areas
“IT Governance” 5

Strategic Alignment
Value Delivery
Risk Management
Resource Management
Performance Measurement



1. Strategic Alignment

“ ” “Align”

Strategic Alignment

Aligning IT with Business



2. Value Delivery Value Creation

“ ”

,

“ ”

Value Delivery
$



ITG Focus Areas: Value Delivery Focus

“Two Views of Control”



3. Risk Management Value Preservation
“Value Delivery” (Value Creation)
Risk Management
(Value Preservation)

(Assess)
(Analysis) (Treatment)
(Risk Reduction, Risk Retention,
Risk Avoidance Risk Transfer) Risk Acceptance
Criteria (ISO 27005:2008)

Risk Management



3. Risk Management Value Preservation (cont.)

(Risk Aware)
“Risk Appetite” Risk
Acceptance Level” “
”
IT Governance Governance,
Risk Management and Compliance (GRC)
“IT Risk”
“Business Risk”

“IT Risk “Business
Risk”



4. Performance Management

“IT KPI” “IT Metric” “IT
Performance Management”

“ ”
“Metric” (Stakeholder)
Performance Scorecard, Dashboard
Benchmarking If you cannot measure it,
{ you cannot manage it. }

Performance Measurement



4. Performance Management (cont.)
“Measurement”
“Manage” “If you
cannot measure it, you cannot manage it”

Certification Body (CB)
ISO/IEC 27001 (Effectiveness)

ISMS
ISO/IEC 27001



5. Resource Management
4
1. (People)
2. (Infrastructure)
3. (Application)
Resource Management
4. (Information)

“Human Resource
Management”

“Knowledge Worker”




COBIT Framework IT Governance
Implementation Guide COBIT IT
Governance Implementation Guide “Solution”

“Method” “Luc Kordel” “It’s a method,
not the solution!”
Framework “Adopt” “Adapt”
Corporate Culture, Style People Skill



ISO/IEC 38500:2008
Corporate Governance of Information Technology

ITG Framework
ITG Principles:
Principle 1: Responsibility
Principle 2: Strategy
Principle 3: Acquisition
Principle 4: Performance
Principle 5: Conformance
Principle 6: Human Behavior

ITG Model:
a) Evaluate
b) Direct
c) Monitor



Aligning CobiT, ITIL and ISO 27002 for Business Benefit

Source: ITGI



International Register of Certificated Auditors
ACIS and TUV NORD : 3 IRCA Certified Training Courses



Information Security Governance

Source: ITGI


Information Security Governance Conceptual Framework

Source: ITGI


IT Risk vs. Risk IT
Its Impacts to Business


“IT Risk” Book from Harvard Business
School



Categories of IT risk



IT Risk vs. IT Opportunity
Techniques and Uses for Risk IT and its Supporting Materials for
Risk and Opportunity Management (Using COBIT, Val IT and Risk IT)

IT Risk
IT Risk ⇒ Business Risk
Value Inhibitor
⇒ Enterprise Risk

IT Opportunity
Value Enabler



The Core Disciplines of Risk Management



The Three Core Disciplines of Effective Risk Management

1. A well-structured, well-managed foundation of IT assets,
people, and supporting processes

2. A well-designed risk governance process to identify,
prioritize, and track risks

3. A risk-aware culture in which people understand causes
and solutions for IT risks and are comfortable discussing
risk



ISACA Risk IT Framework

Risk IT Based on COBIT Objectives and Principles



Risk IT Framework Principles
Defined around these building blocks is a process model for IT risk that will look familiar to
users of COBIT and ValIT4 substantial guidance is provided on the key activities within each
process, responsibilities for the process, information flows between processes and
performance management of the process. The processes are divided in three domains –
Risk Governance, Risk Evaluation and Risk Response – each containing three processes:

o Establish and Maintain a Common
Risk Governance o Integrate with Enterprise Risk Management
o Make Risk-aware Business Decision

o Collect Data
Risk Evaluation o Analyze Risk
o Maintain Risk Profile

o Articulate Risk
Risk Response o Manage Risk
o React to Events



Risk IT Process Model



Elements of Risk Culture



Embedding Standards & Best Practices
in the organization’s culture



Awareness Training

Information Security Awareness
Program Development

- Awareness (What)
- Training (How)
- Education (Why)



Competency, Knowledge, and Skills



The Seven Habits of Highly Effective People

1.
(Be Proactive)
2.
(Begin with the End in Mind)
3.
(Put first things first)
4. / From “The Seven Habits of Highly
Think Win-Win Effective People: Restoring
the Character Ethic”
by Stephen R. Covey,
5. Simon and Schuster, 1989
Seek First to Understand, Then to be Understood
6.
Synergize
7.
Sharpen the saw


Time Management

1 2

Put the
3 4 Big Rocks
in First


Six Thinking Hats
Edward de Bono



“ 6”



ACIS eEnterprise Series I

ISBN 978-974-401-593-8

.

,

(1987)

( )
99/ 16-20
10400
. 0-2642-3400 3991-5



ACIS eEnterprise Series II

Strategic Roadmap with International Standards and Best Practices to integrated GRC

..
ISBN xxx-xxx-xxx-xxx-x

.

,

(1987)

( )
99/ 16-20
10400
. 0-2642-3400 3991-5



“360 Degree IT Management Book”

Part 1 : Introduction to “GRC”, “IT GRC” and “Integrated GRC”
Implementation

Part 2 : IT Governance implementation using CobiT and New CobiT
Framework

Part 3 : Balancing in Improving Efficiency and Quality of IT Service
Management with ISO/IEC 20000 and ITIL V3

Part 4 : Information Security Management Implementation with
ISO/IEC 27001

Part 5 : Effective and Efficient Business Continuity Management on
Crisis Management



What’s the future trend in Thailand?

Audit => Forensic => Fraud
Security => Privacy
BIA (part of BCM) => PIA
BIA = Business Impact Analysis
PIA = Privacy Impact Assessment



“Social Networking Security”



“Social Networking Security”
1. Social Media / Social Networking
2. Facebook Twitter
3.
4. Facebook
5.
6.



www.cdicconference.com
29-30 November 2011 @BITEC



Future Trend 2012 (Conference Highlights)

• The Latest Update Top Ten Cyber Security Threats and Emerging
Trends in Year 2012 and Beyond

• The Latest Update International Business-IT and Security-related
Standards and Best Practices Trends, including New ISO/IEC 27001
and COBIT 5

• Practical Cloud Computing Implementation and its security concerns

• Encountering and Balancing on Security vs. Privacy Issues, and
Privacy Impact Assessment (PIA)

• What else, when an enterprise needs a framework for “IT GRC”,
“Security GRC” and “Integrated GRC”?




• Integrating Enterprise Governance with IT Governance (ITG) and
Information Security Governance (ISG); Integrated Audit and Risk
Assessment for High Performance Organization and Operational
Excellence

• How to drive a Strategic GRC implementation into Business
Alignment: Conformance vs. Performance, Create Value vs. Preserve
Value, and Corporate Social Responsibility (CSR) vs. Creating Shared
Value (CSV)

•The New Business Impact Analysis (BIA) and Risk Analysis (RA) from
ISO 22301 (BCMS) for Critical Infrastructure

•Layer 8 Exploitation: Lock'n Load Target

•IPv4 to IPv6 State Transition Vulnerabilities & Exploits




• Strategic Roadmap and Move on Enterprise Cloud Infrastructure

• The New Patterns of Advanced Persistent Threats (APT) and
Targeted Attacks from Anonymous and LulzSec Groups

• Advanced Smart Phone Forensics

• Mobile Malware Transformation

• GSM Deception Episode II

• In-depth Live Show Demonstration on New Advanced Cybercrime
and Ethical Hacking Techniques, Gadgets and Tools

• Real Case Studies from Professionals and the International Security
Experts



www.snsconference.com
SNSCON and MOBISCON 2011
28-29 June 2011

www.cdicconference.com
Cyber Defense Initiative Conference 2011
29-30 November 2011


www.TISA.or.th
Thailand Information Security Association

www.acisonline.net

prinya@acisonline.net


RSA Conference 2011
(ISC)2 member reception



Risk Culture/Culture of Security
When we look at the future of Internet Security with billions
of devices online, the first thing we do is that we have to
create the culture of security.

CDIC 2008, Keynote Speech, Howard Schmidt
CEO of The Information Security Forum
Cyber-Security Coordinator of the Obama Administration



“Risk Culture/Culture of Security”



My Facebook and Twitter
http://www.facebook.com/prinyah
http://www.twitter.com/prinyaACIS

CDIC Conference 2011
http://www.cdicconference.com

http://www.acisonline.net

Thailand Information Security Association
http://www.tisa.or.th
13-Oct-11

Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (17)

Semelhante a Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554

Semelhante a Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554 (20)

Mais de TISA

Mais de TISA (11)

Último

Último (20)

Prinya acis slide for swpark - it & information security human resource development plan for aec 2015_TISA Pto-Talk 2-2554