Risk, Regulations and Data Protection
Shahar Geiger Maor, Senior Analyst
Scan me to your contacts:
www.shaharmaor.blogspot.com   http://www.facebook.com/shahar.maor   http://twitter.com/shaharmaor

What is Risk?




Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic   2
Risk Management…
• Risk management is present in all aspects of life
• It is about the everyday trade-off between an expected reward and a potential danger
• It is universal, in the sense that it refers to human behaviour in the decision-making process




No Risk… No Gain!
Benefits of Risk Management
Potential benefits:
• Supports strategic and business planning
• Increased certainty and fewer surprises
• Better service delivery
• More efficient use of resources
• Promotes continual improvement
• Helps focus internal audit programme
• Reassures stakeholders
• Quick grasp of new opportunities

• ERM is an ongoing process
• ERM is an integral part of how an organization operates
• ERM applies to all organizations, not just financial organizations
• Risk applies broadly to all things threatening the achievement of organizational objectives
• Risk is not limited to threats, but also refers to opportunities
• The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”


Regulations – The Olympic Minimum Syndrome




When Regulation is a Good Idea…




SOX




Ultimate Liability




Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain


Security Ecosystem: Key Roles
• Senior Management
• CISO
• Data owners
• Custodian
• Users

PCI-DSS: Israeli Market and Challenges
Components shown:
• POS Terminals
• PIN Pads
• DSL Router
• Network
• 3rd Party Scan Vendor
• Policies
• POS Server
PCI-DSS Requirements 1 through 12




Information Security “Threatscape”




Social Engineering
Preventing social engineering:
• Verify identity
• Do not give out passwords
• Do not give out employee information
• Do not follow commands from unverified sources
• Do not distribute dial-in phone numbers to any computer system except to valid users
• Do not participate in telephone surveys

Reacting to social engineering:
• Use Caller ID to document phone number
• Take detailed notes
• Get person’s name/position
• Report incidents


Phishing
• A social engineering scam
• A scam that uses email or websites to deceive you into disclosing sensitive information
• How does it work?
  – You receive an email or pop-up message
  – The message usually says that you need to update or validate your account information
  – It might threaten some dire consequence if you don’t respond
  – The message directs you to a bogus website
  – You type sensitive info… and that’s it…

Technologies Categorization 2010-2011
[Figure: STKI market-maturity map. Horizontal axis: Market Maturity (Using, Implementing, Looking). Other labels: Market Curiosity; IT Project Major Changes; size of figure = complexity/cost of project. Technologies plotted: Network Security, Endpoint Security, Application Security, Security Management, Data Protection, DLP, IRM, Cloud Security, Mobile Sec, “Social” Security, Cyber Warfare.]
Source: STKI
Cyber-Warfare




http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
Mobile sec




“Social Security”




Data Centric Approach
• Build a wall – “perimeter security”
• “Business of Security” – Security is built into the business process



Data Security Domain




                                          Source: Securosis
STKI Index 2010-2011 – Top Queries to STKI
  EPS/mobile             14%
  Market/Trends          13%
  Access/Authentication  12%
  Network Sec            12%
  GW                     10%
  DCS                     9%
  DB/DC SEC               9%
  Vendor/Product          8%
  Regulations             7%
  SIEM/SOC                3%
  Miscellaneous           2%
  Encryption              1%
Source: STKI
Internal vs. External Human Threats




Leakage Mitigation in Israel
[Figure: layered stack of mitigation measures, top to bottom]
• Awareness / Methodology
• IRM / Vaulting / Mail Protection
• DB protection
• GW protection
• Encryption
• Device Control
• Endpoint DLP


Protect your data
Left column:
• Data Loss Prevention - Network
• Data Loss Prevention - Endpoint
• Data Loss Prevention - Storage
• Full Drive Encryption
• USB/Media Encryption/Device Control
• Enterprise Digital Rights Management
• Data Masking
• Entitlement Management

Right column:
• Access Management
• Entitlement Management
• Network Segregation
• Server/Endpoint Hardening
• USB/Media Encryption/Device Control
• Database Encryption
• DAM
• Storage Encryption
• Application Encryption
• Email Filtering


Top Insights
• Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data.
• Most organizations see unstructured data storage as their main security concern.
• Most organizations must meet at least 1 regulatory or contractual compliance requirement.

Top Insights – cont.
• Many organizations tend “not to touch” their prod DB.
DB protection: Estimated Technology Penetration
  Evaluating / Not using   48%
  Using this technology    52%




Identity and Access Management




Identity and Access Management
[Figure callouts: “this is where most activity occurs”; “A Leper Colony – keep away!!!”]
Thank you!
Download this presentation:




Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Último (20)

Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Risk, regulation and data protection

  • 1. Risk, Regulations and Data Protection. Shahar Geiger Maor, Senior Analyst. Scan me to your contacts: www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor
  • 2. What is Risk? Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic
  • 3. Risk Management…
    • Risk management is present in all aspects of life
    • It is about the everyday trade-off between an expected reward and a potential danger
    • It is universal, in the sense that it refers to human behaviour in the decision-making process
  • 4. No Risk… No Gain!
  • 5. Benefits of Risk Management. Potential benefits:
    • Increased certainty and fewer surprises
    • Supports strategic and business planning
    • Better service delivery
    • More efficient use of resources
    • Quick grasp of new opportunities
    • Promotes continual improvement
    • Reassures stakeholders
    • Helps focus the internal audit programme
  • 6.
    • ERM is an ongoing process
    • ERM is an integral part of how an organization operates
    • ERM applies to all organizations, not just financial organizations
    • Risk applies broadly to all things threatening the achievement of organizational objectives
    • Risk is not limited to threats, but also refers to opportunities
    • The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”
  • 7. Regulations – The Olympic Minimum Syndrome
  • 8. When Regulation is a Good Idea…
  • 9. SOX
  • 10. Ultimate Liability: Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain
  • 11. Security Ecosystem: Key Roles – Senior Management, CISO, Custodian, Data owners, Users
  • 12. PCI-DSS: Israeli Market and Challenges. Requirements 1 to 12, shown against the in-scope components: POS Terminals, PIN Pads, DSL Router, Network, 3rd Party Scan Vendor, Policies, POS Server
  • 13. Information Security “Threatscape”
  • 14. Social Engineering
  • 15. Social Engineering
    Preventing social engineering:
    • Verify identity
    • Do not give out passwords
    • Do not give out employee information
    • Do not follow commands from unverified sources
    • Do not distribute dial-in phone numbers to any computer system except to valid users
    • Do not participate in telephone surveys
    Reacting to social engineering:
    • Use Caller ID to document the phone number
    • Take detailed notes
    • Get the person’s name/position
    • Report incidents
  • 16. Phishing
    • A social engineering scam
    • A scam that uses email or websites to deceive you into disclosing sensitive information
    • How does it work?
      – You receive an email or pop-up message
      – The message usually says that you need to update or validate your account information
      – It might threaten some dire consequence if you don’t respond
      – The message directs you to a bogus website
      – You type sensitive info… and that’s it…
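As an added example (not part of the deck), a small Python checker that scores a message on the three phishing signals the slide lists: the “update or validate your account” lure, the threatened consequence, and a link whose visible text names a different host than its real target. The phrase lists, the `.test` domains and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases taken from the slide's description of the lure and the threat.
LURE = ("update your account", "validate your account", "verify your account")
THREAT = ("suspended", "closed", "locked", "immediately", "within 24 hours")

class _Links(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Hostname of a URL, or of a bare domain written as link text."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_indicators(raw_email):
    """Sorted indicator names found in a single-part text/html message."""
    html = message_from_string(raw_email).get_payload()
    text = re.sub(r"<[^>]+>", " ", html).lower()
    found = set()
    if any(p in text for p in LURE):
        found.add("account_lure")      # "update or validate your account"
    if any(p in text for p in THREAT):
        found.add("threat")            # "dire consequence if you don't respond"
    parser = _Links()
    parser.feed(html)
    for href, visible in parser.links:
        # Visible text that looks like a URL but whose host differs from the
        # real target is the "directs you to a bogus website" step.
        if re.fullmatch(r"\S+\.\S+", visible) and _host(visible) != _host(href):
            found.add("link_text_mismatch")
    return sorted(found)

# Constructed sample messages; .test domains are reserved and never resolve.
PHISH = """From: security@examp1e-bank.test
Content-Type: text/html

<p>Please update your account information. Your account will be
suspended within 24 hours if you do not respond.</p>
<a href="http://login.examp1e-bank.test/validate">https://www.example-bank.test/login</a>
"""
LEGIT = """From: newsletter@example-bank.test
Content-Type: text/html

<p>Your monthly statement is available in online banking.</p>
<a href="https://www.example-bank.test/statements">View statements</a>
"""
```

A message that trips two or more of these indicators at once is a reasonable candidate for quarantine or user-reporting, which is the "report incidents" step from the previous slide.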
  • 17. Technologies Categorization 2010–2011 (chart, Source: STKI). Axes: Market Maturity (Looking, Implementing, Using) against Market Curiosity / IT Project / Major Changes; size of figure = complexity/cost of project. Technologies plotted: Cyber Warfare, “Social” Security, Mobile Sec, DLP, IRM, Application Security, Cloud Security, Endpoint Security, Security Management, Data Protection, Network Security
  • 18. Cyber-Warfare http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
  • 19. Mobile sec
  • 20. “Social Security”
  • 21. Data Centric Approach: from “Build a wall” (perimeter security) to the “Business of Security” (security is built into the business process)
  • 22. Data Security Domain. Source: Securosis
  • 23. STKI Index 2010–2011 – Top Queries to STKI (Source: STKI): SIEM/SOC 3%, Miscellaneous 2%, Encryption 1%, Regulations 7%, Vendor/Product 8%, EPS/mobile 14%, Market/Trends 13%, DB/DC SEC 9%, Access/Authentication 9%, DCS 12%, GW 10%, Network Sec 12%
  • 24. Internal vs. External Human Threats
  • 25. Leakage Mitigation in Israel: Awareness, Methodology, IRM, Vaulting, Mail Protection, DB protection, GW protection, Encryption, Device Control, Endpoint DLP
  • 26. Protect your data
    • Data Loss Prevention - Network
    • Data Loss Prevention - Endpoint
    • Data Loss Prevention - Storage
    • Full Drive Encryption
    • Access Management
    • USB/Media Encryption/Device Control
    • Entitlement Management
    • Network Segregation
    • Enterprise Digital Rights Management
    • Server/Endpoint Hardening
    • Data Masking
    • Database Encryption
    • DAM
    • Storage Encryption
    • Application Encryption
    • Email Filtering
  • 27. Top Insights
    • Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data
    • Most organizations see unstructured data storage as their main security concern
    • Most organizations must meet at least 1 regulatory or contractual compliance requirement
  • 28. Top Insights – cont.
    • Many organizations tend “not to touch” their production DB
    DB protection, estimated technology penetration: Evaluating / Not using 48%, Using this technology 52%
  • 29. Identity and Access Management
  • 30. Identity and Access Management (diagram annotations: “this is where most activity occurs”; “A Leper Colony – keep away!!!”)
  • 31. Thank you! Download this presentation: