© 2016 MIS Training Institute Holdings, Inc. All rights reserved.

Slide 2: Webinar Logistics
Seminar Logistics
5 minute break each hour
Finish at 3 PM ET, 12 PM PT
Periodic Polling Questions - must answer 90%!
Link to Materials - sent to you 1 hour prior with login credentials
Content Questions
• Submit to Shawna via chat function
• E-mail [email protected] at the end of the webinar
Access, Audio or Technical Support
• Submit to MISTI Webinar Series via chat function
Slide 3: Shawna M. Flanders
Senior Instructor for MIS Training Institute
Technology Assurance, Security, Risk and Process Professional, 30+ Years
Background in Financial Services and Banking
Lives in Florida
Slide 4: Session Overview
Risk Management is the primary process organizations use to determine their current capability to identify, manage and respond to risk, and a properly conducted risk assessment gives an organization the best depiction of its ability to maintain the confidentiality, integrity and availability of its information assets.
• As a result there is increased pressure from both industry bodies and regulators for organizations to have a solid, demonstrated risk management process. This means asset identification and inventory, vulnerability and threat analysis, control inventory, risk assessment and response, risk monitoring and reporting and, of course, Incident Response, Business Continuity and Disaster Recovery.
In this session we will explore several of the more common risk assessment/analysis requirements for meeting both regulatory and industry requirements today and in upcoming years.
Slide 5: Agenda
In today's session we will discuss:
Risk Management Strategy and Program Development
The Risk Universe and its Key Components
Inherent Risk Concept and Assessment Techniques
Scenario Analysis Development Fundamentals
Regulatory Requirements for Assessments
Conducting a Maturity Assessment (Gap between current and desired state)
Tips to Conducting Third Party Assessments
Risk Response Preparation and Execution Basics
Assessment Follow-up
By the end of today's presentation attendees will have an additional perspective on the IT Risk Assessment process and some of the more critical components to incorporate into any program.
Slide 6: RISK MANAGEMENT STRATEGY AND PROGRAM DEVELOPMENT
Effective Governance better ensures Effective Risk Management
Slide 7: Risk Governance
The building blocks of an effective Risk Management program include:
Senior Management and Board of Director Support
Strong Risk Governance
Strategy Based on Enterprise Objectives
Slide 8: Risk Strategy
An effective risk strategy:
Considers how risk can impact the achievement of enterprise objectives
Describes the desired state
Slide 9: Risk Management Program
The Risk Management Program:
Is based on the outcome of the Risk Assessment Process
Is designed to achieve the strategy, taking us from the current state to the desired state
Slide 10: RISK UNIVERSE
Examining the Key Components
Slide 11: Risk Universe
The Risk Universe describes all factors that influence the enterprise that could give rise to risk
The more comprehensive the Risk Universe, the better starting point the enterprise has for assessing risk
Key to properly defining the complete Risk Universe is having a comprehensive Asset Inventory:
People
Processes
Technology
Information Assets
Intellectual Property (Strong Contracts)
Intangible Assets (Good Will)
Slide 12: Risk Universe
The Risk Universe is a living document
A comprehensive Risk Universe considers and documents possible risks regarding:
Supplier Relationships
Cloud Vendors
System and Hardware Support Vendors
Contractors
Industry
Geopolitical
Regulations and Laws
Enterprise Strategy
Internal Processes
Technology (Legacy, Emerging, Current)
Slide 13: Building and Improving the Risk Universe
At least annually the risk team should assess the completeness of the risk universe
All stakeholders should participate in the data collection process
Sources to assist in the update process include:
Industry Bulletins
Regulatory Guidance
Service Management System: Change, Release, Incident and Problem Tickets; Asset and Configuration Records
Project Management Documentation
Security Incident Response, BCP, DR Results
Surveys and Interviews
Slide 14: INHERENT RISK
Concept and Assessment Techniques
Slide 15: Inherent Risk
Inherent Risk is the risk without taking any controls into consideration
It is the risk that is present in the product or service by its design and intent
It cannot be eliminated
It cannot be altered by our implementation of controls (controls change the residual risk, not the inherent risk)
It is the risk we need to acknowledge as probable if the controls in place do not properly or effectively protect the asset
Slide 16: Impact of Inherent Risk on Residual Risk
Inherent Risk - Strength of Controls = Residual Risk
Management considers the Risk Appetite and Risk Tolerance in determining whether the Inherent Risk is something they are willing to accept.
If the Inherent Risk exceeds the appetite and tolerance, the product will not be purchased, the service will not be offered or the existing product or service will be sunset
Slide 17: Determining & Monitoring Inherent Risk
The Inherent Risk should be calculated and documented as part of project initiation
Organizations should build an Inherent Risk Calculator to bring consistency to how Inherent Risk is determined
The FFIEC Cybersecurity Assessment Tool, released in 2015, provides Banks and Credit Unions with an Inherent Risk Profile matrix to more easily determine the risk of various banking products on a consistent basis
Items to consider include Platform, OS, Programming Language, Number of Connections, Number of Users, Significance of Regulations and Laws, Complexity of System, Number of Supporting Vendors, etc.
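An inherent risk calculator of the kind this slide recommends, as an added example; it is not code from the deck or from the FFIEC tool. It scores the factors the slide lists on a 1-5 scale, weights them and maps the weighted average to a profile level. The bands, weights, category values, level names and the two product profiles are assumptions chosen for illustration; an organization substitutes its own.

```python
"""Inherent risk calculator (added example, not from the MISTI deck).

Scores the factors from the slide (platform, OS, programming language,
connections, users, regulatory significance, complexity, supporting vendors)
on a 1-5 scale, weights them and maps the result to a profile level. Every
band, weight, category value and level name below is an assumption.
"""
from dataclasses import dataclass

LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]  # score 1..5

# Numeric factors: (inclusive upper bound, score) bands scanned in order.
NUMERIC_BANDS = {
    "users":       [(50, 1), (500, 2), (5_000, 3), (50_000, 4), (float("inf"), 5)],
    "connections": [(1, 1), (5, 2), (20, 3), (100, 4), (float("inf"), 5)],
    "vendors":     [(0, 1), (1, 2), (3, 3), (6, 4), (float("inf"), 5)],
}

# Categorical factors: answer -> score. Unknown answers score 5 so that an
# incomplete inventory never understates the inherent risk.
CATEGORICAL = {
    "platform":   {"mainframe": 2, "on-prem server": 3, "public cloud": 4, "mobile": 4},
    "os":         {"vendor-supported": 2, "extended support": 4, "end-of-life": 5},
    "language":   {"managed (java/c#)": 2, "interpreted (python/js)": 3, "native (c/c++)": 4},
    "regulation": {"none": 1, "internal policy": 2, "industry (pci)": 4, "statutory (glba/hipaa)": 5},
    "complexity": {"single component": 1, "tiered": 3, "distributed/integrated": 5},
}

# Assumed weights: regulatory exposure and data reach count for more.
WEIGHTS = {"platform": 1, "os": 1, "language": 1, "connections": 2,
           "users": 2, "regulation": 3, "complexity": 2, "vendors": 1}


def score_factor(factor, value):
    """Return the 1-5 score for one factor, numeric or categorical."""
    if factor in NUMERIC_BANDS:
        for upper, score in NUMERIC_BANDS[factor]:
            if value <= upper:
                return score
    return CATEGORICAL[factor].get(str(value).lower(), 5)


@dataclass
class InherentRiskResult:
    level: str
    weighted_score: float
    factor_scores: dict
    drivers: list   # factors scored 4 or 5: the ones to carry into the register


def inherent_risk(profile):
    """Score a product profile {factor: value} covering every factor in WEIGHTS."""
    missing = set(WEIGHTS) - set(profile)
    if missing:
        raise ValueError(f"profile incomplete, missing {sorted(missing)}")
    scores = {f: score_factor(f, profile[f]) for f in WEIGHTS}
    avg = sum(scores[f] * WEIGHTS[f] for f in WEIGHTS) / sum(WEIGHTS.values())
    # Round half up so a weighted 2.5 lands on "Moderate", then index LEVELS.
    idx = min(4, max(0, int(avg + 0.5) - 1))
    drivers = sorted(f for f, s in scores.items() if s >= 4)
    return InherentRiskResult(LEVELS[idx], round(avg, 2), scores, drivers)


# Constructed profiles for illustration, not real products.
MOBILE_BANKING = {
    "platform": "public cloud", "os": "vendor-supported",
    "language": "interpreted (python/js)", "connections": 12, "users": 20_000,
    "regulation": "statutory (glba/hipaa)", "complexity": "tiered", "vendors": 2,
}
INTERNAL_WIKI = {
    "platform": "on-prem server", "os": "vendor-supported",
    "language": "managed (java/c#)", "connections": 1, "users": 40,
    "regulation": "internal policy", "complexity": "single component", "vendors": 0,
}

if __name__ == "__main__":
    for name, profile in (("mobile banking", MOBILE_BANKING), ("internal wiki", INTERNAL_WIKI)):
        r = inherent_risk(profile)
        print(f"{name}: {r.level} ({r.weighted_score}); drivers={r.drivers}")
```

The drivers list (factors scored 4 or 5) is what should follow the product into the risk register: those are the factors no control will change, so they decide whether the inherent risk sits inside appetite at all.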
Slide 18: SCENARIO ANALYSIS
Development Fundamentals
Slide 19: Risk Scenarios
Before beginning a Risk Assessment the Risk Management team must first conduct Risk Identification
The goal is to define all the assets in the process along with their threats, vulnerabilities and controls
The process starts with mapping the Enterprise Goals and Objectives to Critical Business Processes
Next we map Critical Business Processes to the Assets that support the processes
Then we map Vulnerabilities and Threats to the Assets
Then we map Controls to the Assets
Finally we determine the most probable situation in which a threat could exploit a vulnerability
This is the foundation of the Risk Scenario
Slide 20: Risk Scenario
Risk Scenarios are designed to tell a story and bring realism to the Risk Assessment Process
The scenario has several parts including:
Actor – Who
Threat Type – What
Event – How/Where
Asset/Resource – What
Timing – When
Significance
Time to Detect
Time to Resolve
Slide 21: Example Scenario
Actor: An external bad actor
Threat Type: Intentional – Malicious
Event: Sent an email containing an exploit to an executive as part of a whale phishing attack against an organization that was recently in the news regarding an incident that polluted a local stream. The exploit triggered a ransomware attack impacting all the drives the executive had access to, both onsite and at the cloud provider which housed the company's board meeting documentation.
Asset/Resource: Because the executive had excessive access, assets impacted included Outlook, SharePoint, the File Share and Business Objects as well as the host for the Board Meeting Minutes
Timing: Friday 8pm, instant discovery, 5 days to restore
Slide 22: Ownership and Participation
Risk Assessments are most effective if a variety of stakeholders from the business and IT participate in the process
Before leaving the Identification Phase the team should determine the team, using tools such as:
RACI, which documents for each major activity who is responsible, accountable, consulted and informed (RASCI adds a supportive role)
SIPOC, which documents the process in 5-7 sub-processes, recording the suppliers, inputs, process step description, outputs and customers
Slide 23: Poll #4
Which of the following statements best represents a complete risk scenario?
A. Bad Actor attacked Payroll system on Friday and it was resolved Monday afternoon
B. Employee accidentally released code before testing which caused employees to get the wrong W2 on 2/1. New W2's were sent to the correct address 4 days later.
C. Regulation changed but company did not update process so breach was not communicated until 60 days after event took place
D. Tornado hit data center at 2pm and team assessed damage one hour later determining that there was no structural impact.
Slide 24: Risk Identification Summary
Risk Identification
Document Enterprise Objectives
Articulate Which Critical Business Processes Are Impacted By Enterprise Objectives
For Each Critical Business Process Document Its Associated Assets
For Each Asset that relates to a Critical Business Process document possible Threats and Vulnerabilities
For each Asset document the existing controls in place to protect the asset
Slide 25: Risk Identification Summary (continued)
Risk Identification
Create one or more Complex Risk Scenarios (consider adding Coinciding and Cascading events) based on the most probable negative event that could cause a control to fail
(Risk Scenario = Actor; Threat Type; Event; Asset/Resource Impacted; Timing)
Update the Risk Assessment with All Scenarios (Risks) discussed
Slide 26: RISK ASSESSMENT BASIS
Regulatory Requirements
Slide 27: Risk Assessment Intent
Regulation is a driver for why organizations conduct Risk Assessments
From PCI to HIPAA, from FFIEC to NERC there is a need to ensure organizations manage risk effectively
Publicly traded companies need to conduct and report on risk to meet Rating Agency Requirements
Government Agencies need to conduct risk assessments to meet FISMA regulations and NIST guidance
Slide 28: Risk Assessment Depth and Breadth
The degree of detail and the scope of the assessment must consider the regulatory requirements, which vary by regulation
The way the assessment is conducted and documented will also vary. Some of the most common frameworks are:
FISMA – NIST RMF
ISO 31000
ISO/IEC 27005
COSO ERM
NIST SP 800-30; SP 800-115
ISACA COBIT 5 for Risk
Slide 29: CONDUCTING A RISK ASSESSMENT
Determining Current Risk
Slide 30: Risk Analysis Preparation
Once the Risk Scenario has been developed and the team members have been selected it is time to prepare for the assessment
The first step involves conducting interviews and surveys and gathering supporting documentation
Documentation should include: Data Flow Diagrams; Process Flow Diagrams; Network Diagrams; Policies, Procedures, Business, Functional and Technical Specifications, etc.
The Risk Team serves as the facilitators in the assessment process
The more knowledgeable the team is of the business process, the better the quality of the questions and the more meaningful the assessment becomes
Slide 31: Risk Analysis
Before scheduling the Risk Analysis the Risk Team should develop and distribute a series of open-ended questions that will serve as the basis of the Risk Assessment
Then, with the assessment questions created and distributed to the team, it's time to schedule the assessment
The Assessment should assess and document:
Known internal and external risk factors
The Enterprise's Risk Management capabilities to Identify, Assess and Respond to risk
IT capabilities to meet stakeholder expectations
Slide 32: Risk Analysis
There are three methodologies for conducting the analysis:
Qualitative – Opinion Dependent / Driven
Quantitative – Data Dependent / Driven
Semi-Quantitative – Combination
Semi-quantitative methodologies are preferred for conducting the Risk Analysis as these assessments are more data driven than opinion driven
The analysis should examine the Factors and then assess the strength of the controls in place: can they adequately protect the asset?
Conducting substantive testing using techniques including re-performance and modeling provides greater reliability than compliance testing, which only validates the presence of a condition
Slide 33: Risk Evaluation
Upon completion of the Analysis it is time to document the likelihood and impact of the scenario taking place
During the evaluation we focus on the most critical factors that could give rise to risk and would increase the probability that the scenario could happen
Next, by determining how often the scenario could occur, the team then determines its potential impact
Impacts should be calculated regarding:
Productivity
Cost
Legal / Regulatory Penalties
Reputation / Customer Satisfaction
Slide 34: CONDUCTING A MATURITY ASSESSMENT
Gap between current and desired state
Slide 35: Maturity Assessment
One of the cornerstones of measuring the effectiveness and efficiency of the risk management program is conducting annual maturity assessments
There are several models commonly used for such assessments including:
PAM (the COBIT Process Assessment Model)
CMMI
ISO/IEC 15504
Slide 36: Maturity Assessment
The first step of the assessment is educating leadership as to the intent and the assessment model to be used
Once that is discussed the risk team gathers management's input into the scale and what additional company-specific criteria need to be considered in making the scoring decision, as well as any scoping needs
Management will also be asked for a target score, which needs to be in alignment with the Risk Strategy and the Risk Appetite and Tolerance Statements
During the assessment the team will look at each process under review and give the process a score from 0 to 5 based on its level of maturity using the company-defined scale
Slide 37: Maturity Assessment
Once the assessment is complete, the team will report the results back to management for them to work on action plans
The goal is to move each process from its current state to the desired state
The action plan will then be the basis of the corresponding project that will remediate the gaps identified in the assessment
Slide 38: TIPS TO CONDUCTING THIRD PARTY ASSESSMENTS
Dealing with 3rd Party Providers
Slide 39: 3rd Party Risk Assessments
Reiterating – Focus on Contract documents and third party assessments
RFP
SOW
Intellectual Property
Café vs. Flat Fees
Non-Disclosure
Reciprocal Agreement
SLA
MOU
ISA
Assessments
SSAE 16 (SOC reports); PCI ROC; etc.
Slide 40: Risk Assessment Summary
Risk Assessment
Conduct Risk Analysis of Internal and External Risk Factors, Risk Management Capability and IT Capability
Assess the strength of the controls in place to ensure they adequately protect the asset
Perform a Risk Evaluation to Determine Likelihood and Impact
(Risk Evaluation includes topics like productivity, cost to recover and legal and regulatory fines)
Verify
Update Risk Register
Slide 41: RISK RESPONSE PREPARATION AND EXECUTION BASICS
Dealing with the Results
Slide 42: Risk Response
The next step is to determine treatment / response:
Accept
Mitigate
Transfer / Share
Avoid
If the control effectively safeguards the asset within the defined Risk Appetite, Risk Acceptance is justified
Otherwise, to determine treatment:
Develop a Cost / Benefit Analysis
Develop a Return on Investment
Develop a Business Case with Executive Summary
The Risk Owner (business) will decide treatment
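The scoring and treatment steps from the Risk Analysis, Risk Evaluation and Risk Response slides, worked through in code as an added example; this is not code from the deck. The scenario is the deck's whale phishing ransomware example, built from the parts on the Risk Scenario slide, scored semi-quantitatively (likelihood 1-5 times the worst 1-5 impact across productivity, cost, legal/regulatory and reputation), reduced by the assessed strength of existing controls to a residual score, and compared with a risk appetite to choose Accept, Mitigate, Transfer/Share or Avoid. The likelihood and impact ratings, the control-strength numbers, the scales, the appetite and the two response options are all assumptions.

```python
"""Semi-quantitative scenario scoring and treatment selection.

Added example, not code from the MISTI deck. Scales, the ransomware
scenario's ratings and the response options are assumptions.
"""
from dataclasses import dataclass
from enum import Enum

IMPACT_CATEGORIES = ("productivity", "cost", "legal_regulatory", "reputation")


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer/share"
    AVOID = "avoid"


@dataclass
class RiskScenario:
    name: str
    actor: str
    threat_type: str
    event: str
    assets: list
    timing: str
    likelihood: int                # 1 (rare) .. 5 (expected within the year)
    impact: dict                   # category -> 1 (negligible) .. 5 (severe)
    preventive_strength: int = 0   # 0-4: how far existing controls cut likelihood
    corrective_strength: int = 0   # 0-4: how far existing controls cut impact

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be 1..5")
        missing = set(IMPACT_CATEGORIES) - set(self.impact)
        if missing:
            raise ValueError(f"impact not rated for {sorted(missing)}")


@dataclass
class ResponseOption:
    treatment: Treatment           # MITIGATE or TRANSFER
    description: str
    annual_cost: float
    preventive_gain: int = 0       # extra likelihood reduction the option buys
    corrective_gain: int = 0       # extra impact reduction the option buys


def _clamp(v):
    return max(1, min(5, v))


def score(likelihood, impact, preventive=0, corrective=0):
    """Likelihood x worst-category impact after control reductions (1..25)."""
    lik = _clamp(likelihood - preventive)
    worst = max(_clamp(i - corrective) for i in impact.values())
    return lik * worst


def inherent_risk(s):
    return score(s.likelihood, s.impact)


def residual_risk(s, extra_preventive=0, extra_corrective=0):
    return score(s.likelihood, s.impact,
                 s.preventive_strength + extra_preventive,
                 s.corrective_strength + extra_corrective)


def select_treatment(s, appetite, options):
    """Accept inside appetite; else the cheapest option that gets inside it; else avoid."""
    residual = residual_risk(s)
    if residual <= appetite:
        return Treatment.ACCEPT, None, residual
    viable = [(o.annual_cost, residual_risk(s, o.preventive_gain, o.corrective_gain), o)
              for o in options]
    viable = [v for v in viable if v[1] <= appetite]
    if not viable:
        return Treatment.AVOID, None, residual   # sunset, or do not offer the service
    cost, post, best = min(viable, key=lambda v: (v[0], v[1]))
    return best.treatment, best, post


def register_entry(s, appetite, options):
    """One risk register row: inherent, residual, chosen treatment, action plan."""
    treatment, option, post = select_treatment(s, appetite, options)
    return {"scenario": s.name, "actor": s.actor, "threat_type": s.threat_type,
            "assets": s.assets, "timing": s.timing,
            "inherent": inherent_risk(s), "residual": residual_risk(s),
            "appetite": appetite, "treatment": treatment.value,
            "action_plan": option.description if option else None,
            "post_treatment": post}


# The deck's whale-phishing ransomware example with assumed ratings.
WHALE = RiskScenario(
    name="Whale phishing leads to ransomware",
    actor="external bad actor", threat_type="intentional, malicious",
    event="exploit-laden email to an executive after negative press",
    assets=["Outlook", "SharePoint", "file share", "Business Objects",
            "cloud host for board minutes"],
    timing="Friday 20:00; instant discovery; 5 days to restore",
    likelihood=4,
    impact={"productivity": 4, "cost": 3, "legal_regulatory": 2, "reputation": 4},
    preventive_strength=1,   # mail filtering only
    corrective_strength=1,   # backups exist but restore takes 5 days
)
OPTIONS = [
    ResponseOption(Treatment.TRANSFER, "cyber insurance for recovery costs",
                   annual_cost=30_000, corrective_gain=1),
    ResponseOption(Treatment.MITIGATE,
                   "least-privilege review of executive access, MFA, immutable backups with tested restore",
                   annual_cost=45_000, preventive_gain=1, corrective_gain=2),
]

if __name__ == "__main__":
    print(register_entry(WHALE, appetite=5, options=OPTIONS))
```

With these numbers the insurance option is cheaper but leaves the residual above appetite, so the cost/benefit step selects the mitigation; raising the appetite to the current residual yields Accept, and an appetite no option can reach yields Avoid, which is the deck's "sunset the product" outcome.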
Slide 43: Risk Response
The treatment should be justified and documented in the risk register
If the treatment is to mitigate, transfer/share or avoid, an Action Plan should be created by the business owner and recorded in the risk register
Once the action plan is completed, each remediation should be treated as a project
Project schedules should be created and the project should follow the CDLC, including adequate testing and control baselining
Slide 44: ASSESSMENT FOLLOW-UP
Getting to Residual Risk
Slide 45: Follow-up
The risk team should be a part of the project team, reporting on the status of action plans and ensuring the activities are moving toward successful completion
Upon project completion and the subsequent risk analysis, the team will re-assess the residual risk
If the remaining risk is now within Risk Appetite and Tolerance, management can come to final risk acceptance
Slide 46: Risk Response Summary
Risk Response
Develop Cost Benefit Analysis, Return on Investment and Business Case to support remediation recommendations
Determine Risk Treatment based on Risk Appetite and Tolerance (set by BOD and Execs): Accept, Mitigate, Transfer/Share, Avoid
Determine Risk Priority
Senior Business Management Determines Risk Treatment and Creates the Action Plan
Slide 47: Risk Response Summary (continued)
Risk Response
Create Action Plan
Execute Action Plan and Keep Plan Current
Conduct Post Treatment Analysis
Determine Final Risk Acceptance (if now within Risk Appetite and Risk Tolerance)
Update Risk Register (and Profile if necessary)
Slide 48: ONGOING MONITORING AND REPORTING
The Living Process
Slide 49: Ongoing Monitoring and Reporting
As a precursor to go-live, Key Risk and Key Performance Indicators should be established, with thresholds agreed upon by management
Each control should be baselined by running the control test immediately upon implementing it into production
Trend tracking should also be established, along with a procedure for performing ongoing monitoring and reporting
Slide 50: Ongoing Monitoring and Reporting
Risk is constantly changing
Controls need to be monitored and adjusted to respond to those variations
The risk team needs to build a communications plan to ensure that the right people get the right information at the right time, in the right format, to make key business decisions
Slide 51: Risk Monitoring and Reporting Summary
Risk Monitoring and Reporting
Assist the business in the development of KRIs and KPIs
Assist the business in the monitoring and reporting of controls
Repeat the steps above when a control goes out of control
Re-perform the process at least annually, after significant change, or after an outage/incident
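An added example, not code from the deck, of the monitoring the three slides above describe: each indicator is baselined from its first control-test results after go-live (the deck's control baselining), compared with a management-agreed threshold, and trended so that a breach is projected before it happens; a projected breach or a drift away from the baseline is the "control goes out of control" trigger for re-running the assessment steps. The indicator names, thresholds and monthly results are constructed for illustration.

```python
"""KRI/KPI monitoring: baseline, threshold and trend (added example, not from
the MISTI deck). Indicator names, thresholds and series are constructed."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Indicator:
    name: str
    threshold: float
    higher_is_worse: bool
    baseline_periods: int = 3   # initial results that form the baseline
    sigma_limit: float = 2.0    # baseline deviation that counts as out of control
    trend_window: int = 4       # most recent results used for the trend
    horizon: int = 3            # periods ahead to project


def slope(values):
    """Least-squares slope of values against their period index."""
    n = len(values)
    if n < 2:
        return 0.0
    xm, ym = (n - 1) / 2, mean(values)
    num = sum((i - xm) * (v - ym) for i, v in enumerate(values))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den


def evaluate(ind, series):
    """Return the indicator's status and the evidence behind it."""
    if len(series) <= ind.baseline_periods:
        raise ValueError("need results beyond the baseline to evaluate")
    base = series[:ind.baseline_periods]
    mu, sd = mean(base), pstdev(base)
    latest = series[-1]
    sign = 1 if ind.higher_is_worse else -1          # direction that is bad
    breached = sign * (latest - ind.threshold) > 0
    # Control-chart style check: has the control drifted from its baseline?
    drift = abs(latest - mu)
    out_of_control = drift > ind.sigma_limit * sd if sd > 0 else drift > 0
    trend = slope(series[-ind.trend_window:])
    projected = latest + trend * ind.horizon
    projected_breach = sign * (projected - ind.threshold) > 0
    periods_to_breach = None
    if not breached and sign * trend > 0:             # moving toward threshold
        periods_to_breach = math.ceil((ind.threshold - latest) / trend)
    status = ("BREACH" if breached
              else "WARNING" if projected_breach or out_of_control
              else "OK")
    return {"name": ind.name, "status": status, "latest": latest,
            "baseline_mean": round(mu, 2), "trend_per_period": round(trend, 3),
            "out_of_control": out_of_control, "projected_breach": projected_breach,
            "periods_to_breach": periods_to_breach}


# Constructed monthly control-test results, oldest first.
SAMPLE = [
    (Indicator("privileged accounts past quarterly review (%)", threshold=5.0,
               higher_is_worse=True),
     [1.0, 1.5, 1.2, 1.8, 2.6, 3.4, 4.3]),
    (Indicator("patches applied within SLA (%)", threshold=95.0,
               higher_is_worse=False),
     [98.5, 97.9, 98.2, 97.6, 96.1, 94.0]),
    (Indicator("failed logins per 1000 sessions", threshold=20.0,
               higher_is_worse=True),
     [8.0, 9.5, 8.5, 9.0, 8.8, 9.1]),
]


def run_all(sample=SAMPLE):
    return [evaluate(ind, series) for ind, series in sample]


if __name__ == "__main__":
    for r in run_all():
        print(f"{r['status']:8} {r['name']}: latest={r['latest']} "
              f"trend={r['trend_per_period']}/period to-breach={r['periods_to_breach']}")
```

The first indicator is still under its threshold but has left its baseline and is projected to cross within a period, which is the report management wants before the breach rather than after; the second has already breached; the third is stable.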
Slide 52: THE CORRECTIVE CONTROLS TOUR
Incident; Business Continuity, Disaster Recovery
Slide 53: Risk Assessment Connection
Risk Assessments are considered the preventive controls
The RM process is designed to Identify, Assess and Respond to Risk
The output from the Risk Management process becomes the input to the Business Impact Assessment
Slide 54: Business Impact Assessment
Once the assessment is complete, critical business processes and process owners have been identified along with details regarding the business processes
That data serves as input into the BIA
The BIA team uses that data along with interviews and workshops to determine the critical inputs and outputs, resource needs and recovery requirements
Slide 55: Incident Response Plan
This is considered a part of risk management "Respond"
AIW "Allowable Interruption Window" is determined in the BIA
The IRP describes in detail how to:
Report
Record
Assign Incident Handler
Triage
Contain
Eradicate
Escalate / Communicate
Conduct Root Cause and Lessons Learned
Slide 56: Business Continuity Plan
This is considered a part of risk management "Respond"
RTO "Recovery Time Objective" is determined in the BIA
It is the target time to restore the process or service; it must fall within the maximum downtime allowed before the process or service could have a legal or regulatory impact
The BCP is business process specific and describes how the business will recover if either a system or process has failed and an alternative method for processing is temporarily required
The BCP describes:
Recovery Teams
Call Library
Resource Requirements
Slide 57: Disaster Recovery Plan
This is considered a part of risk management "Respond"
RPO "Recovery Point Objective" is determined in the BIA
It is the maximum amount of data, expressed as the period of time since the last recoverable copy, that can be lost without impact to regulations or laws
This is the IT side of Resiliency
Backups and their individual recovery procedures are critical to the success of your DR program
The DR Plan consists of:
DR Dependency Matrix
Recovery Plan for every asset type, application and system
Slide 59: Recap
Risk Management is critical for all organizations today, regardless of industry
We must understand:
What assets we have
How they are used
How they are protected
What events/incidents could impact their security
How to assess and recover should these events/incidents occur
Understanding the Enterprise Risk Profile and which factors influence it is critical to managing the risk facing the enterprise and serves as the basis for meeting our enterprise objectives
Slide 60: Recap – RA Process

Risk Identification
Identify the Risk Universe
  Internal Risk Factors
  External Risk Factors
Identify Business Objectives
  Assoc. Business Processes
    Assoc. Assets
      Assoc. Vulnerabilities
      Assoc. Threats
      Assoc. Controls
Build Risk Scenarios
  Actor
  Threat Type
  Event
  Asset/Resource(s)
  Timing
Create Risk Registry Entry

Risk Assessment
Facilitate Risk Assessment
Risk Analysis
  Internal Risk Factors
  External Risk Factors
  Risk Management Capability (Identify; Assess; Respond)
  IT Capability
  Assess Effectiveness of Current Controls (Determine Current State)
Risk Evaluation
  Determine Scenario Likelihood and Impact on Productivity, Cost of Response, Customer Satisfaction, Reg/Legal Fines and Penalties
VALIDATE ASSESSMENT
Update Risk Register

Risk Response
Create Business Case
Perform Cost / Benefit Analysis
Determine Return on Investments
Select Risk Treatment (Accept; Mitigate; Transfer / Share; Avoid)
Create Action Plan (and Project Schedule)
Update Risk Register
Maintain Risk Register
Conduct Post Treatment Risk Analysis
Determine Final Risk Acceptance
Update Risk Register

Risk Monitoring and Reporting
Build Indicators (KPI; KRI)
Monitor Indicators and Control Testing Results
Report Results to Sr. Management
*Risk/Control Owners Take Action as Needed*
Update Risk Register
Update Risk Profile (as needed)
Slide 61: QUESTIONS / COMMENTS
Other Questions?
Slide 62: LINKS
Where to go for more information!
Slide 63: Links
Privacy and Data Breaches
https://www.privacyrights.org/
Regulations and Privacy Laws
http://www.federalreserve.gov/bankinforeg/reglisting.htm
http://www.informationshield.com/intprivacylaws.html
US-CERT
https://www.us-cert.gov/
National Vulnerability Database
https://web.nvd.nist.gov/view/vuln/search
NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/
Slide 64: Links
SEC Documents on Cybersecurity Assessments
http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
Gartner APT Framework
http://www.networkworld.com/article/2171375/network-security/gartner---five-styles-of-advanced-threat-defense--can-protect-enterprise-from-targe.html
Breach Laws
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Slide 65: Links
KPIs
http://www.smartkpis.com/
http://www.shopify.com/blog/7365564-32-key-performance-indicators-kpis-for-ecommerce
http://kpilibrary.com/topics/not-smart-but-smarter
KRIs
http://www.coso.org/documents/COSOKRIPaperFull-FINALforWebPostingDec110_000.pdf
https://www.ior-institute.org/sound-practice-guidance/key-risk-indicators
KGIs
http://hci-itil.com/COBIT/CO/definitions/KGI.html
Slide 66: Links
Hardening Guidelines
Security configuration checklists: http://checklists.nist.gov/
Another source for configurations (DISA STIGs): http://iase.disa.mil/stigs/Pages/index.aspx
Guide for Security-Focused Configuration Management of Information Systems (NIST SP 800-128): http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf
Other Helpful Sites
Health and Human Services
http://www.hhs.gov/
Homeland Security
http://www.dhs.gov/
Slide 67: Links
CVE and the National Vulnerability Database
https://cve.mitre.org/
https://nvd.nist.gov/full_listing.cfm
Controls Listing (NIST SP 800-53)
https://web.nvd.nist.gov/view/800-53/home
SANS Top 20 (Critical Security Controls)
https://www.sans.org/critical-security-controls/
PCI DSS 3.1
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
SSAE 16 (SOC 1 / SOC 2 / SOC 3 comparison)
http://resource.onlinetech.com/soc-1-soc-2-soc-3-report-comparison/
Slide 68: Links
Incident Response
http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm?
ISO 31000 & 31004 Risk
http://www.praxiom.com/iso-31000.htm
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=56610
CERT Secure Coding eNewsletter
http://www.cert.org/secure-coding/publications/secure-coding-enewsletter.cfm
Separation of Duties
http://www.sans.edu/research/security-laboratory/article/it-separation-duties
http://www.bdoconsulting.com/resources/thought-leaders/SegDutiesChecklist-19.pdf
http://www.isaca.org/Journal/Past-Issues/2009/Volume-5/Pages/A-Risk-based-Approach-to-Segregation-of-Duties1.aspx
Slide 69: THANK YOU!!
Shawna M. Flanders CRISC, CISM, CISA, CSSGB, SSBB
Business – Technology Guidance Associates, LLC.
www.bustechga.com
Please complete the survey following this webinar!