Role of it governance cyberfrat

Transcript of "Role of IT Governance and IS Audit in Cyber Risk Mitigation"

Page 1: Role of IT Governance and IS Audit in Cyber Risk Mitigation

Nanda Mohan Shenoy D, CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer

Director

Page 2: Disclaimer

• The views expressed in the presentation are the personal views of the speaker and not the Organisation which he represents.

• The audience is expected to exercise due diligence and cross check the facts before forming any opinion or judgment.

• The audience may agree to the view of the speaker or agree to disagree with the views of the speaker.

Page 3: Incident?

Page 4: Indian Context

• What is wonder?

– Day after day countless people die. Yet the living wish to live forever. O Lord, what can be a greater wonder?

– Day after day countless cyber attacks happen. Yet the CISO thinks his organisation will not be attacked. O Lord, what can be a greater wonder?

Page 5: Tyres of Cyber Suraksha

• Governance

• Technical

• HR Controls

• Operational

Page 6: Governance

Page 7: Board Room Agenda

• Information Security

• Cyber Security

• WannaCry

• RBI/IRDA/SEBI

Page 8: Summary of Board Responsibility

1. Approve the following policies:

i. IT Policy

ii. IS Policy

iii. IS Audit Framework

iv. Change Management Policy

v. Cyber Security Policy

vi. BCP Policy

vii. Outsourcing Policy

2. Members to be part of the:

i. IT Strategy Committee

ii. ACB

3. Review the results of the:

i. Risk Assessment

ii. BCP

4. Outsourcing Policy responsibility

5. Undergo an awareness session on Cyber Security


Page 9: Thanks to Regulators

• Cyber Security Policy (distinct from Information Security Policy)

• Cyber Crisis Management Plan (Resilience)

• Cyber Security Preparedness Indicators

• Vulnerability/Risk Assessment

Page 10: Amul – The taste of the Board

– IT Policy

– Infosec Policy

– Cyber Security Policy

Confused

Page 11: Focus

• Information Security

– Protection of Assets

– ISO 27001 has 14 control groups, 35 Control Objectives and 114 Controls

– Only 1 CG, A.16, talks about Incident Management

• Cyber Security

– Protect

– Detect

– Respond

– Recover

– The Incident Management of ISO 27001:2013 A.16 has these controls.

– It can be seen as an expansion of A.16

Page 12: Board Room Language

• CISO to talk the language of the board

• They only understand two things

– Topline

– Bottomline

• Not too technical

• Wear multiple hats

• Facts & Figures

Page 13: Audit

• All

• U

• Do

• Is

• Tick

Page 14: Current Gaps

• IRDA talks only about IS & Cyber Security – learn from the banking industry and make it separate

• Once Cyber Security becomes separate, the audit of that is also imminent

• The Cyber Security Audit should also be included separately, as a part of the IS Audit Charter or in a separate Audit Charter for Cyber Security

• So a separate assurance is required for Cyber Security

Page 15: Concluding Remarks

"I have governance."

"Today I have Websense, a WAF, Blue Coat, Smoke Screen, Radark. What do you have?"

Page 16: Contact

[email protected], 09820409261

Thank you