Role of IT Governance and IS Audit in Cyber Risk Mitigation
Nanda Mohan Shenoy, DCAIIB, DBM Part I, NSE Certified Market Professional Level 1, PG Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Disclaimer
• The views expressed in the presentation are the personal views of the speaker and not of the organisation he represents.
• The audience is expected to exercise due diligence and cross-check the facts before forming any opinion or judgment.
• The audience may agree with the views of the speaker or agree to disagree with them.
Incident?
Indian Context
• What is wonder?
– Day after day countless people die. Yet the living wish to live forever. O Lord, what can be a greater wonder?
– Day after day countless cyber attacks happen. Yet the CISO thinks his organisation will not be attacked. O Lord, what can be a greater wonder?
Tyres of Cyber Suraksha (Cyber Security)
• Governance
• Technical
• HR Controls
• Operational
Governance
Board Room Agenda
• Information Security
• Cyber Security
• WannaCry
• RBI/IRDA/SEBI
Summary of Board Responsibility
1. Approve the following policies:
i. IT Policy
ii. IS Policy
iii. IS Audit Framework
iv. Change Management Policy
v. Cyber Security Policy
vi. BCP Policy
vii. Outsourcing Policy
2. Members to be part of the:
i. IT Strategy Committee
ii. ACB
3. Review the results of the:
i. Risk Assessment
ii. BCP
4. Outsourcing Policy responsibility
5. Undergo an awareness session on Cyber Security
Thanks to Regulators
• Cyber Security Policy (distinct from Information Security Policy)
• Cyber Crisis Management Plan (Resilience)
• Cyber Security Preparedness Indicators
• Vulnerability/Risk Assessment
Amul – The taste of the Board
– IT Policy
– Infosec Policy
– Cyber Security Policy
Confused
Focus
• Information Security
– Protection of Assets
– ISO 27001 has 14 control groups, 35 Control Objectives and 114 Controls
– Only 1 CG, A.16, talks about Incident Management
• Cyber Security
– Protect
– Detect
– Respond
– Recover
– The Incident Management of ISO 27001:2013 A.16 has these controls.
– It can be seen as an expansion of A.16
Board Room Language
• The CISO has to talk the language of the board
• They only understand two things:
– Topline
– Bottomline
• Not too technical
• Wear multiple hats
• Facts & Figures
Audit
• All
• U
• Do
• Is
• Tick
Current Gaps
• IRDA talks only about IS & Cyber Security together; learn from the banking industry and make Cyber Security separate
• Once Cyber Security becomes separate, an audit of it is also imminent
• The Cyber Security Audit should also be included separately as part of the IS Audit Charter, or a separate Audit Charter for Cyber Security should be created
• So a separate assurance is required for Cyber Security
Concluding Remarks
"I HAVE GOVERNANCE."
"TODAY I HAVE WEBSENSE, A WAF, BLUE COAT, SMOKE SCREEN, RADARK. WHAT DO YOU HAVE?"