Using COBIT 5 to implement Cyber Security of Web Applications
CA A. Rafeq, FCA, CISA, CGEIT, CIA
Managing Director, Wincer Infotech Limited
www.wincaat.com
Saturday, 17th Oct. 2015 (9.30 AM to 11.00 AM)
Hotel Pride, Bangalore
Presentation at Special CPE Session
Agenda/Session Plan
1. COBIT 5 in a Capsule
2. Essence of Cyber Security
3. Cyber Security using Frameworks
4. Cyber Security of Web Apps
Ten Hot Tech Skills Gaining Speed
Cloud
Cyber security
Macro to Micro: Top Down Approach
COBIT 5
Cyber Security
Web Applications
Applying COBIT 5 to Cyber Security of Web Applications
1. COBIT 5 in a Capsule
How to use COBIT 5?
Principles and Enablers
Products
Implementation
Processes and Practices
Why use COBIT 5?
What is COBIT 5?
The only Business Framework for the Governance and Management of Enterprise IT.
COBIT 5 Principles
Principle 1: Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.
Value creation: realizing benefits at an optimal resource cost while optimizing risk.
Principle 1: Meeting Stakeholder Needs
Stakeholder needs have to be transformed into an enterprise's actionable strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals.
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single Integrated Framework
Enablers provide structure to the COBIT 5 knowledge base.
Principle 4: Enabling a Holistic Approach
Principle 4: Enablers of COBIT 5
Principle 5: Separating Governance from Management
COBIT 5 Governance and Management Key Areas
COBIT 5 Processes
Governance of Enterprise IT
Evaluate, Direct and Monitor
Align, Plan and Organize
Build, Acquire and Implement
Deliver, Service and Support
Monitor, Evaluate and Assure
COBIT 5 Process Reference Model
COBIT 5 Processes
COBIT 5 Product Family
COBIT 5 Implementation
Implementing COBIT 5 best practices
1. COBIT 5 has a knowledge repository of best practices which is complete, consistent, and easily navigable.
2. COBIT 5 guidance can be used and adapted for meeting any applicable legal, regulatory and contractual requirements.
3. Learn how to navigate through the knowledge repository and select the relevant guidance.
2. Essence of Cyber Security
Increasing dependence on the internet
Directly
◦ Communication (Email, IM, VoIP)
◦ Commerce (business, banking, e-commerce, etc.)
◦ Control systems (public utilities, etc.)
◦ Information and entertainment
◦ Sensitive data stored on the Internet
Indirectly
◦ Business, Education, Government have permanently replaced physical/manual processes with Internet-based processes
What is Cyber Security?
‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized’
http://whatis.techtarget.com/definition/cybersecurity
Cybersecurity
Refers to preventative methods used to protect information from being stolen, compromised or attacked.
Requires an understanding of potential information threats, such as viruses and other malicious code.
Cybersecurity strategies include identity management, risk management and incident management.
Why is Cyber Security required?
Cybersecurity Attacks: Vulnerabilities
Cyber Security Objectives
INTEGRITY: authenticity
AVAILABILITY: access
CONFIDENTIALITY: disclosure
Cyber Security Objectives in real world
INTEGRITY: authenticity
AVAILABILITY: access
CONFIDENTIALITY: disclosure
USAGE: purpose
Cybersecurity Roadblocks
No metrics to measure (in)security
Internet is inherently international
Private sector owns most of the infrastructure
“Cybersecurity Gap”: a cost/incentive disconnect?
◦ Businesses will pay to meet business imperatives
◦ Who’s going to pay to meet national security imperatives?
Key considerations in implementing Cyber Security
ISACA’s Certification in Cyber Security
3. Cyber Security using Frameworks
Implementing Cyber Security Framework
Cybersecurity framework?
“The security professional needs to adhere to a framework.… once the security professional begins to bring order to the organization’s security program, they are implementing a framework.”
Source: http://www.securitycurrent.com/en/writers/david-sheidlower/security-where-myths-should-go-to-die
Benefits:
◦ From chaos to order and organization
◦ Manageable practice
◦ From tools/mechanisms to architecture/policy to strategy/governance
NIST Cybersecurity Framework
• Three parts:
o The Framework Core
o The Framework Profile
o The Framework Implementation Tiers
• Framework Core
- A set of activities, outcomes, and informative references
- Providing the detailed guidance for developing individual organizational Profiles
Using the Framework
Building from standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
Framework Core
• Five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover
• (Altogether) the functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
• Functions organize basic cybersecurity activities at their highest level.
• Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
o Example Categories: “Asset Management,” “Access Control,” “Detection Processes.”
Framework Profile
• Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories
• Aligning standards, guidelines, and practices to the Framework Core in a particular implementation scenario
• “Current” profile and “Target” profile
• Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives.
Framework Profile
• The Framework document does not prescribe Profile templates, allowing for flexibility in implementation.
• Example profiles can be found: http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf
Example Profiles for Threat Mitigation:
1. Mitigating intrusions
2. Mitigating malware
3. Mitigating insider threats
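The Profile comparison described on the preceding slides (steps 1 to 4 of "Using the Framework": describe the current posture, describe the target state, prioritize the gaps, assess progress) is easy to make concrete. The following is an added example, not code from the presentation or from NIST: it represents a "Current" and a "Target" Profile as mappings from subcategory id to an implementation level, computes the weighted gap list, and measures how much of the gap has been closed since a baseline. The 0 to 4 level scale, the per-Function weights and the sample Profiles are constructed for illustration; the subcategory ids follow the NIST CSF `Function.Category-N` naming.

```python
"""Gap analysis between a NIST CSF 'Current' and 'Target' Profile.

Added example, not part of the original presentation. The numeric
level scale, the Function weights and the sample Profiles below are
constructed for illustration, not an assessment of any organization.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed scale for how far an outcome (subcategory) is implemented.
LEVELS = {0: "not implemented", 1: "partial", 2: "defined", 3: "managed", 4: "measured"}

# Constructed priority weight per Function; an organization would derive
# these from its own risk appetite and business needs.
FUNCTION_WEIGHT = {"ID": 1.0, "PR": 1.5, "DE": 1.5, "RS": 1.2, "RC": 1.0}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    score: float  # weighted size of the gap, used for prioritization


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'PR': the Function prefix of a subcategory id."""
    return subcategory.split(".", 1)[0]


def gap_analysis(current: Dict[str, int], target: Dict[str, int]) -> List[Gap]:
    """Compare two Profiles and return the outcomes where current < target,
    largest weighted gap first (ties broken by subcategory id)."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # absent from the current Profile = not implemented
        if have < want:
            weight = FUNCTION_WEIGHT[function_of(sub)]
            gaps.append(Gap(sub, have, want, round((want - have) * weight, 2)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def progress(baseline: Dict[str, int], current: Dict[str, int],
             target: Dict[str, int]) -> float:
    """Fraction (0..1) of the total weighted gap, measured at the baseline
    assessment, that has been closed in the current assessment.
    Returns 1.0 when the baseline already met the target."""
    total = sum(g.score for g in gap_analysis(baseline, target))
    if total == 0:
        return 1.0
    remaining = sum(g.score for g in gap_analysis(current, target))
    return round(1 - remaining / total, 3)


# Constructed sample Profiles (levels are illustrative only).
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "DE.DP-1": 2,
                  "RS.RP-1": 3, "RC.RP-1": 2}
# A later re-assessment after work on monitoring and access control (constructed).
IMPROVED_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 2, "DE.CM-1": 3, "RS.RP-1": 1, "RC.RP-1": 2}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.subcategory}: {LEVELS[g.current]} -> {LEVELS[g.target]} (score {g.score})")
    print("progress toward target:", progress(CURRENT_PROFILE, IMPROVED_PROFILE, TARGET_PROFILE))
```

Outcomes missing from the current Profile count as "not implemented", so a subcategory newly added to the target shows up as a gap rather than being silently skipped; the weighting is the point at which business priorities (step 3 of the slide) enter the comparison rather than treating every outcome alike.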
Gartner Recommendations
Enterprises:
• Use the CSF as a legal framework to map your IT/OT risks.
• Avoid making long-term procurement- or compliance-based decisions from the CSF's guidance in its current state as it is missing key components.
• Continue to apply standards that are well-accepted by your respective industries.
Critical infrastructure companies with existing cybersecurity risk programs:
• Use the CSF to validate program completeness.
Enterprises with nascent cybersecurity risk management programs:
• Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.
Companies with considerable IT/OT assets:
• Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.
4. Implementing Cyber Security for Web Apps
Web application or Web Apps
An application program that is stored on a remote server and delivered over the Internet through a browser interface.
Refers to any program that is accessed over a network connection using HTTP, rather than existing within a device’s memory.
Often run inside a Web browser. May be client-based, where a small part of the program is downloaded to a user’s desktop, but processing is done over the Internet on an external server.
Any website component that performs some function for the user qualifies as a Web app.
Web application security
Branch of Information Security that deals specifically with security of websites, web applications and web services.
At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.
Cyber Security in Context: Cyber wars
Corporate Cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a corporation’s operations and assets
National Cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a nation’s operations and assets
Types of Controls
Assurance of Web Apps
Business Processes on the web
Applicable Regulatory requirements
Organization Structure and Access policy
Technology Deployed and Security
Assurance Process – Frameworks
Integrating COBIT 5 with Cyber Security of Web Applications
Tailored as per Enterprise Requirements
COBIT 5 for Cyber Security
Cyber Security of Web Applications
Security of Web Applications
Four strategic best practices for protecting Web applications
To address security-related issues as they pertain to Web applications, organizations can employ four broad, strategic best practices.
1. Increase security awareness
2. Categorize application risk and liability
3. Set a zero-tolerance enforcement policy
4. Integrate security testing throughout the development and delivery process
Crystal Ball: In the Year 2025
PAST, PRESENT
Cyber security is a young and immature field
The attackers are more innovative than defenders
Defenders are mired in FUD (fear, uncertainty and doubt) and fairy tales
Attack back is illegal or classified
FUTURE
Cyber security will become a scientific discipline
Cyber security will be application and technology centric
Cyber security will never be “solved” but will be “managed”
Attack back will be an integral part of cyber security
Seven Tips for Cyber Safety
1. Install OS/Software Updates
2. Run Anti-virus Software
3. Prevent Identity Theft
4. Turn on Personal Firewalls
5. Avoid Spyware/Adware
6. Protect Passwords
7. Back up Important Files
Summary