Practical Cybersecurity Risk and Control Maturity Assessments
Brian Fricke, CISSP, CISM
Chief Information Security Officer
None of the data presented in this presentation represents the actual security posture of the presenter's organization.
Like all financial institutions, we are required to perform appropriate Cyber Risk Assessments, Control Testing, and Status Reports to the Board. BUT HOW?!
Two Key Ingredients
A Risk Assessment: the determination of quantitative and qualitative estimates of the impact of an event, related to a well-defined situation and a recognized threat.
A Control Maturity Assessment: the process designed to provide reasonable assurance of the achievement of control objectives (control effectiveness).
Risk Assessment
Impact + Likelihood = Inherent Risk
Inherent Risk + Control Effectiveness = Residual Risk
Select a Control Framework (figure: other control frameworks)
Control Maturity Dashboard
https://www.linkedin.com/pulse/cybersecurity-risk-control-maturity-assessment-fricke-cissp-cism/
Risk Dashboard
Risk Assessment
Impact + Likelihood = Inherent Risk
https://www.linkedin.com/pulse/cybersecurity-risk-control-maturity-assessment-fricke-cissp-cism/
Control Assessment
Each sub-control receives a scored Control Rating. The total scoring equals the overall Control Effectiveness (Assurance Rating).
Inherent Risk + Control Effectiveness = Residual Risk
https://www.linkedin.com/pulse/cybersecurity-risk-control-maturity-assessment-fricke-cissp-cism/
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Bottom Line Message: Your Organization's overall level of Inherent Risk has been rated at High. The Company has implemented 130 of the 149 Critical Security Controls (87%). This is a 66% improvement from 2016. Of the 130 Controls implemented, 80% have a Maturity rating equal to or greater than Generally Effective. This brings the Overall Cybersecurity Residual Risk to Moderate, which is within the Board's defined Risk Appetite.
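The scoring model from the Risk Assessment and Control Assessment slides (Impact + Likelihood = Inherent Risk; sub-control maturity ratings rolled up into Control Effectiveness; Inherent Risk + Control Effectiveness = Residual Risk), carried through to a Bottom Line summary like the one above. This is an added example, not the presenter's tooling: the ordinal scales, the band boundaries, the maturity labels other than "Generally Effective", the 75% threshold and the sample sub-controls are all constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal scales (assumed for this example; the deck does not fix them).
LEVELS = ["Low", "Moderate", "High"]
MATURITY = {"Not Implemented": 0, "Partially Effective": 1,
            "Generally Effective": 2, "Highly Effective": 3}

@dataclass
class SubControl:
    control_id: str
    maturity: str  # one of the MATURITY keys

    def implemented(self) -> bool:
        return MATURITY[self.maturity] > 0

def inherent_risk(impact: str, likelihood: str) -> str:
    """Impact + Likelihood = Inherent Risk (deck formula); band cut-offs assumed."""
    score = LEVELS.index(impact) + LEVELS.index(likelihood)  # 0..4
    return "Low" if score <= 1 else "Moderate" if score <= 2 else "High"

def control_effectiveness(controls: list) -> dict:
    """Roll sub-control ratings up into the overall Control Effectiveness figures."""
    implemented = [c for c in controls if c.implemented()]
    mature = [c for c in implemented
              if MATURITY[c.maturity] >= MATURITY["Generally Effective"]]
    pct_impl = round(100 * len(implemented) / len(controls))
    pct_mature = round(100 * len(mature) / len(implemented)) if implemented else 0
    return {"implemented": len(implemented), "total": len(controls),
            "pct_implemented": pct_impl, "pct_mature": pct_mature}

def residual_risk(inherent: str, eff: dict, threshold: int = 75) -> str:
    """Inherent Risk + Control Effectiveness = Residual Risk. Assumed rule: drop one
    band when implementation and maturity coverage both reach the threshold."""
    idx = LEVELS.index(inherent)
    if eff["pct_implemented"] >= threshold and eff["pct_mature"] >= threshold:
        idx = max(idx - 1, 0)
    return LEVELS[idx]

def bottom_line(impact: str, likelihood: str, controls: list, appetite: str = "Moderate") -> dict:
    """Produce the figures a Bottom Line Message is built from."""
    inherent = inherent_risk(impact, likelihood)
    eff = control_effectiveness(controls)
    residual = residual_risk(inherent, eff)
    return {"inherent": inherent, **eff, "residual": residual,
            "within_appetite": LEVELS.index(residual) <= LEVELS.index(appetite)}

# Constructed sample: ten sub-controls, eight implemented, six at >= Generally Effective.
SAMPLE = [SubControl(f"CSC1.{i}", m) for i, m in enumerate([
    "Highly Effective", "Generally Effective", "Generally Effective", "Generally Effective",
    "Generally Effective", "Generally Effective", "Partially Effective", "Partially Effective",
    "Not Implemented", "Not Implemented"], start=1)]

if __name__ == "__main__":
    print(bottom_line("High", "High", SAMPLE))
```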
• Establish a method of conducting Risk Assessments
• Establish a method of conducting Control Maturity Assessments
• (Link the two)
• Empower control owners to make an impact to the organization
• Report it to Management, Committees, Auditors, Regulators, and the Board
• Never stop measuring, assessing, and improving.
"You can't manage what you can't measure." -Peter Drucker
https://www.linkedin.com/in/brianrfricke
The information presented will be made available.
THANK YOU!
https://www.linkedin.com/pulse/cybersecurity-risk-control-maturity-assessment-fricke-cissp-cism/