Cyber Essentials and BSI standards - managing the business risk
Russell Price, Chairman of Continuity Forum and the BSI Risk Management Committee
All rights reserved © 2018 Continuity Forum / JISC
Cyber Essentials & British Standard BS 31111
Managing the business risk
“I think there is
a world market
for maybe five
computers”
Thomas Watson,
President of IBM, 1943
Home Computers
“There is no
reason anyone
would want a
computer in
their home”
Ken Olsen
Digital Equipment Corp,
1977
Tech Explosion
A technology explosion
New devices
are connecting
to the Internet
at the rate of
328
million/month
Digital Britain 1
Digital Britain: reality check
• The UK is the G20's most cyber-dependent economy
• £600bn online spending in 2018
• Tech sector now £184bn
• Growing at 3x the rate of other sectors
Digital Britain 2
Digital Britain: reality check
In the last 12 months we learned …
• 43% had a cyber breach
• 74% said cyber security was a priority
• 75% don't have formal cyber policies
• Probably underestimated?
Cyber Risk Cartoon
Cyber risk: a definition of sorts
“Risk of financial loss, operational disruption or reputational damage to an organisation due to a failure of its information technology systems from a broad spectrum of causes” (the speaker's own definition)
Russell Price
• Chairman of BSI UK Risk Management Committee (RM/1)
• Member ISO TC 262, 292 & BSI CAR/1
• Founding member & current Chair of Cyber Risk & Insurance Forum (CRIF)
• ISO 22301, 22316, 31000, 31010, 270XX & Strategic Advisory Group
• British Standard 31111, 65000 & 31100
• BIS Sector UK Cyber Security Review Chair -> Cyber Essentials
• CBEST – ANSI/ASIS – EU – UNISDR
Risk Life Cycle
Risk Life Cycle (diagram)
Issue management: early issue identification. The horizontal axis is time / development cascade (origin, development, impact, resolution); the vertical axis is pressure, cost and impact. An issue passes through the stages labelled dormant, emerging, potential, current and crisis during a period of increasing awareness. Early on there is an opportunity to influence; later it becomes difficult to influence, and by the crisis stage it is too late!
BS 7799
Information Security Management System standards
1995, twenty-two years ago: BS 7799 was published.
ISMS Standards
Information Security Management System standards
Source: ISO/IEC 27000:2016, clause 4 (the ISMS family of standards)
• 4.2 Vocabulary standard: 27000
• 4.3 Requirement standards: 27001, 27006, 27009
• 4.4 Guideline standards: 27002, 27003, 27004, 27005, 27007, TR 27008, 27013, 27014, TR 27016
• 4.5 Sector-specific guideline standards: 27010, 27011, 27015, 27017, 27018, 27019
• 4.6 Control-specific guideline standards: 2703x, 2704x
Good Practice
Meeting the standards
Demonstrating Good Practice
BSI Standard makers 2016
Nailed down?
So we have it nailed down?
NO!
WEF 10 Global Risks
World Economic Forum
Major Cyber Incident
Scenario modeling
One Major Cyber Attack
• Lloyd’s of London catastrophe modeling research
• 15 US States including NYC and Washington DC affected
• 93m people without power
• $243bn impact on the global economy
• $21.4bn claims
Heat Map
Cyber risk must be better understood. It connects and spreads between organisations. It is not a tech issue but a core BUSINESS RISK, and a critical societal risk!
Cyber essentials
The Basics
A first step: Cyber Essentials
The five technical control areas:
• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management
Cyber Essentials is intended only to provide the most basic of technical capabilities. It is aimed at those who have IT knowledge. It is meant to be a starting point.
CE Flowchart
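The five control areas above are, in practice, checked against an asset inventory. The following is an added example, not code from the deck, from Continuity Forum or from the Cyber Essentials scheme: it evaluates a constructed host inventory with one or two checks per control area and reports the gaps per host. The `Host` fields, the list of services that need justification and the sample hosts are assumptions for illustration; the 14-day window for applying high- and critical-risk updates is the scheme's own requirement.

```python
"""Self-assessment of a host inventory against the five Cyber Essentials
control areas. Added example; the inventory schema and sample hosts are
constructed for illustration, not taken from the scheme or the deck."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials requires high/critical-risk updates to be applied within
# 14 days of release. Every other threshold in this file is an assumption.
PATCH_WINDOW = timedelta(days=14)

# Services a self-assessor would expect to be disabled or explicitly justified
# (assumed list for the example, not a scheme-published one).
SERVICES_NEEDING_JUSTIFICATION = {"telnet", "ftp", "smbv1"}


@dataclass
class Host:
    name: str
    firewall_enabled: bool
    default_password_changed: bool
    listening_services: List[str]
    shared_accounts: List[str]          # accounts used by more than one person
    admin_used_for_daily_work: bool     # admin account used for email/browsing
    anti_malware_active: bool
    os_vendor_supported: bool
    # release date of the oldest high/critical update still missing; None = fully patched
    oldest_missing_patch_released: Optional[date] = None


def assess_host(h: Host, today: date) -> Dict[str, List[str]]:
    """Return findings grouped by control area; an empty dict means compliant."""
    findings: Dict[str, List[str]] = {}

    def flag(control: str, msg: str) -> None:
        findings.setdefault(control, []).append(msg)

    # 1. Boundary firewalls and internet gateways
    if not h.firewall_enabled:
        flag("firewalls", "firewall disabled")
    # 2. Secure configuration
    if not h.default_password_changed:
        flag("secure_configuration", "default password still in use")
    for svc in h.listening_services:
        if svc.lower() in SERVICES_NEEDING_JUSTIFICATION:
            flag("secure_configuration", f"unjustified service listening: {svc}")
    # 3. Access control
    for acct in h.shared_accounts:
        flag("access_control", f"shared account in use: {acct}")
    if h.admin_used_for_daily_work:
        flag("access_control", "administrator account used for everyday tasks")
    # 4. Malware protection
    if not h.anti_malware_active:
        flag("malware_protection", "no active anti-malware or application allow-listing")
    # 5. Patch management
    if not h.os_vendor_supported:
        flag("patch_management", "operating system no longer receives vendor security updates")
    if h.oldest_missing_patch_released is not None:
        age = today - h.oldest_missing_patch_released
        if age > PATCH_WINDOW:
            flag("patch_management",
                 f"high/critical update outstanding for {age.days} days (limit {PATCH_WINDOW.days})")
    return findings


def assess_inventory(hosts: List[Host], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Map each host name to its findings."""
    return {h.name: assess_host(h, today) for h in hosts}


# Constructed sample inventory (not real hosts).
TODAY = date(2018, 6, 1)
SAMPLE_HOSTS = [
    Host("laptop-01", True, True, ["https"], [], False, True, True, None),
    Host("legacy-fileserver", False, False, ["smbv1", "ftp"], ["scanner"], True,
         False, False, date(2018, 4, 1)),
    Host("build-02", True, True, ["ssh"], [], False, True, True, date(2018, 5, 25)),
]

if __name__ == "__main__":
    for name, found in assess_inventory(SAMPLE_HOSTS, TODAY).items():
        print(name, "PASS" if not found else found)
```

The check deliberately flags an unsupported operating system under patch management rather than secure configuration: a system that can no longer receive vendor fixes can never satisfy the 14-day rule, however well it is configured.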
What do we need to do?
What do we really need to do?
Cyber Risk & Resilience
Business Conversation
Cyber Risk | the business conversation
• Awareness of the real business risks
• Board understanding it is their responsibility
• Create an expectation of dynamic capability
• Process, Performance, Productivity & Profit
• Convergence and change
• Demand action…
BS31111
Expectations of a Director
Expectations of a Director
… to promote the success of the company, directors must consider the impact of the company's operations on the community. [1]
The duty to exercise reasonable care, skill and diligence requires directors to exercise the same care, skill and diligence that would be exercised by a reasonably diligent person with the knowledge, skill and experience that may be reasonably expected of: (i) a person carrying out the same functions in relation to the company as the director; and (ii) the actual director in question. [2]
[1] Section 172 and [2] Section 174, Companies Act 2006
Board Org Chart
BS 31111 (diagram): board engagement & responsibility; operational management & accountability

Culture
• Risk ownership
• Responsibility & accountability
• Knowledge, skills, attitudes & behaviour (KSAB)

Governance
• Evaluate
• Direct
• Monitor
• Communicate
• Assure

Risk Management
• Understanding context
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Scanning & review

Capability: active monitoring, security testing, horizon scanning & review
• Cyber landscape intelligence
• Protection
• Detection
• Response & recovery

BS 31111 Risk Management
BS 31111 | Integration with the business

Establishing context: a clear strategy with your business objectives clearly stated. It should include all the internal and external uncertainties across the organisation.
Risk identification: a process that expects the cyber environment to be connected to business objectives, whether or not those objectives are under the influence of the firm.
Risk analysis: develop a clear financial and operational understanding of the business effects of the risks identified, quantified in a relevant commercial context.
Risk evaluation: intelligent analysis and prioritised actions based on context and the relationship with business objectives.
Risk treatment:
• Identify the risk owner in the business, not just in IT
• Describe the options and the controls available, and assess their effectiveness
• Test and review the control
• Agree the risk treatment and document the treatment plan
• Assign it to the appropriate owner and set a completion or review timetable
• Document the expected change to the risk identified

BSI Standard makers 2017
Cyber Temple
The Cyber Temple (diagram) | Sum up: the learning experience
“The principles described connect and support other standards and good-practice frameworks and help the business boost value and integration in planning and develop real-world capabilities”
Diagram elements:
• Benefits & outcomes realised
• Governance & accountability; Culture
• Pillars: risk management, engagement, collaboration, adaptability, monitoring, threat intelligence, incident response, assurance
• Ownership & leadership; Trust & transparency; Informed decision making; Commitment & regulation
A question of priorities | The learning experience (images: 1860s, 1970s)
Close and Questions
Summary & Questions
Contact | russell.price@continuityforum.org Phone | +44 (0) 7770 666004

Editor's notes
1. (slide 5) We will have in excess of 30 billion devices connected to the net by 2020, and an estimated 75 billion by 2025 (source: Statista).