Upload File

accountability for corporate cybersecurity - who owns what?

  • Home
  • Business
  • Accountability for Corporate Cybersecurity - Who Owns What?
12
Accountability for Corporate Cybersecurity ‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ Who Owns What? ‐‐‐‐‐‐‐‐‐‐‐ l ll f d d bl Clear, Visually Defined CorporateWide Accountability Within the NIST Cybersecurity Framework Bridging the gap between operations and strategy

Upload: henry-draughon

Post on 18-Aug-2015

41 views

Category:

Business


4 download

Report

Tags:

TRANSCRIPT

Page 1: Accountability for Corporate Cybersecurity - Who Owns What?

Accountability for Corporate Cybersecurity

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐Who Owns What?

‐‐‐‐‐‐‐‐‐‐‐l ll f d d b lClear, Visually Defined Corporate‐Wide Accountability

Within the NIST Cybersecurity Framework

Bridging the gap between operations and strategy

Page 2: Accountability for Corporate Cybersecurity - Who Owns What?

Cybersecurity is a Corporate Responsibilityy y p p y

“Boards that choose to ignore, or minimize, the importance of b i d h i il ” L i A A il C i i

b h h d f l b b l h h

cybersecurity, do so at their own peril,” Luis A. Aguilar, Commissioner, New York Stock Exchange1

Data security breaches have progressed from low probability, high consequence to high probability, high consequence

Cyber attacks are creating more concern about potential damage to 2corporate reputation, class action lawsuits, and costly downtime2

Senior executives are motivated to become involved in data breach response: Help reduce financial impact2

Protect their companies’ reputation and brand2

© 2015 Process Delivery Systems

1June 10, 2014 Speech ‐ Boards of Directors, Corporate Governance and Cyber‐Risks: Sharpening the Focus2Ponemon Institute – The Importance of Senior Executive Involvement in Breach Response, October 2014

Page 3: Accountability for Corporate Cybersecurity - Who Owns What?

Cross‐Functional Accountability for Effective Corporate C bersec rit Management is Req iredCorporate Cybersecurity Management is Required

The NIST Cybersecurity Framework is Comprehensive, Well‐Vetted, and Widely Adopted

The Framework’s Technical Aspects, Sophistication, and Complexity can Lead to Silos of Cybersecurity Management andComplexity can Lead to Silos of Cybersecurity Management and Response Within the Organization

Ownership of the Creation and Maintenance of the Corporate Security Plan Should Remain with Either the Security or IT Department

Many Aspects of Cybersecurity Accountability Naturally Reside Outside of the Security and IT Departments

© 2015 Process Delivery Systems

Page 4: Accountability for Corporate Cybersecurity - Who Owns What?

Assignment of CorporateC bersec rit Acco ntabilitCybersecurity Accountability

Responsibility Assignment Matrix (RACI Matrix) Used to Assign 

Responsible (The Doers) ‐ Those who do the work to achieve the

Accountability Across the Organization

Responsible (The Doers) ‐ Those who do the work to achieve the task. There is at least one role with a participation type of Responsible.

Accountable (The Buck Stops Here) The one ultimatelyAccountable (The Buck Stops Here) ‐ The one ultimately answerable for correctness and thoroughness of the completed task.

C lt Th h i i ht t i ll bj tConsult Those whose opinions are sought, typically subject matter experts. Two‐way communication.

Inform Those kept up to date on progress with whom there 

© 2015 Process Delivery Systems

is one‐way communication.

Page 5: Accountability for Corporate Cybersecurity - Who Owns What?

NIST Cybersecurity FrameworkWithin PDFrame orkWithin PDFramework

PDFramework – A Web Framework Designed to Deliver P d l C d R l f A bili i hProcedural Content and Roles of Accountability with 

Unprecedented Visual Clarity

© 2015 Process Delivery Systems

Page 6: Accountability for Corporate Cybersecurity - Who Owns What?

Within the Identify Category – Understandand Prioriti e the B siness En ironmentand Prioritize the Business Environment

© 2015 Process Delivery Systems

Page 7: Accountability for Corporate Cybersecurity - Who Owns What?

Understanding and Prioritizing the BusinessFactors Better Suited to CFO or Strategic CommitteeFactors Better Suited to CFO or Strategic Committee

© 2015 Process Delivery Systems

Page 8: Accountability for Corporate Cybersecurity - Who Owns What?

Awareness and Training Within theProtect CategorProtect Category

© 2015 Process Delivery Systems

Page 9: Accountability for Corporate Cybersecurity - Who Owns What?

Awareness and Training AccountabilityBelongs to the Director of Security, Various 

bl fDepartments are Responsible for Execution

© 2015 Process Delivery Systems

Page 10: Accountability for Corporate Cybersecurity - Who Owns What?

Data Breach Response Coordination Must BeCaref ll Designed and Effecti el E ec tedCarefully Designed and Effectively Executed

© 2015 Process Delivery Systems

Page 11: Accountability for Corporate Cybersecurity - Who Owns What?

Design and Execution of Public FacingResponse Efforts Better Suited for the

l dLegal and Communications Team

© 2015 Process Delivery Systems

Page 12: Accountability for Corporate Cybersecurity - Who Owns What?

Questions, Insights, andC t R t dComments Requested

Please visit the PDFramework version of the NIST Cybersecurity Framework at: 

h

• http://processdeliverysystems.com/v2pds_nist/index.htm

Henry DraughonOffice: (972) 980‐9041Cell: (214) 707‐4450hdraughon@processdeliverysystems comhdraughon@processdeliverysystems.comwww.processdeliverysystems.com

© 2015 Process Delivery Systems


BUILDING CYBERSECURITY IN SMALL AND MIDSIZE BUSINESSES › downloads › SB0365-whitepaper-cybersecurity… · AND MIDSIZE BUSINESSES CYBERSECURITY WHITEPAPER. CYBERSECURITY WHITEPAPER

GAO-12-8 Cybersecurity Human Capital: Initiatives …Page 1 GAO-12-8 Cybersecurity Human Capital United States Government Accountability Office Washington, DC 20548 November 29, 2011

Who Owns the Band’s IP? A discussion of who owns a …

Cybersecurity for Business Survival€¦ · US$117M sales (Reckitt Benckiser owns Dettol, Durex) US$290M sales (French building manufacturer) US$300M business cost (incl. reinstall

Cisco CyberSecurity Institute › c › dam › m › de_ch › cybersecurity... · Cisco CyberSecurity Institute Cisco CyberSecurity Institute Förderung der Cybersicherheitsexperten/-innen

The future of golf club management - GCMA · PDF filenow -and then.html slide 2 128MB 128GB . @dw2 Page 14 ... Dematerialisation Owns no taxis Owns no hotels Owns no inventory Owns

Who owns it?

Cybersecurity 3 cybersecurity costs and causes

Current Cybersecurity Maturity Models: How Effective in ...ceur-ws.org/Vol-2348/paper16.pdf · Smart Healthcare and Safety Systems awareness, visibility and accountability [2], and

Who Owns Compliance

Who Owns Nature?

Cybersecurity 5 improving cybersecurity

WHO OWNS AUSTRALIA

CYBERSECURITY RISK DISCLOSURE AND CYBERSECURITY DISCLOSURE ... · CYBERSECURITY RISK DISCLOSURE AND CYBERSECURITY DISCLOSURE GUIDANCE ABSTRACT Cybersecurity risk disclosure has received

Who Owns Dinkytown?

Big Data and Cybersecurity - Eversheds Sutherland · and the Health Insurance Portability and Accountability Act. Internationally, access to new sources of consumer data, and

Who owns Sweden?

Cybersecurity Workforce CompetenciesIntroduction: Cybersecurity Industry Snapshot Career Opportunities in the Cybersecurity Industry Defining a Common Set of Cybersecurity Professional

Global Privacy & Cybersecurity - Author nsights · 2019. 11. 25. · tional Cybersecurity Awareness Month and this year’s theme is personal accountability and pro - active behavior

February 2013 CYBERSECURITY - Government Accountability Office

AVIATION CYBERSECURITY - Atlantic Council · 1.3.3 Safety, security, enterprise cybersecurity, and aviation cybersecurity Where aviation cybersecurity crosses the traditional elements

September 2020 CYBERSECURITYUnited States Government Accountability Office Highlights of GAO-20-629, a report to congressional requesters September 2020 CYBERSECURITY Clarity of Leadership

Higher Education – who owns and who owes accountability in Korea? A Comparative Critique on public-private binary ambivalence in HE Terri Kim, PhD (London)

Data Storage Innovation Conference: Whoever Owns the Data Owns the Customer

CYBERSECURITY ROADMAP CYBERSECURITY OPERATIONS …

Who Owns Online Courses and Course Materials? Who Owns Online Courses and Course

Who owns Social?

REPORT The Security Architect and Cybersecurity...While the CISO owns the cybersecurity strategy, much of the work needed to implement that strategy falls to the security architect

Higher Education – who owns and who owes accountability in Korea? A Comparative Critique on public-private binary ambivalence in HE

Cybersecurity Human Capital - US Government Accountability Office

Who Owns Boston?

Cybersecurity Test and Evaluation Process Sponsored Documents/Cybersecurity... · Program Office Implementation Plan must include cybersecurity ... – Ensures cybersecurity is part

Who Owns Community?

CISPA Center for IT Security, Privacy and Accountability · 2017-06-12 · 2 phase BMBF funding CISPA building CISPA‐Stanford Center for Cybersecurity CISPA‐Stanford Center •

HEALTH CARE - NCCoE · 2017-07-20 · to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Based on our