
© 2017 Georges Ataya

Georges Ataya, CISA, CGEIT, CISA, CISSP, MSCS, PBA

Professor, Solvay Brussels School of Economics and Management
Academic Director, IT Management Education
Managing Partner, ICT Control NV

The joys and pains of digital transformation (Les joies et les peines de la transformation numérique)

Executive Education in IT Management

Executive Education in Information Security Management

SOLVAY.EDU/IT

Executive Education in IT Management

Executive Master in IT Management

Executive Programme in:

. CIO Practices
. CIO Leadership
. IT Business Agility
. Enterprise and IT Architecture
. IT Sourcing
. IT Management Consulting

SOLVAY.EDU/IT

Executive Education in Information Security Management

Executive Master in Information Risk and Cybersecurity

Executive Programme in:

. Security Governance
. Information Security
. Cybersecurity

SOLVAY.EDU/IT

Lectured tracks and modules

G – track: IT Governance
G1 – The CIO Foundation
G2 – IT Governance Workshop
G3 – IT Risk and Legal concerns

M – track: IT Management
M1 – Applications Build and Management
M2 – IT Services and Run Management
M3 – IT Sourcing Management

B – track: Business Agility
B1 – Enterprise Strategy and Architecture
B2 – Business Transformation
B3 – Digital Agility and Innovation

A – track: Activating skills
A1 – IT Finance and Portfolio Management
A2 – Soft Skills for IT professionals
A3 – Building Expert Opinion

S – track: Info Security
S1 – Information Security Management
S2 – IT Security Practices
S3 – Cybersecurity Workshop

© 2014 ictc.eu
© Copyright ICTC.EU 2017

Programme in European Data Protection, leading to certified DPO

Solvay.edu/gdpr

European Program in Data Protection

Next edition starting on March 22

Solvay.edu/gdpr

www.cybersecuritycoalition.be

Awareness Campaigns

Dpocircle.eu

• Free membership for DPO and GDPR professionals

Program in European Data Protection (GDPR)

Legal and Management Requirements: define data protection objectives and scope

Risk and Impact Assessment: identify the gap in reaching defined protection targets

Compliance Transformation: manage compliance-related transformation

Information Security and Privacy: protect and secure architectural components

Response and Breach Management: prepare, react and notify when needed

SOLVAY.EDU/GDPR

Actively looking for GDPR experts

Publications

ICT Control SA, 13 July 2015

Digital transformation is the profound and accelerating transformation of business activities, processes, competencies and models to fully leverage the changes and opportunities of digital technologies and their impact across society in a strategic and prioritized way, with present and future shifts in mind.

Focus of IT activities and orientations

(Diagram labels: Infrastructure, Application, Management, Digital Transformation)

© Copyright 2014 Georges Ataya

• Digitization will change the traditional retail-banking business model, in some cases radically.

• The bad news is that change is coming whether or not banks are ready.

Source: "The rise of the digital bank", by 'Tunde Olanrewaju, Principal in McKinsey's London office

Source: "Leading Digital: Turning Technology into Business Transformation", George Westerman, Didier Bonnet & Andrew McAfee, Harvard Business Review Press, October 2014

Why should we care?

Sources of external threat

• Intelligence Agencies
• Criminal Groups
• Terrorist Groups
• Activist Groups
• Armed Forces

Regulatory context

Enterprise Security Architecture

Layers: Business Process, Information, Services, Applications, Infrastructure

Enterprise Security Architecture (cont.)

• Business processes
• Information
• Services
• Applications
• Infrastructure

Current architecture: Business Processes, Information, Services, Applications, Infrastructure

Transformation projects / Evolution projects

Future architecture: Business Processes, Information, Services, Applications, Infrastructure

Levels of security

General Security: physical security, safety, fraud, compliance, etc.

Information Security: essential assets, risks, mitigation, planning, business as usual/run

IT Security: security management, security program objectives, specific projects, security operations

* Security aspects

Cybersecurity processes

Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

© 2015 ICTC.EU

Develop and implement cybersecurity processes

Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

DETECT

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Subcategories: DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5

DE.AE-5: Incident alert thresholds are established

Informative references:
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.2.3.10
• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

© 2015 ICTC.EU

The need for good business practices
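The DE.AE-5 subcategory above only states that alert thresholds are established; it does not show what such a threshold looks like in practice. The following is an added example, not code from the slides or from ICTC.EU: it applies a sliding-window threshold (an assumed value of 5 failed logins from one source within 60 seconds) to constructed authentication log lines and records when the alert fired relative to the first failure, which is the "timely manner" part of the DE.AE outcome. The log format, the field names and the threshold values are assumptions chosen for the example.

```python
"""Sliding-window alert threshold over constructed authentication log lines.

Added example for DE.AE-5 ("incident alert thresholds are established").
The log format, thresholds and sample data below are assumptions made for
this example; they are not taken from the slides.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data). 10.0.0.5 produces five failures in
# five seconds; 10.0.0.9 produces three failures spread over eleven minutes.
SAMPLE_LOG = """\
2017-05-02T09:00:01 FAIL user=alice src=10.0.0.5
2017-05-02T09:00:03 FAIL user=alice src=10.0.0.5
2017-05-02T09:00:04 FAIL user=bob src=10.0.0.5
2017-05-02T09:00:05 FAIL user=carol src=10.0.0.5
2017-05-02T09:00:06 FAIL user=dave src=10.0.0.5
2017-05-02T09:00:40 OK user=alice src=10.0.0.7
this line is malformed and must be skipped
2017-05-02T09:20:00 FAIL user=erin src=10.0.0.9
2017-05-02T09:20:10 FAIL user=erin src=10.0.0.9
2017-05-02T09:31:00 FAIL user=erin src=10.0.0.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_threshold_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Raise one alert per source the first time its failed-login count
    inside the sliding window reaches the threshold.

    Each alert records the source, the first failure still inside the window,
    the event that tripped the threshold, and the count at that moment.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    alerted = set()               # sources already alerted (no duplicates)
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        q = recent[event["src"]]
        q.append(event["ts"])
        # Evict failures older than the window relative to this event.
        while q and event["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append({
                "src": event["src"],
                "first_seen": q[0],
                "alerted_at": event["ts"],
                "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_threshold_alerts(SAMPLE_LOG):
        latency = alert["alerted_at"] - alert["first_seen"]
        print(f"ALERT src={alert['src']} count={alert['count']} "
              f"detected {latency.total_seconds():.0f}s after first failure")
```

Two design points are worth noting. The window is evaluated relative to each new event rather than on a fixed clock, so a burst that straddles a minute boundary is still caught; and a source is alerted only once until the window empties, which keeps a single attack from generating one alert per line. Tuning the threshold and window is exactly the work DE.AE-5 asks an organization to do and document.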

ISO 27002:2013 control blocks

Bottom-up approach using the SANS CIS top 20 security controls

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

The SANS CIS top 20 security controls are based on the most frequently recurring findings about security weaknesses in organizations. Implementing those controls is always regarded as good practice from a bottom-up perspective.

Eliminate the vast majority of an organization's vulnerabilities

The Ten Most Critical Web Application Security Risks

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

www.owasp.org – the free and open software security community

Enablers

Building adequate lines of defense

source

A MANAGER FOR CYBER SECURITY INCIDENT MANAGEMENT

• Information Security Governance
• Information Risk Management & Compliance
• Information Security Program Development & Management
• Information Security Incident Management

Georges Ataya

Career Summary
• Professor and Academic Director (SBS-EM)
• Managing Director, ICT Control advisory firm
• Past International Vice President at ISACA
• Past Partner, Ernst & Young
• Past Deputy International CIO, ITT World Directories
• Previously Project Manager and Senior IT Auditor

Expertise Summary
• IT Governance (development of COBIT 4 and COBIT 5)
• IT Governance and Value governance (co-author VALIT and supervision of the CGEIT BOK)
• Information Security Management (co-author, CISM Body of Knowledge)
• IT Audit and Governance
• Information security and risk
• Strategy and Enterprise Architecture and IT Sourcing

Education/Certification
• Master in Computer Science (Faculty of Sciences, ULB)
• Postgraduate in Management (Solvay Brussels School, ULB)
• Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); Certified in Risk and Information Systems Control (CRISC); Certified Information Systems Security Professional (CISSP); Certified in the Governance of Enterprise IT (CGEIT)

[email protected] – ataya.info – be.linkedin.com/in/ataya