NY State’s cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO
March 23, 2017
Alan Calder, IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING

Upload: it-governance-ltd

Post on 11-Apr-2017


TRANSCRIPT

Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
• Led the world’s first successful implementation of ISO 27001 (then BS 7799)

www.itgovernanceusa.com – Copyright IT Governance Ltd 2017 – v1.0

Leading global provider
• The single source for everything to do with cybersecurity, cyber risk management and IT governance
• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification
• Our mission is to engage with business executives, senior managers and IT professionals and to help them Protect, Comply, Thrive:
 – Protect and secure their intellectual capital
 – Comply with relevant regulations
 – Thrive as they achieve strategic goals through better IT management

Agenda
• The responsibility to appoint a CISO
• Application security program (internal and external) and review by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection of and responses to cybersecurity events
• How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements

1 year compliance deadlines
• This presentation covers the following compliance deadlines (transitional periods by section of the Regulation):
 – 180 days: Section 500.02 Cybersecurity Program; Section 500.03 Cybersecurity Policy; Section 500.07 Access Privileges; Section 500.10 Cybersecurity Personnel and Intelligence; Section 500.16 Incident Response Plan
 – 1 year: Section 500.04(b) Chief Information Security Officer (CISO); Section 500.05 Penetration Testing and Vulnerability Assessments; Section 500.09 Risk Assessment; Section 500.12 Multi-Factor Authentication; Section 500.14(b) Training and Monitoring
 – 18 months: Section 500.06 Audit Trail; Section 500.08 Application Security; Section 500.13 Limitations on Data Retention; Section 500.14(a) Training and Monitoring; Section 500.15 Encryption of Nonpublic Information
 – 2 years: Section 500.11 Third Party Service Provider Security Policy

Appointing a chief information security officer (CISO) (Section 500.04(a), 180-day requirement)
• What to look for in a candidate
 – A trustworthy advisor
 – Understands the business processes and the organization as a whole
• Covered entities may choose to
 – Designate an internal staff member as CISO
  º Benefit: an internal CISO has an advantage in understanding how the business operates, and so can better assess and guide what is needed to protect the organization
 – Outsource the role to an affiliate or third party
  º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
  º A third party may not have a clear picture of the business operations

Role of the CISO (Section 500.04(b), one-year requirement)
• Provide an annual report to the board of directors on the cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
 – Cybersecurity policies and procedures
 – All material cybersecurity risks
 – Confidentiality of nonpublic information, and the reliability and security of information systems
 – Effectiveness of the cybersecurity program
 – Documentation of cybersecurity events that occurred during the year covered in the report

Application security (Section 500.09)
• Within the cybersecurity program, in-house-developed applications shall include
 – written procedures, guidelines and standards designed to ensure the use of secure development practices
 – procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the technology environment
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)

Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program
• The risk assessment must
 – be updated if there are any changes to information systems, nonpublic information or business operations
 – allow for revision of controls to respond to threats or any technological developments
 – consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
 – be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include
 – measures for the evaluation and classification of identified cybersecurity threats or risks
 – conditions set for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
 – a plan to determine how identified risks, based on the risk assessment, will be mitigated or accepted, and how the cybersecurity program will address the risks

Setting up a program specific to your organization’s information systems and business operations
• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations:
 – How does cybersecurity enable the business?
 – How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
 – Supply chain / third-party suppliers
 – Product/service development
 – Customer experience
 – External influencers

Elements of a strong cybersecurity strategy
• Set a vision: Describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: Your resources are finite, so focus on critical business assets.
• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.

New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 to reveal:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed

2016 NY breaches caused by
[Chart from the slide not captured in the transcript]

Identifying cyber threats: the threat landscape
• Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime, Natural disasters, Nation states, Competitors
• Attack vectors: People, Processes, Technology
• Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits, Ransomware, etc.
• Threat targets: IP, Card data, PII, Money, Reputation, Commercial info

Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
 – Provides alerts to current attacks and threats
 – Partners with the Department of Homeland Security
 – Free membership
 – https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
 – The global financial industry’s resource for cyber and threat intelligence analysis and sharing
 – Requires a membership fee
 – https://www.fsisac.com

Incorporating controls
• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by
 – identifying risks
 – preventing risks through the design and implementation of controls
 – monitoring and reporting on the effectiveness of those controls
 – resolving compliance difficulties as they occur
 – advising and training
• Control types: Physical, Personnel, Procedural, Product/Technical

Annex A: 14 control categories (114 controls)
• A.5 Infosec policies
• A.6 Organization of infosec
• A.7 Human resources security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development & maintenance
• A.15 Supplier relationships
• A.16 Infosec incident management
• A.17 Infosec aspects of business continuity management
• A.18 Compliance

Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment,
 – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
 – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years
• Maintain 5 years: material financial transactions
• Maintain 3 years: audit trails of cybersecurity events

Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
• ISO 27001
 – Internationally recognized standard
 – Best-practice solution
 – Substantial ecosystem of implementers
 – Coordinates multiple legal and contractual compliance requirements
 – Built around business-focused risk assessment
 – Balances confidentiality, integrity and availability
 – Achieve certification in a timely and cost-effective manner
• vsRisk™ software
 – Gives you a clear picture of your risks and threats
 – Provides a framework to start your cybersecurity program
 – Saves time, effort and expense

ISO 2700x family of standards
[Figure: how ISO 27000:2016, ISO 27001:2013 and ISO 27002:2013 relate. ISO 27001:2013 is shown as clauses 0 to 3 (Introduction, Application, Terms and definitions), clauses 4 to 10, Annex A (A.5 to A.18, each listing control objectives and controls) and Annex B. ISO 27002:2013 is shown as clauses 1 to 4 (Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment), clauses 5 to 18 (each listing control objectives and controls, with each control broken down into control, implementation guidance and other information) and a Bibliography.]

Risk assessment software
[Screenshot from the slide not captured in the transcript]

vsRisk™ (v2.x)
[Screenshot from the slide not captured in the transcript; frameworks shown: NIST, PCI DSS]

Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
 º Part 1 – The Regulation and the ISO 27001 standard
 º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
 º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
 º https://www.itgovernanceusa.com/risk_assessments

IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes

Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
 – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
 – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
 – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
 – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
 – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements

Join in the conversation
• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
 – https://www.linkedin.com/groups/8598504

Questions and answers

Page 2: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

Introduction

bull Alan Calder

bull Founder of IT Governance Ltd

bull Author of IT Governance An International Guide to Data Security and ISO 2700127002

bull Led the worldrsquos first successful implementationof ISO 27001 (then BS 7799)

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Leading global provider

bull The single source for everything to do with cybersecurity cyber risk

management and IT governance

bull Our team of dedicated and knowledgeable trainers and consultants

have helped over 400 organizations worldwide achieve ISO 27001

certification

bull Our mission is to engage with business executives senior

managers and IT professionals and to help them

Protect Comply Thrive

and secure their intellectual capital

with relevant regulations

as they achieve strategic goals through better IT management

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Agenda

bull The responsibility to appoint a CISO

bull Application security program (internal and external) and review

by the CISO

bull Overview of the risk assessment policy and procedures

bull Setting up a program specific to your organizationrsquos information

systems and business operations

bull Identifying cyber threats and how to incorporate controls

bull Maintaining an audit trail to include detection and responses to

cybersecurity events

bull How ISO 27001 and vsRisk can provide the right tools to help

you implement a successful program that meets compliance

requirements

4

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

1 year compliance deadlines

180 days 1 year 18 months 2 years

Section 50002 Cybersecurity Program

Section 50004 (b) Chief Information Security Officer (CISO)

Section 50006 Audit Trail

Section 50011 Third Party Service Provider Security Policy

Section 50003 Cybersecurity Policy

Section 50005 Penetration Testing and Vulnerability Assessments

Section 50008 Application Security

Section 50007 Access Privileges

Section 50009 Risk Assessment

Section 50013 Limitations on Data Retention

Section 50010 Cybersecurity Personnel and Intelligence

Section 50012 Multi-Factor Authentication

Section 50014 (a)Training and Monitoring

Section 50016 Incident Response Plan

Section 50014 (b)Training and Monitoring

Section 50015 Encryption of Nonpublic Information

bull This presentation covers the following compliance deadlines

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Appointing a chief information security

officer (CISO) (Section 50004 (a) 180-day requirement)

bull What to look for in a candidate

ndash A trustworthy advisor

ndash Understands the business processes and the organization as a whole

bull Covered entities may choose to

ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and

guide what is needed to protect the organization

ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee

the third party

ordm May not have a clear picture of the business operations

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Role of the CISO (Section 50004 (b) one-year requirement)

bull Provide an annual report to the board of directors on the

cybersecurity program and associated risks

bull The following must be taken into consideration by the CISO

ndash Cybersecurity policies and procedures

ndash All material cybersecurity risks

ndash Nonpublic information confidentiality the reliability and security of

information systems

ndash Effectiveness of the cybersecurity program

ndash Document of cybersecurity events that occurred during the year covered

in the report

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Application security (Section 50009)

bull Within the cybersecurity program in-house-developed applications

shall include

ndash written procedures guidelines and standards designed to ensure the use of

secure development practices

ndash procedures for evaluating assessing or testing the security of externally

developed applications utilized by the Covered Entity within the context of the

technology environment

bull All such procedures guidelines and standards shall be periodically

reviewed assessed and updated as necessary by the CISO (or a

qualified designee)

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Overview of the risk assessment policy and procedures (Section 50009)

bull Risk assessments of information systems should be done periodically to

inform the design of the cybersecurity program

bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or

business operations

ndash allow for revision of controls to respond to threat or any technological developments

ndash consider risks of operations that relate to cybersecurity information systems collected or

stored nonpublic information and the effectiveness of controls to protect nonpublic

information and information systems

ndash be documented and implemented in accordance with written policies and procedures

bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks

ndash conditions set for the assessment of the security confidentiality and integrity and availability

information systems and nonpublic information including the suitability of current controls

relating to identified risks

ndash a plan to determine how identified risks based on the risk assessment will be mitigated or

accepted and how the cybersecurity program will address the risks

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Setting up a program specific to your

organizationrsquos information systems and

business operations

bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business

ndash How does cyber risk affect the business

bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience

bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers

ndash Productservice development

ndash Customer experience

ndash External influencers

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity

strategy

bull Set a vision Describe how cybersecurity protects and enables value in your company

bull Sharpen your priorities Your resources are finite so focus on critical business assets

bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications

bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk

bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape

bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue

bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

New York breaches rose 60 in 2016

New York State Attorney General Eric T Schneiderman released a

summary of the year 2016 to reveal

bull 1300 data breaches reported

bull 60 increase from 2015

bull 16 million New Yorkersrsquo personal records exposed

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 3: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Leading global provider

bull The single source for everything to do with cybersecurity cyber risk

management and IT governance

bull Our team of dedicated and knowledgeable trainers and consultants

have helped over 400 organizations worldwide achieve ISO 27001

certification

bull Our mission is to engage with business executives senior

managers and IT professionals and to help them

Protect Comply Thrive

and secure their intellectual capital

with relevant regulations

as they achieve strategic goals through better IT management

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Agenda

bull The responsibility to appoint a CISO

bull Application security program (internal and external) and review

by the CISO

bull Overview of the risk assessment policy and procedures

bull Setting up a program specific to your organizationrsquos information

systems and business operations

bull Identifying cyber threats and how to incorporate controls

bull Maintaining an audit trail to include detection and responses to

cybersecurity events

bull How ISO 27001 and vsRisk can provide the right tools to help

you implement a successful program that meets compliance

requirements

4

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Compliance deadlines (180 days, 1 year, 18 months, 2 years)

• This presentation covers the following compliance deadlines:

180 days:
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan

1 year:
– Section 500.04(b) Chief Information Security Officer (CISO)
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14(b) Training and Monitoring

18 months:
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14(a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information

2 years:
– Section 500.11 Third Party Service Provider Security Policy


Appointing a chief information security officer (CISO) (Section 500.04(a), 180-day requirement)

• What to look for in a candidate:
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefit: an internal CISO has the advantage of understanding how the business operates, and so can better assess and guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
º May not have a clear picture of the business operations


Role of the CISO (Section 500.04(b), one-year requirement)

• Provide an annual report to the board of directors on the cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– Cybersecurity policies and procedures
– All material cybersecurity risks
– Confidentiality of nonpublic information, and the reliability and security of information systems
– Effectiveness of the cybersecurity program
– Documentation of cybersecurity events that occurred during the year covered by the report


Application security (Section 500.09)

• Within the cybersecurity program, for in-house-developed applications, the Covered Entity shall include:
– written procedures, guidelines and standards designed to ensure the use of secure development practices
– procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of its technology environment
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)


Overview of the risk assessment policy and procedures (Section 500.09)

• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program
• The risk assessment must:
– be updated if there are any changes to information systems, nonpublic information or business operations
– allow for revision of controls to respond to threats or technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include:
– measures for the evaluation and classification of identified cybersecurity threats or risks
– conditions set for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
– a plan to determine how identified risks, based on the risk assessment, will be mitigated or accepted, and how the cybersecurity program will address the risks
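As an added example that is not part of the original deck (and not vsRisk's own logic): a minimal risk register in Python that applies the policy elements above, classifying each identified threat, scoring it against confidentiality, integrity and availability, judging whether current controls are suitable, recording a mitigate-or-accept decision, and flagging when a change to the asset inventory requires the assessment to be updated. The 1 to 5 scales, the likelihood-reduction model for controls, the acceptance threshold and the sample assets are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed scales (not taken from the Regulation): likelihood and each
# CIA impact are rated 1 (low) to 5 (high). Score = likelihood x worst
# impact. A residual score above the threshold must be treated.
RISK_ACCEPTANCE_THRESHOLD = 8


@dataclass
class Control:
    """A current control and the credit it earns in the assessment."""
    name: str
    likelihood_reduction: float   # assumed model: fraction of likelihood removed
    effective: bool = True        # False until the control is verified as operating


@dataclass
class Risk:
    """One identified threat against one information system or data store."""
    asset: str
    holds_npi: bool               # asset stores nonpublic information
    threat: str
    likelihood: int               # 1..5
    impact_c: int                 # confidentiality impact 1..5
    impact_i: int                 # integrity impact 1..5
    impact_a: int                 # availability impact 1..5
    controls: list = field(default_factory=list)

    def worst_impact(self) -> int:
        return max(self.impact_c, self.impact_i, self.impact_a)

    def inherent_score(self) -> int:
        return self.likelihood * self.worst_impact()

    def residual_likelihood(self) -> float:
        like = float(self.likelihood)
        for c in self.controls:
            if c.effective:       # unverified controls earn no credit
                like *= 1.0 - c.likelihood_reduction
        return max(like, 1.0)

    def residual_score(self) -> float:
        return self.residual_likelihood() * self.worst_impact()

    def classify(self) -> str:
        score = self.residual_score()
        if score > 15:
            return "high"
        if score > RISK_ACCEPTANCE_THRESHOLD:
            return "medium"
        return "low"

    def controls_suitable(self) -> bool:
        """Are current controls enough to bring the risk within appetite?"""
        return self.residual_score() <= RISK_ACCEPTANCE_THRESHOLD

    def decision(self) -> str:
        return "accept" if self.controls_suitable() else "mitigate"


def assess(risks, assessed_on):
    """Document every identified risk, its classification and its decision."""
    return [{
        "asset": r.asset,
        "npi": r.holds_npi,
        "threat": r.threat,
        "inherent": r.inherent_score(),
        "residual": round(r.residual_score(), 1),
        "class": r.classify(),
        "controls_suitable": r.controls_suitable(),
        "decision": r.decision(),
        "assessed_on": assessed_on.isoformat(),
    } for r in risks]


def needs_reassessment(previous, current):
    """Section 500.09 requires an update when information systems or
    nonpublic information change: compare the asset inventory between
    the last assessment and now."""
    prev = {(r.asset, r.holds_npi) for r in previous}
    curr = {(r.asset, r.holds_npi) for r in current}
    return prev != curr


# Constructed sample register (hypothetical assets, threats and controls)
MFA = Control("MFA on remote access", 0.7)
PATCHING = Control("Monthly patching", 0.5, effective=False)  # not yet verified
BACKUPS = Control("Offline backups, restore tested quarterly", 0.4)
REGISTER = [
    Risk("Customer portal", True, "credential theft via phishing", 4, 5, 3, 2, [MFA]),
    Risk("File server", True, "ransomware", 3, 3, 4, 5, [PATCHING, BACKUPS]),
    Risk("Marketing website", False, "defacement", 2, 1, 3, 2, []),
]


def sample_assessment():
    """Run the constructed register as of the webinar date."""
    return assess(REGISTER, date(2017, 3, 23))


if __name__ == "__main__":
    for row in sample_assessment():
        print(row)
    # Adding a new system that holds nonpublic information triggers an update
    changed = REGISTER + [Risk("New CRM", True, "misconfiguration", 2, 4, 2, 2)]
    print("reassessment needed:", needs_reassessment(REGISTER, changed))
```

Note that the unverified patching control earns no credit, so the file server risk stays above the threshold and is recorded as "mitigate" with controls marked unsuitable.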


Setting up a program specific to your organization's information systems and business operations

• An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers


Elements of a strong cybersecurity strategy

• Set a vision: describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: your resources are finite, so focus on critical business assets.
• Build the right team: ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications.
• Enhance your controls: to reflect the widening scope of your cybersecurity strategy, you'll need to adopt new methods for treating risk.
• Monitor the threat: cybersecurity requires an adaptive outlook; maintain awareness of the threat landscape.
• Plan for contingencies: no one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: people are the core of the business, so cybersecurity is everyone's responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.


New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 revealing:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers' personal records exposed


2016 NY breaches caused by (chart)


Identifying cyber threats: the threat landscape (diagram)

Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime, Natural disasters, Nation states, Competitors
Attack vectors: People, Processes, Technology
Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits, Ransomware, etc.
Threat targets: IP, Card data, PII, Money, Reputation, Commercial info


Resources for threat alerts

• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts on current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
– The global financial industry's resource for cyber and threat intelligence analysis and sharing
– Requires a membership fee
– https://www.fsisac.com


Incorporating controls

• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
– identifying risks
– preventing risks through the design and implementation of controls
– monitoring and reporting on the effectiveness of those controls
– resolving compliance difficulties as they occur
– advising and training

Control types (diagram): Physical, Personnel, Procedural, Product/Technical


Annex A: 14 control categories (114 controls)

A.5 Information security policies
A.6 Organization of information security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance


Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years

Retention summary:
– Maintain 5 years: material financial transactions
– Maintain 3 years: audit trails of cybersecurity events


Best-practice cyber risk management: ISO 27001 and vsRisk

• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity and availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort and expense


ISO 27000x family of standards (diagram)

– ISO 27000:2016
– ISO 27001:2013: clauses 0 to 3 (Introduction, Application, Terms and definitions); clauses 4 to 10; Annex A, A.5 to A.18 (security control objectives and controls); Annex B
– ISO 27002:2013: clauses 1 to 4 (Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment); clauses 5 to 18 (security control objectives and controls, each with control, implementation guidance and other information); Bibliography


Risk assessment software (screenshot)


vsRisk™ (v2.x) (screenshot; labels shown: NIST, PCI DSS)


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments


IT Governance Ltd: one-stop shop

All verticals, all sectors, all organizational sizes


Books, standards, training and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements


Join in the conversation

• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
https://www.linkedin.com/groups/8598504


Questions and answers

Page 4: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Agenda

bull The responsibility to appoint a CISO

bull Application security program (internal and external) and review

by the CISO

bull Overview of the risk assessment policy and procedures

bull Setting up a program specific to your organizationrsquos information

systems and business operations

bull Identifying cyber threats and how to incorporate controls

bull Maintaining an audit trail to include detection and responses to

cybersecurity events

bull How ISO 27001 and vsRisk can provide the right tools to help

you implement a successful program that meets compliance

requirements

4

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

1 year compliance deadlines

180 days 1 year 18 months 2 years

Section 50002 Cybersecurity Program

Section 50004 (b) Chief Information Security Officer (CISO)

Section 50006 Audit Trail

Section 50011 Third Party Service Provider Security Policy

Section 50003 Cybersecurity Policy

Section 50005 Penetration Testing and Vulnerability Assessments

Section 50008 Application Security

Section 50007 Access Privileges

Section 50009 Risk Assessment

Section 50013 Limitations on Data Retention

Section 50010 Cybersecurity Personnel and Intelligence

Section 50012 Multi-Factor Authentication

Section 50014 (a)Training and Monitoring

Section 50016 Incident Response Plan

Section 50014 (b)Training and Monitoring

Section 50015 Encryption of Nonpublic Information

bull This presentation covers the following compliance deadlines

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Appointing a chief information security

officer (CISO) (Section 50004 (a) 180-day requirement)

bull What to look for in a candidate

ndash A trustworthy advisor

ndash Understands the business processes and the organization as a whole

bull Covered entities may choose to

ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and

guide what is needed to protect the organization

ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee

the third party

ordm May not have a clear picture of the business operations

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Role of the CISO (Section 50004 (b) one-year requirement)

bull Provide an annual report to the board of directors on the

cybersecurity program and associated risks

bull The following must be taken into consideration by the CISO

ndash Cybersecurity policies and procedures

ndash All material cybersecurity risks

ndash Nonpublic information confidentiality the reliability and security of

information systems

ndash Effectiveness of the cybersecurity program

ndash Document of cybersecurity events that occurred during the year covered

in the report

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Application security (Section 50009)

bull Within the cybersecurity program in-house-developed applications

shall include

ndash written procedures guidelines and standards designed to ensure the use of

secure development practices

ndash procedures for evaluating assessing or testing the security of externally

developed applications utilized by the Covered Entity within the context of the

technology environment

bull All such procedures guidelines and standards shall be periodically

reviewed assessed and updated as necessary by the CISO (or a

qualified designee)

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Overview of the risk assessment policy and procedures (Section 50009)

bull Risk assessments of information systems should be done periodically to

inform the design of the cybersecurity program

bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or

business operations

ndash allow for revision of controls to respond to threat or any technological developments

ndash consider risks of operations that relate to cybersecurity information systems collected or

stored nonpublic information and the effectiveness of controls to protect nonpublic

information and information systems

ndash be documented and implemented in accordance with written policies and procedures

bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks

ndash conditions set for the assessment of the security confidentiality and integrity and availability

information systems and nonpublic information including the suitability of current controls

relating to identified risks

ndash a plan to determine how identified risks based on the risk assessment will be mitigated or

accepted and how the cybersecurity program will address the risks

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Setting up a program specific to your

organizationrsquos information systems and

business operations

bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business

ndash How does cyber risk affect the business

bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience

bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers

ndash Productservice development

ndash Customer experience

ndash External influencers

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity

strategy

bull Set a vision Describe how cybersecurity protects and enables value in your company

bull Sharpen your priorities Your resources are finite so focus on critical business assets

bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications

bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk

bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape

bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue

bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

New York breaches rose 60 in 2016

New York State Attorney General Eric T Schneiderman released a

summary of the year 2016 to reveal

bull 1300 data breaches reported

bull 60 increase from 2015

bull 16 million New Yorkersrsquo personal records exposed

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 5: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

1 year compliance deadlines

180 days 1 year 18 months 2 years

Section 50002 Cybersecurity Program

Section 50004 (b) Chief Information Security Officer (CISO)

Section 50006 Audit Trail

Section 50011 Third Party Service Provider Security Policy

Section 50003 Cybersecurity Policy

Section 50005 Penetration Testing and Vulnerability Assessments

Section 50008 Application Security

Section 50007 Access Privileges

Section 50009 Risk Assessment

Section 50013 Limitations on Data Retention

Section 50010 Cybersecurity Personnel and Intelligence

Section 50012 Multi-Factor Authentication

Section 50014 (a)Training and Monitoring

Section 50016 Incident Response Plan

Section 50014 (b)Training and Monitoring

Section 50015 Encryption of Nonpublic Information

bull This presentation covers the following compliance deadlines

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Appointing a chief information security

officer (CISO) (Section 50004 (a) 180-day requirement)

bull What to look for in a candidate

ndash A trustworthy advisor

ndash Understands the business processes and the organization as a whole

bull Covered entities may choose to

ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and

guide what is needed to protect the organization

ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee

the third party

ordm May not have a clear picture of the business operations

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Role of the CISO (Section 50004 (b) one-year requirement)

bull Provide an annual report to the board of directors on the

cybersecurity program and associated risks

bull The following must be taken into consideration by the CISO

ndash Cybersecurity policies and procedures

ndash All material cybersecurity risks

ndash Nonpublic information confidentiality the reliability and security of

information systems

ndash Effectiveness of the cybersecurity program

ndash Document of cybersecurity events that occurred during the year covered

in the report

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Application security (Section 50009)

bull Within the cybersecurity program in-house-developed applications

shall include

ndash written procedures guidelines and standards designed to ensure the use of

secure development practices

ndash procedures for evaluating assessing or testing the security of externally

developed applications utilized by the Covered Entity within the context of the

technology environment

bull All such procedures guidelines and standards shall be periodically

reviewed assessed and updated as necessary by the CISO (or a

qualified designee)

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Overview of the risk assessment policy and procedures (Section 50009)

bull Risk assessments of information systems should be done periodically to

inform the design of the cybersecurity program

bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or

business operations

ndash allow for revision of controls to respond to threat or any technological developments

ndash consider risks of operations that relate to cybersecurity information systems collected or

stored nonpublic information and the effectiveness of controls to protect nonpublic

information and information systems

ndash be documented and implemented in accordance with written policies and procedures

bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks

ndash conditions set for the assessment of the security confidentiality and integrity and availability

information systems and nonpublic information including the suitability of current controls

relating to identified risks

ndash a plan to determine how identified risks based on the risk assessment will be mitigated or

accepted and how the cybersecurity program will address the risks

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Setting up a program specific to your

organizationrsquos information systems and

business operations

bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business

ndash How does cyber risk affect the business

bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience

bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers

ndash Productservice development

ndash Customer experience

ndash External influencers

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity strategy

• Set a vision: describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: your resources are finite, so focus on critical business assets.
• Build the right team: ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications.
• Enhance your controls: to reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
• Monitor the threat: cybersecurity requires an adaptive outlook; maintain awareness of the threat landscape.
• Plan for contingencies: no one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: people are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.


New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 revealing:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed


2016 NY breaches caused by … (chart)


The threat landscape: identifying cyber threats (diagram)

Threat actors: non-target specific, employees, terrorists, hacktivists, organized crime, natural disasters, nation states, competitors

Attack vectors: people, processes, technology

Threat targets: IP, card data, PII, money, reputation, commercial info

Threat types: malware, web attacks, denial of service, social engineering, exploit kits, ransomware, etc.


Resources for threat alerts

• Multi-State Information Sharing and Analysis Center (MS-ISAC)
  – Provides alerts on current attacks and threats
  – Partners with the Department of Homeland Security
  – Free membership
  – https://msisac.cisecurity.org

• Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – A global financial industry’s resource for cyber and threat intelligence analysis and sharing
  – Requires a membership fee
  – https://www.fsisac.com


Incorporating controls

• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
  – identifying risks
  – preventing risks through the design and implementation of controls
  – monitoring and reporting on the effectiveness of those controls
  – resolving compliance difficulties as they occur
  – advising and training

Control types: Physical, Personnel, Procedural, Product/Technical


Annex A: 14 control categories (114 controls)

5 Information security policies
6 Organization of information security
7 Human resources security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance


Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
  – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
  – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years

Retention periods:
  Material financial transactions – maintain 5 years
  Audit trails of cybersecurity events – maintain 3 years


Best-practice cyber risk management: ISO 27001 and vsRisk

• Encompassing people, processes and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity and availability
  – Achieve certification in a timely and cost-effective manner

• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense


ISO 27000x family of standards

(Diagram comparing the structure of ISO 27001:2013, ISO 27000:2016 and ISO 27002:2013. Labels recoverable from the slide: clauses 0 to 3; clauses 4 to 10; Annex A, A.5 to A.18; Annex B; clauses 1 to 4 and 5 to 18; Security … control objectives and controls; Introduction; Application; Scope and normative references; Terms and definitions; Structure and risk assessment; Bibliography; Control, Implementation guidance, Other information.)


Risk assessment software


vsRisk™ (v2.x) – NIST, PCI DSS (screenshot)


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001

• More information on ISO 27001 and the Regulation
  º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity

• Risk assessment and ISO 27001
  º https://www.itgovernanceusa.com/risk_assessments


IT Governance Ltd: one-stop shop

All verticals, all sectors, all organizational sizes


Books, standards, training and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer

• ISO 27001 Cybersecurity Documentation Toolkit
  – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit

• vsRisk™ – risk assessment software
  – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic

• ISO 27001 standards
  – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements


Join in the conversation

• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
  https://www.linkedin.com/groups/8598504


Questions and answers


Appointing a chief information security officer (CISO) (Section 500.04(a), 180-day requirement)

• What to look for in a candidate
  – A trustworthy advisor
  – Understands the business processes and the organization as a whole

• Covered entities may choose to:
  – Designate an internal staff member as CISO
    º Benefit: will have an advantage in understanding how the business operates, to better assess and guide what is needed to protect the organization
  – Outsource the role to an affiliate or third party
    º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
    º May not have a clear picture of the business operations


Role of the CISO (Section 500.04(b), one-year requirement)

• Provide an annual report to the board of directors on the cybersecurity program and associated risks

• The following must be taken into consideration by the CISO:
  – Cybersecurity policies and procedures
  – All material cybersecurity risks
  – Confidentiality of nonpublic information and the reliability and security of information systems
  – Effectiveness of the cybersecurity program
  – Documentation of cybersecurity events that occurred during the year covered in the report


Application security (Section 500.09)

• The cybersecurity program shall include:
  – written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house-developed applications
  – procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of its technology environment

• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)


Overview of the risk assessment policy and procedures (Section 500.09)

• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program

• The risk assessment must:
  – be updated if there are any changes to information systems, nonpublic information or business operations
  – allow for revision of controls to respond to threats or any technological developments
  – consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
  – be documented and implemented in accordance with written policies and procedures

• Policies and procedures are to include:
  – measures for the evaluation and classification of identified cybersecurity threats or risks
  – conditions set for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
  – a plan to determine how identified risks, based on the risk assessment, will be mitigated or accepted, and how the cybersecurity program will address the risks
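The risk assessment elements on this slide (evaluate and classify identified risks, judge whether current controls are suitable, decide for each risk whether it is mitigated or accepted, and re-run the assessment when systems, nonpublic information or operations change) as an added worked example. This is illustration code written for this page, not vsRisk or any IT Governance tool; the 1 to 5 rating scale, the acceptance threshold of 6, the classification bands, the control credits and the sample assets, threats and controls are all constructed assumptions.

```python
"""Worked risk register for the Section 500.09 elements listed above.
All assets, threats, controls, scales and thresholds are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

# Likelihood and impact are rated 1 (very low) to 5 (very high); their product is
# the risk score (1..25). Constructed scale: real programs define their own.
ACCEPTABLE_RISK = 6  # residual scores at or below this may be accepted as-is


@dataclass
class Control:
    """An existing control and how much it reduces likelihood or impact (assumed)."""
    name: str
    reduces_likelihood_by: int = 0
    reduces_impact_by: int = 0


@dataclass
class Risk:
    asset: str          # information system or nonpublic information at risk
    threat: str
    likelihood: int     # inherent likelihood, 1..5
    impact: int         # inherent impact on confidentiality, integrity or availability, 1..5
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after crediting current controls; ratings never fall below 1."""
        lik = max(1, self.likelihood - sum(c.reduces_likelihood_by for c in self.controls))
        imp = max(1, self.impact - sum(c.reduces_impact_by for c in self.controls))
        return lik * imp


def classify(score: int) -> str:
    """Evaluate and classify a risk score into bands (constructed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def treatment(risk: Risk) -> dict:
    """Judge whether current controls are suitable (residual risk within tolerance)
    and record the resulting decision: accept the risk or mitigate it further."""
    inherent, residual = risk.inherent_score(), risk.residual_score()
    suitable = residual <= ACCEPTABLE_RISK
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "inherent": inherent,
        "residual": residual,
        "classification": classify(residual),
        "controls_suitable": suitable,
        "decision": "accept" if suitable else "mitigate",
    }


@dataclass
class RiskAssessment:
    risks: list
    assessed_on: date
    systems_changed_since: bool = False  # flip when systems, NPI or operations change

    def needs_update(self, today: str, max_age_days: int = 365) -> bool:
        """Re-assess when information systems, nonpublic information or business
        operations change, or when the last assessment is older than the review cycle."""
        age = (date.fromisoformat(today) - self.assessed_on).days
        return self.systems_changed_since or age > max_age_days

    def plan(self) -> list:
        """Treatment plan, highest residual risk first."""
        return sorted((treatment(r) for r in self.risks), key=lambda t: -t["residual"])


def sample_assessment() -> RiskAssessment:
    """Constructed register: three assets, their threats and existing controls."""
    mfa = Control("MFA on remote access", reduces_likelihood_by=2)
    backups = Control("Offline backups, restore tested quarterly", reduces_impact_by=2)
    risks = [
        Risk("Customer NPI database", "Credential theft via phishing", 4, 5, [mfa]),
        Risk("Core transaction system", "Ransomware", 3, 5, [backups]),
        Risk("Public marketing website", "Defacement", 2, 2),
    ]
    return RiskAssessment(risks, assessed_on=date(2017, 3, 23))


if __name__ == "__main__":
    assessment = sample_assessment()
    for row in assessment.plan():
        print(row)
    print("re-assessment due:", assessment.needs_update("2018-06-01"))
```

The register separates inherent from residual risk so that the "suitability of current controls" is an explicit, reviewable judgment rather than a hidden adjustment to the score, and every risk ends with a recorded accept or mitigate decision, which is the documented treatment plan the regulation asks for. The `systems_changed_since` flag is the trigger for the "updated if there are any changes" requirement; in practice it would be set by change management rather than by hand.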



Page 8: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Application security (Section 50009)

bull Within the cybersecurity program in-house-developed applications

shall include

ndash written procedures guidelines and standards designed to ensure the use of

secure development practices

ndash procedures for evaluating assessing or testing the security of externally

developed applications utilized by the Covered Entity within the context of the

technology environment

bull All such procedures guidelines and standards shall be periodically

reviewed assessed and updated as necessary by the CISO (or a

qualified designee)

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Overview of the risk assessment policy and procedures (Section 500.09)

• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program

• The risk assessment must:
  – be updated if there are any changes to information systems, nonpublic information or business operations
  – allow for revision of controls to respond to threats or any technological developments
  – consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
  – be documented and implemented in accordance with written policies and procedures

• Policies and procedures are to include:
  – measures for the evaluation and classification of identified cybersecurity threats or risks
  – conditions set for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
  – a plan to determine how identified risks, based on the risk assessment, will be mitigated or accepted, and how the cybersecurity program will address the risks
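A worked illustration of the three policy items above, added here and not part of the slides or of IT Governance Ltd's material: a small risk register that classifies each identified risk, records whether it is to be mitigated or accepted, and flags assessments that have gone stale because the information system or the nonpublic information it holds changed after the last assessment. The 1 to 5 likelihood and impact scales, the score bands and the "accept only low risks" appetite are assumptions for the example, not values from the Regulation.

```python
"""Added example: evaluating a risk register the way the Section 500.09 policy
items describe (classify identified risks, decide mitigate vs accept, flag
assessments that are stale because the system or its data changed).

Not from the slides or IT Governance Ltd: the 1-5 likelihood and impact
scales, the score bands and the 'accept only low risks' appetite are
assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # 1 (negligible) to 5 (severe) harm if breached
    integrity: int
    availability: int
    last_changed: date     # last change to the system or the NPI it holds


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int        # 1 (rare) to 5 (almost certain), with current controls
    assessed_on: date      # when this risk was last assessed


def impact(asset: Asset) -> int:
    """Impact is the worst of the C, I and A ratings (assumed rule)."""
    for v in (asset.confidentiality, asset.integrity, asset.availability):
        if not 1 <= v <= 5:
            raise ValueError(f"{asset.name}: rating {v} outside 1..5")
    return max(asset.confidentiality, asset.integrity, asset.availability)


def score(risk: Risk) -> int:
    """Risk score = likelihood x impact on the assumed 1-5 scales."""
    if not 1 <= risk.likelihood <= 5:
        raise ValueError(f"{risk.threat}: likelihood outside 1..5")
    return risk.likelihood * impact(risk.asset)


def classify(risk: Risk) -> str:
    """Assumed bands: 15-25 high, 8-14 medium, 1-7 low."""
    s = score(risk)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def treatment(risk: Risk) -> str:
    """Assumed appetite: low risks may be accepted; anything else is mitigated."""
    return "accept" if classify(risk) == "low" else "mitigate"


def needs_reassessment(risk: Risk) -> bool:
    """500.09: the assessment is stale once the system or its NPI changed after it."""
    return risk.asset.last_changed > risk.assessed_on


def evaluate(register):
    """Return one summary row per risk, highest score first."""
    rows = [
        {"asset": r.asset.name, "threat": r.threat, "score": score(r),
         "level": classify(r), "treatment": treatment(r),
         "reassess": needs_reassessment(r)}
        for r in register
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def sample_register():
    """Constructed sample data, not taken from any real assessment."""
    npi_db = Asset("customer NPI database", 5, 4, 3, date(2017, 1, 15))
    website = Asset("public website", 1, 3, 4, date(2016, 6, 1))
    return [
        Risk(npi_db, "ransomware encrypts records", 3, date(2016, 12, 1)),
        Risk(website, "denial of service", 4, date(2017, 2, 1)),
        Risk(website, "web attack defaces pages", 1, date(2017, 2, 1)),
        Risk(npi_db, "social engineering of help desk", 2, date(2017, 2, 1)),
    ]


if __name__ == "__main__":
    for row in evaluate(sample_register()):
        flag = "  (re-assess: asset changed after last assessment)" if row["reassess"] else ""
        print(f'{row["score"]:>2} {row["level"]:<6} {row["treatment"]:<8} '
              f'{row["asset"]} / {row["threat"]}{flag}')
```

Running the module prints the register ordered by score; the database ransomware entry comes out flagged for re-assessment because the asset changed after its last assessment, which is exactly the "must be updated if there are any changes" condition on the slide. The stored rows are what a written policy would point an auditor at: the score, the band, and the documented decision to mitigate or accept.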


Setting up a program specific to your organization’s information systems and business operations

• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations:
  – How does cybersecurity enable the business?
  – How does cyber risk affect the business?

• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience

• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
  – Supply chain/third-party suppliers
  – Product/service development
  – Customer experience
  – External influencers


Elements of a strong cybersecurity strategy

• Set a vision: Describe how cybersecurity protects and enables value in your company

• Sharpen your priorities: Your resources are finite, so focus on critical business assets

• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications

• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk

• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape

• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue

• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area


New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 to reveal:

• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed


2016 NY breaches caused by (chart; the breakdown is not reproduced in the transcript)


The threat landscape: identifying cyber threats (diagram; labels recovered from the slide)

Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime, Natural disasters, Nation states, Competitors

Attack vectors: People, Processes, Technology

Threat targets: IP, Card data, PII, Money, Reputation, Commercial info

Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits, Ransomware, etc.


Resources for threat alerts

• Multi-State Information Sharing and Analysis Center (MS-ISAC)
  – Provides alerts to current attacks and threats
  – Partners with the Department of Homeland Security
  – Free membership
  – https://msisac.cisecurity.org

• Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – The global financial industry’s resource for cyber and threat intelligence analysis and sharing
  – Requires a membership fee
  – https://www.fsisac.com


Incorporating controls

• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
  – identifying risks
  – preventing risks through the design and implementation of controls
  – monitoring and reporting on the effectiveness of those controls
  – resolving compliance difficulties as they occur
  – advising and training

Control types shown in the slide diagram: Physical, Personnel, Procedural, Product/Technical


Annex A: 14 control categories (114 controls)

5 Infosec policies
6 Organization of infosec
7 Human resources security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development & maintenance
15 Supplier relationships
16 Infosec incident management
17 Infosec aspects of BC management
18 Compliance


Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
  – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations for not fewer than five years
  – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations for not fewer than three years

Maintain 5 years: Material financial transactions
Maintain 3 years: Audit trails of cybersecurity events


Best-practice cyber risk management: ISO 27001 and vsRisk

• Encompassing people, processes and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity, availability
  – Achieve certification in a timely and cost-effective manner

• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense


ISO 27000x family of standards (diagram comparing the structure of ISO 27001:2013, ISO 27000:2016 and ISO 27002:2013; labels recovered from the slide, column assignment not recoverable)

Clause ranges shown: 0 to 3; 4 to 10; Annex A A.5 to A.18; Annex B; 1 to 4; 5 to 18

Clause labels shown: Introduction; Application; Terms and definitions; Scope and normative references; Structure and risk assessment; Bibliography

Control-section labels shown: Security … (control objectives, controls); for each control: Control, Implementation guidance, Other information


Risk assessment software (screenshot slide; image not reproduced in the transcript)


vsRisk™ (v2.x) – NIST, PCI DSS (screenshot slide; image not reproduced in the transcript)


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001

• More information on ISO 27001 and the Regulation
  º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity

• Risk assessment and ISO 27001
  º https://www.itgovernanceusa.com/risk_assessments


IT Governance Ltd: One-stop shop

All verticals, all sectors, all organizational sizes


Books, standards, training and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer


Page 9: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Overview of the risk assessment policy and procedures (Section 50009)

bull Risk assessments of information systems should be done periodically to

inform the design of the cybersecurity program

bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or

business operations

ndash allow for revision of controls to respond to threat or any technological developments

ndash consider risks of operations that relate to cybersecurity information systems collected or

stored nonpublic information and the effectiveness of controls to protect nonpublic

information and information systems

ndash be documented and implemented in accordance with written policies and procedures

bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks

ndash conditions set for the assessment of the security confidentiality and integrity and availability

information systems and nonpublic information including the suitability of current controls

relating to identified risks

ndash a plan to determine how identified risks based on the risk assessment will be mitigated or

accepted and how the cybersecurity program will address the risks

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Setting up a program specific to your

organizationrsquos information systems and

business operations

bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business

ndash How does cyber risk affect the business

bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience

bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers

ndash Productservice development

ndash Customer experience

ndash External influencers

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity

strategy

bull Set a vision Describe how cybersecurity protects and enables value in your company

bull Sharpen your priorities Your resources are finite so focus on critical business assets

bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications

bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk

bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape

bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue

bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

New York breaches rose 60 in 2016

New York State Attorney General Eric T Schneiderman released a

summary of the year 2016 to reveal

bull 1300 data breaches reported

bull 60 increase from 2015

bull 16 million New Yorkersrsquo personal records exposed

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 10: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Setting up a program specific to your

organizationrsquos information systems and

business operations

bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business

ndash How does cyber risk affect the business

bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience

bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers

ndash Productservice development

ndash Customer experience

ndash External influencers

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity

strategy

bull Set a vision Describe how cybersecurity protects and enables value in your company

bull Sharpen your priorities Your resources are finite so focus on critical business assets

bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications

bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk

bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape

bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue

bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

New York breaches rose 60 in 2016

New York State Attorney General Eric T Schneiderman released a

summary of the year 2016 to reveal

bull 1300 data breaches reported

bull 60 increase from 2015

bull 16 million New Yorkersrsquo personal records exposed

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 11: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Elements of a strong cybersecurity

strategy

bull Set a vision Describe how cybersecurity protects and enables value in your company

bull Sharpen your priorities Your resources are finite so focus on critical business assets

bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications

bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk

bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape

bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue

bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

New York breaches rose 60 in 2016

New York State Attorney General Eric T Schneiderman released a

summary of the year 2016 to reveal

bull 1300 data breaches reported

bull 60 increase from 2015

bull 16 million New Yorkersrsquo personal records exposed

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A: 14 control categories, 114 controls

A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance


Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations (Section 500.06(a)(1); these records must be kept for not fewer than five years)
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations (Section 500.06(a)(2); these records must be kept for not fewer than three years)

The retention periods are set in Section 500.06(b):

Material financial transactions – maintain 5 years
Audit trails of cybersecurity events – maintain 3 years
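Section 500.06 says what the records must achieve, not how to keep them. As an added example that is not part of this slide deck and not NYDFS or IT Governance material, the Python below shows one way a covered entity could satisfy "securely maintain": an append-only audit trail in which every entry commits to the SHA-256 hash of its predecessor, so a later edit to any transaction or event record is detectable, plus a retention calculation that applies the five-year and three-year periods by record class. The hash-chain design, the `AuditTrail` class, the record fields and the sample entries are all this example's own assumptions; the sample data is constructed, not real.

```python
"""
Added example (not from the slide deck): a tamper-evident audit trail that
separates the two record classes named in 23 NYCRR 500.06 and computes
their retention deadlines.  The hash-chain design and every record below
are this example's own assumptions, not anything NYDFS prescribes.
"""
import hashlib
import json
from datetime import datetime, timezone

# Retention periods from Section 500.06(b): five years for records that
# reconstruct material financial transactions, three years for the audit
# trails that detect and respond to cybersecurity events.
RETENTION_YEARS = {
    "financial_transaction": 5,
    "cybersecurity_event": 3,
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _canonical(record):
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []  # list of dicts, in sequence order

    def append(self, kind, ts, **fields):
        """Add a record of the given class and return its hash."""
        if kind not in RETENTION_YEARS:
            raise ValueError("unknown record class: %s" % kind)
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind,
                "ts": ts.isoformat(), "prev": prev}
        body.update(fields)
        body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return i  # reordered, dropped or spliced-in record
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return i  # contents changed after the fact
            prev = entry["hash"]
        return None

    @staticmethod
    def retention_deadline(entry):
        """Earliest date on which the entry may be disposed of."""
        ts = datetime.fromisoformat(entry["ts"])
        years = RETENTION_YEARS[entry["kind"]]
        try:
            return ts.replace(year=ts.year + years)
        except ValueError:  # 29 February in a non-leap target year
            return ts.replace(year=ts.year + years, day=28)

    def disposable(self, now):
        """Sequence numbers whose minimum retention period has elapsed."""
        return [e["seq"] for e in self.entries
                if self.retention_deadline(e) <= now]


def build_demo():
    """Constructed sample records (not real data)."""
    utc = timezone.utc
    trail = AuditTrail()
    trail.append("financial_transaction", datetime(2017, 3, 1, 9, 0, tzinfo=utc),
                 account="ACC-0001", amount_usd="1250.00", action="wire_out")
    trail.append("financial_transaction", datetime(2017, 3, 2, 14, 30, tzinfo=utc),
                 account="ACC-0002", amount_usd="80.00", action="wire_out")
    trail.append("cybersecurity_event", datetime(2017, 3, 3, 2, 15, tzinfo=utc),
                 source="192.0.2.10", detail="12 failed admin logins in 60 s",
                 response="account locked; ticket opened")
    return trail


def tamper_demo():
    """Alter one transaction amount after the fact; verify() must flag that entry."""
    trail = build_demo()
    trail.entries[1]["amount_usd"] = "8000.00"
    return trail.verify()


def disposal_demo():
    """Which demo records may be disposed of on 1 June 2020?"""
    trail = build_demo()
    return trail.disposable(datetime(2020, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print("intact chain:", build_demo().verify())      # None
    print("first bad entry after tampering:", tamper_demo())  # 1
    print("disposable on 2020-06-01:", disposal_demo())       # [2]
```

The chain only proves that the log has not been altered since it was written; it does not stop an attacker who controls the writer from appending false records, so in practice the head hash is also anchored somewhere the writer cannot reach (a write-once store, a second system, or a signed daily digest). The retention function gives the earliest disposal date; a real policy may keep records longer, never shorter.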


Best-practice cyber risk management

ISO 27001 and vsRisk

• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity and availability
– Achieve certification in a timely and cost-effective manner

• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort and expense


ISO 2700x family of standards

[Figure: structure of the three core standards, rebuilt from the slide's labels]

ISO 27001:2013: clauses 0 to 3 (introduction, application, terms and definitions); clauses 4 to 10 (the ISMS requirements); Annex A, A.5 to A.18 (security control objectives and controls); Annex B

ISO 27002:2013: clauses 1 to 4 (introduction, scope and normative references, terms and definitions, structure and risk assessment); clauses 5 to 18 (security control clauses, each giving the control, implementation guidance and other information); bibliography

ISO 27000:2016: overview and vocabulary for the family


Risk assessment software

[Screenshot: vsRisk™ (v2.x), with panels labelled NIST and PCI DSS]


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001

• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity

• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments


IT Governance Ltd: one-stop shop

All verticals, all sectors, all organizational sizes


Books, standards, training and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer

• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit

• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic

• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements


Join in the conversation

• Subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements: https://www.linkedin.com/groups/8598504


Questions and answers

New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 to reveal:

• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers' personal records exposed

[Chart: 2016 NY breaches by cause; the breakdown is not recoverable from this transcript]

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 13: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

2016 NY breaches caused by

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 14: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

The threat landscape

Non-target specific

Employees

Terrorists

Hacktivists

Organized crime

Natural disasters

Nation states

Competitors

People

Processes

Technology

Threat actors Attack vectors Threat

targets

IP

Card data

PII

Money

Reputation

Commercial info

Malware

Web attacks

Denial of service

Social engineering

Exploit kits

Ransomware

Etc

Threat types

Identifying cyber threats

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 15: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Resources for threat alerts

bull Multi-State Information Sharing and Analysis Center (MS-ISAC)

ndash Provides alerts to current attacks and threats

ndash Partners with the Department of Homeland Security

ndash Free membership

ndash httpsmsisaccisecurityorg

bull Financial Services Information Sharing and Analysis Center FS-

ISAC)

ndash A global financial industrys resource for cyber and threat intelligence analysis

and sharing

ndash Requires a membership fee

ndash httpswwwfsisaccom

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management

ISO 27001 and vsRisk

bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way

bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner

bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

ISO 27000x family of standards

0

to

3

4

to

10

Annex A A5

to

Annex A A18

Annex B

1

to

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Security hellip

bull Control objectives

bull Controls

Introduction

Application

Terms and definitions

Security hellip

bull Control objectives

bull Controls

Introduction

Scope and norm ref

Terms and definitions

Structure and risk ass

Bibliography

Control

Implementation

guidance

Other info

ISO 270012013

ISO 270002016

ISO 270022013

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Risk assessment software

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

vsRisktrade (v2x)

NIST PCI DSS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Valuable resources

bull Free green papers

NYDFS Cybersecurity Requirements

ordm Part 1 ndash The Regulation and the ISO 27001 standard

ordm Part 2 ndash Mapped alignment with ISO 27001

bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity

bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

IT Governance Ltd One-stop shop

All verticals all sectors all organizational sizes

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Books standards training and tools

bull New York DFS Cybersecurity amp ISO 27001

Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation

ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer

bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-

cybersecurity-documentation-toolkit

bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic

bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Join in the conversation

bull Subscribe to our IT Governance LinkedIn group

NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Questions and answers

Page 16: NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Incorporating controls

bull Cybersecurity compliance must

support compliance with

appropriate rules and regulations

as well as organizational policies

and procedures by

ndash identifying risks

ndash preventing risks though the design

and implementation of controls

ndash monitoring and reporting on the

effectiveness of those controls

ndash resolving compliance difficulties as

they occur

ndash advising and training

Physical Personnel

Procedural ProductTechnical

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Annex A 14 control categories

5 Infosec policies

6 Organization of infosec 7 Human resources security

8 Asset management 9 Access control

12 Operations security

14 System acq dev amp

mtnce

16 Infosec incident management 17 Infosec aspects of BC mgmt

18 Compliance

11 Physical and environmental sec

15 Supplier relationships

10 Cryptography

13 Comms security

114 CONTROLS

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Maintaining an audit trail to include

responses to and detection of

cybersecurity events (Section 50006)

bull Each Covered Entity shall securely maintain systems that to the

extent applicable and based on its risk assessment

ndash are designed to reconstruct material financial transactions sufficient to

support normal operations and obligations for not fewer than five years

ndash include audit trails designed to detect and respond to cybersecurity

events that have a reasonable likelihood of materially harming any

material part of the normal operations for not fewer than three years

Maintain 5 years Maintain 3 years

Material financial transactions Audit trails of cybersecurity events

TM

wwwitgoverrnanceusacom

Copyright IT Governance Ltd 2017 ndash v10

Best-practice cyber risk management: ISO 27001 and vsRisk

• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity and availability
  – Achieve certification in a timely and cost-effective manner

• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense


ISO 27000x family of standards (diagram)

• ISO 27001:2013
  – Clauses 0 to 3: Introduction, Application (scope), Terms and definitions
  – Clauses 4 to 10: ISMS requirements
  – Annex A, A.5 to A.18: security control objectives and controls
  – Bibliography (shown as Annex B)
• ISO 27002:2013
  – Clauses 1 to 4: Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment
  – Clauses 5 to 18: security control objectives and controls, each presented as Control, Implementation guidance, Other information
• ISO 27000:2016: overview and vocabulary for the family


Risk assessment software

vsRisk™ (v2.x) (screenshot slide; frameworks labelled on the slide: NIST, PCI DSS)


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
  º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
  º https://www.itgovernanceusa.com/risk_assessments


IT Governance Ltd: one-stop shop

All verticals, all sectors, all organizational sizes


Books, standards, training and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
  – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
  – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
  – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements


Join in the conversation

• Subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements: https://www.linkedin.com/groups/8598504


Questions and answers
