Practical Cybersecurity Risk and Control Maturity Assessments - PowerPoint PPT Presentation

SLIDE 1

Practical Cybersecurity Risk and Control Maturity Assessments

Brian Fricke, CISSP, CISM
Chief Information Security Officer

None of the data presented in this presentation represents the actual security posture of the presenter’s organization.

SLIDE 2

Like all Financial Institutions, we are required to perform appropriate Cyber Risk Assessments, Control Testing, and Status Reports to the Board.

BUT HOW?!

SLIDE 3

Two Key Ingredients

A Risk Assessment: the determination of quantitative and qualitative estimates of the impact of an event, related to a well-defined situation and a recognized threat.

A Control Maturity Assessment: the process designed to provide reasonable assurance of the achievement of control objectives (control effectiveness).

SLIDE 4

Risk Assessment

Impact + Likelihood = Inherent Risk
Inherent Risk + Control Effectiveness = Residual Risk

SLIDE 5

Select a Control Framework

Other Control Frameworks

SLIDE 6

Security Control Maturity Dashboard

https://www.linkedin.com/pulse/cybersecurity-risk-control-maturity-assessment-fricke-cissp-cism/

SLIDE 7

Risk Dashboard

SLIDE 8

Risk Assessment

Impact + Likelihood = Inherent Risk

SLIDE 9

Control Assessment

Inherent Risk + Control Effectiveness = Residual Risk

Each sub-control receives a scored Control Rating. The total scoring equals the overall Control Effectiveness (Assurance Rating).
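
The two formulas from slides 8 and 9, and the slide-12 style roll-up, as an added example that is not the presenter's own spreadsheet. The scales and thresholds are assumptions: Impact and Likelihood scored 1-5 and summed, sub-control maturity averaged to a 0-1 Assurance Rating, and Residual Risk modelled as the inherent score reduced in proportion to that rating.

```python
# Added example (not the presenter's spreadsheet). Assumptions: Impact and
# Likelihood are 1-5, Inherent Risk is their sum, Control Effectiveness is the
# mean sub-control maturity on 0-1, Residual Risk scales Inherent Risk down by it.

# Assumed maturity scale; "Generally Effective" is the bar slide 12 uses.
MATURITY = ["Not Implemented", "Initial", "Partially Effective",
            "Generally Effective", "Fully Effective", "Optimised"]
THRESHOLD = MATURITY.index("Generally Effective")
BANDS = ((3, "Low"), (6, "Moderate"), (10, "High"))  # assumed cut-offs

def band(score):
    """Map a 2-10 risk score to Low / Moderate / High."""
    return next((label for limit, label in BANDS if score <= limit), "High")

def inherent_risk(impact, likelihood):
    """Impact + Likelihood = Inherent Risk (slide 8)."""
    return impact + likelihood

def control_effectiveness(ratings):
    """Each sub-control gets a Control Rating; the total is the Assurance
    Rating (slide 9), here normalised to 0-1."""
    top = len(MATURITY) - 1
    return sum(MATURITY.index(r) for r in ratings) / (top * len(ratings))

def residual_risk(inherent, effectiveness):
    """Inherent Risk + Control Effectiveness = Residual Risk (slide 9),
    modelled as a proportional reduction with a floor of 2."""
    return max(2, round(inherent * (1 - effectiveness)))

def bottom_line(ratings, impact, likelihood):
    """Roll-up in the shape of slide 12 (values computed from the sample)."""
    done = [r for r in ratings if r != "Not Implemented"]
    mature = [r for r in done if MATURITY.index(r) >= THRESHOLD]
    inh = inherent_risk(impact, likelihood)
    return {
        "implemented": len(done), "total": len(ratings),
        "pct_implemented": round(100 * len(done) / len(ratings)),
        "pct_mature": round(100 * len(mature) / len(done)) if done else 0,
        "inherent": band(inh),
        "residual": band(residual_risk(inh, control_effectiveness(ratings))),
    }

# Constructed sample: ten sub-controls of one Critical Security Control.
SAMPLE = ["Fully Effective", "Generally Effective", "Generally Effective",
          "Partially Effective", "Not Implemented", "Fully Effective",
          "Optimised", "Generally Effective", "Initial", "Generally Effective"]

if __name__ == "__main__":
    print(bottom_line(SAMPLE, impact=5, likelihood=4))
```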

SLIDE 10

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

SLIDE 11

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

SLIDE 12

Bottom Line Message: Your Organization's overall level of Inherent Risk has been rated at High. The Company has implemented 130 of the 149 Critical Security Controls (87%). This is a 66% improvement from 2016. Of the 130 Controls implemented, 80% have a Maturity rating equal to or greater than Generally Effective. This brings the Overall Cybersecurity Residual Risk to Moderate, which is within the Board's defined Risk Appetite.

SLIDE 13

  • Establish a method of conducting Risk Assessments
  • Establish a method of conducting Control Maturity Assessments
  • (Link the two)
  • Empower control owners to make an impact to the organization
  • Report it to Management, Committees, Auditors, Regulators, and the Board
  • Never stop measuring, assessing, and improving.

“You can’t manage what you can’t measure.” -Peter Drucker

https://www.linkedin.com/in/brianrfricke

The information presented will be made available.

THANK YOU!
