
7 November 2017 | Singapore

Vulnerability Assessment
Programme Agenda
DISCUSSION TOPIC 1
Conducting Vulnerability Assessments
> Vulnerability Assessments and Pen Tests
> Incident Response and Breach Readiness
> Performing Cyber Risk Assessments

DISCUSSION TOPIC 2
Examining Threats & Attack Scenarios
> IoT Malware
> DDoS Attacks
> Ransomware Threats

DISCUSSION TOPIC 3
Creating & Managing a Credible Cyber Security Programme
> Implementing a Cyber Security Framework
> Developing Cyber Security Policy
> The Critical Seven Steps for Cyber Security

DISCUSSION TOPIC 4
Incident Response, Mitigation & Recovery
> Disaster Recovery
> Business Continuity Planning (BCP)
> Crisis Management

© Confidential I All Rights Reserved I ecfirst I 1999-2017



DISCUSSION TOPIC 1
Conducting Vulnerability Assessments
Vulnerability Assessments & Pen Tests
> How, to your knowledge, has your organisation been compromised (internally or externally)?
> How frequently does your organisation formally assess firewall systems?
> Which specific security technologies/controls has your organisation deployed to monitor unauthorised
traffic patterns (e.g., attack signatures)?
> Does your organisation have dedicated connections to other organisations’ networks
(vendors, business partners)?
> Identify the number of mission-critical applications in your organisation.
> What is the frequency with which your organisation performs Web/application pen test exercises?
> What do you consider to be a significant area of cyber risk within the organisation?

Incident Response & Breach Readiness


> Has your organisation experienced security incidents or breaches in the past 12 months? Describe.
> What type of data were lost or compromised?
> Who were impacted, including an estimate of the number and type of customers?
> What breach notification action has the business taken to address impacted customers?
> What corrective steps have been implemented to reduce the risk of security incidents and breaches?
> What encryption capabilities have been implemented so if a critical server or application is compromised,
the data are still secure? Describe.

Performing Cyber Risk Assessments


> What is the frequency and scope for your organisation to conduct comprehensive and thorough cyber risk assessments?
Who is responsible for performing this exercise?
> What is the scope of the technical vulnerability assessment performed? Frequency?
> What is your risk management programme for addressing compliance and cyber security gaps identified
during the risk assessment exercise?
> Does the organisation follow a specific framework or guidance document for its risk assessment?
> Are there areas that are NOT typically examined during an enterprise risk assessment?
> How does your organisation address the risk from your information supply chain (e.g., business associates)?
> How does your organisation address the risk from your cloud service providers?




DISCUSSION TOPIC 2
Examining Threats & Attack Scenarios
IoT Malware
> How has your organisation established a comprehensive inventory of IoT devices/systems?
> How have you identified the various types of IoT devices on your infrastructure?
> What risks do you see IoT devices introducing in your business environment?
> How are you assessing the security risks associated with IoT devices?
> How is your organisation managing the risks associated with IoT devices?
> What malware has your organisation discovered on IoT devices and what has that impact been?
> What is your organisation’s specific policy on IoT security?

DDoS Attacks
> When has your organisation formally conducted a business impact analysis? Describe the frequency
and key decisions/facts based on the exercise.
> What are the business risks if your organisation experiences a DDoS attack?
> What percentage of your mission-critical assets are in your data centre? In the cloud? How vulnerable
are these assets to a DDoS attack?
> What security controls has your organisation implemented to actively monitor vital systems and applications?
> What is your organisation’s experience with a DDoS attack?

Ransomware Threats
> How often does your organisation perform social engineering exercises, such as a phishing attack?
> Has your organisation experienced a ransomware attack? What was the impact to your team and business?
> What is the organisation's policy in the event of a ransomware attack?
> How credible are your organisation's capabilities to recover data compromised during a ransomware attack?
Describe the process and the time required to recover/rebuild systems/applications.
> What capabilities has your organisation implemented to safeguard against malicious software?
> What are the first few steps that your organisation will immediately perform if there is a ransomware attack?




DISCUSSION TOPIC 3
Creating & Managing a Credible Cyber Security Programme
Implementing a Cyber Security Framework
> What do you think about your organisation formally adopting a cyber security framework?
> Identify seven key security tools/products that your organisation has deployed.
> What are the key cyber security priorities for your organisation in 2017? In 2018?
> How credible is your organisation’s posture with patch management? Describe.
> How credible is your organisation’s posture with configuration management? Describe.
> How actively is your organisation monitoring critical systems and applications?
> Which specific security tools has your organisation implemented to manage critical systems and applications?

Developing Cyber Security Policy


> Has your organisation developed an enterprise cyber security plan?
> What is your organisation’s enterprise cyber security plan?
> How do your senior executives think about your cyber security plan and its implementation?
> What is your organisation’s security incident management plan? What standard or guidance is it based upon?
> How is your comprehensive library of policies aligned with the enterprise security plan?
> What are your plans for your organisation’s physical security?

The Critical Seven Steps for Cyber Security


> How has your organisation identified the person responsible for the CISO role and for compliance
professionals/officers?
> What are the formal job descriptions for the roles responsible for cyber security and compliance?
> How do the roles responsible for cyber security and compliance report to senior executives (e.g., Managing Director, CEO, GM)?
> How frequently does your organisation conduct a thorough security risk and vulnerability assessment, and is it
enterprise-wide?
> How do you use encryption solutions for data in motion, data at rest and data in the cloud?
> When do you conduct cyber security and compliance training for all members of your organisation’s workforce?
> What is your formal review process and timeline for Business Associate Contracts (BACs), and is it applied consistently?
> How does your organisation regularly assess progress/resolution of identified risks from risk and vulnerability
exercises?
> What is your organisation’s audit/verification process to make sure all compliance requirements are continually met?




DISCUSSION TOPIC 4
Incident Response, Mitigation & Recovery
Disaster Recovery
> What is your process to update your IT Disaster Recovery (DR) Plan on a regular basis?
> How much data are at risk if there is a disruptive event?
> What type of your organisation’s data are of the most value to your organisation? Why?
> How frequently is the DR Plan updated, and who is responsible for updating it?
> How does your organisation’s DR Plan accurately identify vendors/suppliers that would provide equipment/services
during the recovery phase?
> Where do you keep your DR Plan so it is readily accessible throughout the organisation?

Business Continuity Planning (BCP)


> What is the formal, documented directive from senior executives about recovery objectives and time-frames
if the business experiences a disruptive event?
> What is your organisation’s BCP that outlines the procedures to be followed in the event of an emergency or
significant disruption?
> How does your organisation formally test the effectiveness of its business continuity plan on a periodic basis
(at least once a year) and maintain evidence of that review?
> How frequently does your organisation formally update its business continuity plan?
> How do the individuals responsible for the business continuity plan engage/communicate with team members
responsible for the IT DR Plan?
> How prepared is the organisation with alternate site capability? Describe.

Crisis Management
> What is your organisation’s crisis management plan and how clearly defined do you believe it is?
> How have you determined your “worst case scenario(s)” of events that could disrupt business operations,
finance, and other critical priorities?
> How long will it take to enact your plan, from the moment a crisis takes place?
> How has your organisation assigned crisis management duties and decision-making authority to a specific individual
or group of individuals? How was this determined?
> What specific training have your crisis management team members received to perform critical tasks?
> Who were your key work partners in developing a comprehensive, detailed crisis communications plan?
When was the most recent time this was reviewed and tested?
