
Fixing cybersecurity risks.

CPA Mustapha Bernabas Mugisa CFE, CEH

www.summitcl.com

be transformed
6/5/2023

Is this familiar to you?

Common cyber threats and attack vectors

A. Weak and/or compromised credentials
B. Misconfiguration
C. Trust relationships
D. Missing or poor encryption
E. Technical vulnerabilities including zero-day exploits, trojans, cross-site scripting, session hijacking, and man-in-the-middle
F. Ransomware
G. Malicious insiders and/or former employees and service providers
H. Social engineering including phishing

[Bar chart: share of respondents reporting each attack vector A–H. The bar labels in the extracted chart read 46%, 38%, 38%, 38%, 39%, 29%, 21% and 21%, but which label belongs to which bar is not recoverable from the extraction.]

Source: Project Frontline Uganda 2021, published by www.summitcl.com (Forensic. Advisory. Security)
Cyber assurance: A comprehensive framework* - key controls to watch

Cybersecurity Governance
• Program governance • Organizational model • Steering committee structure • Tone at the top • Regulatory and legal landscape • Cybersecurity strategy

Secure

Program management
a) Policies, standards, baselines, guidelines, and procedures
b) Talent and budget management
c) Asset management
d) Change management
e) Program reporting
f) Risk and compliance management

Data protection
a) Data classification
b) Data security strategy
c) Information records management
d) Enterprise content management
e) Data quality management
f) Data loss prevention

Identity and access management
a) Account provisioning
b) Privileged user management
c) Access certification
d) Access management and governance
e) Generic account management

Infrastructure security
a) Hardening standards
b) Security design/architecture
c) Configuration management
d) Network defense
e) Security operations management

Software security
a) Secure build and testing
b) Secure coding guidelines
c) Application role design/access
d) Development lifecycle
e) Patch management

Cloud security
a) Cloud strategy
b) Cloud risk identification
c) Cloud provider inventory
d) Minimum controls baseline
e) Cloud controls compliance

Third-party management
a) Evaluation and selection
b) Contract and service initiation
c) Ongoing monitoring
d) Service termination

Workforce management
a) Physical security
b) Phishing exercises
c) Security training and awareness

Vigilant

Threat and vulnerability management
a) Threat modeling and intelligence
b) Penetration testing
c) Vulnerability management
d) Emerging threats (e.g., mobile devices)

Monitoring
a) Security Log Management (SLM)
b) Security Information and Event Management (SIEM)
c) Cyber risk analytics
d) Metrics and reporting

Resilient

Crisis management
a) Response planning
b) Tabletop exercises
c) War game exercises
d) Incident response and forensics
e) Crisis communication plan
f) Third-party responsibilities

Enterprise resiliency
a) Business Impact Analysis (BIA)
b) Business Continuity Planning (BCP)
c) Disaster Recovery Planning (DRP)

*The summitSECURITY cyber assurance framework is aligned with industry standards and maps to NIST, ISO, COSO, ITIL, and CIS CSC. Alternative adequate frameworks may be used.
Cyber assurance risk assessment for improved governance

[Maturity heat map: Risk Assessment, Client vs. Industry. Maturity scale: 1 Initial, 2 Developing, 3 Established, 4 Advanced, 5 Leading. Cybersecurity domains colored by risk:
Governance
Secure: Program Management; Data Protection; Identity and access management; Infrastructure Security; Software Security; Cloud Security; Third-party management; Workforce management
Vigilant: Threat and vulnerability management; Monitoring
Resilient: Crisis management; Enterprise Resiliency
Legend: Initial Observed Maturity, Current Maturity, Target Maturity.]

Where do you fall?

When did the board last read this kind of report?
NIST Cybersecurity Framework…

Function: Identify – What processes and assets need protection?
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management (v1.1)

Function: Protect – What safeguards are available?
Categories: Identity Management, Authentication and Access Control (v1.1); Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology

Function: Detect – What techniques can identify incidents?
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes

Function: Respond – What techniques can contain impacts of incidents?
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements

Function: Recover – What techniques can restore capabilities?
Categories: Recovery Planning; Improvements; Communications
Cybersecurity objectives…

Confidentiality – restrict access to authorized individuals

Integrity – data has not been altered in an unauthorized manner

Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe
Payment Card Industry (PCI)
1. Anyone who stores, processes, or transmits credit card data must be PCI compliant
2. Common PCI validation requirements
▪ Report on Compliance (ROC)
▪ Self-Assessment Questionnaire (SAQ)
▪ Letter of Attestation
▪ Quarterly PCI scans
3. Sample PCI Data Security Standard requirements
▪ Annual penetration testing (DSS 11.3)
▪ Security awareness training (DSS 12.6)
▪ Quarterly PCI scans (DSS 11.2)

These are best practices…
The cyber insurance opportunity…

People are not the weakest link - they are the primary attack vector.
Questions & Answers

Mustapha B Mugisa, Mr Strategy
strategy@summitcl.com
