ISM - Lesson1


INFORMATION SECURITY & MANAGEMENT

INFORMATION SECURITY MANAGEMENT

It is the approach an organization takes to
ensure the availability, confidentiality
and integrity of its Information Technology
(IT) assets and to defend them against
cyberattacks.
AVAILABILITY
Information security management addresses the
availability of data by implementing procedures,
processes and protocols which ensure that important
information is accessible to authorized users whenever they
need it. Typical activities include hardware maintenance and
repair, installing patches and upgrades, and well-designed
incident response and disaster recovery processes that
prevent data loss in the event of a cyberattack.
"It's definitely obvious that an organization wouldn't want
its information, in any form, to be exposed or to go public
in a manner that would harm the entirety of its
processes."
CONFIDENTIALITY
In terms of usage and importance, confidentiality and
privacy are closely related. When preserving the
confidentiality of information, one important factor is to
ensure that only users who have been granted access can
read it (protection against unauthorized modification is the
concern of integrity, below). Information security teams are
therefore obliged to assess the associated risks and to
ensure that appropriate privacy controls are in place.
"Best practices and unique platforms in connection with
data confidentiality are reviewed periodically to calibrate
and continuously monitor whether the employees or users
are compliant."
INTEGRITY
Integrity is maintained through control implementations
that validate and confirm the consistency and accuracy of
stored data throughout its life cycle. For information to be
considered secure, the information security team must be
able to store it properly and guarantee that it cannot be
modified or deleted by anyone beyond the access rights of
the appropriate users.
"All organizations generate and collate massive amounts of
essential information, but is this information accurately
reported and even stored properly? Somewhere between
the lines are validation teams that ensure the
completeness and accuracy of the data; it is then in the
hands of the Information Security (InfoSec) teams to store
it accordingly."
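One concrete integrity control is a keyed message authentication code (MAC) stored alongside each record: anyone who edits the record in storage without the key cannot produce a matching tag, so the modification is detected on read. The following is an added example, not code from the original slides; the key, the record layout and the sample data are constructed for illustration (a real deployment would fetch the key from a secrets store or KMS).

```python
import hashlib
import hmac
import json

# Hypothetical key for the demo (assumption): in production this would be
# loaded from a secrets manager, never hard-coded.
KEY = b"example-integrity-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always produce equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(stored: dict, key: bytes = KEY) -> bool:
    """Recompute the tag and compare in constant time.

    Returns False if the data was altered after sealing or if the key differs.
    """
    expected = hmac.new(key, canonical(stored["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


# Constructed sample record (not real data).
SAMPLE = {"account": "A-1001", "balance": 2500, "owner": "J. Cruz"}


def demo() -> tuple:
    """Seal a record, then simulate an out-of-band edit in storage."""
    sealed = seal(SAMPLE)
    ok_before = verify(sealed)
    # An attacker with write access to the datastore changes the balance but
    # cannot recompute the tag without the key.
    tampered = {"data": dict(sealed["data"], balance=250000), "tag": sealed["tag"]}
    ok_after = verify(tampered)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The tag protects against silent modification, not against deletion of the whole record or replay of an older sealed copy; those need a separate control such as sequence numbers or an append-only audit log.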
PILLARS OF INFORMATION
SECURITY MANAGEMENT
Nowadays, companies store huge amounts
of information, which increases the
threat of cyberattacks and data theft and
in turn drives important developments in
the field of information security
management.
A. INFORMATION SECURITY
CONTROLS
WHAT DOES SECURITY CONTROL MEAN?
Security controls in Information Security
Management (ISM) are safeguards, also
called countermeasures, implemented in an
organization to minimize, detect, avoid
and/or counteract information security
risks such as data alteration or theft,
breaches of information systems, and
unauthorized use or access.
FORMS OF SECURITY CONTROL
Preventive – A form of security control intended to stop
cybersecurity incidents from occurring in the first place.
Detective – A detective security control is designed to identify
unusual or targeted cybersecurity activity. Once a successful
or potential breach has been detected, the cybersecurity
professionals responsible must be notified of the incident.
Corrective – Often, some of an organization's security controls
are corrective in nature. After an incident has occurred,
corrective measures are applied to limit data loss and damage
to systems, the business network and the underlying databases,
and to restore significant and critical processes and systems
promptly. A quick return to the normal security posture
demonstrates resilience against incidents.
TYPES OF SECURITY CONTROLS

1. Physical Controls
2. Access Controls
3. Procedural Controls
4. Technical Controls
5. Compliance Controls
PHYSICAL CONTROLS
This type of security control involves
safeguards and countermeasures in a facility
that are specified to prevent or strongly
discourage unsanctioned, unofficial or illegal
access to sensitive information assets. Typical
examples include motion or thermal alarm
systems, guards, remote and facial-recognition
identity scanners, locks, and closed-circuit
surveillance cameras.
ACCESS CONTROLS
These controls verify that users are who
they claim to be (authentication) and that
they consistently hold only the appropriate
access to specific data (authorization).
Well-known examples are passwords and
security questions.
PROCEDURAL CONTROLS
These controls maintain a computer system
through validation procedures documented in
user manuals and standard operating
procedures (SOPs).

Examples: SOPs on backup and recovery,
computer system verification, development
and maintenance, records management,
account management, and control procedures.
COMPLIANCE CONTROLS
These controls are the central feature of
compliance risk management. Ordinarily,
they are derived from standards or frameworks
relating to cybersecurity and from data
privacy laws.
B. GOVERNANCE, RISK AND
COMPLIANCE
WHAT IS GOVERNANCE?
It is the combination of supporting procedures
implemented by executives to guarantee that
the organization's many activities, including
information technology (IT) operations, are
well managed and aligned with the business
objectives.
THE FOLLOWING ARE THE BEST PRACTICES
ADOPTED BY SEVERAL COMPANIES:
Accountability
Having a competent Board of
Directors/Trustees
A high level of integrated ethics and
integrity
Clearly outlined roles and responsibilities
Effective risk management solutions
Alignment of goals with the current
business strategy
WHAT IS RISK
MANAGEMENT?
It involves forecasting and dealing with the
risks and opportunities, direct or indirect,
that are linked to the organization's
activities. In a cybersecurity context, it is
the application of comprehensive and practical
IT risk management methodologies,
incorporated into the enterprise risk
management function of the organization.
RISKS
Malware – software that is intentionally designed to cause
harm or damage to a computer or network.
Phishing – a fraudulent attempt to obtain sensitive information
in which the attacker impersonates a trustworthy entity.
Data leakage – the unauthorized transmission of data from
inside the organization to external recipients or destinations.
Insider threat – a threat originating from people inside the
organization, such as employees or contractors, who misuse
the access they have been granted.
Hacking – normally, an intentional attempt to exploit a
network or computer system.
Zero-day exploits – attacks against a software weakness that
is not yet publicly known or patched, so the vendor has had
"zero days" to fix it.
DDoS – a "Distributed Denial-of-Service" attack, which usually
occurs when multiple systems flood the bandwidth or resources
of the targeted system.
MitM attack – a "Man-in-the-Middle" attack, where the
perpetrator secretly inserts themselves into what appears to be
a normal exchange of information between the user and the
application, relaying and possibly altering the traffic.
Social engineering – malicious activities carried out through
human interaction, manipulating people into giving up
information or access.
SQL injection – a code injection technique in which an attacker
supplies crafted SQL through an application input that is
concatenated into a query, causing the database to run the
attacker's SQL.
RISK
MANAGEMENT
PROCESS
It is a framework implemented to
mitigate risk. It starts with
identifying the risks, followed by
analyzing the risks, prioritizing the risks,
treating the risks, and finally monitoring
and reviewing the risks.
PRINCIPLES OF RISK
MANAGEMENT
The ISO 31000:2018 standard, Risk Management
Guidelines, outlines the following principles:
1. Dynamic
2. Integrated
3. Customized
4. Inclusive
5. Structured and comprehensive
6. Continual improvement
7. Consideration of human and cultural factors
8. Use of the best available information
WHAT IS CYBER REGULATORY
AND COMPLIANCE?

These are yardsticks designed to ensure
that the required controls are in place
and intact; prominently, they are mandated
by law or by a regulatory agency.
THE FOLLOWING ARE THE POTENTIAL RISKS
OF NONCOMPLIANCE:
1. Huge financial consequences, litigation,
and fines or penalties for breaching
regulations.
2. Delays in product and market access
3. Loss of productivity and revenue
4. Rapid reputational damage
5. Government or regulatory bans and sanctions,
including license suspensions
6. A probable risk of injury and lawsuits
BEST PRACTICES SURROUNDING
COMPLIANCE, IN GENERAL
1. Establish your end goal and gain a solid knowledge of
the industry's regulatory requirements and standards.
2. Establish and implement strict, effective policies and
procedures.
3. Create and deliver a compliance program and training
that provides opportunities for improvement.
4. Create metrics for calibration and review of results.
5. Conduct compliance audits, whether announced or
unannounced.
C. CYBERSECURITY AUDIT
MANAGEMENT
WHAT IS A CYBERSECURITY AUDIT?

Many call it a "checklist" that helps them
verify that the policies and procedures are
really in place on the ground and that
controls are present to address them.
PURPOSE OF A CYBER AUDIT
Internal Audit
Internal auditors are employees of the company who assess
and analyze mainly the firm's internal controls. They also ensure
that the organization is compliant not just with the firm's own
policies and procedures but with the relevant laws.
External Audit
On the other hand, an external audit focuses on the independent
assessment and review of the firm's financial statements. This
type of audit engages professionals who are well versed in
checking the veracity of the firm's financial standing.
Third-Party Audit
This type of audit is used when the company wants to assess
its degree of compliance with a specific standard; a good
example is the certification of a Quality Management System
(QMS).
WHAT IS AUDIT MANAGEMENT?

It involves simplifying audits and
organizing the collaboration process
and workflow of compiling them. It
encompasses oversight of the internal
and external audit personnel who
establish the audit programs.
D. SECURITY PROGRAM
MANAGEMENT
A security program encompasses the
projects, activities, technologies,
processes and procedures that are put
together to pursue a shared objective.
Its main objective is to collate a well-
documented set of the firm's
cybersecurity standards, workflows,
plans, guidelines, policies and
procedures.
COMPONENTS OF A
SECURITY PROGRAM
a. Security policy development
b. Risk management
c. Incident handling and response
d. Security architecture
e. Threats and vulnerabilities
E. VENDOR RISK
MANAGEMENT (VRM) OR
THIRD-PARTY RISK
MANAGEMENT (TPRM)
VRM involves evaluating
suppliers, vendors and/or partners
to check that they meet the minimum
requirements set. TPRM extends that
assessment of vendor risk across the
whole supply chain.
F. STRATEGIC PLANNING
An information security strategic plan is a
guide used to help the organization decide
when to accept, avoid, transfer or
mitigate the risks associated with its
information processes, technologies and
systems, and people.
A strong strategy helps the enterprise
protect the availability, confidentiality
and integrity of its information.
CISO – Chief Information Security
Officer
THANK YOU FOR
LISTENING!
Don't hesitate to ask any questions!
