Posts

Showing posts from March, 2021

Building a Security Awareness Program that just fits.

Today I will not provide you with another chapter from my book draft but talk about a topic that has fascinated me for some time. Awareness trainings are the neglected pillar of cybersecurity, especially when a CISO has a strong technical background, like I have. When I think about cybersecurity I think about SECURITY people that follow SECURITY processes and policies which are implemented with SECURITY tools, because as a security engineer I learnt over many years how to solve problems with algorithms, compilers, and machines. During my career the number of people I was responsible for increased a lot, and at the same time these people are less and less IT-aware. Maybe you know this path and thinking; then I would recommend you take a look into the event logs of a virus scanning tool or intrusion prevention system. Funny, but 99,99% of the events are caused by people! And what happens outside your infrastructure, or by "out of bound" attacks to circumvent detection s

Release #6: German finance OpSec against Kim Jong-Un and Chinese Casinos (MaRisk and BAIT requirements)

(Source: Wikipedia) The Basel Committee on Banking Supervision has drawn up the requirements Basel I to III, which have been implemented at national level in Germany by the Banking Act[1] (KWG). The KWG serves market regulation and market organisation in the banking sector by considering various types of risks and by introducing a notification and information obligation. In the banking environment the so-called "44er audit" ("44er Prüfung") describes the general obligation of an institution to provide information to the auditor, as defined in section 44 (1). Operational risk (BTR 4) is of particular interest for the purposes of this book, as it has been specified – more precisely in sections 25a and 25b – by the minimum risk management requirements (MaRisk). This all sounds very formal and like a lot of paperwork, but it has a serious background. The ties between rogue nations, cybercrime and traditional crime are very close. Let's use North Korea as an exampl

Release #5: Regulatory Requirements and Cyber Defense

Basics The financial sector is extensively regulated at international and national level. Industry standards such as PCI-DSS and SWIFT CSCF (Customer Security Controls Framework) play just as much a role as ISO 27001, EU-GDPR (General Data Protection Regulation), or national laws such as IT-SiG (IT-Sicherheitsgesetz) and KWG (Kreditwesengesetz) in Germany (which is based on Basel I and Basel II and is specified by the MaRisk (Mindestanforderung an das Risikomanagement) and BAIT (Bankenaufsichtliche Anforderungen an die IT) requirements). No news so far, and I risk that you, my reader, will fall asleep. But wake up: the point is that these different requirements need to be put under one hat and they have to be useful on an operational level in an easy manner. This is the big task for the 2nd Line-of-Defense (2LoD) in this game. Therefore I will briefly present a methodology to tame all the major and well-known regulations and the minimum measures that should be impl

Release #4: Terminology, Frameworks and Standards - Part 2

After we took a deeper look into the concepts to formalize and understand an attack, we will now look into models for the defender. I can imagine that talking about processes and models is boring. Unfortunately it is absolutely necessary, not only because we have our focus on a regulated environment. Equally important is the fact that you need a common language in your team and have to use a well-known set of frameworks to build your workflows, documents, operating procedures etc. on. At the end of this blog entry I will tell you one or two "war stories" about what can happen if you don't follow standards. Incident Response Process ISO 27035 defines a high-level incident response process, but personally I prefer NIST SP 800-61 "Computer Security Incident Handling Guide", which has the following steps and process flow. (Source: NIST CSRC) The process you should use, and that is not limited to the incident response process, should always match your current env