
Guidelines for Managing IT Risk and Cyber Risk


• Know your bank's cyber risk appetite
• Board, Audit Com and Senior Mgt Knowledge/Awareness and People awareness
• Sufficiency and capability of taskforce
• Cyber risk is business risk, business involvement?
• Ready for timely response: plans + exercises
• 3rd party management – cloud computing
• Clear accountability of 3 lines of defense
• Internal Audit Universe covers cyber resilience


Transcription of Guidelines for Managing IT Risk and Cyber Risk

1 IT Cyber 29 2560 Future of Blockchain and Cybersecurity. 1. 2. IT and Cybersecurity Risks 3. IT Risk Management Cyber Resilience. Agenda.

70s, 80s, 90s, 00s, Today. ATM, Debit Card, Internet Banking, Mobile Banking, FinTech, Traditional Bank, Cloud Computing, Crowd-funding, Big Data Analytics. Source: BOT . 2-3 .. 59 PromptPay, Future, Blockchain, Artificial Intelligence. 6,934 57,000 15 49 21 28 ID Digital Banking customers.

Deposit, Loan, Trade Finance, Cash Management, Credit Card, Cheque (Products). Branch, EDC, ATM/CDM (Channels). Internet, Payment Gateway, Mobile. Retail, SME, Corp.

Known-CIA. Known non-CIA. Unknown, Unpredictable, Uncertain, Unexpected. IT Security, Cybersecurity, Cyber Resilience. Source.

2 Relationship between Cyber Resilience, Cybersecurity and Information Security, Threat Horizon 2014, ACIS Professional Center. Information Security, Cybersecurity, Cyber Resilience.

Top 10 HOT Topics for IT Internal Audit. Source: Storming ahead 2017 Hot Topics for IT Internal Audit in Financial Services, An internal audit viewpoint. Dec 2017 (Thailand) BOT launches Cyber Assessment Framework. Oct 2017 (Thailand) BOT launches ITRM.

Importance of IT Internal Audit. IA 3rd line of defense: IT Audit.
• Know your bank's cyber risk appetite
• Board, Audit Com and Senior Mgt Knowledge/Awareness and People awareness
• Sufficiency and capability of taskforce
• Cyber risk is business risk, business involvement?

3
• Ready for timely response: plans + exercises
• 3rd party management – cloud computing
• Clear accountability of 3 lines of defense
• Internal Audit Universe covers cyber resilience

Does the traditional way of doing certain things still work? Points of your concern.

Secure Architecture, Control Process, Exercise, SOC, Incident Management, Protect, Operation, Management, Detect, Response/Recovery, Testing, Monitoring, Analyze, Incident Handling, SIEM, Cyber Resilience Management Governance, Compliance, Audit, Risk Management, Board of Directors/Committee, Awareness, Capability, Threat Intelligence Feed, Fraud Monitoring System, 3rd Party Mgt, Cyber Resilience Mgt, Cyber Resilience Management.

Rapid Technology Change, Complexity of Cyber/IT Risk, Scarce Skills, How to handle your challenges, Strategic Uncertainty, New law/regulation.

IT Cyber Resilience World Economic Forum 2015-2017 Cyberattack

4 10 Economic Forum (2017), Global Risks Report 2017 12th Edition. Cyber risk Cyber Resilience (1) Cyber (2) Collaboration & Intelligence Sharing (3) Cybersecurity (4) Financial Technology Literacy . Cyber Risk . gap 2561 Cyber Resilience Assessment Framework Cybersecurity . Regulators (1) TBA Information Sharing Group (ISG) (2) .. (3) ETDA .. (4) MAS, HKMA, ASTRI, etc.

5 Cyber Intended Outcome : . 3 ( 2560-2562) Cyber Resilience.

Inherent Cyber Risk (IR): Technology Usage & Connection, Delivery Channels, Product & Services, Org. Characteristics, Cyber Incident Records. Advanced, Intermediate, Baseline. L, M, H.

Cyber Risk Management and Control (Maturity). PEOPLE, TECH, PROCESS. FI Self Assessment. Governance, Risk Identification, Response & Recovery, Protection, Detection, 3rd Party Management. BOT Review. Risk Based Expected Maturity. Advanced, Intermediate, Baseline. L, M, H. Bank's Existing Maturity. GAPs.

surface . Cyber Cyber Framework : NIST, BIS, ISO270032, HKMA.

6 Deloitte, ( .. ) . Cyber Resilience Key Risk Factors. Cyber Resilience Assessment Framework, Inherent Risk Profile, Control Principles.

Technology & Connection Connections Public IPs Wireless Network BYOD EOL Technology Open Source S/W Platform Cloud Computing (IR 1)
Delivery Channels ATM Internet Banking Mobile Banking Branches Social Media (IR 2)
Product & Service Cards Online Transfer ATM Service Cross Border Service (IR 3)
Org. Characteristics IT Environment Size IT Staffs Privileged Access IT Out. staffs (IR 4)
Cyber Incident Records DDoS Phishing Social Engineering Malware Hacking (IR 5)

Inherent Cyber Risk : . surface cyber risk . Cyber Resilience Financial Institutions. Wide Area Network (WAN). Branches, ATMs, EDCs, Overseas Branches. Corporate & Retail Customers. Business ITMX, SWIFT, Telco, Visa. Fin.

7 Conglomerate, HQ, Subsidiaries. People, Technology, Products. -Staff -Outsourcing -Cloud - or Semi-Private Network MPLS, Leased Line. 3rd Party Outsource IBM, MFEC. Secured Protocol sFTP, SSH. Unsecured Protocol FTP, Telnet. Internet True, TOT, UIH, MNO, CS Loxinfo. Intranet. Private or Semi-Private Network MPLS, Leased Line. Internet. IR1, IR1, IR2, IR3, IR3, IR4.

Key Risk Factors: Technology & Connection (IR1), Delivery Channels (IR2), Product & Services (IR3), Org. Characteristics (IR4), Cyber Incident Records (IR5). Cloud Service Provider AWS, Salesforces, Office365. IR5.

Cyber Resilience Assessment Framework, Inherent Risk Profile, Control Principles . Cyber Resilience . Cyber Resilience Cyber Inherent Risk. Advanced, Intermediate, Baseline. 100% Baseline; 100% Baseline + Intermediate; 100% Baseline + Intermediate + Advanced. L, M, H. Cyber Risk Management and Control (Maturity). Cyber Inherent Risk. Cyber Risk Management and Control (Maturity). 3rd Party Risk Management, Situational Awareness.

8

1. Governance: Cybersecurity Oversight, Strategy and Policies, Cyber Risk Management, Audit, Budgeting, Staffing and Training
2. Risk Identification: IT Asset Identification, Cyber Risk Assessment
3. Protection: Infrastructure Protection, Access Control, Data Security, Secure Coding, Patch Management, Remediation Management
4. Detection: Vulnerability Assessment (VA), Penetration Testing, Cyber Incident Detection, Threat Monitoring/Analysis
5. Response and Recovery: Response Planning, Incident Management, Escalation and Reporting
6. 3rd Party Risk Management: External Connections, 3rd Party Management, Ongoing monitoring

Control Principle: IR 6 Cyber Resilience Assessment Framework, Control Principles, Inherent Risk Profile.

9 Cyber Resilience Control Principles: 1. Governance 2. Identification 3. Protection 4. Detection 5. Response and Management. Baseline, Intermediate, Advanced.

Board . -Board Cyber - Cyber risk appetite - . (IT Steering) Cyber - . Risk Audit Cyber - BU Cyber - IT Cyber - Cyber - Cyber BU Risk - . Cybersecurity - Cyber threat sharing - Cyber threat Intelligence ( / / ) - Risk owner IT - ( IT) - Challenge IT - IT - Challenge BU Cyber risk.

10 - - update Cyber incident / Threat - Cyber insurance. Baseline, Intermediate, Advanced. - / . / - / - Cyber threat intelligence - Cyber risk appetite - Cyber risk appetite - IR . - Cyber threat . (Peer) - Cyber threat (telco, insurance) - Cyber . - - Cyber drill / Awareness - /.

