http://whatis.techtarget.com/definition/cybersecurity
Need for Cybersecurity
• The recent ransomware attacks have demonstrated need for having an
effective cybersecurity system in place.
• Cybersecurity incidents and breaches are on the rise, despite high
investments in security.
• Enterprise cybersecurity efforts have to be implemented using a holistic
approach with focus on governance, risk and security.
• Understanding cybersecurity-related risks and opportunities is now a
critical component to the oversight, governance, and management
responsibilities for enterprises.
• CAs can guide Enterprise leaders and board members on implementing
the right cybersecurity measures to protect enterprise data.
Why you need to learn Cyber Security?
• IT is a way of life. Digital is inevitable, digital is the future, and digital is now: DIGITISATION!
• Move to e-commerce, m-commerce, eBanking, mobile banking, online filing, etc., and accelerating: demonetization, GST, automation, digital payments, eGovernance.
• Technology push by Government to curb corruption, increase transparency and deliver services.
Digital Disruption
CAs & Cyber Security
• Business Information
• Compliance requirements
• Trusted Custodians
• Fiduciary Responsibility
• Technology Deployed
Framework for Improving Critical Infrastructure
Cybersecurity
March 2017
cyberframework@nist.gov
Why does the NIST Cybersecurity Framework matter?
• As cyberattacks become more complex, repelling them becomes
more difficult, especially without a single cohesive strategy.
• CSF aims to standardize practices to ensure uniform protection of
all US cyber assets.
Who does the NIST Cybersecurity Framework affect?
• The CSF affects anyone who makes
decisions about cybersecurity in their
organization, and those responsible for
implementing new IT policies.
The Cybersecurity Framework...
• Includes a set of standards, methodologies, procedures, and processes
that align policy, business, and technological approaches to address
cyber risks.
• Of any size, in any sector in (and outside of) the critical infrastructure.
• That already have a mature cyber risk management and cybersecurity
program.
• That don’t yet have a cyber risk management or cybersecurity program.
• Needing to keep up-to-date managing risks, facing business or societal
threats.
• In the federal government, too, since it is compatible with FISMA
requirements and goals.
Cybersecurity Framework Components
• Framework Core: cybersecurity activities and informative references, organized
around particular outcomes
• Framework Profiles: align industry standards and best practices to the Framework
Core in a particular implementation scenario
• Framework Implementation Tiers
Cyber Security Framework Implementation: 7-Step Process
1: Prioritize and Scope
2: Orient
3: Create a Current Profile
4: Conduct a Risk Assessment
5: Create a Target Profile
6: Determine, Analyze, and Prioritize Gaps
7: Implementation Action Plan
CA Firms have to enhance Cyber Security
• Cyber Security: systems and processes for securing information and related assets
• Data Security and Information Protection
• Enhance Cyber Security by using the right knowledge, skills and tools
• Trust in Information & IS
• Policy
RBI Guidelines on Cyber Security
The RBI guidance consists of the overall/introductory
framework and guidance and three annexures:
1. An indicative set of baseline cyber security and
resilience requirements.
2. Information on setting up and operationalising a
cyber security operation centre (C-SOC).
3. A template for reporting cyber incidents to the RBI.
How to effectively organise data & information repository in a CAs office?
CA BABU JAYENDRAN
Sensitive Data in a CAs Office
• Sensitive & Private Data
• Confidential / Non-Disclosure Covenants
• Avoid Misuse / Abuse
• Professional Ethics
• An entity that collects, receives or possesses such information shall provide a
Privacy Policy for handling of or dealing in personal information.
• Disclosure to a third party requires the permission of the provider.
• Comply with reasonable security practices and procedures (meet ISO 27001 or
equivalent requirements).
• Penalty of up to Rs. 5 Crores for anyone negligent in safeguarding such information.
Emerging Cyber Risks & Attacks
• Ransomware
• Social Engineering
  • Phishing - criminal activity that attempts to fraudulently obtain
  sensitive information: email
  • Vishing - using the phone to solicit your personal information
  • Smishing - uses cell phone text messages to lure consumers
• Malware
  • Computer Viruses, Worms, Trojan horses, Spyware, Adware
  • designed to interfere with normal computer operation, usually
  giving hackers a chance to gain access to your computer and
  collect sensitive personal information.
• DDoS - Distributed Denial of Service
  • attempt to make an online service unavailable by overwhelming it
  with traffic from multiple sources.
• Data Leakage
  • The unauthorized transfer of classified information from a
  computer or datacenter to the outside world – EMPLOYEES!!!
How to identify a phishing email?
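The slide above asks how to recognise a phishing email but the deck shows the indicators only as an image. The following Python script is an added example, not part of the original deck, that checks a raw email message for the classic warning signs: a display name that claims a brand the real sender domain does not contain, a Reply-To routed to a different domain, pressure wording ("urgent", "immediately"), and links whose visible text points at one host while the real href goes to another or to a raw IP address. Both sample messages, the domain names, the IP address and the URGENCY_WORDS list are constructed for illustration; a real deployment would tune the word list and add checks such as SPF/DKIM results from the Authentication-Results header.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the deck). Traits: display name claims a bank,
# sender domain unrelated, Reply-To elsewhere, urgency wording, and a link
# whose visible text differs from its real destination (a raw IP).
PHISHING_SAMPLE = """\
From: "Example Bank Support" <alerts@secure-notice-mailer.net>
Reply-To: collect@mailbox-example.org
To: client@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer, verify your account immediately to avoid suspension.</p>
<p><a href="http://198.51.100.23/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed benign sample for comparison: brand matches the sender domain,
# no Reply-To redirection, neutral wording, link text is not a lookalike URL.
BENIGN_SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
To: client@example.com
Subject: Your monthly statement is available
Content-Type: text/html

<html><body><p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

# Assumed list of pressure phrases; tune for your own mail flow.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name names a brand that the real sender domain does not contain.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    brand_words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", from_name)]
    if brand_words and not any(w in from_dom for w in brand_words):
        findings.append(f"display name '{from_name}' does not match sender domain '{from_dom}'")

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 3. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + " " + body_text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Links whose visible text is a URL on another host, or whose target is a raw IP.
    collector = LinkCollector()
    collector.feed(body_text)
    for text, href in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = (urlparse(text).hostname or "") if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows '{text_host}' but points to '{href_host}'")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
            findings.append(f"link target is a raw IP address '{href_host}'")
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {phishing_indicators(sample) or ['no indicators']}")
```

Run it against a saved `.eml` file by reading the file into `phishing_indicators`; the constructed phishing sample trips all five checks, while the benign sample produces none. None of these heuristics is proof on its own (legitimate newsletters also use Reply-To), which is why the script reports indicators for a human to weigh rather than a verdict.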
Sources of Cyber Risks
• E-mail - Ransomware / Malware / Phishing Attacks
• Software downloads - free utilities / software / apps
• Lack of User Awareness
• Social Media
• Free Downloads / Freebies / Offers
• Carelessness
Governance – Policy, Procedures & Practices
• Set up a Privacy, Backup & Security Policy
• Consider exploring Cloud as Data Storage / Backup Option with auto
sync features
  • Microsoft Azure, Amazon Cloud have these options at nominal cost
• Employee / Trainee Awareness & Declaration
  • Regular Confirmations from Staff on Confidentiality
  • Office Resources not being used for personal purposes
  • Unauthorized downloads / website usage prevention
  • Client data not kept in private custody
• Internal Checks & Audits
• Client Awareness Workshops / email
Practical Tips for Protection - Organization Perspective
• Use only Licensed Software / Applications
• Disable Admin Access in employee Computers
• Keep anti-virus / malware updated
• Backup the data at least once a week
• McAfee / Kaspersky / Symantec solutions
• Ensure wi-fi is protected and password is frequently changed
• Regularly scan wi-fi to identify the users
• Tools like “Who is on my Wi-Fi” can help
• Download only from authorized websites
• Consider encrypting critical devices
• Change Passwords Regularly
• Securities Exchange Commission (SEC), US, has stated that “Firms must
adopt written policies to protect their clients’ private information and
they need to anticipate potential cyber security events and have clear
procedures in place rather than waiting to react once a breach occurs.”
Questions?