3. What makes it different form terrestrial Crime They are easy to learn how to commit They are often not clearly illegal When done leaves no or less trace They require few resources relative to the potential damage caused They can be committed in a jurisdiction without being physically present in it
4.
5. Cyber Crimes – Exploding Problem List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec) Each country lists 6 contributing factors, share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking. 11. India Share of malicious computer activity: 3% Malicious code rank: 3 Spam zombies rank: 11 Phishing web site hosts rank: 22 Bot rank: 20 Attack origin rank: 19
6. Extent of the Problem Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007
7. Extent of the Problem 2009 FBI-IC3 Internet Crime Report Friday, April 2nd, 2010
8. Extent of the Problem Ponemon Institute Research Report Publication Date: July 2010
12. Definition of risk Risk is an event that occurs with a certain frequency/ probability and that has consequences towards one or more goals/objectives Risk Level = Frequency/ Probability combined with Consequence x = DAMAGE ASSET PROBABILITY CONSEQUENCE RISK THREAT EXPLOIT VULNERABILITY
13. Approach - Work process and method Initiation & focusing Uncertainty Identification Risk Analysis Actions Planning Documentation Communication Implementation & follow-up The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner
25. The CALDER-MOIR IT Governance Framework There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, are complete IT governance frameworks, but they all have a useful role to play in assisting organizations manage and govern their IT operations more effectively. The CALDER-MOIR IT Governance Framework is designed to help you get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
26. Governance & Cyber Crime - Cost Comparison Ponemon Institute Research Report Publication Date: July 2010
27.
28. Cybercrime provisions under IT Act,2000 Offences & Relevant Sections under IT Act Tampering with Computer source documents Sec.65 Hacking with Computer systems, Data alteration Sec.66 Publishing obscene information Sec.67 Un-authorized access to protected system Sec.70 Breach of Confidentiality and Privacy Sec.72 Publishing false digital signature certificates Sec.73
22 December 2010 The new risk reality is a statement that illustrates the increased complexity of society. Picture 1: (Prestige sinking) Extreme environmental focus. Compliance, or lack of compliance? A symbol of a shipping accident. Picture 2: (Enron USA) Expectations on ethical standards in business. Demonstrates consequences of poor ethics. A symbol of corporate failure. Picture 3: (microphones) Requirements on transparency from media and non-governmental organisations (NGO) on the rise. Picture 4: (air pollution) Climate change is a consequence of human activity and pollution. Changes in weather patterns and more frequent natural catastrophes are risks business must take into account.
22 December 2010 Different definitions exists for Risk, let’s not go too deep into that now But the scales for probability and Consequence/Impact needs to be agree
22 December 2010 These are the core activities in regular Risk Management Often this exists and relevant risks may be found there, in addition findings from the BC Risk Assessment should be included in this risk picture
22 December 2010
22 December 2010 Widely used and, until the rise of BS 7799-1, probably the most recognized of the security frameworks, COBIT (Control OBjectives for Information and related Technology) is directed at information security. However, it should be noted that COBIT was created by a specific group and intended for a specific purpose. COBIT was created by ISACA (which used to be known as the Information Systems Audit and Control Association). Auditability is key to the COBIT, and the accounting and management background definitely shows in the choice of items in the COBIT list. Much of the activity suggested relates to measurement, performance, and reporting. Thus, in a sense, most of COBIT concentrates on what can be counted and demonstrated, sometimes disregarding what might actually be effective.
22 December 2010 The United States' Federal Information Systems Management Act mandates certain standards of information security and controls for US federal agencies. The legislation states that standards must be applied, but the standards are different for different agencies and applications. Detailed instructions can be found in directives for the military (Defense Information Technology Systems Certification and Accreditation Process or DITSCAP), the intelligence community (Director of Central Intelligence Directive 6/3 or DCID 6/3), and more generally the National Information Assurance Certification and Accreditation Process (NIACAP). The National Institute of Standards and Technology also has outlines.
22 December 2010 It really isn't fair to compare the Computer Security Resource Center (CSRC) of the United States' National Institute of Standards and Technology, with the security frameworks we have been discussing. The centre (which, even though it is only one office of the institute, is generally known simply as NIST in the security community) provides a wealth of security information and resources, which are freely available at the Website at http://csrc.nist.gov. The publications section is particularly useful, with a constantly updated stream of guidelines and aids, particularly the 800 series documents.
22 December 2010 As should be clear to everyone in both fields, the financial securities industry has very little to do with computer or information security, despite a heavy reliance on the technology. However, recent concerns in that community have concentrated on the area of internal controls, which have application in reviewing controls and safeguards, particularly in regard to insider attacks. This reference is shorthand for the second report from the Basel Committee on Banking Supervision, Risk Management Principles for Electronic Banking. Basel II Accord also looks at operational risk, which is more in line with the risk management that infosec people know and love. Shorthand for the Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework. Shorthand for the Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework. COSO outlines a three dimensional framework for examining controls. The United States' Sarbanes-Oxley law (frequently referred to as Sarbox or SOX) emphasizes that corporate management is responsible for the reliability of financial reports about publicly traded companies. Section 404 (and also 302, in a marvelous confusion with Web result codes) notes that the integrity of information systems supporting these financial reports must also be managed.