
Difference between revisions of "OWASP - Cyber Security in the Boardroom"

m (Main)
m
 
(22 intermediate revisions by the same user not shown)
Line 6: Line 6:
 
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
 
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
  
==OWASP Cyber Security at the Executive & Board Level Project==
+
==OWASP - Cyber Security in the Boardroom==
  
Owasp Cyber Security at the Board Level Project is to provide the board of directors with a better understanding of cyber security & the challenges security professionals face order for them protect the companies they represent.
+
OWASP Cyber Security in the Boardroom initiative is to provide the board of directors with a better understanding of cyber security & the challenges security professionals face in order for them to protect the companies they represent.
  
Equally, provide cyber security professionals with a better understanding of the board of directors, what their roles and responsibilities are & how they function. This is in order to help these professionals understand the board's needs and communicate upwards effectively.
+
Equally, provide cyber security professionals with a better understanding of the board of directors expectations, what their roles and responsibilities are and, how they function. This is in order to help these professionals understand the board's needs and communicate upwards effectively.
  
==Introduction==
+
==Initiative Deliverables==
 +
# A Primer on Cyber Security for the Board
 +
# Guidelines for selecting and evaluating the head of the Cyber Security program  (e.g. CISO/CSO/CCO* )
 +
# Top 10 Criteria for leading a Cyber Security program
 +
# Cyber Threats per Industry Sector
 +
# Cyber Security Framework
  
Write a short introduction
+
==A Primer on Cyber Security for the Board==
  
 
 
==Description==
 
 
Write a description that is just a few paragraphs long
 
 
 
# '''Introduction'''
 
 
# '''Overview of Cyber Security for a Board of Directors'''
 
# '''Overview of Cyber Security for a Board of Directors'''
 
#* The Main Concepts of Cyber Security
 
#* The Main Concepts of Cyber Security
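Review bot: the two rewritten summary sentences in this hunk still read awkwardly. "OWASP Cyber Security in the Boardroom initiative is to provide ..." is missing its main verb; suggest "The OWASP Cyber Security in the Boardroom initiative aims to provide the board of directors with ...". In the second sentence, "the board of directors expectations, what their roles and responsibilities are and, how they function" needs the possessive "directors'" and the comma placed before "and" rather than after it.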
Line 30: Line 27:
 
#* Responding to a Cyber Security Incident
 
#* Responding to a Cyber Security Incident
 
#* Cyber Security Myths and Misconceptions
 
#* Cyber Security Myths and Misconceptions
#* Cyber Security & Corporate Responsibility
+
#* Cyber Security and Corporate Responsibility
 
# '''Overview of the Board of Directors for Cyber Security Professionals'''
 
# '''Overview of the Board of Directors for Cyber Security Professionals'''
 
#* Roles and Responsibilities of the Board
 
#* Roles and Responsibilities of the Board
 
#* Board of Director Liabilities
 
#* Board of Director Liabilities
 
#* Corporate Governance
 
#* Corporate Governance
#* Company Strategy & the role of Cyber Security
+
#* Company Strategy and the role of Cyber Security
 
# '''Appendix'''
 
# '''Appendix'''
 
#* Useful Cyber Security References
 
#* Useful Cyber Security References
 
#* Useful Board of Directors References
 
#* Useful Board of Directors References
 
#* Scenarios
 
#* Scenarios
 +
 +
==Selecting and evaluating the head of the Cyber Security Program ==
 +
Head of the Cyber Security Program; Selection & Evaluation Guidelines:
 +
# Background in dealing with information security challenges.
 +
# Deep understanding of the Security Mindset and the Security Culture.
 +
# Clear view of what it means treating security as an ‘enabler’ in the context of the organisation,
 +
# taking under consideration the business needs, strategy and vision.
 +
# The twin nature of regulatory compliance and the role of the DPO in Data Privacy.
 +
# Translating Risk from/to Business Needs.
 +
# Addressing and communicating the “so what” question(s).
 +
# The functional role of IT Security and how InfoSec deals with GRC, including the legal issues.
 +
# Expert input on the fast-evolving digital ecosystem.
 +
# Be able to distinguish between skills gap challenges versus talent acquisition oversights.
 +
# Measure risk, compliance and maturity.
 +
 +
== Top 10 Criteria for leading a Cyber Security program ==
 +
# Establish segregation of duties and ownership of responsibilities for the cyber security program
 +
# Managing risks in an evolving cyber landscape (Management Buy-in, Strategy, Planning, Governance, etc.)
 +
# Organisational culture (security culture, mindset)
 +
# Sector-focused prioritization of risks, types of attacks, threat actors.
 +
# Mission Critical vs Business Critical; systems, networks and data.
 +
# Digital Ecosystem (Architecture, Infrastructure, Cloud, Deployment, Physical Security, IAM, etc.)
 +
# Secure communications (incl. Data-at-Rest, Data-in-Transit, Data-in-Process)
 +
# Third-Party Risks (incl. Supply Chain)
 +
# Readiness, Containment and Treatment
 +
# Response and Continuity Plan
 +
 +
== Cyber Threats per Industry/Sector ==
 +
* Automotive
 +
* Oil & Gas
 +
* Consumer Products
 +
* Power & Utilities
 +
* Government & Public Sector
 +
* Life Sciences
 +
* Telecommunications & Media
 +
* Real Estate
 +
* Technology
 +
* Mining & Metals
 +
* Private Equity
 +
* Finance & Banking
 +
 +
== Cyber Security Framework ==
 +
How to build / consider starting with a framework:
 +
* Policies & Procedures Creation Guidelines
 +
* Data Classification Guidelines
 +
* Compliance
 +
* Information Security Risk Management
 +
* Information Security Incident Management
 +
* Information Systems Continuity Management
 +
* Third-Party Security
 +
 +
==Footnotes==
 +
<nowiki>*</nowiki>CCO: Cheif Cyber Security Officer
  
 
==Licensing==
 
==Licensing==
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
The Owasp Cyber Security in the Boardroom Initiative is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
 
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |
 
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |
  
== What is XXX? ==
+
== What is Cyber Security in the Boardroom? ==
 
 
OWASP XXX  provides:
 
  
** A whitepaper which achieves the above objectives to inform both board members and cyber security professionals.
+
OWASP cyber security in the Boardroom provides:
** A set of case studies which board members & security professionals can use as part of their training or to simulate cyber security scenarios.
 
  
 +
1) A primer on cyber security for the board
  
== Presentation ==
+
2) Selecting and evaluating the head of the cyber security program
  
Link to presentation
+
3) Top 10 criteria for leading a cyber security program
  
 +
4) Cyber threats per industry/sector
  
 +
5) Cyber security framework
  
 
== Project Leaders ==
 
== Project Leaders ==
 
* Sherif Mansour
 
* Sherif Mansour
* Greg
+
* Grigorios Fragkos
* Paul
 
  
== Related Projects ==
+
== Contributors ==
  
* [[OWASP_CISO_Survey]]
+
* Paul Harragan
  
 
| style="padding-left:25px;width:200px;" valign="top" |  
 
| style="padding-left:25px;width:200px;" valign="top" |  
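Review bot: in the "Selecting and evaluating the head of the Cyber Security Program" list, the guideline "Clear view of what it means treating security as an 'enabler' in the context of the organisation," is broken across two "#" items, so its continuation "taking under consideration the business needs, strategy and vision." renders as a separate sentence-fragment entry and the list ends up with 11 numbered items; join the two on one "#" line. Two smaller fixes in the same hunk: the footnote spells "Cheif" for "Chief", and the Licensing sentence has a closing "]" with no opening "[", so "http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license]" should be written as a complete external link, "[http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license]". The "What is Cyber Security in the Boardroom?" list also uses hand-typed "1)" to "5)" numbering where the rest of the page uses "#".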
Line 73: Line 122:
 
== Quick Download ==
 
== Quick Download ==
  
* Link to page/download
+
* TBA<div class="center" style="width: auto; margin-left: auto; margin-right: auto;"></div>
 
 
  
 +
== News and Events ==
 +
* TBD
 +
* TBD
 +
== In Print ==
 +
This project can be purchased as a print on demand book from Lulu.com
  
 
== Donate to OWASP ==
 
== Donate to OWASP ==
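Review bot: the Quick Download item "* TBA<div class="center" style="width: auto; margin-left: auto; margin-right: auto;"></div>" carries an empty centred div on the end of the list item; it renders nothing and looks like a leftover from the template's download-button markup, so drop it and keep "* TBA". The added "News and Events" entries are both the placeholder "TBD"; one placeholder line is enough until there is an event to list.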
Line 81: Line 134:
 
|target=_blank
 
|target=_blank
 
|budget=Other (Website Donation) }}</div>
 
|budget=Other (Website Donation) }}</div>
 
== News and Events ==
 
* [20 Nov 2013] News 2
 
* [30 Sep 2013] News 1
 
 
 
== In Print ==
 
This project can be purchased as a print on demand book from Lulu.com
 
 
 
 
==Classifications==
 
==Classifications==
  
Line 109: Line 152:
 
=FAQs=
 
=FAQs=
  
 +
; Work in Progress
 +
;
 
; Q1
 
; Q1
 
: A1
 
: A1
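Review bot: the bare ";" line added after "; Work in Progress" is an empty definition-list term and renders as a stray entry; remove it. The template placeholders "; Q1" and ": A1" are still in place below it, so either fill them in or drop them until a real question exists.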
Line 116: Line 161:
  
 
= Acknowledgements =
 
= Acknowledgements =
 +
; Work in Progress
 +
 
==Volunteers==
 
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:
+
OWASP Cyber Security in the Boardroom Initiative is developed by a worldwide team of volunteers. The primary contributors to date have been:
  
* xxx
+
* Sherif Mansour
* xxx
+
* Grigorios Fragkos
 
+
* Paul Harragan
==Others==
 
* xxx
 
* xxx
 
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
As of XXX, the priorities are:
 
* xxx
 
* xxx
 
* xxx
 
  
Involvement in the development and promotion of XXX is actively encouraged!
+
== Priorities ==
You do not have to be a security expert in order to contribute.
+
As of 12th December 2019, the priorities are:
Some of the ways you can help:
+
* A Primer on Cyber Security for the Board
* xxx
+
* Guidelines for selecting and evaluating the head of the Cyber Security program  (e.g. CISO/CSO/CCO)
* xxx
+
* Top 10 Criteria for leading a Cyber Security program
 +
* Cyber Threats per Industry Sector
 +
* Cyber Security Framework
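Review bot: the new "Priorities" list under "Road Map and Getting Involved" repeats the "Initiative Deliverables" list item for item; a roadmap entry is more useful if it says which deliverable is being worked on first, or links to the deliverables section instead of copying it. The Acknowledgements heading is marked "Work in Progress" while the Volunteers list below it already names the three contributors, so that marker can go once the list is considered complete.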
  
  

Latest revision as of 16:48, 13 December 2019


OWASP - Cyber Security in the Boardroom

The OWASP Cyber Security in the Boardroom initiative aims to provide the board of directors with a better understanding of cyber security and the challenges security professionals face, in order for them to protect the companies they represent.

Equally, it aims to provide cyber security professionals with a better understanding of the board of directors' expectations, what their roles and responsibilities are, and how they function. This is in order to help these professionals understand the board's needs and communicate upwards effectively.

Initiative Deliverables

  1. A Primer on Cyber Security for the Board
  2. Guidelines for selecting and evaluating the head of the Cyber Security program (e.g. CISO/CSO/CCO* )
  3. Top 10 Criteria for leading a Cyber Security program
  4. Cyber Threats per Industry Sector
  5. Cyber Security Framework

A Primer on Cyber Security for the Board

  1. Overview of Cyber Security for a Board of Directors
    • The Main Concepts of Cyber Security
    • The Challenges with Cyber Security
    • The Impacts of Cyber Security on an organisation
    • Responding to a Cyber Security Incident
    • Cyber Security Myths and Misconceptions
    • Cyber Security and Corporate Responsibility
  2. Overview of the Board of Directors for Cyber Security Professionals
    • Roles and Responsibilities of the Board
    • Board of Director Liabilities
    • Corporate Governance
    • Company Strategy and the role of Cyber Security
  3. Appendix
    • Useful Cyber Security References
    • Useful Board of Directors References
    • Scenarios

Selecting and evaluating the head of the Cyber Security Program

Head of the Cyber Security Program; Selection & Evaluation Guidelines:

  1. Background in dealing with information security challenges.
  2. Deep understanding of the Security Mindset and the Security Culture.
  3. Clear view of what it means to treat security as an ‘enabler’ in the context of the organisation, taking into consideration the business needs, strategy and vision.
  4. The twin nature of regulatory compliance and the role of the DPO in Data Privacy.
  5. Translating Risk from/to Business Needs.
  6. Addressing and communicating the “so what” question(s).
  7. The functional role of IT Security and how InfoSec deals with GRC, including the legal issues.
  8. Expert input on the fast-evolving digital ecosystem.
  9. Ability to distinguish between skills gap challenges and talent acquisition oversights.
  10. Measuring risk, compliance and maturity.

Top 10 Criteria for leading a Cyber Security program

  1. Establish segregation of duties and ownership of responsibilities for the cyber security program
  2. Managing risks in an evolving cyber landscape (Management Buy-in, Strategy, Planning, Governance, etc.)
  3. Organisational culture (security culture, mindset)
  4. Sector-focused prioritization of risks, types of attacks, threat actors.
  5. Mission Critical vs Business Critical; systems, networks and data.
  6. Digital Ecosystem (Architecture, Infrastructure, Cloud, Deployment, Physical Security, IAM, etc.)
  7. Secure communications (incl. Data-at-Rest, Data-in-Transit, Data-in-Process)
  8. Third-Party Risks (incl. Supply Chain)
  9. Readiness, Containment and Treatment
  10. Response and Continuity Plan

Cyber Threats per Industry/Sector

  • Automotive
  • Oil & Gas
  • Consumer Products
  • Power & Utilities
  • Government & Public Sector
  • Life Sciences
  • Telecommunications & Media
  • Real Estate
  • Technology
  • Mining & Metals
  • Private Equity
  • Finance & Banking

Cyber Security Framework

How to build / consider starting with a framework:

  • Policies & Procedures Creation Guidelines
  • Data Classification Guidelines
  • Compliance
  • Information Security Risk Management
  • Information Security Incident Management
  • Information Systems Continuity Management
  • Third-Party Security

Footnotes

*CCO: Chief Cyber Security Officer

Licensing

The OWASP Cyber Security in the Boardroom Initiative is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/), so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.

What is Cyber Security in the Boardroom?

OWASP Cyber Security in the Boardroom provides:

  1. A primer on cyber security for the board
  2. Guidelines for selecting and evaluating the head of the cyber security program
  3. Top 10 criteria for leading a cyber security program
  4. Cyber threats per industry/sector
  5. Cyber security framework

Project Leaders

  • Sherif Mansour
  • Grigorios Fragkos

Contributors

  • Paul Harragan

Quick Download

  • TBA

News and Events

  • TBD
  • TBD

In Print

This project can be purchased as a print on demand book from Lulu.com

Classifications

Classification images: OWASP Incubator Project; Builders; Defenders; Creative Commons BY-SA; project type: document.

FAQs

Work in Progress

  Q1
  A1
  Q2
  A2

Acknowledgements

Work in Progress

Volunteers

OWASP Cyber Security in the Boardroom Initiative is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Sherif Mansour
  • Grigorios Fragkos
  • Paul Harragan

Priorities

As of 12th December 2019, the priorities are:

  • A Primer on Cyber Security for the Board
  • Guidelines for selecting and evaluating the head of the Cyber Security program (e.g. CISO/CSO/CCO)
  • Top 10 Criteria for leading a Cyber Security program
  • Cyber Threats per Industry Sector
  • Cyber Security Framework


Project Info

  • Name: Cyber Security at the Board Level Project
  • Purpose: Provide the board of directors with a better understanding of cyber security and the challenges security professionals face, in order for them to protect the companies they represent. Equally, provide cyber security professionals with a better understanding of the board of directors, what their roles and responsibilities are and how they function. This is in order to help these professionals understand the board's needs and communicate upwards effectively.
  • License: ...
  • Project Leader(s): Sherif Mansour @
  • Project Pamphlet: Not Yet Created
  • Project Presentation:
  • Mailing list: N/A
  • Project Roadmap: Not Yet Created
  • Key Contacts: Contact Sherif Mansour @ to contribute to this project; contact Sherif Mansour @ to review or sponsor this project

Release(s) Info

  • Current release: Not Yet Published
  • Last reviewed release: Not Yet Reviewed
  • Other releases: