Browse communities
Presenting a webinar?
Share this content

Enterprise-Wide Risk Management

Ronald S. Ross; NIST Fellow
For decades, organizations have managed risk at the information systems level. This information system focus provided a very narrow perspective that constrained risk-based decisions by senior leaders/executives to the tactical level—devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security by organizations resulted in a focus on vulnerability management at the expense of strategic risk management that is applied across enterprises. NIST Special Publication 800-39 introduces a three-tiered risk management approach that allows organizations to focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes—making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of effective information security architectures that provide roadmaps for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.
Feb 3 2011
41 mins
Enterprise-Wide Risk Management
IT Security Risk NIST
  • Channel
  • Channel profile

Governance, Risk, and Compliance

Up Down
  • 2 Minutes on BrightTALK: BYOD from Policy to Technology Recorded: Jun 18 2013 2 mins
    "You look at how you're going to let this operate within your network. So you start with the policy, then you look at the technology that you need to deploy on these devices. Then you actually look at who has access to what." Jeffrey Vinson, Director and CISO of SecureNet Payment Systems, discusses the steps to progress through when preparing for BYOD in your business.
  • HIPAA and FTC Health Breach Law: Correcting The Perils Of Lax Security Recorded: Jun 13 2013 49 mins
    Join Raj for a complete regulatory overview including:

    - HIPAA Omnibus Update
    - FTC Health Breach Rule
    - Top 5 reasons organizations FAIL Security Assessments
    - Case Studies
    - Guidance
    - Success Stories
  • What You Need to Know Before the Auditors Ask Recorded: Jun 13 2013 47 mins
    Don't be caught off guard when your auditors show up and start asking internal control questions that you can't answer. In this roundtable session, listen, learn, and share your experiences around managing your internal control system with your ERP system and what to be prepared for BEFORE the auditors show up. There are always tips to learn from others in the compliance area and this session traditionally has lively dialogue, so don't miss this opportunity to prepare for your next audit.
  • Securing Mobile Apps: Old School Know How For the New World Order Recorded: Jun 13 2013 58 mins
    Mobile devices and applications are redefining business, revolutionizing productivity and driving competitive advantage. But as the volume of mobile applications increases, so too are mobile exploits. In the rush to enter the mobile software market, are we taking shortcuts that force us to repeat sins of the past? Like caching sensitive data, incomplete encryption and simple mistakes in coding? Don't let old-school vulnerabilities allow hackers to resurrect previously obsolete malware and exploits. With the experience of more than 1,400 incident response investigations, thousands of penetration tests and hundreds of application security tests, Trustwave SpiderLabs' Charles Henderson will show IT, security and development teams how to make sure they're not leaving sound security practices and due diligence behind as they develop new mobile applications.
  • HIEs & HIXs: What’s in Store for a New Class of Business Associates Recorded: Jun 13 2013 49 mins
    The HITECH Act created new categories of business associates that included health information organizations (HIO), these days referred to as HIEs, and health insurance exchanges (HIX). OCR is preparing to make sure these business associates follow the HIPAA rules.

    The omnibus rule compliance date is rapidly approaching. If you’re an HIE or an HIX, it’s time to make sure all of those policies are in place, the workforce is trained and all of those other tasks that pave the road to HIPAA compliance. This also includes, among other things, reaching out to all of your covered entity customers and negotiating that business associate agreement, testing security incident response plans and that business continuity plan. You will walk away with a solid understanding of the not-so-new privacy and security requirements and practical information you can use to ramp up your compliance efforts in preparation for the September 23, 2013 omnibus rule compliance deadline.
  • Business Driven Continuous Compliance Recorded: Jun 13 2013 40 mins
    While a key driver for adapting security technologies, compliance is still a huge burden for most organizations. In the presentation we will discuss novel approaches to both lower the cost of compliance and derive relevant business value from the process. Changing the compliance process from a periodical manual process into a continuous automated process ensures real time visibility into your compliance posture as well as the ability to react in real time to compliance issues rather than just after the fact. By overlaying the information collected with your enterprise IT asset model, the real time compliance information can also contribute to business driven risk management and help in making the right investment decisions in information security.
  • How to Pass Your Next Audit Without Putting Your Business on Hold Recorded: Jun 13 2013 38 mins
    Establishing PCI DSS compliance can be extremely resource intensive. For medium to large organizations, the many tasks involved in documenting, tracking and auditing network security procedures manually can take days. With an automated firewall operations, auditing and compliance solution, companies can substantially reduce the time and cost of PCI DSS compliance as it applies to the management of firewalls, routers and related network security infrastructure. Learn how to reduce the amount of time required for audit preparation by more than 50%, while enabling continuous compliance with the PCI standard.
  • Risk Analysis: Step One in Addressing Compliance Requirements Recorded: Jun 12 2013 44 mins
    Compliance with security regulations, standards and requirements is an ever-increasing presence impacting how business is conducted. These regulations are designed to compel organizations to effectively manage information risk and require a concrete method for protecting assets. Conducting a risk analysis is the first step in this process.

    The primary focus of the webinar will review a proven risk analysis methodology and approach for effectively managing information risk.
  • Malware Automation and How To Protect Against It Recorded: Jun 12 2013 36 mins
    Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.
  • Gaining Threat Intelligence and Combating the Four Most Common Attack Vectors Recorded: Jun 12 2013 36 mins
    The HP Security Research team (HPSR) is hard at work monitoring the threat landscape for new campaigns, profiling actors to understand their motivations, identifying the tools they use and determining how credible certain threats might be. It’s part of a long-term strategy for developing a new threat intelligence-sharing model. Why is that important? It will provide real-time info from the larger security community-- enterprises like yours, industry security organizations and security vendors-- that can be used to automate and catch these breaches immediately.

    Learn about HP’s findings, including these culprits: injection flaws, DDoS, various phishing techniques and zero day vulnerabilities. How can you address the inevitable breaches that will occur?
  • Getting From Reactive to Proactive Endpoint Security Recorded: Jun 12 2013 44 mins
    Antivirus only stopped 49% of malware in 2012. Is your data safe against the malware tools being deployed by cyber-criminals? Today’s hackers are using targeted attacks, drive-by downloads and exploiting human error to access your organization’s intellectual property. IT Security’s ability to move from reactive to proactive security involves deploying both intelligence and policy based protection. Full protection for both physical and virtual environments requires an integrated, layered defense on the endpoint. Join us to learn best practices and strategies for unrivaled security and blazing performance to defend your organization against today’s complex threats.
  • The Future of PCI: Securing Payments in a Changing World Recorded: Jun 12 2013 42 mins
    his session will provide an update on PCI Standards, guidance and new programs for 2013 and strategies for how organizations can take advantage of new technologies and advances in payments to secure cardholder data in the future.
  • The New “Denial of Service” Attack: Why You May No Longer be Protected Recorded: Jun 12 2013 49 mins
    There was a time when distributed denial of service (DDOS) attacks threatened business operations by simply “flooding the network pipe” with traffic congestion. But that has all changed. Today’s sophisticated and targeted attacks use a multitude of vectors to overwhelm and infiltrate websites and online services – disrupting an enterprise’s online presence and customer’s ability to do business with the company under attack.

    While enterprises once could rely solely on their cloud service providers, ISPs and perimeter security to protect against these attacks, many are just now learning they are vulnerable to the new types of denial of service attacks. Some of these highly targeted attacks are taking down online services while others are being used as a diversionary tactic that is used to distract from an advanced malware attack.

    This presentation will cover examples of high profile, multi vector attacks that use stealth components and application vulnerabilities to shut down or infiltrate an enterprise’s network. Attendees will learn what types of attacks cloud providers and service providers are stopping and what attacks need to be handled on the internal enterprise network. The presentation will also cover a framework that will help organizations move toward a more secure stance against denial of service attacks.
  • Unlocking the Key to Efficient Compliance and Audit Management Recorded: Jun 12 2013 45 mins
    Join Brady as he explains why placing priority on information security will lead your organization down the path of compliance by default – drastically reducing the time and resources needed for audit and compliance management and reporting.

    Discover how your organization can benefit from:

    · A proactive risk management strategy and full visibility into its risk posture
    · A streamlined and better-managed information security program
    · Simplified risk assessment and mitigation
    · Automated compliance with regulatory requirements
  • Vulnerable Where You Least Expect It: How Hackers Target Devices Recorded: Jun 12 2013 41 mins
    The IT community is used to network-based attacks from PCs, but how prepared are you against attacks from mobile devices brought in by our employees and networked equipment out in the field? This talk will present some recent examples of such threats and offer some possible solutions.
  • 2 Minutes on BrightTALK: Focus on the Right Security Metrics Recorded: Jun 11 2013 2 mins
    "Every organization is going to have very different security metrics, because it depends on the business and the metrics that are important to that business." Risk I/O CEO Ed Bellis took some time to discuss the importance of selecting measurable, actionable metrics by which to jduge your security program.
  • Closing the Loop: Automating Security Response Recorded: Jun 7 2013 44 mins
    Anthony Di Bello, Strategic Partnerships Manager with Guidance Software will discuss the benefits and technical implementation of an automated incident response workflow leveraging EnCase and FireEye technology. You will see how the two technologies work together to deliver an industry-first approach to detect, respond to and remediate today’s cyber-attacks. The integrated solution is designed to:

    · Dramatically reduces time-to-discovery and time-to-response
    · Enables security analysts to clearly prioritize their response based on threat severity
    · Delivers the next evolutionary step of the security stack with data-driven, automated actions
    · Reduces the risks and high costs associated with cyber-attacks through an end-to-end approach from detection to recovery
  • BYOD - A Layered Approach to Mitigate Security Incidents Recorded: Jun 7 2013 49 mins
    BYOD is the most radical shift in client computing for business since the rise of PCs. Allowing personally owned devices in corporate environments poses many security challenges. A user can very easily bring a compromised mobile device into the office causing a security incident. During this session Presidio will cover some of the current BYOD threats and trends as well as discuss strategies for building a layered security architecture to help detect and prevent security incidents and allow organizations to securely support BYOD adoption.
  • Investigating and Remediating Security Incidents: How Prepared Are You? Recorded: Jun 7 2013 38 mins
    Do you suspect you have a security incident? Time is of the essence. Your initial approach can determine how much damage the cyber security incident does—or does not do—to your organization.

    What if you could reduce the time it takes to investigate and remediate a security incident from days to minutes? Join us for this webcast to learn how you can improve your incident response by:

    •Locating every instance of a suspicious file across your endpoints and servers
    •Knowing if the malware executed, when, and what it did
    •Stopping an attack and preventing it from happening again
    •Analyzing files that arrive on your endpoints and servers to quickly determine their risk
  • Digital Forensics and Incident Response – Why You Need Them Both Recorded: Jun 7 2013 45 mins
    Nobody wants to fall sick, and yet we all do. By the same token, nobody expects their systems to be breached, and yet it happens. When that happens, companies need a blend of Digital Forensics and Incident Response expertise to deal with the incident. However, the distinction between these two related but different services and their roles in responding to a breach are often not clear to the victims of the breach. In this session, Vivek Chudgar, Director of FireEye Labs (APAC), will explain the key differences between Digital Forensics and Incident Response and demystify the role each service plays in effectively responding to a breach.
trends, developments, and technology
Increasing expectations for good governance, effective risk management and complex demands for legislative and regulatory compliance are presenting a growing challenge for organizations of all sizes. Tune in to live and recorded presentations by respected luminaries in the fields of governance, risk and compliance. Their thought leadership will provide you with practical advice on how to implement successful GRC strategies and processes for your organization.
  • Upcoming webinars (20)
  • Recorded webinars (415)
  • Subscribers (16,355)
Channel RSS feed
Up Down

Embed in website or blog

Successfully added emails: 0
Remove all
  • Title: Enterprise-Wide Risk Management
  • Live at: Feb 3 2011 9:00 pm
  • Presented by: Ronald S. Ross; NIST Fellow
  • From:
Your email has been sent.
or close
You must be logged in to email this
OK