How IT-Compliance can boost your cybersecurity

TUV Rheinland i-sec GmbH
Dipl.-W.-Inf. Stefan Eigler, CISA, CISM, CCSP
Practice Leader - Mastering Risk & Compliance

Another Industrial Revolution?

TÜV Rheinland: Protecting society since 1872

• Industry 1.0: Mechanical Production
• Industry 2.0: Mass Production & Electricity
• Industry 3.0: Electronic & IT Systems
• Industry 4.0: Cyber-physical Systems, Social, Mobile, Analytics, Cloud

The 4th Industrial Revolution will be defined by the use of “cyber-physical” systems.

4/18/2019 How IT Compliance can boost your cybersecurity

‘An advanced, persistent cyberattack is only a matter of time …’

It’s critical to continuously assess cyber risks, prioritize security investments and implement cyber defences and controls that will keep your digital enterprise protected.

• Faster time to market
• Greater economies of scale
• Improved customer experience
• And many more …

The Digital Transformation is disrupting organizations no matter the size, industry or location.

Increased exposure to cyber attacks:
• Data theft
• Misconduct of intellectual property
• Damage operational processes
• Higher potential of digital fraud

The digital landscape
From a simple product to cyber physical systems and IoT

Products
• Mechanical & Software components are not deeply intertwined
• Not connected and “zero” intelligence

Cyber Physical Systems (CPS)
• Combination of mechanical and software components
• Connected System (wired or wireless)
• Intelligent embedded System

Internet of Things (IoT)
• Combination of mechanical and software components
• Network of physical devices, vehicles, …
• Intelligent embedded System
• Collect and exchange information

Cybersecurity dimensions
Cybersecurity as a baseline for safety and privacy

• Safety: Protection of the environment against the IoT product.
• Cybersecurity: Protection of the IoT product against cybercriminals.
• Privacy: Ensuring the informational self-determination of the end customer and protection of customer’s data.

Testing IoT Products and Systems comprehensively needs highly diverse knowledge.

Cybersecurity in digital Transformation
Tie cybersecurity strategy to digital transformation goals and make it visible

[Diagram labels: Information Security, Compliance, BCM, Metrics & Reporting, ISMS, Risk Management, GRC, Cyber Security, Requirements, Reports, Incident Management, Risks, Metrics, Trends, SOC, Log Data, IT-Security, Relevant Deviations, Flow Data, Security Relevant Information, Security Intelligence, Sensors, Trend/History]

Cybersecurity in Digital Transformation
Safety, Reliability and Privacy: digital security imperatives

The New Model for Digital Security

[Diagram labels: Data, People, Environments, Confidentiality, Privacy, Integrity, Safety, Availability, Reliability]

Source: Gartner Security & Risk Management Summit: „Tutorial: Gartner Essentials: Top Cybersecurity Trends

IT Compliance
A definition

• In corporate management, IT compliance describes compliance with legal, internal and contractual regulations in the IT landscape of a company
• IT compliance is to be seen in the context of IT governance, which extends the topic to the areas of controlling, business processes and management
• The focus of IT compliance as a sub-area is on those aspects of compliance requirements that affect a company's IT systems
• Compliance requirements in IT include information security, availability, retention and privacy
• Companies are subject to numerous legal obligations; non-compliance can lead to high fines and liability obligations. Additionally, EU directives, international conventions, corporate conventions and trade customs need to be taken into consideration

IT Compliance
Example map Germany: Requirements on IT

IT Compliance
Example: EU General Data Protection Regulation (‚GDPR‘) - Overview

• Came into force May 25th 2018
• Hefty fines up to 2-4% (10 – 20 Mill. €) of annual turnover (group perspective)
• Strengthening of data subjects' rights
• Accountability of the board
• Risk based approach
• Technical & organizational measures to be implemented
• Privacy by De
