Information Security Framework - Part 2

Loading...

Do curso por University at Buffalo

Cyber Security in Manufacturing

71 classificações

University at Buffalo

Cyber Security in Manufacturing

71 classificações

Curso 7 de 9 em Specialization Digital Manufacturing & Design Technology

The nature of digital manufacturing and design (DM&D), and its heavy reliance on creating a digital thread of product and process data and information, makes it a prime target for hackers and counterfeiters. This course will introduce students to why creating a strong and secure infrastructure should be of paramount concern for anyone operating in the DM&D domain, and measures that can be employed to protect operational technologies, systems and resources. Acquire knowledge about security needs and the application of information security systems. Build the foundational skills needed in performing a risk assessment of operational and information technology assets. Gain valuable insights of implementing controls to mitigate identified risks. Main concepts of this course will be delivered through lectures, readings, discussions and various videos. This is the seventh course in the Digital Manufacturing & Design Technology specialization that explores the many facets of manufacturing’s “Fourth Revolution,” aka Industry 4.0, and features a culminating project involving creation of a roadmap to achieve a self-established DMD-related professional goal. To learn more about the Digital Manufacturing and Design Technology specialization, please watch the overview video by copying and pasting the following link into your web browser: https://youtu.be/wETK1O9c-CA

Na lição

Introduction to Digital Manufacturing Security

The purpose of this module is to introduce you to the information security need, framework and processes, as it applies to creating a strong and secure Digital Manufacturing and Design infrastructure.

Information Security Framework - Part 14:35

Information Security Framework - Part 27:06

Conheça os instrutores

Shambhu Upadhyaya
Professor
Computer Science and Engineering

In this lesson we will briefly describe

Risk Management using a three lines defense model.

In 2013, the Institute of Internal Auditors,

IAA, proposed a three lines of

defense model for the better understanding of risk management.

This model is essentially

a risk management framework that simplifies the process of communication

and provides effective governance of risk management and

assurance by clearly defining roles and duties.

It is a simplified and resilient approach for risk management,

and can be applied to any business very easily.

It is comprised of three key elements namely;

risk identification and assessment,

risk management and risk monitoring.

The first line of defense has the following objectives;

identify and assess risks,

identify potential losses that can be caused by the threat,

provide risk response to design an effective risk mitigation strategy.

This is followed by the creation of a risk assessment report which helps in designing

a risk mitigation strategy which in turn helps to

reduce the impact of identified threat on the organization.

The second line of defense has the following objectives;

define a risk management strategy that facilitates and

monitors the implementation of effective risk management practices,

a controllership function that monitors

financial risks and financial reporting issues of an organization.

The third line of defense performs operations such

as internal and external audit which provides

insight on the levels of assurance provided by

business operations and risk management functions.

The audit process provides an assurance on

the effectiveness of governance, risk management,

and internal controls, including the manner in which

the first and second lines of defense achieve risk management and objectives.

The cracks of this three lines of defense model is to highlight the need for

higher levels of independence and objectivity as we go from first level to the third.

Hence the third line reports to the governing body.

Also, the primary context here is that each line of defense should be

adequately designed to catch threats undetected by the previous lines of defense.

Therefore, recommended practices for

appropriate risk management in an organization are one;

risk and control processes should be

structured in accordance with the three lines of defense model.

Two, each line of defense should have defined policies and rolls.

Three, there should be proper coordination among

all three lines of defense to enhance efficiency and effectiveness.

Four, risks can control functions operating at different lines should communicate

efficiently to help support different functions to

foster overall efficiency of the risk management process.

Enterprise risk management is a quite in all topic,

but it's very relevant for this course and it will be revisited in the next lesson.

As the final topic of this lesson,

let us briefly review the available standards that will help

create the Information Security Framework for a DMD application.

First, NIST Cyber Security Framework.

In 2013, NIST introduced a framework for improving critical infrastructure security as

a response to President Obama's executive order

to strengthen the resilience of nation's critical infrastructure.

This essentially draws from the practices developed by

the International Organization for Standardization called ISO.

It contains five functions namely; identify, protect,

detect, respond, and recover and has a 40-year risk management framework.

Second; COSO Model, the Committee of

sponsoring organizations of the Treadway Commission called COSO,

issued a joint initiative in 2013 to fight fraud.

It basically provides guidance on enterprise risk management,

internal control and fraud deterence.

The model has five components namely; control environment,

risk assessment, control activities,

information and communication, and monitoring.

ISO 31000; this was issued in

2009 and still provides guidance on risk management for small and medium-sized companies.

However, it can be used by any organization,

regardless of size and type of activity.

The guidelines are quite generic.

GAIT, Guide to the Assessment of IT Risk,

or simply GAIT is the Risk Management Guide issued by the Institute of internal auditors

for assessing the scope of IT in

an organization using a top-down and risk-based methodology.

Like the other tools,

it identifies the risks and recommends mitigation strategies.

Links to the various enterprise risk management models

are available in the resources section of this module.

In the next lesson, my colleague,

Mr. Shriram Wilai Anoor will join us to provide

additional expertise in Operational Technologies and Information Technologies,

and Enterprise Risk Management

Explore nosso catálogo

Registre-se gratuitamente e obtenha recomendações, atualizações e ofertas personalizadas.

O Coursera proporciona acesso universal à melhor educação do mundo fazendo parcerias com as melhores universidades e organizações para oferecer cursos on-line.

© 2019 Coursera Inc. Todos os direitos reservados.

Baixar na App Store

Baixar no Google Play