
Cybersecurity and Business Analysis

Heather Noggle
July 03, 2024


Are you a business analyst curious about or soon to work in cybersecurity? There are some intersection points in the work.


Transcript

  1. Heather Noggle • Public sector HR • Long career as full stack developer / BA / PM • Business owner • Board leader
  2. Information Security and Business Analysis • Introducing Cyber Hygiene • Information Security and Business Analysis = Stewardship • Information Security and Training for Business Analysts • Impact of Information Security Work within Business Analysis • Standards and Frameworks and Impact on Business Analysis
  3. Introducing Cyber Hygiene • Password Best Practices • Password Manager • Multifactor Authentication • Update (Patch) Software • Cybersecurity Mindset (Awareness) • Antivirus/Antimalware • Know Your Devices • Back Up Your Data • Understand Social Engineering (Fraud) • Own Your Clicks
  4. Why Information Security in Business? • “Everyone” needs to secure information • Each person needs to secure information • Everything’s connected, including our fridges and printers • Our cars • Our devices • Information security has therefore become cybersecurity
  5. Cybersecurity Defined: People, processes, and technology working together to protect the confidentiality, integrity, and availability of data. Keeping private data private and enabling proper access to public data.
  6. Cybersecurity and Training for Business Analysts • IIBA – Certificate in Cybersecurity Analysis • ISC2 – Certified in Cybersecurity
  7. Impact of Business Analysis in Cybersecurity • With Change Comes Risk • “Shift Left” • Newer Focus in Business Analysis • A Lens to Use in Discussion • Security Built into Functionality
  8. “Shift Left”: From production all the way back into concepts – security embedded in software development. And before. Requirements need security consideration. Shape conversation.
  9. Security Built Into Functionality • Explicit security requirements • Prompt – use that lens to get there • Zero trust • Always verify • Ensure no unintentional state change • Least privilege • Who’s got access? • Why? • Who should never access?
  10. Standards and Frameworks • NIST Cybersecurity Framework – CSF https://www.nist.gov/cyberframework • Center for Information Security - CIS v8 https://www.cisecurity.org/controls/cis-controls-list
  11. CIS v8 • 18 Controls • 153 Safeguards (within the controls) • Aligned with NIST CSF • Most BA emphasis will be on Protect items
  12. CIS 18 Controls and Intersection with BA • Control 3 – Data Protection: 14 Safeguards • Control 14 – Security Awareness Training: 9 Safeguards • Control 16 – Application Software Security: 14 Safeguards