Viktor on Digital Evolution


Wednesday 5 April 2017

The first 100 days of the next generation CISO, CISO 360 Congress, Barcelona 5-7 July 2017

The first 100 days of the next generation CISO

Whether you are starting a new job or engaging with a new customer in the role of a CISO-as-a-Service, you face the challenge of how to effectively and efficiently identify areas of critical importance, establish partnerships with key stakeholders, identify the crown jewels within the organizational value chain, map business risk to technology risk, and finally define and implement a sound information security strategy that fosters security as a business enabler rather than an obstacle.

Key takeaways:

- Effective communication examples with key partners such as business process owners, Chief Internal Auditor/Investigator, Chief Enterprise Risk Officer, Legal Advisor, Chief Finance Officer, Chief Information Officer, Chief of Human Resources, Ethics Officer, Data Privacy Officer, and others.

- Which documents can provide insights into critical business processes and the related crown jewels.

- How to leverage innovative technology and processes such as machine learning to identify areas of critical importance and related key roles?

- How to build a successful security team?

Presentation slides: The first 100 days of next generation CISO

More on CISO 360 Congress.

Sunday 2 April 2017

CISO Challenge: Bridging the Gap between Tactical and Strategic Information Security Risk Management, CISO Summit Middle East, 27 March 2017, Dubai

CISO Challenge: Bridging the Gap between Tactical and Strategic Information Security Risk Management

• Effectively communicating key risk indicators through risk intelligence

• Collecting information on the most important business activities and prioritizing information security program activities accordingly

• Focusing on human-oriented rather than technology-oriented information security

Presentation slides (Viktor Polic, CISO Dubai 2017)

CISO Summit agenda

Thursday 23 February 2017

COSC 3410 Computer security (Webster University Geneva - 2003, 2004, 2005, 2006, 2007, 2009, 2011, 2013, 2015, 2017)

Course description Students in this course will study the techniques for protecting data within a computer and protecting data as it moves through a network. Data and system security and reliability will be considered in a distributed environment. Topics will include encryption, authentication and digital signatures, threats to the computer system, and system reliability.

Statement of objectives

The course is designed to help students meet the following major objectives:

a. To introduce fundamental concepts in computer security.

b. To explore important computer security technologies and measures.

c. To explain the process of implementing and managing computer security.

Schedule of sessions :

Week 1 Introduction and Course Overview Define Information Security, Protecting Confidentiality, Integrity and Availability of information, Personally Identifiable Information (PII), Data privacy

The Threat Environment: Attackers and their Attacks Security policy and risk management Governance and regulatory compliance

Week 2 Cryptography The Elements of Cryptography (Hands-on activity: Using encryption to exchange documents via e-mail) Public Key Infrastructure – Digital certificates Digital Signatures (Practical demo: Using encryption to protect integrity of a document) Cryptographic System Standards

Week 3 Securing computer networks Protection of wired and wireless computer networks (Hands-on activity: Setting up and protecting a wireless network) (Practical demo: Using a wireless network traffic analyzer/sniffer)

Week 4 Access control Identification (Practical demo: Using encryption for identification), AAA (Authentication, Authorization, Accountability), Identity Management, Directory Services

Week 5 Security Technologies Firewalls (Hands-on activity: Configuring a firewall) Virtual Private Networks (Hands-on activity: Setting up and using a VPN), Intrusion Detection and Intrusion Prevention Systems

Week 6 Host and Data Security Malicious code Viruses, Trojans, Worms Security hardening of operating systems, security baselines, vulnerability management, patch management (Practical demo: Securing a PC and testing vulnerability)

Week 7 Internet security Security Infrastructure for Internet Access (Practical demo: What is a proxy server? And a reverse proxy?) E-Commerce Security Requirements, Internet browser security, security of messaging Application security, XSS (Cross-site scripting) (Practical demo: Web site vulnerable to XSS attack – risk to Internet users) Security assessment of Web applications

Week 8 Data security Data backup, retention, and redundancy. Database security. Business continuity and Disaster recovery planning. Cloud computing

COSC 3500 IT Project Management (Webster University Geneva - 2016)

Course objectives. This course provides students a holistic and integrative view of project management. The course covers concepts and skills that are used by IT professionals to propose, plan, secure resources, budget, and lead IT project teams to a successful completion of their projects.

Course Statement of Objectives:

At the completion of this course this student will be able to:

• Identify the different types of information systems project

• Understand the effect of the organization strategy on project management

• Understand the project management frameworks

• Identify project management life cycle methodologies

• Understand project management planning, monitoring, controlling and reporting

• Learn about managing risk, stakeholders, quality, suppliers, and changes during a project management life cycle

• Understand the impact of human leadership on the project management procedure and outcome

Schedule of sessions :

Week 1 Introduction to Project Management The Project Management and Information Technology Context Introduction to the term Project

Week 2 The Project Management Process Groups: A Case Study Project Integration Management Teams’ presentation and progress report documentation

Week 3 Project Scope Management Project Time Management Teams’ presentation and progress report documentation

Week 4 Project Cost Management

Week 5 Project Quality Management Project Human Resource Management Teams’ presentation and progress report documentation

Week 6 Project Communication Management Project Risk Management Teams’ presentation and progress report documentation

Week 7 Project Procurement Management Project Stakeholder Management Teams’ presentation and progress report documentation

Week 8 Teams’ presentation of the final project and entire project document Final Exam

COSC 3050 Data Structures I (Webster University Geneva - 2016)

Course Description : Studies the design and implementation of the most common algorithms associated with the basic data types and with some elementary data structures using C++. The relationship of algorithm design to problem solving in general is studied. The course also covers algorithms to improve the robustness and user friendliness of programs.

Course Statement of Objectives:

At the completion of this course this student will be able to:

1. Demonstrate familiarity with good software development practices involving design, coding, and testing

2. Demonstrate a good understanding of the benefits of using dynamically allocated memory

3. Demonstrate a mastery of the fundamental programming techniques necessary to implement, test, and use the List, Stack, and Queue data structures

4. Compare and make a critical assessment of data structures for specific applications

5. Demonstrate an understanding of the benefits of reusability of code via templates

6. Demonstrate a mastery of multi-file project organization.

Schedule of sessions :

Week 1 Value and reference arguments Default argument values Class definitions File organization Namespaces Overloaded operators Class templates Const qualification Const member functions Constructors

Week 2 Pointers The ‘new’ and ‘delete’ operators Limitations of arrays Dynamically allocated arrays The ‘heap’ versus the ‘stack’ An “Array” class implementation Destructors Copy constructors

Week 3 Collections Limitations of dynamically allocated arrays Concept of ‘linked lists’ A “Linked List” class implementation Comparison of arrays and linked lists

Week 4 Function templates Function overloading Linked Lists re-visited; incorporate overloaded operators More complex applications using linked lists

Week 5 Basic Stack operations A “Stack” class implementation Reverse Polish Notation expressions Detailed discussion of other Stack applications

Week 6 Basic Queue operations A “Queue” class implementation Circular arrays Detailed discussion of Queue applications

Week 7 Variations of Linked Lists Linked lists with “head nodes” Doubly linked lists Circular linked lists Multiply-Ordered Lists Generalized Lists

Week 8 Course review and exam

COSC 3340 Mobile Computing (Webster University Geneva - 2014)

Course Description : This course will study the leading-edge mobile computing technologies for professional software developers. The course will be hands-on and project-based. The central focus of the course is to enable the understanding and critical evaluation of mobile applications.

Course Statement of Objectives:

At the completion of this course:

1. Student will be able to design fundamental mobile applications

2. Student will be able to explain mobile application design principles

3. Student will be able to apply design knowledge to application development

4. Student will be able to explain application development process

Schedule of sessions :

Week 1 Introduction to SDK and Xcode The Basics of objective-C programming Data types and variables Expressions Flow control Loop

Week 2 Introduction to classes, objects, and methods Inheritance In Class Lab: An Objective-C class for working with fractions

Week 3 Working with files In Class Lab: NSData Class Basic File Operation: NSFileHandle

Week 4 Memory Management In Class Lab: Autorelease Pool Garbage collection

Week 5 Putting everything together: iPhone/iPad SDK In Class Lab: Creating a Fraction_Calculator project

Week 6 Apple iPhone Platform the UIKit for Interfaces Event Handling and Graphics Services In Class Lab: Layer Animation Model-View-Controller (MVC) pattern Add image and button action to application

Week 7 iOS Design principles: Interface (UI) Development for Mobile Apps User Interface Frameworks Gesture-based interfaces In Class Lab: Add user settings and gestures Split view controller and master view Selection responding Debugging and use debugger Testing views

Week 8 Course overview and final exam

COSC 2810 SYSTEMS ANALYSIS AND DESIGN (Webster University Geneva - 2014)

Course description : Covers the basic concepts involved in systems analysis, including effective communication, analysis tools, and phases of the systems development life cycle.

Course Statement of Objectives:

At the completion of this course this student will be able to:

1. Identify various technologies used in the information systems area.

2. Identify phases of system development life cycle.

3. Identify components of a business information system

4. Name and define different types of information systems

5. Identify the importance of documenting, modeling, and prototyping in a classical system development life cycle

6. Identify the components of an Entity Relationship Diagram and Data Flow Diagram.

7. Recognize errors in an ERD and DFD

8. Define the problem solving process conducted in a system development life cycle

9. Identify activities in an information system project system development life cycle

10. Identify tools and techniques used in a classical systems development life cycle.

11. Develop simple documentation for the basic activities conducted in a systems development life cycle.

Schedule of sessions :

Week 1 Introduction and system development life cycle - Systems development tools and techniques - Systems development methods - SDLC phases - Case studies

Week 2 Requirements modeling - Analyzing the business case - Joint Application Development (JAD) - Rapid Application Development (RAD) - Case studies

Week 3 Enterprise modeling - Entity-Relationship Diagrams (ERD) - Data Flow Diagrams (DFD) - Data dictionary - Process description tools - Development strategies - Cost-benefit analysis

Week 4 Development strategies - Cost-benefit analysis - Prototyping

Week 5 Systems design - Data design - DBMS components - Data relationships - Case studies

Week 6 System architecture - Enterprise Resource Planning (ERP) - Processing methods - Impact of the Internet - Case studies

Week 7 System implementation, operations and support - Quality assurance - Testing - Documentation - Case studies

Week 8 Course review and Final exam

COSC 2670 Telecommunications (Webster University Geneva - 2009, 2010, 2011, 2012, 2016)

Course Description : In this course students examine the various technologies and applications of telecommunications. The course provides an analysis of the current and future trends in telecommunication technologies and services and includes an overview of the industry and the associated management and strategy issues.

Course Statement of Objectives:

At the completion of this course this student will be able to:

• Explain current network standards

• Explain the physical propagation of data through a network

• Explain Ethernet LAN architecture

• Explain TCP/IP Internetworking

• Explain wireless networks

• Explain Quality of Service

• Discuss Networked Applications

Schedule of sessions :

Week 1 Course overview Introduction to Telecommunications Network Standards An Introduction to Networking Network Standards

Week 2 Physical Layer Propagation, Ethernet LANs

Week 3 Ethernet LANs (continued), Wireless LANs

Week 4 Telecommunications

Week 5 Wide Area Networks

Week 6 TCP/IP Internetworking

Week 7 An Introduction to Telecommunications Security

Week 8 Future technologies, Term Paper Presentations

COSC 2610 Operating Systems (Webster University Geneva - 2005, 2006, 2015)

Course Description: The course provides an overview of the concepts and theories of operating systems. It examines the major components found in all operating systems, including the memory manager, the process manager, and the device and file managers. Networking and the Internet will also be presented, as these technologies are supported by modern operating systems. Practical examples will be presented on Linux and MS Windows.

Course Statement of Objectives: The course will provide a working foundation in the basics of single-processor computer operating systems.

Schedule of sessions :

Week 1 Introduction and basic OS concepts - The shell, I/O, file system, memory management and processor management

Week 2 User interfaces, looking at Windows and Linux

Week 3 OS internals part one, looking at the Intel architecture

Week 4 OS internals part two, looking at Windows 2000 and Linux

Week 5 Networks and the client/server OS

Week 6 Windows 2000 Server

Week 7 The Internet

Week 8 Course review

TELE 5000 Advanced Topics: Telecommunications Management (Webster University Geneva - 2003, 2004)

Course Description: In this course, students examine the various technologies and applications of telecommunications. The course provides an analysis of the current and future trends in telecommunication technologies and services and includes an overview of the industry and the associated management and strategy issues.

Course Objectives:

The course is designed to help students meet the following major objectives:

a. To introduce fundamental concepts in telecommunications so that students will have the basis for understanding new and more complex services.

b. To explore the language and significance of important telecommunication technologies.

c. To provide explanations of the technologies through examples of applications and historical highlights.

Schedule of sessions :

WEEK 1 Introduction and Course Overview Fundamentals of telecommunications Basic Concepts Telephone Systems and Cabling

WEEK 2 Telecommunications Industry Overview Regulatory Affairs Network Service Providers and Local Competition The Public Network

WEEK 3 Advanced Technologies Specialised Network Services Modems and Access Devices

WEEK 4 The Internet

WEEK 5 Wireless Services

WEEK 6 Telecommunications Convergence Converging Technologies, Company Convergence, Services Convergence

WEEK 7 Globalization issues and telecommunications Deregulation, Digital Divide, Health and Social Issues

WEEK 8 Fieldtrip: Visit to the ITU Telecom World 2003

WEEK 9 Presentation of Term papers Course Review

TELE 5220 Issues in Telecommunications Management (Webster University Geneva, 2002)

Course description In this course students examine a variety of topics related to the use of the Internet for IT and Telecommunications management. Among the topics are electronic commerce, search engines and search strategy, principles of Web design and use, Internet services and Internet applications, and Intranets and extranets for organizational communications. Anticipated future developments will also be considered. The course material will be handed to students and will consist of articles, corporate white papers and case studies. Each topic will be illustrated with practical examples, and best practices will be discussed. During the course students will participate in group exercises in which each student takes a different IT team function to simulate a corporate environment and become aware of formal as well as informal management concerns. Corporate visits and presentations are envisaged.

Statement of objectives By the end of this course students will be able to answer the following questions:

- How to support an Internet-centric business plan as IT and Telecommunication manager?

- How to efficiently and securely exploit the Internet as a source of information and as a means of providing corporate information?

- How to develop a corporate Internet strategy and get ready for future technologies?

Schedule of sessions :

1. Intranets and extranets for organizational communications

2. Search engines and search strategy

3. Corporate Web presence

4. Network directory services

5. Corporate e-mail/groupware

6. Principles of Web design and use

7. Electronic commerce and security

8. Anticipated future development

Thursday 9 February 2017

Published article: Data Owners Responsibilities When Migrating To The Cloud, ISACA journal, published in volume 6/2014

Co-author with Dr. Ed Gelbstein: Data Owners Responsibilities When Migrating To The Cloud, ISACA journal, published in volume 6/2014

Abstract: This article is intended as a complement to the well thought out, detailed and useful article “IT Security Responsibilities Change When Moving To The Cloud” by Larry Wlosinski (ISACA Journal, Volume 3, 2013) by bringing in the role of another major player: the data owner.

While the whole purpose of computing is to process data, data management, data quality and other aspects of data governance tend to get little attention from the IT community, and best practices in these domains rely on the work of other professional bodies such as the Data Management Association, developer and publisher of the Data Management Body of Knowledge (DMBOK).

Link to the article

Published article: Ethical hacking: The next level or the game is not over, ISACA journal, published in volume 4/2014

Author: Ethical hacking: The next level or the game is not over, ISACA journal, published in volume 4/2014

Information security vendors have recognized the need to optimize the process of managing ethical hacking projects with the goal of reducing their costs, and have started offering ethical hacking services in the form of Security as a Service (SecaaS) solutions. The ability to acquire ethical hacking security assessments for information systems with medium or even low business impact would allow organizations to build more complete and accurate risk treatment plans and to optimize resources for information security management.

http://www.isacajournal-digital.org/isacajournal/2014_volume_4?pg=16#pg16

Published article: Glow in the dark – how CISOs can find their way through the darkness of the web, CSO Journal, 8 May 2014

Author: Glow in the dark – how CISOs can find their way through the darkness of the web, CSO Journal, 8 May 2014

From a small sushi shop to a large enterprise, hackers are looking for access to a company’s crown jewels: data. Web vulnerabilities are an easy route to this information. Viktor Polic explores how vulnerability scanners and ethical hackers help him to understand weaknesses in web applications.

http://www.csoonline.com/article/2152541/data-protection/glow-in-the-dark-how-cisos-can-find-their-way-through-the-darkness-of-the-web.html

Published article: The quest for weak links in information security, CSO Journal, 12 November 2013

Author: The quest for weak links in information security, CSO Journal, 12 November 2013

Viktor Polic walks through the most effective ways for organizations to evaluate risk levels and assess vulnerabilities.

http://www.csoonline.com/article/743085/the-quest-for-weak-links-in-information-security

Wednesday 8 February 2017

Presentation on Improving corporate identification and authentication controls by using 2-factor mobile authentication - (ISC)2 Security Congress EMEA 2016, Dublin

Outline:

• Introduction: 2016 massive data breaches
• Threats to credentials
 - Brute force
 - Credentials dumping (pwdump, Mimikatz)
 - Input capture (keylogging)
 - Authentication interception
• What are the alternatives to passwords
• Communication channel segregation reduces the risk of business transaction meta-data collection and potential misuse
• Solution: Cryptographic protocol construction based on two separate sub-systems enables externalization of the user’s identity from the business transaction

Presentation slides: Improving corporate identification and authentication controls by using 2-factor mobile authentication

Panelist: Cloud security - (ISC)2 Security congress EMEA, Dublin 2016

PANEL: CLOUD SECURITY

• Do you really know who has access to your data? How do we manage third parties to ensure full visibility and control of information?
• What are the lessons learned with cloud security to date - steps/missteps?
• As Europe undergoes the biggest privacy & security regulatory reforms, how are cloud providers making it easier to embrace new compliance developments?
• What changes are we likely going to see in cloud agreements? Are the new laws going to improve security in practice? How will this impact the role of the CISO?
• What consequences to expect in terms of security, privacy?

Chaired by:

Adrian Davis, Managing Director EMEA, (ISC)²

Panelists:

Jacqueline Johnson, Head of IT Security, Nordea Bank (Denmark)

Gezahegn Tadesse, Chief Technology Officer, Awash Bank (Ethiopia)

Fabio Cerullo, Managing Director, Cycubix Limited (Ireland)

Viktor Polic, Chief of Information Security and Assurance Services, International Labour Organization

Presentation on Using Big Data Analytics for Information Security Risk Management Decision Support - CISO Summit Europe, Copenhagen 2016

Summary: This study explained how information security related key risk indicators depend on heterogeneous data sources, high data volumes and high data velocity, and how large organizations with international presence and with combined internal and outsourced IT services are challenged with balancing risk monitoring scope against the related costs. The case study presented a possible approach to cost optimization by combining proprietary and open-source software solutions for big data analytics on commodity hardware. It also explored why challenges such as finding and hiring people with the right skills and establishing partnerships and collaboration are important.

Outline:

• Bridge the gap between tactical and strategic risk management
• Strategic level: Building risk intelligence capacity:
 - Assembling risk relevant information sources
 - Performing risk data analytics
    * Risk profiling, clustering risk factors
    * InfoSec – business risk mapping
    * Identifying anomalies
    * Threats data feedback; Reports; Dashboards; Alarms
• Building a risk management knowledge creation engine based on Apache Spark, with Tableau for data visualization
• Spark: Applying machine learning:
 - Principal Component Analysis
 - Local Outlier Factor
 - k-Means analysis
• Behavior analytics: more examples
• Next step: Augmented Risk Preparedness - risk contextualization
• Challenges:
 - Develop tools and processes that efficiently address data velocity within lag time
 - Effectively address source data quality
 - Find and retain people with the right skills
 - Improve analytical methodologies (try new, test, simulate, peer review, …)
 - Be ready for black swan events (foreseen but unexpected)

Presentation slides: Using Big Data Analytics for Information Security Risk Management Decision Support
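The outline above lists Local Outlier Factor (LOF), applied on Spark, as one of the methods used to identify anomalies in risk data. What follows is an added example written for this page, not code from the presentation or from the author: a self-contained, single-machine Python implementation of LOF run over a constructed table of per-user activity features, so that the scoring the slides refer to can be read end to end without a Spark cluster. The feature set (failed logins, distinct source IPs and MB egressed per day), every sample value, the choice of k = 3 and the flagging threshold of 2.0 are all assumptions made for illustration.

```python
"""Local Outlier Factor over constructed per-user security activity features.

Added example: plain-Python LOF (Breunig et al.), not the presentation's Spark code.
"""
import math
from typing import Dict, List, Tuple

# Constructed sample, not real data: per-user weekly averages of
# (failed logins per day, distinct source IPs per day, MB egressed per day).
# Two rows are deliberately anomalous: a service account with bulk egress and
# an account failing many logins from many sources (credential-stuffing pattern).
SAMPLE: Dict[str, Tuple[float, float, float]] = {
    "alice": (1.0, 1.0, 120.0),
    "bob": (2.0, 1.0, 110.0),
    "carol": (3.0, 1.0, 135.0),
    "dave": (4.0, 1.0, 125.0),
    "erin": (1.0, 1.4, 115.0),
    "frank": (2.0, 1.4, 140.0),
    "grace": (3.0, 1.4, 128.0),
    "heidi": (4.0, 1.4, 105.0),
    "svc-backup": (0.5, 1.0, 4800.0),  # constructed outlier: bulk egress
    "mallory": (40.0, 9.0, 128.0),     # constructed outlier: many failures, many IPs
}


def standardize(rows: List[Tuple[float, ...]]) -> List[Tuple[float, ...]]:
    """Z-score each column so that MB counts and login counts contribute comparably
    to Euclidean distance; a constant column gets std 1.0 instead of dividing by 0."""
    n_cols = len(rows[0])
    cols = [[r[j] for r in rows] for j in range(n_cols)]
    means = [sum(c) / len(c) for c in cols]
    stds = []
    for c, m in zip(cols, means):
        s = math.sqrt(sum((v - m) ** 2 for v in c) / len(c))
        stds.append(s if s > 0 else 1.0)
    return [tuple((r[j] - means[j]) / stds[j] for j in range(n_cols)) for r in rows]


def euclid(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def lof_scores(points: Dict[str, Tuple[float, ...]], k: int = 3) -> Dict[str, float]:
    """Return LOF_k for every point. LOF close to 1 means the point is about as
    dense as its neighbours; values well above 1 mean it sits in a sparser region."""
    names = list(points)
    if k >= len(names):
        raise ValueError("k must be smaller than the number of points")
    z = dict(zip(names, standardize([points[n] for n in names])))
    # k nearest neighbours and the k-distance (distance to the k-th neighbour).
    neigh: Dict[str, List[Tuple[str, float]]] = {}
    kdist: Dict[str, float] = {}
    for a in names:
        dists = sorted((euclid(z[a], z[b]), b) for b in names if b != a)
        neigh[a] = [(b, d) for d, b in dists[:k]]
        kdist[a] = dists[k - 1][0]
    # Reachability distance reach(a, b) = max(kdist(b), d(a, b)) smooths out the
    # distances inside dense clusters; lrd is the inverse of its mean.
    lrd: Dict[str, float] = {}
    for a in names:
        mean_reach = sum(max(kdist[b], d) for b, d in neigh[a]) / k
        lrd[a] = 1.0 / (mean_reach + 1e-12)  # epsilon guards exact duplicates
    # LOF = mean density of the neighbours divided by the point's own density.
    return {a: (sum(lrd[b] for b, _ in neigh[a]) / k) / lrd[a] for a in names}


def flag_outliers(points: Dict[str, Tuple[float, ...]], k: int = 3,
                  threshold: float = 2.0) -> List[str]:
    """Names whose LOF exceeds the threshold, highest score first."""
    scores = lof_scores(points, k)
    return sorted((n for n, s in scores.items() if s > threshold),
                  key=lambda n: -scores[n])


if __name__ == "__main__":
    for name, score in sorted(lof_scores(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{name:12s} LOF={score:6.2f}")
    print("flagged:", flag_outliers(SAMPLE))
```

Two design points matter in practice. Standardizing before computing distances is essential here: without it the MB column alone would decide every distance and the credential-stuffing row would look normal. And the threshold is not universal: LOF is a ratio of densities, so on a different window of data the same user can score differently; the usual approach is to compute scores on rolling windows and alert on users whose score is consistently high, rather than on a single fixed cut-off.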

Presentation on Optimizing Information Security Management process with focus on risk management - CISO Summit Europe, Geneva 2015

Outline:

• Risk impact awareness – Perform business impact analysis systematically on all categories of risk with subject matter experts

• Effective risk communication – Ensure that risk metrics and treatment plan recommendations reach risk owners in a timely and unbiased manner directly from risk analysis experts

• Formally integrate information and technology governance with risk management – that would ensure metrics as lag indicators (achievement of goals) and lead indicators (application of practice)

• Develop tools and processes to search for unexpected information security events (use analytics on as much data as feasible)

• Perform descriptive and/or predictive data mining to reduce risk uncertainty

• Shift focus to end-points where information is created, stored, processed and consumed

• Identify location of your most critical information and monitor in near-real time

• Focus on quality of software implementation

• Engage data owners in ISMS process (InfoSec role is broker between data owners and data custodians)

 – Information classification
 – Risk analysis and awareness
 – Security assessment and audit
 – Incident management and reporting

• Develop Risk Intelligence taking into account all risk components

 – Vulnerabilities – Standard enumeration exists (CVE)
 – Impact – Simpler to quantify in monetary units
 – Threats – Only technical threats are comparable
 – Monitor Key Risk Indexes (KRX) when the above 3 risk components are comparable as weighted averages of incident occurrence. And likelihoods, or even probabilities?

Presentation slides: Optimizing ISMS: Focus on risk management

Presentation on How to Maintain Proactive Security in the Post-"Heartbleed" "Shell Shock" World with the Case Study: Geneva e-voting system - CISO Summit Asia, Singapore 2014

Outline:

• Information centric and people centric security
• Revisiting identity and access management
• Cryptographic controls risk analysis
• What should CISOs focus on to ascertain data owners' confidence in information systems and maintain the proactive nature of information security management?
• What aspects of the information security management process cannot be outsourced in order to remain in control of data ownership?
• Holistic approach to information system audit (auditing application, infrastructure, and process) - case study: Geneva e-voting system

Presentation slides: How to Maintain Proactive Security in the Post-"Heartbleed" "Shell Shock" World?
