a hypothetical company’s cybersecurity analysis

YukoSoma, 8 slides, Nov 02, 2025

Slide Content

Slide 1. Messed Up Corporation's System diagram in 2025 (Fig.2: System and Organizational Risk. Source: Author)
Diagram labels recovered from the slide:
・ Sites and network segments: Clients (Japan); Enterprise NW Finance Segment (Seoul); Enterprise NW Sales Segment (Tokyo); DMZ; Public Network; Product Service NW Segment (Kuala Lumpur); Multi Tenant Cloud Service (Global) with Tenant A Segment (Singapore) and Tenant B Segment (Tokyo); Datacenter (Bangkok); Physical Backup Site (Seoul)
・ Systems: Web Server for Dev & Prod; Product Service Database for Dev & Test & Prod; Backup Database; HR/Finance System; File Server1; Windows Server 2012 R2 File Server; Old Mail Server1; New Mail Server2 (Singapore); M365; VPN Server; Wireless AP (WEP); Router; NTP Server; Log Storage; Windows10; BYOD; Firm Banking; Digital Certificate for Electronic Commerce; CA (Certification Authority)
・ Security controls: Physical FW (several); Cloud FW; TLS 1.3 on one link and TLS 1.0 on two others; Pen Testing; Monitoring
・ Third parties: Bank (HK); Payment Service Provider (Tokyo); Cloud Service Vendor (Beijing); Software Dev. and Support Provider (Bangalore); Service Provider's Service Provider (Israel); Tier-2 vendor (Ukraine)
・ Teams: IT Management (WFH in Singapore); SOC Team (Singapore); CSIRT (Beijing); Japanese Customer Support Team (Cyberjaya); Help desk team (Penang Island); Red Team (Florida, US)

Slide 2. System Diagram Plan of Messed Up Corporation After Acquisition by Much Better Corp. in 2026 (Fig.3: Remediations of System and Organizational Risks. Source: Author)
Diagram labels recovered from the slide:
・ Sites and network segments: Clients (Japan); Enterprise NW Finance Segment (Fukuoka); Enterprise NW Sales Segment (Tokyo); DMZ; Public Network; Product Service NW Segment for test (Tokyo); Product Service NW Segment for Development (Fukuoka); Production Environment; Multi Tenant Cloud Service (Japan) with Tenant A Segment (Tokyo) and Tenant B Segment (Tokyo); Datacenter (Fukuoka); Datacenter Backup Site (Tokyo); Physical Backup Site (Tokyo)
・ Systems: Web Server (three instances); Load Balancer; Database; HR/Finance System; Backup File Server1; Windows Server 2025 File Server; New Mail Server2 (Tokyo); M365; VPN Server; Wireless AP (WPA-3, 802.11be Wi-Fi 7); Router; NTP Server; Online Application; Electronic Banking; Windows12; BYOD; Digital Certificate for Electronic Commerce
・ Security controls: Physical FW (several); Cloud FW (three instances); NIPS; NIDS; XDR/EDR; WAF; DLP Suite; FIM; MDM; HSM (two instances); SIEM/Log Storage; IAM・PAM (Cyberjaya); MFA (label appears nine times); TLS 1.3 on both links; Pen Testing; Monitoring
・ Third parties: Bank (Tokyo); Payment Service Provider (Tokyo); Cloud Service Vendor (Tokyo); Software Dev. and Support Provider (Cyberjaya)
・ Teams: IT Management (WFH in Tokyo); SOC Team (Cyberjaya); CSIRT; Japanese Customer Support Team (Kuala Lumpur); Help desk team; Red Team (Cyberjaya)

Slide 3. Requirements for Deploying a Security Governance Framework (Fig.1: Deploying Infosec Governance. Source: Author, based on references. Much Better Corporation)
Flowchart labels recovered from the slide:
・ Roles: Senior Management; Information Security Manager; Business Process Owner
・ Business units consulted: HR; Accounting; Procurement; Finance; Legal; Security; IT; Sales
・ Inputs: Business Driver; Regulations (Internal/External); Industry security frameworks; Assurance; User Awareness; Risk Profile
・ Governance activities: Confirm Corporate Objectives & Business Needs with each business unit; Confirm Compliance Objectives; Deploy Information Security Objectives; Develop Security Strategy; Implement Security Policies/Standards; Perform CBA (Cost-Benefit Analysis); Conduct BIA (Business Impact Analysis); Deploy Consistent Security by…
・ Architecture and continuity activities: Determine System Boundaries; Create Inventory of Data, System and Network Assets; Create System Dependencies within a network architecture; Create Dataflow Diagrams; Create Capacity Plan; Deploy DR Sites; Prioritize Disaster Recovery; Align with IRP/DRP/BCP
・ Assurance activities: Develop Test Plans; Perform Walk-thru, Tabletop Test; Perform Internal Audit; Prepare for 3rd Party Audit

Slide 4. Fig.4: Risk Assessment Flow (Source: Author, based on references. Much Better Corporation)
Flowchart labels recovered from the slide:
・ Context: Corporate Business Functions; Business Objectives; Support, Alignment, and Communication; Communication; Alignment; Allocate Risk Owner; Due Diligence for Procurement and M&A; GAP Analysis
・ AV (Asset Valuation): Calculate the business value of the asset
・ TA (Threat Analysis): Confirm the presence of potential losses (e.g. APT)
・ VA (Vulnerability Assessment); VA (Value Analysis); FAIR (Factor Analysis of Information Risk); PIA (Privacy Risk Assessment)
・ IA (Impact Analysis): Evaluate the impact on business processes (e.g. APT); Estimate the economic loss due to downtime; Operational consequences during system outage
・ BIA (Business Impact Analysis): Develop a risk profile for business continuity planning; Determine AIW, RTO, RPO; Risk Profile
・ RA (Risk Assessment): Risk = Likelihood × Impact; Information Security Risk Assessment (actual annual loss amount); Historical Incident Data; Recovery Plan; Action List; Change Management (Patch Application, Configuration Review, Additional Monitoring)
・ ALE (Annual Loss Expectancy): Estimated annual loss amount; ALE = SLE × ARO
・ TCO (Total Cost of Ownership): Create a list of lifecycle costs; overall cost from acquisition and operation to disposal; KRI is input for TCO; TCO is input for CBA
・ CBA (Cost Benefit Analysis): Calculate the cost of implementing security controls; Calculate ROI and VAR (Value at Risk) to create a business case; Supplementary document for purchase request; Approval of temporary security budget; Approval of annual security budget; Annual budget approval
・ Metrics: KPI (Key Performance Indicator), e.g. number of manually calculated payroll cases, incident response time; KPI is input for KRI; KRI (Key Risk Indicator): trend report, trend of quantified values, deviation from security baseline; KCI (Key Control Indicator); KGI (Key Goal Indicator); Information Security Metrics; Quantified Value; Source information for Monthly Information Security Metrics Report
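A worked quantitative pass through the relationships named in Fig.4 (AV, SLE, ALE = SLE × ARO, TCO and CBA/ROI), as an added example that is not part of the deck. Every asset value, exposure factor, rate and cost is a constructed sample number, and the Asset, Threat and Control names are assumptions made for the illustration.

```python
"""Quantitative risk assessment walk-through.

Added example following the relationships named in Fig.4:
AV -> SLE (= AV x EF) -> ALE (= SLE x ARO), TCO as the lifecycle cost of a
control, and a CBA/ROI that compares ALE with and without the control.
Every value below is a constructed sample number, not a figure from the deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float        # AV: business value of the asset, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float    # EF: fraction of AV lost in a single occurrence (0..1)
    annual_rate: float        # ARO: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    acquisition_cost: float   # one-off purchase and implementation cost
    annual_operating_cost: float
    disposal_cost: float
    lifecycle_years: int
    residual_ef: float        # EF once the control is in place
    residual_aro: float       # ARO once the control is in place


def single_loss_expectancy(asset: Asset, ef: float) -> float:
    """SLE = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset.asset_value * ef


def annual_loss_expectancy(asset: Asset, ef: float, aro: float) -> float:
    """ALE = SLE x ARO, the formula shown in Fig.4."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset, ef) * aro


def total_cost_of_ownership(control: Control) -> float:
    """TCO: acquisition + operation over the whole lifecycle + disposal."""
    return (control.acquisition_cost
            + control.annual_operating_cost * control.lifecycle_years
            + control.disposal_cost)


def annualised_tco(control: Control) -> float:
    """Spread TCO evenly over the lifecycle so it is comparable with ALE."""
    return total_cost_of_ownership(control) / control.lifecycle_years


def cost_benefit(asset: Asset, threat: Threat, control: Control) -> dict:
    """CBA: annual risk reduction minus annualised TCO, plus ROI on that cost.

    A control is justified when the ALE it removes exceeds what it costs per
    year; the positive net benefit is the number the business case is built on.
    """
    ale_before = annual_loss_expectancy(asset, threat.exposure_factor, threat.annual_rate)
    ale_after = annual_loss_expectancy(asset, control.residual_ef, control.residual_aro)
    cost = annualised_tco(control)
    net_benefit = (ale_before - ale_after) - cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_control_cost": cost,
        "net_annual_benefit": net_benefit,
        "roi": net_benefit / cost if cost else float("inf"),
        "justified": net_benefit > 0,
    }


# Constructed sample input (hypothetical asset, threat and control)
PRODUCT_DB = Asset("Product service database", asset_value=2_000_000)
RANSOMWARE = Threat("Ransomware on file and database servers",
                    exposure_factor=0.4, annual_rate=0.5)
EDR_AND_BACKUP = Control("XDR/EDR plus offline backup", acquisition_cost=150_000,
                         annual_operating_cost=60_000, disposal_cost=10_000,
                         lifecycle_years=4, residual_ef=0.1, residual_aro=0.25)

if __name__ == "__main__":
    for key, value in cost_benefit(PRODUCT_DB, RANSOMWARE, EDR_AND_BACKUP).items():
        print(f"{key:>22}: {value}")
```

With the sample numbers the control removes 350,000 of ALE per year against an annualised TCO of 100,000, so the business case shows a net annual benefit of 250,000 (ROI 2.5). The same functions serve the "KRI is input for TCO" step in the flow: when a KRI shows the residual ARO drifting above the assumed value, re-running cost_benefit with the observed rate tells you whether the control still pays for itself.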

Slide 5. Fig.5: Flow for implementing something new (Source: Author, based on references. Much Better Corporation)
Flowchart labels recovered from the slide:
・ Roles: IT Senior Management; IT Management; Information Security Manager; Business Process Owner
・ Steps: Plan to implement a new IT system; Is there a change in the business process? (Yes / No); Conduct Ad Hoc BIA (Business Impact Analysis); Conduct Regular BIA (Business Impact Analysis); Perform Risk Assessment; Risk Profile; Create Business Case; Calculate ROI; Perform CBA; Investment Decision; New Function go-live; Pre-operational Security Risk Assessment (Patch Application, Configuration Review, Additional Monitoring)
・ Noted failure path: IT decided not to perform a BIA for this completely new system development

Slide 6. Fig.6: Crisis Management Timeline (Source: Author, based on references. Much Better Corporation)
Timeline labels recovered from the slide:
・ Recovery metrics plotted: RPO (Recovery Point Objective) for System A (1 year); RPO for System B; RPO for System C; RTO (Recovery Time Objective) for System B; AIW (Allowable Interruption Window) or MTD (Maximum Tolerable Downtime) for System B; MTO (Maximum Tolerable Outage) for System B
・ Time marks on the axis: 1 hour; 1 hour; 24 hours; 100 hours; 1 year; 7 years
・ Events and consequences: Power outage risk at the company; Systemic Risk Event; Real-Time-Only Data; A task requires viewing data from 1 year ago; SLA violation with the business units; It results in non-compliance without that data; Causes financial, legal and reputational damage
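The metrics on the Fig.6 timeline only protect the business if they are consistent with one another: the RTO has to fit inside the AIW/MTD, the RPO has to stay within the data loss the process can absorb (zero for real-time-only data), backups have to reach back as far as the oldest data a task still needs, and the MTO has to cover the time the business plans to spend in alternate mode. The following added example, not part of the deck, generalises the slide's System A/B/C layout into a check that runs over any set of systems; all system names, durations and business needs are constructed sample values.

```python
"""Recovery-objective consistency check.

Added example for the metrics placed on the Fig.6 timeline. It checks the
relationships a recovery plan must satisfy for each system:
  RTO <= AIW (MTD)                   the restore finishes before the business breaks
  RPO <= tolerated data loss         zero for real-time-only data
  retention >= oldest data required  e.g. a task needing data from 1 year ago
  MTO >= planned time in alternate mode
System names, durations and business needs are constructed sample values.
"""
from dataclasses import dataclass
from datetime import timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
YEAR = timedelta(days=365)


@dataclass(frozen=True)
class RecoveryObjectives:
    system: str
    rto: timedelta        # RTO: time needed to restore the system
    rpo: timedelta        # RPO: maximum age of the data restored from
    aiw: timedelta        # AIW / MTD: longest outage the business tolerates
    mto: timedelta        # MTO: longest period alternate processing can be sustained
    retention: timedelta  # how far back restorable copies are kept


@dataclass(frozen=True)
class BusinessNeed:
    max_data_loss: timedelta            # zero for real-time-only data
    oldest_data_required: timedelta     # history a business task must still read
    expected_alternate_mode: timedelta  # planned time in alternate mode before return to normal


def check_objectives(obj: RecoveryObjectives, need: BusinessNeed) -> list[str]:
    """Return one finding per relationship the plan fails to satisfy."""
    findings = []
    if obj.rto > obj.aiw:
        findings.append(f"{obj.system}: RTO {obj.rto} exceeds AIW/MTD {obj.aiw}; "
                        "the recovery strategy cannot meet the SLA with the business unit")
    if obj.rpo > need.max_data_loss:
        findings.append(f"{obj.system}: RPO {obj.rpo} loses more data than the process "
                        f"tolerates ({need.max_data_loss})")
    if obj.retention < need.oldest_data_required:
        findings.append(f"{obj.system}: retention {obj.retention} is shorter than the "
                        f"{need.oldest_data_required} of history a task requires (non-compliance)")
    if obj.mto < need.expected_alternate_mode:
        findings.append(f"{obj.system}: MTO {obj.mto} is shorter than the planned "
                        f"{need.expected_alternate_mode} in alternate mode")
    return findings


def plan_is_consistent(obj: RecoveryObjectives, need: BusinessNeed) -> bool:
    """True when none of the relationships above is violated."""
    return not check_objectives(obj, need)


# Constructed sample systems (not the deck's actual values)
SYSTEM_A = RecoveryObjectives("System A", rto=24 * HOUR, rpo=YEAR, aiw=100 * HOUR,
                              mto=7 * DAY, retention=7 * YEAR)
NEED_A = BusinessNeed(max_data_loss=DAY, oldest_data_required=YEAR,
                      expected_alternate_mode=5 * DAY)

SYSTEM_B = RecoveryObjectives("System B", rto=HOUR, rpo=HOUR, aiw=24 * HOUR,
                              mto=100 * HOUR, retention=7 * YEAR)
NEED_B = BusinessNeed(max_data_loss=timedelta(0), oldest_data_required=YEAR,
                      expected_alternate_mode=100 * HOUR)   # real-time-only data

SYSTEM_C = RecoveryObjectives("System C", rto=100 * HOUR, rpo=HOUR, aiw=24 * HOUR,
                              mto=100 * HOUR, retention=YEAR)
NEED_C = BusinessNeed(max_data_loss=HOUR, oldest_data_required=7 * YEAR,
                      expected_alternate_mode=2 * DAY)

if __name__ == "__main__":
    for obj, need in ((SYSTEM_A, NEED_A), (SYSTEM_B, NEED_B), (SYSTEM_C, NEED_C)):
        state = "consistent" if plan_is_consistent(obj, need) else "gaps found"
        print(f"{obj.system}: {state}")
        for finding in check_objectives(obj, need):
            print("  -", finding)
```

In the sample data System A fails only on its one-year RPO, System B fails because a one-hour RPO is still too much for real-time-only data, and System C fails twice: its 100-hour RTO is longer than the 24-hour AIW/MTD (the "RTO not met" path in Fig.7) and one year of retention cannot serve a task that needs seven years of history. Each finding maps to a consequence the timeline names, so the output doubles as the input for the BIA review.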

Slide 7. Fig.7: Strategic BCP (Source: Author, based on references. Much Better Corporation)
Flowchart labels recovered from the slide:
・ Roles: Senior Management; Information Security Manager; IT Management; Business Process Owner; Risk Profile
・ Plans: IRP (Incident Response Plan): Short-Term Emergency Response; DRP (Disaster Recovery Plan): IT System Recovery Strategy; BCP (Business Continuity Plan): Strategy to Avoid Financial Loss
・ Trigger events: Systemic Risk Event; System Outage; Zero-Day Attack; Ransomware; AI Malfunction; High tariff; System Upgrade; Major Change; Digital Currency Readiness; Climate Change; APPI
・ Incident response: Identify Incident Components, Trigger Event; Definition of Incident Activation; Incident Notification and Confirmation; Develop Incident Response Procedures; Escalation; Determine Escalation Routes and Reporting Lines; Preparation for Legal Action
・ Disaster recovery: Define Elements of a Disaster; Definition of Disaster Recovery Activation; Disaster Notification and Confirmation; Develop Disaster Recovery Procedures
・ Business continuity: Identify Business Continuity Components; Definition of Business Continuity Activation; Develop Business Continuity Procedures; Conduct Regular Business Impact Analysis (BIA)
・ Maintenance of all plans: Develop Test Plans for Each; Conduct Validity Assessment of Each Plan; Review, Improve, and Strengthen Each Plan; Conduct post-incident review of each event that occurred
・ Outcomes: Success; Confusion; RTO not met

Slide 8. References
・ ISACA. CISM Review Manual, 15th Edition.
・ ISACA. CISM Review Questions, Answers & Explanations Manual, 10th Edition.
・ National Institute of Standards and Technology (NIST). SP 800-171 Rev. 3. May 2024. https://csrc.nist.gov/pubs/sp/800/171/r3/final
・ National Institute of Standards and Technology (NIST). SP 800-53 Rev. 5. Jan. 28, 2021. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
・ National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework (CSF) 2.0. Feb. 26, 2024. https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
・ International Organization for Standardization (ISO). ISO/IEC 27002:2022: Information security, cybersecurity and privacy protection — Information security controls. Feb. 15, 2022.
・ International Organization for Standardization (ISO). ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Oct. 25, 2022.
・ International Organization for Standardization (ISO). ISO/IEC 27014:2020: Information security, cybersecurity and privacy protection — Governance of information security. 2020. https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27014:ed-2:v1:en
・ International Organization for Standardization (ISO). ISO/IEC 27017:2015: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Dec. 2025.
・ International Organization for Standardization (ISO). ISO/IEC 29134:2023: Information technology — Security techniques — Guidelines for privacy impact assessment. 2023. https://www.iso.org/obp/ui/en/#iso:std:iso-iec:29134:ed-2:v1:en
・ PCI SSC. Payment Card Industry (PCI) Data Security Standard Requirements and Testing Procedures, Version 4.0.1. Jun. 2024. https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
・ Japan Personal Information Protection Commission. Privacy Impact Assessment. September 14, 2021. https://www.meti.go.jp/policy/it_policy/privacy/ppc2.pdf
・ Japan Cabinet Secretariat, Japan Digital Agency. ISMAP (Information System Security Management and Assessment Program) Controls. https://www.ismap.go.jp/csm?id=kb_article_view&sys_kb_id=757ef62ac3755250076ededb05013195