Cybersecurity is more than a technical issue; it is a critical operational imperative that can directly impact the survival of businesses. With the Taiwanese government incorporating cybersecurity requirements into law in 2022, enterprises are gearing up to meet the new regulations. Join us at this forum to explore the key challenges in safeguarding business continuity.
During the COVID period, Fortune 1000 companies created Risk Management Committees. In addition, publicly listed companies are required to add a new board role on cybersecurity following the official release of the SEC Guidance on Public Company Cybersecurity Disclosures in 2022.
Whether in the USA or Taiwan, developing and implementing effective cybersecurity governance has become a pressing need. What are the differences between cybersecurity management and governance in terms of roles and responsibilities? How do governance practitioners take an oversight perspective on critical issues?
In recent years, the types of cybersecurity threats have been constantly changing. How to efficiently estimate information security risk within the organization is therefore a topic that all information security personnel, as well as management, should focus on. Designing and building feasible KRIs and KPIs that help the organization identify, understand and handle information security risks deserves attention. So that information security personnel in different roles can keep track of the current state of information security risk in a timely manner, we would like to share not only the concept and practical experience of designing the Information Security Risk Dashboard, but also the benefits we derived from its implementation, for your reference. We hope it will help you design your own indicators and risk dashboard.
Change management is an important risk issue. This session will discuss the connections between, and key points of, configuration management, change management, and data leakage prevention best practices in ISO 27001:2022, and will combine management concepts with technical practice. We hope the audience can understand and refer to the concepts and processes proposed by internationally recognized organizations (such as ISACA/ISC2/CIS/NIST) in this session.
Risk management without “Risk Analysis” is like driving in the dark without lights. It is like a person who has the knowledge and skill to drive a car but lacks direction and visibility of the dangers along the way. Similarly, organizations often rush headlong into implementing cyber risk management programs without clear visibility into their risk landscape. Oftentimes, Risk Analysis is based on the subjective judgment of IT and cybersecurity professionals, which can vary from person to person and is limited to the technology component. Furthermore, to make risk management even more difficult, because cybersecurity is a young industry, there is no agreement on the definition of risk, i.e. vulnerabilities, threat agents, CVE, or IOC. As a result, risk analysis is inconsistent, risk decisions are misled, and risk appetite is misaligned. FAIR is a Risk Analysis methodology, an add-on component that addresses consistency and repeatability in the Risk Management and ISMS processes.