End to End Visualization of. Expectations, and Dependencies

Size: px

Start display at page:

Download "End to End Visualization of. Expectations, and Dependencies"

Adam Roberts
6 years ago
Views:

1 Shared Cybersecurity Cb Responsibility Maps Combining i SIPOC + RACI Provides End to End Visualization of Roles, Responsibilities, Expectations, and Dependencies

2 Many Aspects of Cybersecurity are Beyond the Domain of IT Departments Cybersecurity Responsibilities are Shared Among Multiple Departments, Stakeholders, and Business Partners Finance and Risk Management (NIST CSF ID.RA) Ensures the organization understands the cybersecurity risk to mission, functions, reputation, organizational assets, individuals, and business partners Human Resources (NIST CSF PR.AT) Responsible for training personnel to perform information security related duties and responsibilities consistent with policies, procedures, and agreements Legal (NIST CSF ID.GV 3) Ensures the organization understands and manages legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations Business Process Owners (NIST CSF PR.IP) Ensures security policies, processes, and procedures are maintained and used to manage protection of information systems and assets Shared ResponsibilityMaps Provide End to End Visualization of These Roles, Responsibilities, Expectancies, and Dependencies

3 Responsibilities and Expectations External to Cybersecurity yprocesses and Activities All Cybersecurity Processes and Activities Receive Inputs All Cybersecurity Processes and Activities Create Outputs Someone or Something (Could be a Process, Department, or External Entity) Is Responsible for Providing the Inputs According to Predefined Specifications Someone or Something (Could be a Process, Department, or External Entity) Expects to Receive the Outputs According to Predefined Specifications

4 SIPOC: Defines Responsibilities and Expectancies External to Processes and Activities Suppliers Receive the input specifications from the process team and provides the inputs to the process team according to specifications Inputs The resources and their specifications defined by the process team Processes The steps the process team will execute to create the outputs Outputsp The deliverables created by the process team that will be delivered to the customer/consumer within predefined specifications Customers Expects to receive the outputs/deliverables developed according to predefined specifications by the process team

5 RACI: Responsible, Accountable, Consult, Inform Team Responsibilities for Process Execution Responsible (The Doers) Those who do the work to achieve the task. There is at least one role with a participation type of Responsible Accountable (The Buck Stops Here) The one ultimately answerable for correctness and thoroughness of the completed task Consult Those whose opinions are sought, typically subject matter experts. Two way communication Inform Those kept up to date on progress with whom there is one way communication

All Departments, Stakeholders, and Business Partners Serves to Penetrate

6 Shared Responsibility Mapping Combines SIPOC & RACI Defines and Visually Illustrates End to End Roles, Responsibilities, Expectations, and Dependencies of All Departments, Stakeholders, and Business Partners Serves to Penetrate Departmental Silos, Tool Conflicts, and Tribal Knowledge Improves Communications and Collaboration

7 Computer Security Incident Response Plan Shared Responsibility Map

Computer Security Incident Response Plan Process

Responsibility Maps can be delivered as stand alone

integrated into web frameworks that illustrate

8 Computer Security Incident Response Plan Process Resource (NIST R2 Base) Shared Cybersecurity Responsibility Maps can be delivered as stand alone documents, integrated into existing plans, or integrated into web frameworks that illustrate cybersecurity processes, activities, iii and associated resources

9 Shared CSIRP Responsibility Map of Step 2.1 Monitor and Detection Process High level and detailed views are available within a few clicks

10 Computer Security Incident Response Plan Step 2.1: Monitor & Detection

11 CSIRP Step 2.1 Monitor & Detection SIPOC & RACI Detail

Identifying Factors that Contribute to Unsatisfactory Outcomes Variation Impacts the Predictability of Effectiveness and Efficiencies Inputs and Process Activities are Sources

12 Identifying Factors that Contribute to Unsatisfactory Outcomes Variation Impacts the Predictability of Effectiveness and Efficiencies Inputs and Process Activities are Sources of Variation in the Management of the Quality of Deliverables Shared Responsibility Maps Illustrate Where and How Variation Impacts the Ability to Effectively Manage Cybersecurity

Example of a Factor Contributing to Less Than Desirable Cybersecurity

Anomalous Malware Behavior Extends the time from initial entry to

to spread laterally in the system The Solution: Human Resources

13 Example of a Factor Contributing to Less Than Desirable Cybersecurity Management A User Not Properly Trained to Recognize and Report Anomalous Malware Behavior Extends the time from initial entry to detection Extends dwell time Increases the opportunity for the malware to spread laterally in the system The Solution: Human Resources provides appropriate and continuous user cybersecurity training, testing, and proficiency tracking

Activity/Process Step 2 Step 2 Outputs & Customer Becomes Step 3 Supplier and Inputs Variation in

14 Shared Responsibility Maps Illustrate Multistep Activity/Process Dependencies Activity/Process Start Activity/Process Step 1 Step 1 Outputs & Customer Becomes Step 2 Supplier and Inputs Activity/Process Step 2 Step 2 Outputs & Customer Becomes Step 3 Supplier and Inputs Variation in Earlier Steps Influence Latter Dependent Activity and Process Steps Activity/Process Step 3 Activity/Process End

15 In Summary Shared Cybersecurity Responsibility Maps Enable End to End Definition and Visualization of Responsibilities for All Involved with Cybersecurity Clarifies Inputs and Outputs including Specifications Illustrates Where and How Variation Influences Deliverables

16 Contact Henry Draughon Process Delivery Systems (972) / / h d i ibili h l

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The