BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
WHAT IS YOUR SITUATION?
- Excel spreadsheets
- Manually intensive
- Too many competing priorities
- Lack of effective reporting
- Too many consultants
- Not enough internal knowledge/expertise
- Not sure which framework or standard
- Board/C-Suite not confident (and not familiar)
- etc.

This presentation contains proprietary information and may not be distributed without the express written permission of the CMMI Institute. 2016 CMMI Institute.
OUR APPROACH IS BASED UPON INTERVIEWS WITH HUNDREDS OF ORGANIZATIONS AROUND THE WORLD
ORGANIZATIONS NEED HELP WITH CYBERSECURITY: SITUATION UNDERSTANDING, READINESS, RISK, RESILIENCE

It's a risk-based world, and organizations are insufficiently prepared for cyber threats. There is more talk about tech governance than action.

- 87%* of board directors and C-level execs say they lack confidence in their organization's level of cybersecurity.
- Cybersecurity policies and defenses are the #1 corporate governance technology challenge, yet only 21% of organizational leaders are briefed on risk topics at every senior leadership meeting.
- 53% of organizations believe that malicious attacks are on the rise year over year, but 48% don't feel confident in their team's ability to address complex attacks.

Organizations need help framing the business case, prioritizing resources and spend to improve cyber readiness, and a way to benchmark progress.

Data sources: ISACA State of Cyber Security Report 2017; E&Y Report. 5/6/2018 2017 ISACA. All Rights Reserved.
FROM COMPLIANCE TO RESILIENCE: COPERNICAN SHIFT

Figure: two models are contrasted. Compliance-based risk reduction (labels: Capabilities; Compliance/Certification) versus resilience-driven risk reduction (labels: Compliance/Certification; Risk-based Capabilities).
CYBER SECURITY READINESS & RESILIENCE: ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE

Figure: Enterprise Security Risk Management at the centre, surrounded by SecOps, Capability Maturity and Workforce Readiness.

- SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas: mission priorities & dependencies; threat information; secure and available technology.
- Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.
- Workforce Readiness: 60% of all attacks were carried out by insiders. 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.
Cyber Security Assessment Solution: BENEFITS AND IMPACT

1. STANDARDIZED MATURITY: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
2. ORGANIZATION-WIDE, RISK-BASED: Defines the organization's risk profile and sets maturity targets.
3. ROADMAP DEVELOPMENT: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
4. COMPLIANCE VIEWS: Provides views into compliance with industry-standard COBIT 5, ISO 27001, NIST CSF, CMMI Threat Kill Chain, etc.

WE PRESENT OUR RESULTS IN LAYPERSON'S TERMS: SIMPLE GRAPHICS TO SUPPORT BOARD COMMUNICATION.
OUR COMPREHENSIVE SCOPE LEVERAGES LEADING FRAMEWORKS, STANDARDS AND CONTROLS.
CMMI CYBER SECURITY CAPABILITY ASSESSMENT SUPPORTS THE LEADING INDUSTRY STANDARDS
DYNAMIC CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK
   - Establish Governance: Apply Information Security Management Policy Process; Apply Governance System; Direct Governance System; Monitor Governance System
   - Govern Cybersecurity Resources: Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs
   - Establish Stakeholder Reporting: Apply Stakeholder Reporting Requirements; Direct Stakeholder Communication and Reporting; Monitor Stakeholder Communication

2. ESTABLISH RISK MANAGEMENT
   - Establish Risk Strategy: Apply Risk Management Strategy; Apply Risk Management; Define Organizational Risk Tolerance; Determine Strategic Risk Objectives
   - Establish Business Risk Context: Determine Mission Dependencies; Determine Legal / Regulatory Requirements; Determine Critical Infrastructure Requirements
   - Implement Risk Management: Apply Organization Risk Mgmt. Process; Integrate Risk Mgmt. Program; Manage External Participation

3. IDENTIFY AND MANAGE RISKS
   - Capability areas: Implement Risk Identification; Ensure Access Control Management; Establish Organizational Training; Establish Data Security Protection
   - Practice areas: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Manage Asset Lifecycle; Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation; General User Training; Role-based User Training; Identification of Roles & Responsibilities; 3rd Party Training; Safeguard Data at Rest; Safeguard Data in Transit; Information Classification Considerations; Manage Communication Protections; Capacity Planning; Integrity and Data Leak Prevention

4. ENSURE RISK MITIGATION
   - Capability areas: Establish Secure Application Development; Establish Information Protection Provisions; Establish Protection Planning; Establish Protective Technology Provisions
   - Practice areas: Secure Application Development; Secure Development Testing; Safeguard Development Environment; Apply Configuration Baselines; Apply Change Control; Manage System Engineering Process; Manage Software Update/Release Processes; Apply Backup Processes; Apply Maintenance Processes; Apply Vulnerability Mgmt. (Patch) Process; Apply Retention and Destruction Measures; Apply Information Sharing; Develop and Maintain Response Plans; Develop and Maintain Recovery Plans; Apply Personnel Security; Apply Logging and Audit Processes; Apply Mobile Device Management; Apply Media Protections; Safeguard Operational Environment

5. ENSURE RISK DETECTION
   - Capability areas: Establish Cybersecurity Incident Detection; Establish Continuous Monitoring; Establish Detection Processes
   - Practice areas: Apply Network Baselines; Monitor Networks; Detect Malicious Code; Aggregate / Correlate Data; Monitor Physical; Detect Mobile Code and Browser Protection; Determine Impacts; Monitor Personnel; Apply Security Assessment; Alert Thresholds; Monitor 3rd Parties; Test Detection Processes

6. ENSURE RISK RESPONSE
   - Capability areas: Establish Incident Response; Establish Incident Analysis; Mitigate Detected Incidents
   - Practice areas: Execute Response Plan; Implement Incident Investigation Processes; Ensure Incident Containment; Response Roles & Responsibilities; Implement Forensics Capability; Ensure Incident Mitigation; Incident Reporting; Ensure Information Sharing; Apply Response Categorization

7. ENSURE RESILIENCE
   - Capability area: Establish Incident Recovery
   - Practice areas: Execute Recovery Plan; Recovery Communications
CYBERMATURITY PLATFORM: WORKFLOW PROCESS

- CISO: Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are defined. Outputs: Risk Profile; Risk-based Maturity Targets.
- Board: Define organizational priorities; approve roadmap.
- Operations level: Select practices to determine practice area level maturity. Outputs: ISO / CSF / COBIT threat view; Measured Maturity vs. Risk-based Targets.
- CISO: Develop risk mitigation roadmap. Outputs: Measured Maturity vs. Industry; Risk-prioritized Gaps and Technical Solutions; Prioritized Roadmap.
SELECT YOUR COMPANY'S UNIQUE RISK PROFILE

For each Potential Vulnerability, users will assign the likelihood of each Risk Event resulting from a Security Scenario, on the scale VL (Very Low), L (Low), H (High), VH (Very High). Once the likelihoods of the Security Scenarios have been assigned, users will assign an impact for each Risk Event.
MEASURING MATURITY BASED ON ACTIVITY

Identify and Manage Risks > Implement Risk Identification > Vulnerability Identification

Columns: Maturity Level | Activity | Audit

Level 5:
- The organization collaborates with relevant partners (e.g., facilities management, system operations staff) to periodically catalog known vulnerabilities.
- Staff have been trained and qualified to perform vulnerability identification activities as planned.
- Relevant managers oversee performance of the vulnerability identification activities.

Level 4:
- Issues related to vulnerability identification are tracked and reported to relevant managers.
- Underlying causes for vulnerabilities are identified (e.g., through root-cause analysis).
- Risks related to the performance of vulnerability identification activities are identified, analyzed, disposed of, monitored, and controlled.
- Vulnerability identification activities are periodically reviewed to ensure they are adhering to the plan.

Level 3:
- Stakeholders for vulnerability management activities have been identified and made aware of their roles.
- A standard set of tools and/or methods is used to identify vulnerabilities.
- Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.

Level 2:
- Approved and diverse vulnerability sources are identified and documented.
- Automated vulnerability scanning tools review all applicable systems on the network (a & b required):
  a. An SCAP-validated vulnerability scanner is used that looks for both code-based vulnerabilities and configuration-based vulnerabilities.
  b. Vulnerability scans are executed on all applicable devices on a weekly or more frequent basis.
- Risk scores compare the effectiveness of system administrators and departments in reducing risk.
- Vulnerability scanning occurs in authenticated mode using a dedicated account with administrative rights (a1 & b OR a2 & b required):
  a1. Vulnerability agents operate locally on each applicable end system to analyze the security configuration.
  a2. Remote scanners have administrative rights on each applicable end system to analyze the security configuration.
  b. A dedicated account is used for authenticated vulnerability scans (not used for any other activities).
- Only authorized employees have access to the vulnerability management user interface, and roles are applied to each user.
- There exists a documented plan for performing vulnerability identification activities.
- Vulnerabilities are categorized and prioritized.
- Specific vulnerabilities that may impact mission-critical personnel, facilities, and resources are identified and catalogued.

Level 1:
- A repository is used for recording information about vulnerabilities and their resolutions.
- Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
- The organization has identified potential logical vulnerabilities that might lead to known risks.
- Tools are in place to periodically identify new/updated vulnerabilities that may impact organizational systems.
- Subscription mechanisms ensure that current vulnerability lists are maintained.

PRACTICE AREA MATURITY LEVEL: 1. OVERALL MATURITY FOR THIS PRACTICE AREA IS L1, AS NOT ALL BOXES WERE CHECKED FOR L2.
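The staircase rule on this slide (a practice area scores the highest level whose boxes, and all lower levels' boxes, are all checked, with composite practices such as "a & b" or "a1 & b OR a2 & b" counting only when one full combination is met) is implemented below as an added example; it is not code from the CMMI Institute or ISACA platform, and the practice names and the checked set are a constructed subset of the slide's Vulnerability Identification list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Practice:
    level: int
    name: str
    # Alternative sets of sub-requirements. A composite practice is checked
    # when every item of at least one alternative is checked; () = plain box.
    alternatives: tuple = ()


# Constructed subset of the slide's Vulnerability Identification practices.
PRACTICES = (
    Practice(1, "repository of vulnerabilities and resolutions"),
    Practice(1, "subscriptions keep vulnerability lists current"),
    Practice(2, "approved and diverse vulnerability sources documented"),
    Practice(2, "automated scanning of all applicable systems",  # a & b
             (("scap-validated scanner", "weekly-or-better scans"),)),
    Practice(2, "authenticated scanning with dedicated account",  # a1&b OR a2&b
             (("local agents", "dedicated scan account"),
              ("remote admin scanners", "dedicated scan account"))),
    Practice(3, "standard tool set used to identify vulnerabilities"),
    Practice(4, "root causes of vulnerabilities identified"),
    Practice(5, "managers oversee vulnerability identification"),
)


def is_checked(practice, checked):
    """Plain practice: its box is in `checked`. Composite: one alternative is complete."""
    if not practice.alternatives:
        return practice.name in checked
    return any(all(i in checked for i in alt) for alt in practice.alternatives)


def practice_area_level(practices, checked):
    """Highest L such that every practice at levels 1..L is checked (staircase rule)."""
    level = 0
    for lvl in range(1, max(p.level for p in practices) + 1):
        if not all(is_checked(p, checked) for p in practices if p.level == lvl):
            break  # a missing box at this level caps the area here
        level = lvl
    return level


def incomplete_practices(practices, checked, target_level):
    """Unchecked practices at or below the risk-based target: the roadmap's gap list."""
    return [p.name for p in practices
            if p.level <= target_level and not is_checked(p, checked)]


# Constructed assessment: every L1 box and most L2 boxes, but weekly scans missing.
CHECKED = {"repository of vulnerabilities and resolutions",
           "subscriptions keep vulnerability lists current",
           "approved and diverse vulnerability sources documented",
           "scap-validated scanner", "local agents", "dedicated scan account"}
```

With CHECKED as constructed the area scores L1, mirroring the slide: the SCAP scanner box alone does not satisfy the "a & b" scanning practice, so L2 is incomplete.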
OUTPUT REPORTS: MEASURED MATURITY VS. RISK-BASED TARGET

Figure: bar chart (maturity scale 0 to 5) of measured maturity against the risk-based target for each capability area, with capability areas sorted by risk:
Implement Risk Identification; Ensure Access Control Management; Establish Data Security Protection; Establish Governance Elements; Establish Business Environment; Govern Cybersecurity Resources; Establish Stakeholder Reporting; Establish Risk Strategy; Establish Business Risk Context; Implement Risk Management; Establish Organizational Training; Establish Secure Application Development; Establish Information Protection Provisions; Establish Protection Planning; Establish Protective Technology Provisions; Establish Cybersecurity Incident Detection; Establish Continuous Monitoring; Establish Detection Processes; Establish Incident Response; Establish Incident Analysis; Mitigate Detected Incidents; Establish Incident Recovery.
THE ROADMAP PRIORITIZES THE HIGHEST RISK PRACTICE AREAS: 296 INCOMPLETE PRACTICES ALIGN TO HIGH RISK PRACTICE AREAS
ENTERPRISE VIEW OF NIST CYBERSECURITY FRAMEWORK ALIGNMENT: THE ENTERPRISE CAN MONITOR THEIR PROGRESS AGAINST THE NIST CYBERSECURITY FRAMEWORK
UNIT VIEW OF NIST CYBERSECURITY FRAMEWORK ALIGNMENT: EACH UNIT CAN MONITOR THEIR PROGRESS AGAINST THE NIST CYBERSECURITY FRAMEWORK (charts shown for Unit 1 and Unit 2)
TRACKING TOOLS KEEP TEAM ON-TRACK
WHAT IS YOUR SITUATION?
- Excel sheets
- Manually intensive
- Too many FTEs
- Lack of reporting
- Too many consultants
- Not enough internal knowledge/expertise
- Not sure what framework or standard
- etc.
BACK-UP
GARTNER GRC VS IRM