BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE



WHAT IS YOUR SITUATION?

- Excel spreadsheets
- Manually intensive
- Too many competing priorities
- Lack of effective reporting
- Too many consultants
- Not enough internal knowledge/expertise
- Not sure which framework or standard
- Board/C-Suite not confident (and not familiar)
- etc.

This presentation contains proprietary information and may not be distributed without the express written permission of the CMMI Institute. 2016 CMMI Institute.

OUR APPROACH IS BASED UPON INTERVIEWS WITH HUNDREDS OF ORGANIZATIONS AROUND THE WORLD

ORGANIZATIONS NEED HELP WITH CYBERSECURITY
SITUATION: UNDERSTANDING READINESS, RISK, RESILIENCE

It's a risk-based world, and organizations are insufficiently prepared for cyber threats. There is more talk about tech governance than action.*

- 87% of board directors and C-level execs say they lack confidence in their organization's level of cybersecurity.
- Cybersecurity policies and defenses are the #1 corporate governance technology challenge, yet only 21% of organizational leaders are briefed on risk topics at every senior leadership meeting.
- 53% of organizations believe that malicious attacks are on the rise year over year, but 48% don't feel confident in their team's ability to address complex attacks.

Organizations need help framing the business case, prioritizing resources and spend to improve cyber readiness, and a way to benchmark progress.

2017 ISACA. All Rights Reserved. Data sources: ISACA State of Cyber Security Report 2017; E&Y Report.

FROM COMPLIANCE TO RESILIENCE: COPERNICAN SHIFT

[Diagram: two contrasted models. "Compliance-based risk reduction" (labels: Capabilities; Compliance/Certification) versus "Resilience-driven risk reduction" (labels: Compliance/Certification; Risk-based Capabilities).]

CYBER SECURITY READINESS & RESILIENCE: ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE

[Diagram: Enterprise Security Risk Mgmt supported by three pillars: SecOps, Capability Maturity, Workforce Readiness.]

- SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas: mission priorities & dependencies; threat information; secure and available technology.
- Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.
- Workforce Readiness: 60% of all attacks were carried out by insiders; 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.

CYBER SECURITY ASSESSMENT SOLUTION: BENEFITS AND IMPACT

1. STANDARDIZED MATURITY: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
2. ORGANIZATION-WIDE, RISK-BASED: Defines the organization's risk profile and sets maturity targets.
3. ROADMAP DEVELOPMENT: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
4. COMPLIANCE VIEWS: Provides views into compliance with industry-standard COBIT 5, ISO 27001, NIST CSF, CMMI Threat Kill Chain, etc.

We present our results in layperson's terms: simple graphics to support board communication. Our comprehensive scope leverages leading frameworks, standards and controls.

CMMI CYBER SECURITY CAPABILITY ASSESSMENT SUPPORTS THE LEADING INDUSTRY STANDARDS

DYNAMIC CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK
   Capability areas: ESTABLISH GOVERNANCE; GOVERN CYBERSECURITY RESOURCES; ESTABLISH STAKEHOLDER REPORTING
   Practices: Apply Information Security Management Policy Process; Apply Governance System; Direct Governance System; Monitor Governance System; Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs; Apply Stakeholder Reporting Requirements; Direct Stakeholder Communication and Reporting; Monitor Stakeholder Communication

2. ESTABLISH RISK MANAGEMENT
   Capability areas: ESTABLISH RISK STRATEGY; ESTABLISH BUSINESS RISK CONTEXT; IMPLEMENT RISK MANAGEMENT
   Practices: Apply Risk Management Strategy; Apply Risk Management; Define Organizational Risk Tolerance; Determine Strategic Risk Objectives; Determine Mission Dependencies; Determine Legal / Regulatory Requirements; Determine Critical Infrastructure Requirements; Manage External Participation; Apply Organization Risk Mgmt. Process; Integrate Risk Mgmt. Program

3. IDENTIFY AND MANAGE RISKS
   Capability areas: IMPLEMENT RISK IDENTIFICATION; ENSURE ACCESS CONTROL MANAGEMENT; ESTABLISH ORGANIZATIONAL TRAINING; ESTABLISH DATA SECURITY PROTECTION
   Practices: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Identification of Roles & Responsibilities; Manage Asset Lifecycle; Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation; Manage Communication Protections; General User Training; Role-based User Training; 3rd Party Training; Safeguard Data at Rest; Safeguard Data in Transit; Information Classification Considerations; Capacity Planning; Integrity and Data Leak Prevention

4. ENSURE RISK MITIGATION
   Capability areas: ESTABLISH SECURE APPLICATION DEVELOPMENT; ESTABLISH INFORMATION PROTECTION PROVISIONS; ESTABLISH PROTECTION PLANNING; ESTABLISH PROTECTIVE TECHNOLOGY PROVISIONS
   Practices: Secure Application Development; Secure Development Testing; Safeguard Development Environment; Apply Configuration Baselines; Apply Change Control; Manage Software Update/Release Processes; Apply Information Sharing; Develop and Maintain Response Plans; Develop and Maintain Recovery Plans; Apply Logging and Audit Processes; Manage System Engineering Process; Apply Backup Processes; Apply Maintenance Processes; Apply Mobile Device Management; Apply Personnel Security; Apply Vulnerability Mgmt. (Patch) Process; Apply Retention and Destruction Measures; Apply Media Protections; Safeguard Operational Environment

5. ENSURE RISK DETECTION
   Capability areas: ESTABLISH CYBERSECURITY INCIDENT DETECTION; ESTABLISH CONTINUOUS MONITORING; ESTABLISH DETECTION PROCESSES
   Practices: Apply Network Baselines; Aggregate / Correlate Data; Determine Impacts; Alert Thresholds; Monitor Networks; Monitor Physical; Monitor Personnel; Monitor 3rd Parties; Detect Malicious Code; Detect Mobile Code and Browser Protection; Apply Security Assessment; Test Detection Processes

6. ENSURE RISK RESPONSE
   Capability areas: ESTABLISH INCIDENT RESPONSE; ESTABLISH INCIDENT ANALYSIS; MITIGATE DETECTED INCIDENTS
   Practices: Execute Response Plan; Response Roles & Responsibilities; Incident Reporting; Implement Incident Investigation Processes; Implement Forensics Capability; Apply Response Categorization; Ensure Incident Containment; Ensure Incident Mitigation; Ensure Information Sharing

7. ENSURE RESILIENCE
   Capability area: ESTABLISH INCIDENT RECOVERY
   Practices: Execute Recovery Plan; Recovery Communications

CYBERMATURITY PLATFORM WORKFLOW PROCESS

- CISO: Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are defined. Outputs: RISK PROFILE; RISK-BASED MATURITY TARGETS.
- Board: Define organizational priorities; approve roadmap.
- Operations level: Select practices to determine practice-area-level maturity (ISO / CSF / COBIT; THREAT VIEW). Outputs: MEASURED MATURITY VS. RISK-BASED TARGETS; MEASURED MATURITY VS. INDUSTRY.
- CISO: Develop the risk mitigation roadmap from RISK-PRIORITIZED GAPS AND TECHNICAL SOLUTIONS and MEASURED MATURITY VS. INDUSTRY. Output: PRIORITIZED ROADMAP.

SELECT YOUR COMPANY'S UNIQUE RISK PROFILE

For each potential vulnerability, users assign the likelihood of each risk event resulting from a security scenario. Likelihood scale: VL (Very Low), L (Low), H (High), VH (Very High). Once the likelihoods of security scenarios have been assigned, users assign an impact for each risk event.

MEASURING MATURITY BASED ON ACTIVITY
IDENTIFY AND MANAGE RISKS > IMPLEMENT RISK IDENTIFICATION > VULNERABILITY IDENTIFICATION

MATURITY LEVEL | ACTIVITY (each activity has an audit checkbox)
5 | The organization collaborates with relevant partners (e.g., facilities management, system operations staff) to periodically catalog known vulnerabilities.
5 | Staff have been trained and qualified to perform vulnerability identification activities as planned.
5 | Relevant managers oversee performance of the vulnerability identification activities.
4 | Issues related to vulnerability identification are tracked and reported to relevant managers.
4 | Underlying causes for vulnerabilities are identified (e.g., through root-cause analysis).
4 | Risks related to the performance of vulnerability identification activities are identified, analyzed, disposed of, monitored, and controlled.
4 | Vulnerability identification activities are periodically reviewed to ensure they are adhering to the plan.
3 | Stakeholders for vulnerability management activities have been identified and made aware of their roles.
3 | A standard set of tools and/or methods is used to identify vulnerabilities.
3 | Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
2 | Approved and diverse vulnerability sources are identified and documented.
2 | Automated vulnerability scanning tools review all applicable systems on the network (a & b required):
    a. An SCAP-validated vulnerability scanner is used that looks for both code-based vulnerabilities and configuration-based vulnerabilities.
    b. Vulnerability scans are executed on all applicable devices on a weekly or more frequent basis.
2 | Risk scores compare the effectiveness of system administrators and departments in reducing risk.
2 | Vulnerability scanning occurs in authenticated mode using a dedicated account with administrative rights (a1 & b OR a2 & b required):
    a1. Vulnerability agents operate locally on each applicable end system to analyze the security configuration.
    a2. Remote scanners have administrative rights on each applicable end system to analyze the security configuration.
    b. A dedicated account is used for authenticated vulnerability scans (not used for any other activities).
2 | Only authorized employees have access to the vulnerability management user interface, and roles are applied to each user.
2 | There exists a documented plan for performing vulnerability identification activities.
2 | Vulnerabilities are categorized and prioritized.
2 | Specific vulnerabilities that may impact mission-critical personnel, facilities, and resources are identified and catalogued.
1 | A repository is used for recording information about vulnerabilities and their resolutions.
1 | Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
1 | The organization has identified potential logical vulnerabilities that might lead to known risks.
1 | Tools are in place to periodically identify new/updated vulnerabilities that may impact organizational systems.
1 | Subscription mechanisms ensure that current vulnerability lists are maintained.

PRACTICE AREA MATURITY LEVEL: 1. Overall maturity for this practice area is L1, as not all boxes were checked for L2.

OUTPUT REPORTS: MEASURED MATURITY VS. RISK-BASED TARGET

[Bar chart: for each capability area, measured maturity plotted against its risk-based target on a 0-5 scale; capability areas sorted by risk.]

Capability areas, sorted by risk: IMPLEMENT RISK IDENTIFICATION; ENSURE ACCESS CONTROL MANAGEMENT; ESTABLISH DATA SECURITY PROTECTION; ESTABLISH GOVERNANCE ELEMENTS; ESTABLISH BUSINESS ENVIRONMENT; GOVERN CYBERSECURITY RESOURCES; ESTABLISH STAKEHOLDER REPORTING; ESTABLISH RISK STRATEGY; ESTABLISH BUSINESS RISK CONTEXT; IMPLEMENT RISK MANAGEMENT; ESTABLISH ORGANIZATIONAL TRAINING; ESTABLISH SECURE APPLICATION DEVELOPMENT; ESTABLISH INFORMATION PROTECTION PROVISIONS; ESTABLISH PROTECTION PLANNING; ESTABLISH PROTECTIVE TECHNOLOGY PROVISIONS; ESTABLISH CYBERSECURITY INCIDENT DETECTION; ESTABLISH CONTINUOUS MONITORING; ESTABLISH DETECTION PROCESSES; ESTABLISH INCIDENT RESPONSE; ESTABLISH INCIDENT ANALYSIS; MITIGATE DETECTED INCIDENTS; ESTABLISH INCIDENT RECOVERY
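The staged scoring rule on the "Measuring maturity based on activity" slide (a practice area reaches a level only when every box at that level and all lower levels is checked, with composite "(a & b required)" and "(a1 & b OR a2 & b required)" boxes) and the risk-sorted gap view of the output-reports slide, carried through as an added Python example. This is not ISACA's or the CMMI Institute's code: the practice texts are constructed and abridged from the slide, the risk ranks, targets and the second and third capability areas are invented sample data, and the tie-break between areas of equal risk rank is an assumption.

```python
"""Staged maturity scoring for a practice area and risk-ordered gap reporting.
Added example; not ISACA or CMMI Institute tooling. Practice texts are constructed
and abridged from the VULNERABILITY IDENTIFICATION slide."""
from dataclasses import dataclass, field


@dataclass
class Practice:
    level: int                 # maturity level the activity belongs to (1..5)
    text: str
    checked: bool = False      # audit box for a practice without sub-requirements
    # Each alternative is a set of sub-requirement ids; the practice counts as
    # implemented when every id of at least one alternative is checked.
    alternatives: list = field(default_factory=list)
    sub_checked: set = field(default_factory=set)

    def implemented(self) -> bool:
        if not self.alternatives:
            return self.checked
        return any(alt <= self.sub_checked for alt in self.alternatives)


def practice_area_maturity(practices) -> int:
    """Staged rule from the slide: level N is reached only when every practice at
    levels 1..N is implemented; the first level with an unchecked box stops the climb."""
    achieved = 0
    for level in sorted({p.level for p in practices}):
        if all(p.implemented() for p in practices if p.level == level):
            achieved = level
        else:
            break
    return achieved


def next_level_gaps(practices):
    """Unimplemented practices at the level just above the achieved one."""
    nxt = practice_area_maturity(practices) + 1
    return [p.text for p in practices if p.level == nxt and not p.implemented()]


@dataclass
class CapabilityArea:
    name: str
    risk_rank: int      # 1 = highest risk in the organization's risk profile (constructed)
    target: int         # risk-based maturity target (constructed)
    practices: list


def prioritized_gaps(areas):
    """Roadmap input: areas below target, highest risk first, larger gap first on ties.
    The tie-break is an assumption; the slides only say the roadmap prioritizes the
    highest-risk practice areas and reports measured maturity vs. target."""
    rows = []
    for a in areas:
        measured = practice_area_maturity(a.practices)
        if measured < a.target:
            rows.append((a.risk_rank, measured - a.target, a.name, measured, a.target))
    return [(name, m, t) for _, _, name, m, t in sorted(rows)]


def vulnerability_identification_area():
    """Constructed sample: all L1 boxes checked, one L2 box left unchecked."""
    return [
        Practice(1, "A repository records vulnerabilities and their resolutions.", checked=True),
        Practice(1, "Tools periodically identify new/updated vulnerabilities.", checked=True),
        Practice(1, "Subscription mechanisms keep current vulnerability lists.", checked=True),
        Practice(2, "Approved and diverse vulnerability sources are documented.", checked=True),
        Practice(2, "Automated scanning tools review all applicable systems (a & b required).",
                 alternatives=[{"a", "b"}], sub_checked={"a", "b"}),
        Practice(2, "Scanning occurs in authenticated mode (a1 & b OR a2 & b required).",
                 alternatives=[{"a1", "b"}, {"a2", "b"}], sub_checked={"a2", "b"}),
        Practice(2, "Vulnerabilities are categorized and prioritized."),  # the unchecked box
        Practice(3, "A standard set of tools and/or methods is used to identify vulnerabilities.",
                 checked=True),
    ]


def sample_enterprise():
    """Constructed capability areas with invented risk ranks and targets."""
    access = [Practice(1, "Identities and credentials are managed.", checked=True),
              Practice(2, "Access permissions are reviewed.", checked=True)]
    training = [Practice(1, "General user training delivered.", checked=True),
                Practice(2, "Role-based training delivered.")]
    return [
        CapabilityArea("IMPLEMENT RISK IDENTIFICATION", 1, 3, vulnerability_identification_area()),
        CapabilityArea("ENSURE ACCESS CONTROL MANAGEMENT", 2, 2, access),
        CapabilityArea("ESTABLISH ORGANIZATIONAL TRAINING", 3, 3, training),
    ]


if __name__ == "__main__":
    area = vulnerability_identification_area()
    print("Practice area maturity: L%d" % practice_area_maturity(area))
    print("Boxes to check for the next level:", next_level_gaps(area))
    for name, measured, target in prioritized_gaps(sample_enterprise()):
        print(f"{name}: measured L{measured} vs target L{target}")
```

Running the block reproduces the slide's verdict (L1, because one L2 box is unchecked) and lists that box as the roadmap item for the area; checking it lifts the area to L3 in this abridged sample, while unchecking the "b" sub-requirement of a composite box drops it back to L1, which is the behaviour a reviewer should expect from a staged model.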

THE ROADMAP PRIORITIZES THE HIGHEST-RISK PRACTICE AREAS: 296 incomplete practices align to high-risk practice areas.

ENTERPRISE VIEW OF NIST CYBERSECURITY FRAMEWORK ALIGNMENT: the enterprise can monitor its progress against the NIST Cybersecurity Framework.

UNIT VIEW OF NIST CYBERSECURITY FRAMEWORK ALIGNMENT: each unit can monitor its progress against the NIST Cybersecurity Framework.

[Chart: per-unit alignment views, labelled Unit 1 and Unit 2.]

TRACKING TOOLS KEEP TEAM ON-TRACK

WHAT IS YOUR SITUATION?

- Excel sheets
- Manually intensive
- Too many FTEs
- Lack of reporting
- Too many consultants
- Not enough internal knowledge/expertise
- Not sure what framework or standard
- etc.

BACK-UP


GARTNER GRC VS IRM