Building Cybersecurity Capability, Maturity, Resilience

CMMI

Uploaded by

ra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
159 views18 pages

Building Cybersecurity Capability, Maturity, Resilience

CMMI

Uploaded by

ra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
CYBER SECURITY READINESS & RESILIENCE
ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE

Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.

SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas:
• Mission priorities & dependencies
• Threat information
• Secure and available technology

Workforce Readiness: 60% of all attacks were carried out by insiders. 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.

[Figure: three pillars, SecOps, Capability Maturity and Workforce Readiness, surrounding Enterprise Security Risk Mgmt.]

12/13/2017 © 2017 ISACA. All Rights Reserved.


FROM COMPLIANCE TO RESILIENCE
“COPERNICAN SHIFT”

[Figure: two orbit diagrams. Compliance-based risk reduction: compliance / certification sits at the centre with capabilities arranged around it. Resilience-driven risk reduction: risk-based capabilities sit at the centre with compliance / certification arranged around them.]


Cyber Security Assessment Solution
BENEFITS AND IMPACT

WE PRESENT OUR RESULTS IN LAYPERSON’S TERMS: simple graphics to support board communication.
OUR COMPREHENSIVE SCOPE leverages leading frameworks, standards and controls.

STANDARDIZED MATURITY: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
ORGANIZATION-WIDE, RISK-BASED: Defines the organization’s risk profile and sets maturity targets.
ROADMAP DEVELOPMENT: Provides risk-based prioritization of capabilities and maturity to support roadmap development and investment options.
COMPLIANCE VIEWS: Provides views into gaps in compliance with industry-standard COBIT 5, ISO27001, NIST CSF, CMMI Threat Kill Chain, etc.

CMMI CYBER SECURITY CAPABILITY ASSESSMENT
SUPPORTS THE LEADING INDUSTRY STANDARDS
COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK

ESTABLISH GOVERNANCE: Establish Information Security Management Policy Process; Establish Governance System; Direct Governance System; Monitor Governance System
EST. BUSINESS ENVIRONMENT: Identify Supply Chain Role; Identify Critical Infrastructure Participation; Identify Organizational Priorities; Identify Critical Dependencies
GOVERN CYBERSECURITY RESOURCES: Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs
ESTABLISH STAKEHOLDER REPORTING: Establish Stakeholder Reporting Requirements; Direct stakeholder communication and reporting; Monitor stakeholder communication

2. ESTABLISH RISK MANAGEMENT

ESTABLISH RISK STRATEGY: Establish Risk Management Strategy; Establish Risk Mgmt. Responsibilities; Define Organizational Risk Tolerance
ESTABLISH BUSINESS RISK CONTEXT: Determine Mission Dependencies; Determine Legal / Regulatory Requirements; Determine Strategic Risk Objectives; Determine Critical Infrastructure
IMPLEMENT RISK MANAGEMENT: Establish Organization Risk Mgmt. Process; Integrate Risk Mgmt. Program; Manage External Participation

3. IDENTIFY AND MANAGE RISKS

IMPLEMENT RISK IDENTIFICATION: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Identification of Roles & Responsibilities; Information Classification
ENSURE ACCESS CONTROL MANAGEMENT: Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation; Manage Communication Considerations
ESTABLISH ORGANIZATIONAL TRAINING: General User Training; Privileged User Training; 3rd Party Training; Senior Leader Training; Physical Security Training
ESTABLISH DATA SECURITY PROTECTION: Safeguard Data at Rest; Safeguard Data in Transit; Manage Asset Lifecycle; Capacity Planning; Integrity and Data Leak Prevention Protections

4. ENSURE RISK MITIGATION

ESTABLISH SECURE APPLICATION DEVELOPMENT: Secure Application Development; Manage System Engineering Process; Safeguard Development Environment; Manage Software Update/Release Processes
ESTABLISH INFORMATION PROTECTION PROVISIONS: Establish Configuration Baselines; Establish Change Control; Establish Backup Processes; Establish Maintenance Processes
ESTABLISH PROTECTION PLANNING: Establish Information Sharing; Develop and Maintain Response / Recovery Plans; Integrate HR Security Components; Establish Vulnerability Mgmt. (Patch) Process
ESTABLISH PROTECTIVE TECHNOLOGY PROVISIONS: Establish Audit Processes; Safeguard Removable Media; Safeguard Operational Environment; Establish Mobile Device Management

5. ENSURE RISK DETECTION

ESTABLISH CYBERSECURITY INCIDENT DETECTION: Establish Network Baselines; Aggregate / Correlate Data; Determine Impacts; Alert Thresholds; Est. Security Review Processes
ESTABLISH CONTINUOUS MONITORING: Monitor Networks; Monitor Physical; Monitor Personnel; Monitor 3rd Parties
ESTABLISH DETECTION PROCESSES: Establish Detection Roles; Detect Malicious Code; Detect Mobile Code and Browser Protection; Implement Vulnerability Scanning; Test Detection Processes

6. ENSURE RISK RESPONSE

ESTABLISH INCIDENT RESPONSE: Execute Response Plan; Response Roles & Resp.; Incident Reporting; Ensure Information Sharing; Establish Response Categorization
ESTABLISH INCIDENT ANALYSIS: Implement Investigation Processes; Analyze Risk Events; Implement Forensics Capability
MITIGATE DETECTED INCIDENTS: Ensure Incident Containment; Ensure Incident Mitigation

7. ENSURE RESILIENCE

ESTABLISH INCIDENT RECOVERY: Execute Recovery Plan; Recovery Communications
CYBERSECURITY MATURITY ASSESSMENT WORKFLOW PROCESS

[Figure: assessment workflow]
CISO: Define the scope of the assessment and the organization’s risk profile; risk-based maturity targets are defined. Inputs: Risk Profile, Risk-Based Maturity Targets.
Board: Define organizational priorities; approve roadmap.
Operations area: Select practices to determine practice-level maturity.
Outputs: ISO / CSF / COBIT / Threat View; Measured Maturity vs. Risk-Based Targets; Measured Maturity vs. Industry; Risk-Prioritized Gaps and Technical Solutions.
CISO: Develop risk mitigation roadmap. Outputs: Measured Maturity vs. Industry; Prioritized Roadmap.
SELECT YOUR COMPANY’S UNIQUE RISK PROFILE

For each Potential Vulnerability, users will assign the likelihood of each Risk Event resulting from a Security Scenario, using the scale:
VL: VERY LOW
L: LOW
H: HIGH
VH: VERY HIGH

Once the likelihood of each Security Scenario has been assigned, users will assign an impact for each Risk Event.


RISK PROFILE DEFINES THE MATURITY TARGETS

[Figure: horizontal bar chart on a 0 to 5 scale showing the Risk-Based Target and the Industry Target for each capability area, capability areas sorted by risk.]

CAPABILITY AREA (sorted by risk):
IMPLEMENT RISK IDENTIFICATION
ENSURE ACCESS CONTROL MANAGEMENT
ESTABLISH DATA SECURITY PROTECTION
ESTABLISH GOVERNANCE ELEMENTS
ESTABLISH BUSINESS ENVIRONMENT
GOVERN CYBERSECURITY RESOURCES
ESTABLISH STAKEHOLDER REPORTING
ESTABLISH RISK STRATEGY
ESTABLISH BUSINESS RISK CONTEXT
IMPLEMENT RISK MANAGEMENT
ESTABLISH ORGANIZATIONAL TRAINING
ESTABLISH SECURE APPLICATION DEVELOPMENT
ESTABLISH INFORMATION PROTECTION PROVISIONS
ESTABLISH PROTECTION PLANNING
ESTABLISH PROTECTIVE TECHNOLOGY PROVISIONS
ESTABLISH CYBERSECURITY INCIDENT DETECTION
ESTABLISH CONTINUOUS MONITORING
ESTABLISH DETECTION PROCESSES
ESTABLISH INCIDENT RESPONSE
ESTABLISH INCIDENT ANALYSIS
MITIGATE DETECTED INCIDENTS
ESTABLISH INCIDENT RECOVERY

Risk Profile establishes initial target maturity by capability area.
Maturity targets can be compared to industry benchmarks for maturity.
STANDARDIZED DEFINITIONS OF MATURITY
PEOPLE, PROCESS, TECHNOLOGY

LEVEL 1: PERFORMED
People: General personnel capabilities may be performed by an individual, but are not well defined.
Process: General process capabilities may be performed by an individual, but are not well defined.
Technology: General technical mechanisms are in place and may be used by an individual.

LEVEL 2: MANAGED
People: Personnel capabilities achieved consistently within subsets of the organization, but inconsistent across the entire organization.
Process: Adequate procedures documented within a subset of the organization.
Technology: Technical mechanisms are formally identified and defined by a subset of the organization; technical requirements in place.

LEVEL 3: DEFINED
People: Roles and responsibilities are identified, assigned, and trained across the organization.
Process: Organizational policies and procedures are defined and standardized. Policies and procedures support the organizational strategy.
Technology: Purpose and intent is defined (right technology, adequately deployed); proper technology is implemented in each subset of the organization.

LEVEL 4: QUANTITATIVELY MANAGED
People: Achievement and performance of personnel practices are predicted, measured, and evaluated.
Process: Policy compliance is measured and enforced. Procedures are monitored for effectiveness.
Technology: Effectiveness of technical mechanisms is predicted, measured, and evaluated.

LEVEL 5: OPTIMIZED
People: Proactive performance improvement and resourcing based on organizational changes and lessons learned (internal & external).
Process: Policies and procedures are updated based on organizational changes, and lessons learned (internal & external) are captured.
Technology: Technical mechanisms are proactively improved based on organizational changes and lessons learned (internal & external).


MEASURING MATURITY BASED ON ACTIVITY
IDENTIFY AND MANAGE RISKS > IMPLEMENT RISK IDENTIFICATION > VULNERABILITY IDENTIFICATION

Each activity is listed with its maturity level; the audit column records whether the box was checked.

Level 5: The organization collaborates with relevant partners (e.g., facilities management, system operations staff) to periodically catalog known vulnerabilities.
Level 5: Staff have been trained and qualified to perform vulnerability identification activities as planned.
Level 5: Relevant managers oversee performance of the vulnerability identification activities.
Level 4: Issues related to vulnerability identification are tracked and reported to relevant managers.
Level 4: Underlying causes for vulnerabilities are identified (e.g., through root-cause analysis).
Level 4: Risks related to the performance of vulnerability identification activities are identified, analyzed, disposed of, monitored, and controlled.
Level 4: Vulnerability identification activities are periodically reviewed to ensure they are adhering to the plan.
Level 3: Stakeholders for vulnerability management activities have been identified and made aware of their roles.
Level 3: A standard set of tools and/or methods is used to identify vulnerabilities.
Level 3: Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
Level 2: Approved and diverse vulnerability sources are identified and documented.
Level 2: Automated vulnerability scanning tools review all applicable systems on the network (a & b required):
  a. An SCAP-validated vulnerability scanner is used that looks for both code-based vulnerabilities and configuration-based vulnerabilities.
  b. Vulnerability scans are executed on all applicable devices on a weekly or more frequent basis.
Level 2: Risk scores compare the effectiveness of system administrators and departments in reducing risk.
Level 2: Vulnerability scanning occurs in authenticated mode using a dedicated account with administrative rights ((a1 OR a2) & b required):
  a1. Vulnerability agents operate locally on each applicable end system to analyze the security configuration.
  a2. Remote scanners have administrative rights on each applicable end system to analyze the security configuration.
  b. A dedicated account is used for authenticated vulnerability scans (not used for any other activities).
Level 2: Only authorized employees have access to the vulnerability management user interface, and roles are applied to each user.
Level 2: There exists a documented plan for performing vulnerability identification activities.
Level 2: Vulnerabilities are categorized and prioritized.
Level 2: Specific vulnerabilities that may impact mission-critical personnel, facilities, and resources are identified and catalogued.
Level 1: A repository is used for recording information about vulnerabilities and their resolutions.
Level 1: Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
Level 1: The organization has identified potential logical vulnerabilities that might lead to known risks.
Level 1: Tools are in place to periodically identify new/updated vulnerabilities that may impact organizational systems.
Level 1: Subscription mechanisms ensure that current vulnerability lists are maintained.

PRACTICE AREA MATURITY: LEVEL 1. Overall maturity for this practice area is L1, as not all boxes were checked for L2.
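The scoring rule on this slide (a practice area earns a level only when every box at that level and every lower level is checked, so one unchecked L2 box leaves the area at L1) is simple enough to encode, and encoding it makes the resulting gap list the direct input to the roadmap step. The following is an added example written for this page, not ISACA or CMMI assessment tooling. The activity wording is abbreviated from the slide; the checked/unchecked states and the risk-based target level are constructed for illustration.

```python
"""Measured maturity for one practice area, following the slide's rule that
a level is achieved only when every activity box at that level, and at every
lower level, is checked. Added example; not ISACA/CMMI tooling. Activity
texts are abbreviated from the Vulnerability Identification slide, and the
checkbox states and target level are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    level: int   # maturity level the activity belongs to (1..5)
    text: str    # abbreviated activity wording
    done: bool   # assessor's checkbox (constructed for this example)


def automated_scan_done(scap_validated: bool, weekly_or_better: bool) -> bool:
    """Slide rule for the L2 automated-scanning activity: a AND b required."""
    return scap_validated and weekly_or_better


def authenticated_scan_done(agents_local: bool, remote_admin: bool,
                            dedicated_account: bool) -> bool:
    """Slide rule for the L2 authenticated-scanning activity:
    (a1 OR a2) AND b required."""
    return (agents_local or remote_admin) and dedicated_account


# Constructed assessment: every L1 box checked, two L2 boxes unchecked,
# which per the slide's rule leaves the practice area at L1.
VULN_ID_ACTIVITIES = [
    Activity(1, "Repository records vulnerabilities and resolutions", True),
    Activity(1, "Tools identify platform types affected by known vulns", True),
    Activity(1, "Potential logical vulnerabilities identified", True),
    Activity(1, "Tools periodically identify new/updated vulnerabilities", True),
    Activity(1, "Subscription mechanisms keep vulnerability lists current", True),
    Activity(2, "Approved, diverse vulnerability sources documented", True),
    Activity(2, "Automated scanning of all applicable systems (a & b)",
             automated_scan_done(scap_validated=True, weekly_or_better=False)),
    Activity(2, "Risk scores compare admins and departments", False),
    Activity(2, "Authenticated scanning with dedicated account ((a1|a2) & b)",
             authenticated_scan_done(False, True, True)),
    Activity(2, "Only authorized users access the vuln mgmt UI, roles applied", True),
    Activity(2, "Documented plan for vulnerability identification", True),
    Activity(2, "Vulnerabilities categorized and prioritized", True),
    Activity(2, "Mission-critical vulnerabilities catalogued", True),
    Activity(3, "Stakeholders identified and aware of their roles", True),
    Activity(3, "Standard set of tools / methods used", True),
    Activity(3, "Tools identify affected platform types", True),
    Activity(4, "Issues tracked and reported to managers", False),
    Activity(4, "Root causes of vulnerabilities identified", True),
    Activity(4, "Risks to the activity itself managed", False),
    Activity(4, "Activities periodically reviewed against the plan", True),
    Activity(5, "Collaboration with partners to catalog vulnerabilities", False),
    Activity(5, "Staff trained and qualified", True),
    Activity(5, "Managers oversee performance", True),
]


def measured_maturity(activities) -> int:
    """Highest level L such that every box at levels 1..L is checked.
    Returns 0 when any L1 box is unchecked; a level with no activities
    cannot be claimed, so the walk stops there too."""
    top = max(a.level for a in activities)
    achieved = 0
    for lvl in range(1, top + 1):
        at_level = [a for a in activities if a.level == lvl]
        if not at_level or not all(a.done for a in at_level):
            break
        achieved = lvl
    return achieved


def gap_activities(activities, target: int):
    """Unchecked activities at or below the risk-based target level, lowest
    level first: the items a roadmap must close to reach the target."""
    return sorted((a for a in activities if a.level <= target and not a.done),
                  key=lambda a: a.level)


if __name__ == "__main__":
    target = 3  # assumed risk-based target for this practice area
    measured = measured_maturity(VULN_ID_ACTIVITIES)
    print(f"measured maturity: L{measured}, risk-based target: L{target}")
    for a in gap_activities(VULN_ID_ACTIVITIES, target):
        print(f"  L{a.level} gap: {a.text}")
```

Two design points follow from the slide. First, compound activities such as "(a1 OR a2) & b required" are evaluated into a single checkbox before scoring, so the level rule stays uniform. Second, the gap list is filtered by the risk-based target rather than by the highest level on the sheet: a practice area with an L3 target does not generate L4 and L5 work items, which is what keeps the roadmap risk-prioritized.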
OUTPUT REPORTS
MEASURED MATURITY VS. RISK-BASED TARGET

[Figure: horizontal bar chart on a 0 to 5 scale showing Measured Maturity against the Risk-Based Target for each capability area, capability areas sorted by risk (same capability areas as the risk-profile chart).]
OUTPUT REPORTS (BENCHMARKS)
MEASURED MATURITY VS. INDUSTRY MATURITY

[Figure: horizontal bar chart on a 0 to 5 scale showing Measured Maturity against Industry Maturity for each capability area, capability areas sorted by risk (same capability areas as the risk-profile chart).]
ROADMAP DEVELOPMENT
SPECIFIC PRACTICES AND NIST CYBERSECURITY ALIGNMENT BY PRACTICE AREA
FILTERED RESULTS, PRIORITIZED FIRST BY RISK

Cybersecurity Framework | Measured | Risk-Based Target | Selected Maturity Level 4
PR.IP: Information Protection Processes and Procedures
PR.IP-2: A System Development Life Cycle to manage systems is implemented | 16 | 25 | 37
PR.AT: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-2: Privileged users understand roles & responsibilities | 1 | 2 | 4
PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-7: The development and testing environment(s) are separate from the production environment | 1 | 1 | 3

PRACTICES:
• Users are formally assigned roles and responsibilities aligned to their work role.
• Staff with supply chain risk management responsibilities are trained on the objectives of the supply chain risk management program.
TRACKING TOOLS KEEP TEAM ON-TRACK

CYBER SECURITY READINESS & RESILIENCE
ASSESS THE RISKS, SCALE THE CAPABILITIES

[Figure: the SecOps, Capability Maturity and Workforce Readiness pillars surrounding Enterprise Security Risk Mgmt, repeated from the opening slide.]


QUESTION-FEEDBACK SUMMARY
