Enterprise Cyber Security Strategy Program and Governance

This document outlines a typical implementation of a cyber security strategy within an organization and its management.
© All Rights Reserved

ClientX Enterprise Cyber Security

ClientX Cyber Security Strategy, Program and Governance
ClientX Security Objectives
• Alignment with business
• Compliance with law, regulations and internal process
• Individual and collective responsibility
• Standardization & continuous improvement
• Reputation protection

ClientX Security Benefits
• Better compliance achievement
• Better information management
• Availability of critical business functions
• Better attack protection
• Better risk management
• Efficient incident response
• Best security practices


ClientX Security Value
• Departments: Risk Management, Quality Assurance, SOC, PMO, Admin, HR, Legal, Finance
• Services: Security Services, IT services
ClientX Security Value (framework)
Inputs: Business Requirements, Regulatory Compliance, Legal, Compliance Drivers, Threats
Components:
• Security Strategy
• Security Governance
• Security Program Management
• Resource Dependency Analysis
• Security Organizational Structure
• ISPA
• Audits
• EISA
• Risk assessment & management
• Personnel
• BCP
• CIA Objectives
• Information Security Architecture
• Standards, Guidelines, Processes
• Infrastructure Security Architecture
• Compliance Enforcement
• Security Profile (Current/Target)
• Risk Register
• Security Roadmap
ClientX Organization Structure
• CEO
• Director – HR, Director – IT, Director – Sales, Director – Marketing, Director – Operations, Director – Engineering, Director – Finance, Director – Risks
Information Security Department functions
• CyberSecurity Governance
• Compliance Management
• Risk Management

ClientX Security Strategy (components)
Strategy and architecture
• ClientX Security Strategy
• ClientX Security Policy Architecture
• ClientX Enterprise Security Architecture
• ClientX Infrastructure Security Architecture
• BCP activities
• Security Governance
• Security Continuous Improvement Program
Operations
• Risk management framework
• Risk Management
• Security Monitoring
• Security Testing
• Threat Detection & Monitoring
• Incident Response
• User Security Awareness/Security Training Programs
Compliance
• Compliance Assessment methodology
• Compliance Assurance
• Compliance requirements
ISD Organizational Structure/Working Group
• ISD Head/CIO
• ISMS Implementer (/Information Security Manager)
• Enterprise Security Architect
• Risk Management (/Information Security Manager)
• Incident Management (/Information Security Manager)
• Security Awareness/Security Trainers (/Information Security Manager)
• Vulnerability Management SME
• BCP (/Information Security Manager)
• Compliance Auditor
• IT Security Practitioners
• SOC specialists: Security Monitoring, IR, CTI


CyberSecurity Steering Committee
• Chair: CEO
• Stakeholders: Director – HR, Director – Operations, Director – IT, Director – Engineering, Director – Marketing, Director – Finance, Director – Sales, Director – Risks, CISO/CIO
ISD Inter-Department Relations
The Information Security Dept works with: Enterprise Architecture, IT Dept, QM Dept, HR, Finance, Marketing, Sales, Legal, PMO, Risk
ClientX CyberSecurity Strategy
Strategic goals
• High quality infrastructure and cybersecurity solution delivery
• ClientX infrastructure and information protection
• Timely cybersecurity attack/incident response
• Continuous cybersecurity posture improvement

Strategy pillars and their activities
• Criticality assessment: critical assets; relevant threats; risk assessment; BIA
• Identification: adherence to ClientX enterprise architectural security standards; ensure confidentiality, integrity & availability; due diligence and due care
• Protection: implement risk mitigation methods; ISMS -> ISPA mapping; process/people/technology
• Prevention: ISPA technical controls
• Detection: playbooks to detect attacks; playbooks based on incident behaviour
• Infrastructure Management: configuration management automation; adherence to enterprise security architecture
• Training & Awareness: training for IT admins; awareness for all users
• Security Monitoring: critical component monitoring; prioritize monitoring on alerts
• Incident Response: deploy incident response plan
• Recovery: DR activities
• Improvement programs: known process frameworks/methodologies; governance
CyberSecurity Strategy development phases (under Governance)
• Critical assets identification
• Risk analysis
• Current state with respect to cyber resilience principles
• Cyber resilience assessment/maturity assessment
• Target state identification
• Security strategy roadmap
• CyberSecurity implementation plan
• Strategy review
• Improvement program
ClientX Security Strategy Outline
Overview
• Document security organization structure
• Alignment with business objectives
• Alignment with regulatory requirements

Security Objectives
• Confidentiality objectives
• Integrity objectives
• Availability objectives
• Personnel objectives

Security Strategy
• ISPA
• ClientX Current/Target Security Profile
• ClientX Enterprise Security Architecture
• Risk assessment & management
• Audits
• Compliance Enforcement
• BCP

Security Governance
• ISPA
• Monitoring metrics for ClientX Security Strategy components
• Performance metrics for ClientX
• Security requirements change: compliance, threats, business requirements, strategy components change

Security Program Management
• Planning
• Risk Management
• Education & Awareness
• Ongoing program assessment
• Gap Analysis
Enterprise Security Architecture – a gist
Security Governance
• Identify – Principles
• Authorize – Policies
• Implement – Standards, Guidelines, Procedures
• Enforcement
• Ongoing Assessment

Enterprise Security Architecture
• Security Technology Architecture (Conceptual, Logical, Physical)
• Policy driven
• Identity Management
• Border Protection
• Access Management
• Security Operations
• Asset Management
• Security Administration
• Security Compliance
• Event Management
• Incident Management

Data and Infrastructure Security Design
• Map the ClientX Enterprise Security Architecture to the ClientX Infrastructure Architecture
• Identify standards, guidelines and procedures to ensure compliance with the enterprise security architecture
Build ClientX Security Profile – a gist
Current Profile
• Critical Asset Identification: ClientX asset identification; ClientX asset classification (OCTAVE); prioritizing ClientX assets
• Current State Analysis: identify the current state of the critical assets with respect to the risks identified; create current profile; analyze risks to critical assets

Future State Vision
• Identify and prioritize risks
• Identify future state to ensure effective risk management

Gap Analysis
• Identify the gap between current and future state
• Identify the steps to ensure achievement of the future state from current state

Action Plan
• Create procedures to close the gap between current state and future state
• Perform impact assessment
• Create plan to implement based on effort and impact
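As an added example (not code from the ClientX deck), the current-profile vs target-profile gap analysis and the effort/impact-ranked action plan above, run over a constructed set of controls. The 0..4 maturity scale, the 1..3 asset criticality rating (an OCTAVE-style classification), and the control and asset names are assumptions made for illustration.

```python
"""Gap analysis between the current and target security profile, with an action plan
ranked by impact per unit of effort.

Added example, not part of the ClientX deck. The maturity scale (0..4), the
asset criticality scale (1..3, an OCTAVE-style rating) and the sample controls
and assets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 3 (high), from the asset classification step


@dataclass(frozen=True)
class Control:
    control_id: str
    current: int                # current maturity, 0..4
    target: int                 # target maturity, 0..4
    effort: int                 # estimated implementation effort, 1 (low) .. 5 (high)
    assets: Tuple[Asset, ...]   # critical assets this control protects


@dataclass(frozen=True)
class Gap:
    control_id: str
    gap: int                    # maturity levels still to climb
    impact: int                 # gap weighted by the most critical protected asset
    effort: int

    @property
    def priority(self) -> float:
        return self.impact / self.effort


def find_gaps(controls) -> List[Gap]:
    """Current-state vs target-state comparison; controls already at target produce no gap."""
    gaps = []
    for c in controls:
        if not (0 <= c.current <= 4 and 0 <= c.target <= 4):
            raise ValueError(f"{c.control_id}: maturity must be within 0..4")
        if c.effort < 1 or not c.assets:
            raise ValueError(f"{c.control_id}: effort must be >= 1 and at least one asset is required")
        delta = c.target - c.current
        if delta <= 0:
            continue
        # Impact assessment: a gap on a control guarding a high-criticality asset
        # counts for more than the same gap on a low-criticality one.
        impact = delta * max(a.criticality for a in c.assets)
        gaps.append(Gap(c.control_id, delta, impact, c.effort))
    return gaps


def action_plan(gaps) -> List[Gap]:
    """Order the remediation steps: best impact-per-effort first, larger gap breaks ties,
    control id keeps the order deterministic."""
    return sorted(gaps, key=lambda g: (-g.priority, -g.gap, g.control_id))


def plan_ids(controls) -> List[str]:
    return [g.control_id for g in action_plan(find_gaps(controls))]


# Constructed sample data (assumed names and ratings).
CRM_DB = Asset("crm-database", 3)
INTRANET = Asset("intranet-wiki", 1)
PAYROLL = Asset("payroll-system", 3)

SAMPLE_CONTROLS = (
    Control("ACCESS-MGMT", current=1, target=3, effort=2, assets=(CRM_DB, INTRANET)),
    Control("BACKUP", current=3, target=3, effort=1, assets=(PAYROLL,)),
    Control("MONITORING", current=0, target=3, effort=4, assets=(CRM_DB, PAYROLL)),
    Control("AWARENESS", current=2, target=3, effort=1, assets=(INTRANET,)),
)

if __name__ == "__main__":
    for g in action_plan(find_gaps(SAMPLE_CONTROLS)):
        print(f"{g.control_id:<12} gap={g.gap} impact={g.impact} effort={g.effort} priority={g.priority:.2f}")
```

With the sample data, BACKUP is already at target and drops out; ACCESS-MGMT ranks ahead of MONITORING because its smaller gap costs far less effort, and AWARENESS comes last because it only protects a low-criticality asset.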
BCP
Stages: Risk assessment -> BIA -> Policy & Standards -> Contingency Plan -> Test & Implement -> Continuous improvement
• Risk assessment: identify potential threats
• BIA: identify critical functions, data and processes
• Policy & Standards: create policies and standards for prevention and recovery
• Contingency Plan: identify and create a backup plan for critical processes
• Test & Implement: use checklist and recovery simulation
• Continuous improvement: measure, monitor, update and improve

Incident Management Workflow

Security Program Management
• Security Program Requirements: business requirements, compliance, threats, business opportunities, strategy
• Planning
• Risk management
• Education & Awareness
• Ongoing Program Assessment
• Gap Analysis
Security Program Management (flow)
• Inputs: Security Operations; IT Systems Requirements; Risk assessment; Enterprise Security Architecture; Security Technology Architecture; Security Governance
• Security Profile -> Build Target Profile -> Gap Analysis -> Action Plan -> Implementation
• Ongoing Program Assessment; Education and Awareness
Appendix
CISO Functions
• Cyber Security Working Group – Security Strategy
• Security Policies, Guidelines, Standards, Procedures
• Infrastructure Security Architecture
• Enterprise Security Architecture
• Risk management
• BCP-BIA/DR
• User Awareness/Training Programs
• Incident Management
• Metrics
Security Governance
Security By Design – EISA
• Business Owner
• Business User
• Change
• Security Operations
Policy driven security – conceptual framework
Policy Management Authority (PMA) -> Policy Repository -> Policy Decision Point (PDP, policy engine) -> Policy Enforcement Point (PEP) -> Security Services -> Resources
The PMA authors and publishes policy into the repository; the PDP evaluates each access request against that policy; the PEP intercepts requests to resources and enforces the PDP's decision through the security services.
Policy driven security – conceptual architecture
• Policy Management Authority (PMA): Identity Management; Access Management; Configuration Management; Policy Repository
• Policy Engine: Policy Decision Point (PDP)
• Policy Enforcement Point (PEP)
• Security Services: Access Control Services; Border Protection Services; Detection Services; Content Control Services; Auditing Services; Cryptographic Services
• Resources
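The PMA -> repository -> PDP -> PEP -> resource chain from the conceptual framework and architecture above, as an added example that is not the deck's own code. The attribute-based policy format, the deny-by-default and deny-overrides combining rules, and the sample HR policies and requests are assumptions made for illustration; the PEP also records every decision for the auditing service listed among the security services.

```python
"""Policy-driven access control chain: PMA -> Policy Repository -> PDP -> PEP -> Resource.

Added example, not code from the ClientX deck. The attribute-based policy
format, the deny-overrides combining rule, and the sample policies and
requests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, object]
Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                 # "permit" or "deny"
    action: str                 # e.g. "read", "write"
    resource_prefix: str        # "" matches every resource
    condition: Condition        # attribute check evaluated by the PDP


class PolicyRepository:
    """Store of published policy: written by the PMA, read by the PDP."""

    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def publish(self, policy: Policy) -> None:
        if policy.effect not in ("permit", "deny"):
            raise ValueError(f"{policy.name}: effect must be permit or deny")
        self._policies.append(policy)

    def applicable(self, action: str, resource: str) -> List[Policy]:
        return [p for p in self._policies
                if p.action == action and resource.startswith(p.resource_prefix)]


class PolicyDecisionPoint:
    """Policy engine: evaluates a request against the repository.

    Deny-by-default (no matching policy => deny) and deny-overrides
    (one matching deny beats any number of permits)."""

    def __init__(self, repo: PolicyRepository) -> None:
        self.repo = repo

    def decide(self, request: Request) -> str:
        effects = {p.effect for p in self.repo.applicable(request["action"], request["resource"])
                   if p.condition(request)}
        if "deny" in effects:
            return "deny"
        return "permit" if "permit" in effects else "deny"


class PolicyEnforcementPoint:
    """Fronts the resource: every access is decided by the PDP and recorded for auditing."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit_log: List[Tuple[str, str, str, str]] = []   # in-memory stand-in for the auditing service

    def access(self, request: Request, resource: Callable[[Request], str]) -> str:
        decision = self.pdp.decide(request)
        self.audit_log.append((str(request["subject"]), str(request["action"]),
                               str(request["resource"]), decision))
        if decision != "permit":
            raise PermissionError(f"{request['subject']} may not {request['action']} {request['resource']}")
        return resource(request)


def build_pep() -> PolicyEnforcementPoint:
    """The PMA publishes a small constructed policy set; returns the PEP guarding the resource."""
    repo = PolicyRepository()
    repo.publish(Policy("hr-read", "permit", "read", "hr/", lambda r: "hr" in r["roles"]))
    repo.publish(Policy("hr-write", "permit", "write", "hr/", lambda r: "hr" in r["roles"]))
    repo.publish(Policy("payroll-write-needs-mfa", "deny", "write", "hr/payroll/", lambda r: not r["mfa"]))
    repo.publish(Policy("no-write-off-corp-network", "deny", "write", "", lambda r: r["network"] != "corp"))
    return PolicyEnforcementPoint(PolicyDecisionPoint(repo))


def try_access(pep, subject, roles, action, resource, mfa=False, network="corp") -> Optional[str]:
    """Drive one request through the PEP; None means the access was refused."""
    request: Request = {"subject": subject, "roles": frozenset(roles), "action": action,
                        "resource": resource, "mfa": mfa, "network": network}
    try:
        return pep.access(request, lambda r: f"{r['action']} {r['resource']}: ok")
    except PermissionError:
        return None


if __name__ == "__main__":
    pep = build_pep()
    print(try_access(pep, "alice", {"hr"}, "read", "hr/payroll/2024.csv"))
    print(try_access(pep, "alice", {"hr"}, "write", "hr/payroll/2024.csv"))
    print(try_access(pep, "alice", {"hr"}, "write", "hr/payroll/2024.csv", mfa=True))
    for entry in pep.audit_log:
        print(entry)
```

The split matters operationally: the PMA is the only writer of the repository, the PDP never touches the resource, and the PEP never interprets policy, so a change in policy is a repository publish rather than a code change at each resource. Deny-overrides is what lets the network and MFA restrictions bite even though the HR role has a permit.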
ClientX Security Program
• ClientX Security Strategy: Security Governance; Enterprise Security Architecture; Data and Infrastructure Security Design
• ClientX Current Security Profile: Critical Assets Identification; Current State Analysis; Risk Assessment
• ClientX Target Security Profile: Future State Vision; Gap Analysis; Action Plan; Implementation Governance; Change management
Business IT Architecture Steering Committee (ClientX BIASC)
• Chair: IT Head
• Stakeholders: SOC Head/Representative; IR Head/Representative; TRM Head/Representative; CTI Head/Representative; RM Head/Representative; CISO/CIO; QM Head/Representative; Enterprise Architect/Enterprise Security Architect; Information Security Manager; Specialist function – HR/Legal/PMO/Risk
CISO Functions
• ClientX Security Strategy
• ClientX Security Policy Architecture
• ClientX Enterprise Security Architecture
• ClientX Infrastructure Security Architecture
• ClientX Risk management
• ClientX BCP activities
• ClientX Incident Management
• ClientX User Security Awareness/Security Training Programs
• ClientX Security Governance
• ClientX Security Program
