BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE


CYBER SECURITY READINESS & RESILIENCE ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE

SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas:
- Mission priorities & dependencies
- Threat information
- Secure and available technology

SECOPS

ENTERPRISE SECURITY RISK MGMT

Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience

CAPABILITY MATURITY


12/13/2017

© 2017 ISACA. All Rights Reserved.

WORKFORCE READINESS

Workforce Readiness: 60% of all attacks were carried out by insiders. 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.

FROM COMPLIANCE TO RESILIENCE

"COPERNICAN SHIFT"

CAPABILITIES

COMPLIANCE / CERTIFICATION

COMPLIANCE-BASED RISK REDUCTION


RISK-BASED CAPABILITIES

RESILIENCE-DRIVEN RISK REDUCTION

Cyber Security Assessment Solution

BENEFITS AND IMPACT

STANDARDIZED MATURITY: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.

ORGANIZATION-WIDE, RISK-BASED: Defines the organization's risk profile and sets maturity targets.

ROADMAP DEVELOPMENT: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.

COMPLIANCE VIEWS: Provides views into compliance with industry-standard COBIT 5, ISO 27001, NIST CSF, CMMI Threat Kill Chain, etc.

WE PRESENT OUR RESULTS IN LAYPERSON'S TERMS

SIMPLE GRAPHICS TO SUPPORT BOARD COMMUNICATION

OUR COMPREHENSIVE SCOPE LEVERAGES LEADING FRAMEWORKS, STANDARDS AND CONTROLS

CMMI CYBER SECURITY CAPABILITY ASSESSMENT SUPPORTS THE LEADING INDUSTRY STANDARDS

COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK

ESTABLISH GOVERNANCE: Establish Information Security Management Policy Process; Establish Governance System; Direct Governance System; Monitor Governance System

EST. BUSINESS ENVIRONMENT: Identify Supply Chain Role; Identify Critical Infrastructure Participation; Identify Organizational Priorities; Identify Critical Dependencies

GOVERN CYBERSECURITY RESOURCES: Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs

ESTABLISH STAKEHOLDER REPORTING: Establish Stakeholder Reporting Requirements; Direct Stakeholder Communication and Reporting; Monitor Stakeholder Communication

2. ESTABLISH RISK MANAGEMENT

ESTABLISH RISK STRATEGY: Establish Risk Management Strategy; Define Organizational Risk Tolerance

ESTABLISH BUSINESS RISK CONTEXT: Establish Risk Management; Determine Critical Infrastructure; Determine Mission Dependencies; Determine Legal / Regulatory Requirements; Determine Strategic Risk Objectives

IMPLEMENT RISK MANAGEMENT: Establish Organization Risk Mgmt. Process; Integrate Risk Mgmt. Program; Manage External Participation; Establish Risk Mgmt. Responsibilities

3. IDENTIFY AND MANAGE RISKS

IMPLEMENT RISK IDENTIFICATION: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Identification of Roles & Responsibilities; Manage Asset Lifecycle

ENSURE ACCESS CONTROL MANAGEMENT: Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation; Manage Communication Protections

ESTABLISH ORGANIZATIONAL TRAINING: General User Training; Privileged User Training; 3rd Party Training; Senior Leader Training; Physical Security Training

ESTABLISH DATA SECURITY PROTECTION: Safeguard Data at Rest; Safeguard Data in Transit; Information Classification Considerations; Capacity Planning; Integrity and Data Leak Prevention

4. ENSURE RISK MITIGATION

ESTABLISH SECURE APPLICATION: Secure Application Development; Manage System Engineering Process; Safeguard Development Environment; Manage Software Update/Release Processes

ESTABLISH INFORMATION PROTECTION PROVISIONS: Establish Configuration Baselines; Establish Change Control; Establish Backup Processes; Establish Maintenance Processes; Establish Mobile Device Management

ESTABLISH PROTECTION PLANNING: Establish Information Sharing; Develop and Maintain Response / Recovery Plans; Integrate HR Security Components; Establish Vulnerability Mgmt. (Patch) Process

ESTABLISH PROTECTIVE TECHNOLOGY PROVISIONS: Establish Audit Processes; Safeguard Removable Media; Safeguard Operational Environment

5. ENSURE RISK DETECTION

ESTABLISH CYBERSECURITY INCIDENT DETECTION: Establish Network Baselines; Aggregate / Correlate Data; Determine Impacts; Alert Thresholds

ESTABLISH CONTINUOUS MONITORING: Monitor Networks; Monitor Physical; Monitor Personnel; Detect Malicious Code; Detect Mobile Code and Browser Protection; Monitor 3rd Parties; Implement Vulnerability Scanning

ESTABLISH DETECTION: Establish Detection Roles; Est. Security Review Processes; Test Detection Processes

6. ENSURE RISK RESPONSE

ESTABLISH INCIDENT RESPONSE: Execute Response Plan; Response Roles & Resp.; Incident Reporting; Ensure Information Sharing

ESTABLISH INCIDENT ANALYSIS: Implement Investigation Processes; Analyze Risk Events; Implement Forensics Capability; Establish Response Categorization

MITIGATE DETECTED INCIDENTS: Ensure Incident Containment; Ensure Incident Mitigation

7. ENSURE RESILIENCE

ESTABLISH INCIDENT RECOVERY: Execute Recovery Plan; Recovery Communications

CYBERSECURITY MATURITY ASSESSMENT

WORKFLOW PROCESS

Board: Define organizational priorities; approve the roadmap.

CISO: Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are defined; develop the risk mitigation roadmap.

Operations Level: Select practices to determine practice area level maturity.

Outputs: RISK PROFILE; RISK-BASED MATURITY TARGETS; MEASURED MATURITY VS. INDUSTRY; MEASURED MATURITY VS. RISK-BASED TARGETS; ISO / CSF / COBIT THREAT VIEW; RISK PRIORITIZED GAPS AND TECHNICAL SOLUTIONS; PRIORITIZED ROADMAP

SELECT YOUR COMPANY'S UNIQUE RISK PROFILE

For each Potential Vulnerability, users assign the likelihood of each Risk Event resulting from the Security Scenario, on the scale VL (VERY LOW), L (LOW), H (HIGH), VH (VERY HIGH).

Once the likelihoods of the Security Scenarios have been assigned, users assign an impact for each Risk Event.
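A worked version of the likelihood-and-impact rating above and of the risk-prioritized gap list it feeds (added example in Python, not the CMMI/ISACA tool's code; the numeric weights behind the VL/L/H/VH labels, the five maturity levels, the linear score-to-target mapping and the sample risk events are all assumptions):

```python
"""Risk-profile scoring for the assessment workflow above. Added example, not the
CMMI/ISACA tool; weights, the 1..5 maturity scale and the target mapping are assumed."""
from dataclasses import dataclass

SCALE = {"VL": 1, "L": 2, "H": 3, "VH": 4}   # rating labels from the slide; weights assumed
MATURITY_LEVELS, MAX_SCORE = 5, max(SCALE.values()) ** 2

@dataclass
class RiskEvent:
    scenario: str       # security scenario / potential vulnerability
    event: str          # risk event that may result from it
    likelihood: str     # rated first, per scenario
    impact: str         # rated once likelihoods are set
    practice_area: str  # assessed practice area that mitigates the event

def _weight(label):
    if label not in SCALE:   # reject out-of-scale ratings rather than scoring them 0
        raise ValueError(f"unknown rating {label!r}; expected one of {list(SCALE)}")
    return SCALE[label]

def risk_score(ev):
    return _weight(ev.likelihood) * _weight(ev.impact)

def maturity_target(score):
    """Linear map from risk score to a maturity level 1..MATURITY_LEVELS."""
    return max(1, min(MATURITY_LEVELS, round(score / MAX_SCORE * MATURITY_LEVELS)))

def prioritized_gaps(events, measured):
    """Highest target any risk event demands per practice area, then areas whose
    measured maturity falls short, ranked by risk-weighted gap (largest first)."""
    targets = {}
    for ev in events:
        s = risk_score(ev)
        targets[ev.practice_area] = max(targets.get(ev.practice_area, (0, 0)), (maturity_target(s), s))
    rows = []
    for area, (target, score) in targets.items():
        have = measured.get(area, 0)
        if target > have:
            rows.append({"area": area, "target": target, "measured": have,
                         "gap": target - have, "score": score})
    return sorted(rows, key=lambda r: (-r["gap"] * r["score"], r["area"]))

# Constructed sample input, not from the slides.
SAMPLE_EVENTS = [
    RiskEvent("Phishing of an admin", "Credential theft", "VH", "H", "Privileged User Training"),
    RiskEvent("Unpatched edge server", "Ransomware outbreak", "H", "VH", "Vulnerability Mgmt. (Patch) Process"),
    RiskEvent("Lost laptop", "Data exposure", "L", "H", "Safeguard Data at Rest"),
    RiskEvent("Tailgating", "Equipment theft", "VL", "L", "Physical Security Training"),
]
SAMPLE_MEASURED = {"Privileged User Training": 2, "Vulnerability Mgmt. (Patch) Process": 3, "Safeguard Data at Rest": 2, "Physical Security Training": 1}
```

Running `prioritized_gaps(SAMPLE_EVENTS, SAMPLE_MEASURED)` ranks Privileged User Training (target 4, measured 2) ahead of the patch process (target 4, measured 3) and drops the two areas already at target.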
