BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
CYBER SECURITY READINESS & RESILIENCE ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE
SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas:
- Mission priorities & dependencies
- Threat information
- Secure and available technology
SECOPS
ENTERPRISE SECURITY RISK MGMT
Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.
12/13/2017
© 2017 ISACA. All Rights Reserved.
WORKFORCE READINESS
Workforce Readiness: 60% of all attacks were carried out by insiders. 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.
FROM COMPLIANCE TO RESILIENCE: "COPERNICAN SHIFT"
(Figure. Before: Compliance / Certification; Capabilities; Compliance-based risk reduction. After: Risk-based Capabilities; Compliance / Certification; Resilience-driven risk reduction.)
Cyber Security Assessment Solution: Benefits and Impact
- Standardized maturity: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
- Organization-wide, risk-based: Defines the organization's risk profile and sets maturity targets.
- Roadmap development: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
- Compliance views: Provides views into compliance with industry standards: COBIT 5, ISO 27001, NIST CSF, CMMI Threat Kill Chain, etc.
We present our results in layperson's terms, with simple graphics to support board communication. Our comprehensive scope leverages leading frameworks, standards and controls: the CMMI Cyber Security Capability Assessment supports the leading industry standards.
COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK
- Establish Governance
  - Establish Information Security Management Policy Process
  - Establish Governance System
  - Direct Governance System
  - Monitor Governance System
- Establish Business Environment
  - Identify Supply Chain Role
  - Identify Critical Infrastructure Participation
  - Identify Organizational Priorities
  - Identify Critical Dependencies
- Govern Cybersecurity Resources
  - Evaluate Resource Management Needs
  - Direct Resource Management Needs
  - Monitor Resource Management Needs
- Establish Stakeholder Reporting
  - Establish Stakeholder Reporting Requirements
  - Direct Stakeholder Communication and Reporting
  - Monitor Stakeholder Communication

2. ESTABLISH RISK MANAGEMENT
- Establish Risk Strategy
  - Establish Risk Management Strategy
  - Define Organizational Risk Tolerance
- Establish Business Risk Context
  - Determine Critical Infrastructure
  - Determine Mission Dependencies
  - Determine Legal / Regulatory Requirements
  - Determine Strategic Risk Objectives
- Implement Risk Management
  - Establish Organization Risk Mgmt. Process
  - Integrate Risk Mgmt. Program
  - Manage External Participation
  - Establish Risk Mgmt. Responsibilities

3. IDENTIFY AND MANAGE RISKS
- Implement Risk Identification
  - Asset Discovery & Identification
  - Vulnerability Identification
  - Supply Chain Risk Identification
- Ensure Access Control Management
  - Manage Identities and Credentials
  - Manage Access to Systems
  - Manage Access Permissions
  - Manage Network Integrity & Segregation
  - Manage Communication Protections
- Establish Organizational Training
  - General User Training
  - Privileged User Training
  - Identification of Roles & Responsibilities
  - 3rd Party Training
  - Senior Leader Training
  - Physical Security Training
- Establish Data Security Protection
  - Safeguard Data at Rest
  - Safeguard Data in Transit
  - Information Classification Considerations
  - Manage Asset Lifecycle
  - Capacity Planning
  - Integrity and Data Leak Prevention

4. ENSURE RISK MITIGATION
- Establish Secure Application Development
  - Secure Application Development
  - Manage System Engineering Process
  - Safeguard Development Environment
  - Manage Software Update / Release Processes
- Establish Information Protection Provisions
  - Establish Configuration Baselines
  - Establish Change Control
  - Establish Backup Processes
  - Establish Maintenance Processes
- Establish Protection Planning
  - Establish Information Sharing
  - Develop and Maintain Response / Recovery Plans
  - Integrate HR Security Components
  - Establish Vulnerability Mgmt. (Patch) Process
- Establish Protective Technology Provisions
  - Establish Audit Processes
  - Safeguard Removable Media
  - Safeguard Operational Environment
  - Establish Mobile Device Management

5. ENSURE RISK DETECTION
- Establish Cybersecurity Incident Detection
  - Establish Network Baselines
  - Aggregate / Correlate Data
  - Determine Impacts
  - Alert Thresholds
- Establish Continuous Monitoring
  - Monitor Networks
  - Monitor Physical
  - Monitor Personnel
  - Monitor 3rd Parties
  - Implement Vulnerability Scanning
- Establish Detection
  - Establish Detection Roles
  - Detect Malicious Code
  - Detect Mobile Code and Browser Protection
  - Est. Security Review Processes
  - Test Detection Processes

6. ENSURE RISK RESPONSE
- Establish Incident Response
  - Execute Response Plan
  - Response Roles & Resp.
  - Incident Reporting
  - Ensure Information Sharing
- Establish Incident Analysis
  - Implement Investigation Processes
  - Analyze Risk Events
  - Implement Forensics Capability
  - Establish Response Categorization
- Mitigate Detected Incidents
  - Ensure Incident Containment
  - Ensure Incident Mitigation

7. ENSURE RESILIENCE
- Establish Incident Recovery
  - Execute Recovery Plan
  - Recovery Communications
CYBERSECURITY MATURITY ASSESSMENT: WORKFLOW PROCESS
- Board: define organizational priorities; approve the roadmap.
- CISO: define the scope of the assessment and the organization's risk profile; set risk-based maturity targets; develop the risk mitigation roadmap.
- Operations level: select practices to determine practice-area maturity.
Outputs: risk profile; risk-based maturity targets; measured maturity vs. industry; measured maturity vs. risk-based targets; risk-prioritized gaps and technical solutions; ISO / CSF / COBIT threat view; prioritized roadmap.
SELECT YOUR COMPANY'S UNIQUE RISK PROFILE
For each potential vulnerability, users assign the likelihood of each risk event resulting from a security scenario, on the scale VL (very low), L (low), H (high), VH (very high). Once the likelihoods of the security scenarios have been assigned, users assign an impact for each risk event.
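The workflow on these slides (likelihood and impact per risk event, measured maturity vs. a risk-based target per practice area, risk-prioritized gaps, and a framework view of those gaps) can be made concrete in a few dozen lines. The following is an added illustrative example, not the CMMI platform's own scoring or data: the middle "M" level, the numeric weights, the score thresholds, the priority formula, the NIST CSF subcategory mapping and all sample scenarios are assumptions made here for illustration.

```python
"""Added worked example: risk profile -> risk-based targets -> prioritized gaps.

Illustrative only; it is not the CMMI platform's scoring. The "M" level, the
numeric weights, the rating thresholds and the priority formula are assumed.
"""
from dataclasses import dataclass

# Qualitative scale from the slide; the slide shows VL/L/H/VH, the middle "M"
# level and the 1..5 weights are assumed here.
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}


@dataclass(frozen=True)
class RiskEvent:
    scenario: str    # security scenario that produces the event
    event: str       # risk event name, referenced by practice areas below
    likelihood: str  # VL..VH, assigned by the user
    impact: str      # VL..VH, assigned by the user

    def score(self) -> int:
        """Likelihood x impact on a 1..25 scale (assumed risk matrix)."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def risk_rating(event: RiskEvent) -> str:
    """Bucket a 1..25 score back onto the qualitative scale (assumed thresholds)."""
    s = event.score()
    if s >= 16:
        return "VH"
    if s >= 10:
        return "H"
    if s >= 5:
        return "M"
    if s >= 2:
        return "L"
    return "VL"


@dataclass(frozen=True)
class PracticeArea:
    name: str
    measured: int       # maturity level found by practice selection (1..5)
    target: int         # risk-based maturity target set by the CISO
    events: tuple       # names of the risk events this area mitigates
    framework_ref: str  # assumed NIST CSF subcategory, for the compliance view


def prioritize_gaps(areas, events):
    """Return practice areas below target, highest risk-weighted gap first.

    priority = (target - measured) * highest score among the linked risk events,
    so a single severe scenario outweighs several minor ones (assumed formula).
    """
    by_name = {e.event: e for e in events}
    gaps = []
    for a in areas:
        gap = a.target - a.measured
        if gap <= 0:
            continue  # at or above target: not a gap
        worst = max(by_name[n].score() for n in a.events)
        gaps.append({"area": a.name, "gap": gap, "priority": gap * worst,
                     "framework_ref": a.framework_ref})
    return sorted(gaps, key=lambda g: g["priority"], reverse=True)


def framework_view(gaps, prefix: str):
    """Compliance view: names of gap areas whose framework reference starts
    with `prefix` (e.g. "PR.DS" for the NIST CSF Data Security category)."""
    return [g["area"] for g in gaps if g["framework_ref"].startswith(prefix)]


# Constructed sample risk profile (not from the slides).
EVENTS = (
    RiskEvent("Phishing of a privileged user", "Domain admin credential theft", "H", "VH"),
    RiskEvent("Unpatched internet-facing server", "Web server compromise", "H", "H"),
    RiskEvent("Lost unencrypted laptop", "Disclosure of customer data", "M", "M"),
    RiskEvent("Insider data exfiltration", "Loss of IP", "L", "VH"),
)
AREAS = (
    PracticeArea("Manage Identities and Credentials", 2, 4,
                 ("Domain admin credential theft",), "PR.AC-1"),
    PracticeArea("Establish Vulnerability Mgmt. (Patch) Process", 2, 3,
                 ("Web server compromise",), "PR.IP-12"),
    PracticeArea("Safeguard Data at Rest", 3, 3,
                 ("Disclosure of customer data", "Loss of IP"), "PR.DS-1"),
    PracticeArea("Integrity and Data Leak Prevention", 1, 3,
                 ("Loss of IP",), "PR.DS-5"),
)

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.event:32} {e.likelihood}/{e.impact} -> {risk_rating(e)}")
    for g in prioritize_gaps(AREAS, EVENTS):
        print(g)
    print("Data Security gaps:", framework_view(prioritize_gaps(AREAS, EVENTS), "PR.DS"))
```

Two design points are worth noting for a real assessment. Taking the worst linked event rather than the sum keeps one catastrophic scenario from being buried under many low-rated ones, which is usually what a board wants the roadmap ordered by. And areas already at target (here "Safeguard Data at Rest") drop out of the gap list entirely, even though they mitigate high-rated events, so the same event list should still be re-scored when the risk profile changes.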