BUILDING CYBERSECURITY CAPABILITY, MATURITY, …



Transcription of BUILDING CYBERSECURITY CAPABILITY, MATURITY, …

Slide 1

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CYBER SECURITY READINESS & RESILIENCE: ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE
12/13/2017 2017 ISACA. All Rights Reserved.

RISK-BASED CAPABILITIES: FROM COMPLIANCE TO RESILIENCE
Risk Mgmt | Capability Maturity | SecOps | Workforce Readiness

- Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.
- Workforce Readiness: 60% of all attacks were carried out by malicious intent. The workforce is our greatest point of vulnerability and ...
- SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas: mission priorities & dependencies; threat information; secure and available technology.

Slide 2

COPERNICAN SHIFT: Compliance/Certification vs. Capabilities; from COMPLIANCE-BASED RISK REDUCTION to RESILIENCE-DRIVEN RISK REDUCTION.

Cyber Security Assessment Solution: BENEFITS AND IMPACT
- STANDARDIZED MATURITY: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
- ORGANIZATION-WIDE, RISK-BASED: Defines the organization's risk profile and sets maturity targets.
- ROAD MAP DEVELOPMENT: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
- COMPLIANCE VIEWS: Provides views into compliance with industry-standard COBIT 5, ISO27001, NIST CSF, CMMI Threat Kill Chain, etc.

Slide 3

WE PRESENT OUR RESULTS IN LAYPERSON'S TERMS: SIMPLE GRAPHICS TO SUPPORT BOARD COMMUNICATION
OUR COMPREHENSIVE SCOPE LEVERAGES LEADING FRAMEWORKS, STANDARDS AND CONTROLS
CMMI CYBER SECURITY CAPABILITY ASSESSMENT SUPPORTS THE LEADING INDUSTRY STANDARDS

COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE

1. ENSURE GOVERNANCE FRAMEWORK
Sub-areas: Establish Governance Elements; Evaluate Resource Environment; Govern Cybersecurity Resources; Establish Stakeholder Reporting.
Practices:
- Establish Information Security Management Policy/Process
- Identify Supply Chain Role
- Evaluate Resource Management Needs
- Establish Stakeholder Reporting Requirements
- Establish Governance System
- Identify Critical Infrastructure Participation
- Direct Resource Management Needs
- Direct Stakeholder Communication and Reporting
- Direct Governance System
- Identify Organizational Priorities
- Monitor Resource Management Needs
- Monitor Stakeholder Communication
- Monitor Governance System
- Identify Critical Dependencies

Slide 4

2. ESTABLISH RISK MANAGEMENT
Sub-areas: Establish Risk Strategy; Establish Business Risk Context; Implement Risk Management.
Practices:
- Establish Risk Management Strategy
- Determine Mission Dependencies
- Establish Organization Risk Mgmt. Process
- Establish Risk Management
- Determine Legal/Regulatory Requirements
- Integrate Risk Mgmt. Program
- Define Organizational Risk Tolerance
- Determine Strategic Risk Objectives
- Manage External Participation
- Determine Critical Infrastructure
- Establish Risk Mgmt. Responsibilities

7. ENSURE RESILIENCE
Sub-area: Establish Incident Recovery.
Practices:
- Execute Recovery Plan
- Recovery Communications

Slide 5

3. IDENTIFY AND MANAGE RISKS
Sub-areas: Implement Risk Identification; Ensure Access Control Management; Establish Organizational Training; Establish Data Security Protection.
Practices:
- Asset Discovery & Identification
- Manage Identities and Credentials
- General User Training
- Safeguard Data at Rest
- Vulnerability Identification
- Manage Access to Systems
- Privileged User Training
- Safeguard Data in Transit
- Supply Chain Risk Identification
- Manage Access Permissions
- 3rd Party Training
- Manage Asset Lifecycle
- Identification of Roles & Responsibilities
- Manage Network Integrity & Segregation
- Senior Leader Training
- Capacity Planning
- Information Classification Considerations
- Manage Communication Protections
- Physical Security Training
- Integrity and Data Leak Prevention

Slide 6

4. ENSURE RISK MITIGATION
Sub-areas: Establish Secure Application Development; Establish Information Protection Provisions; Establish Protection Planning; Establish Protective Technology Provisions.
Practices:
- Secure Application Development
- Establish Configuration Baselines
- Establish Information Sharing
- Establish Audit Processes
- Manage System Engineering Process
- Establish Change Control
- Develop and Maintain Response/Recovery Plans
- Safeguard Removable Media
- Safeguard Development Environment
- Establish Backup Processes
- Integrate HR Security Components
- Safeguard Operational Environment
- Manage Software Update/Release Processes
- Establish Maintenance Processes
- Establish Vulnerability Mgmt. (Patch) Process
- Establish Mobile Device Management

Slide 7

5. ENSURE RISK DETECTION
Sub-areas: Establish Cybersecurity Incident Detection; Establish Continuous Monitoring; Establish Detection Processes.
Practices:
- Establish Network Baselines
- Monitor Networks
- Establish Detection Roles
- Aggregate/Correlate Data
- Monitor Physical
- Detect Malicious Code
- Determine Impacts
- Monitor Personnel
- Detect Mobile Code and Browser Protection
- Alert Thresholds
- Monitor 3rd Parties
- Implement Vulnerability Scanning
- Est. Security Review Processes
- Test Detection Processes

6. ENSURE RISK RESPONSE
Sub-areas: Establish Incident Response; Establish Incident Analysis; Mitigate Detected Incidents.
Practices:
- Execute Response Plan
- Implement Investigation Processes
- Ensure Incident Containment
- Response Roles & Events
- Ensure Incident Mitigation
- Incident Reporting
- Implement Forensics Capability
- Ensure Information Sharing
- Establish Response Categorization

CYBERSECURITY MATURITY ASSESSMENT WORKFLOW PROCESS
- Select practices to determine practice area level maturity
- Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are defined
- Define organizational priorities

Slide 8

Workflow (continued):
- Approve roadmap
- Develop risk mitigation roadmap

Reporting views: Measured Maturity / CSF / COBIT; Threat View; Measured Maturity vs. Industry; Measured Maturity vs. Risk-Based Targets; Risk-Prioritized Gaps and Technical Solutions.
Audiences shown: CISO; Board; Operations Level.
Inputs: Risk Profile; Risk-Based Maturity Targets.

SELECT YOUR COMPANY'S UNIQUE RISK PROFILE
For each Potential Vulnerability, users will assign the likelihood of each Risk Event resulting from the Security Scenario. Once likelihoods of Security Scenarios have been assigned, users will assign an impact for each Risk Event.
Rating scale: VL = Very Low; L = Low; H = High; VH = Very High.

RISK PROFILE DEFINES THE MATURITY TARGETS

Slide 9

STANDARDIZED DEFINITIONS OF MATURITY

[Chart: capability areas on the vertical axis, maturity level 0 to 5 on the horizontal axis, with INDUSTRY TARGET and RISK-BASED TARGET plotted for each area.]
Capability areas shown, sorted by risk: Risk Identification; Ensure Access Control Management; Establish Data Security Protection; Establish Governance Elements; Govern Cybersecurity Resources; Establish Risk Strategy; Implement Risk Management; Establish Protection Planning; Establish Cybersecurity Incident Detection; Establish Detection Processes; Establish Incident Analysis; Establish Incident Recovery; Establish Secure Application Development; Establish Information Protection Provisions; Mitigate Detected Incidents; Establish Incident Response; Establish Continuous Monitoring; Establish Protective Technology Provisions; Establish Organizational Training; Establish Business Risk Context; Establish Stakeholder Reporting; Establish Business Environment.

- Risk Profile establishes initial target maturity by capability area.
- Maturity targets can be compared to industry benchmarks for maturity.

Slide 10

PEOPLE, PROCESS, TECHNOLOGY

Maturity levels: LEVEL 1 PERFORMED; LEVEL 2 MANAGED; LEVEL 3 DEFINED; LEVEL 4 QUANTITATIVELY MANAGED; LEVEL 5 OPTIMIZED.

PEOPLE
- Level 1 (Performed): General personnel capabilities may be performed by an individual, but are not well defined.
- Level 2 (Managed): Personnel capabilities achieved consistently within subsets of the organization, but inconsistent across the entire organization.
- Level 3 (Defined): Roles and responsibilities are identified, assigned, and trained across the organization.
- Level 4 (Quantitatively Managed): Achievement and performance of personnel practices are predicted, measured, and evaluated.
- Level 5 (Optimized): Proactive performance improvement and resourcing based on organizational changes and lessons learned (internal & external).

PROCESS
- Level 1 (Performed): General process capabilities may be performed by an individual, but are not well defined.
- Level 2 (Managed): Adequate procedures documented within a subset of the organization.
- Level 3 (Defined): Organizational policies and procedures are defined and standardized.
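The risk-profile-to-targets workflow of slides 7 to 9 (likelihood and impact per Risk Event on the VL/L/H/VH scale, a risk-based maturity target per capability area, then a risk-prioritized gap list against measured and industry maturity), as an added Python illustration that is not part of the ISACA deck. The numeric weights, the score-to-level mapping, the "highest-rated event per area" rule and all sample data are assumptions.

```python
"""Risk profile -> risk-based maturity targets -> risk-prioritized gaps (added
illustration of slides 7-9; weights, level mapping and data are assumptions)."""
SCALE = {"VL": 1, "L": 2, "H": 3, "VH": 4}  # deck's rating scale; weights assumed
LEVELS = {1: "Performed", 2: "Managed", 3: "Defined",
          4: "Quantitatively Managed", 5: "Optimized"}  # slide 10

def risk_score(likelihood, impact):
    """Likelihood x impact of one Risk Event on the VL/L/H/VH scale, 1..16."""
    return SCALE[likelihood] * SCALE[impact]

def maturity_target(score):
    """Assumed mapping of a risk score onto a target maturity level 1..5."""
    for threshold, level in ((12, 5), (8, 4), (4, 3), (2, 2)):
        if score >= threshold:
            return level
    return 1

def build_profile(risk_events):
    """risk_events: (capability_area, likelihood, impact) triples, one per Risk
    Event. An area's risk is its highest-rated event (assumption)."""
    profile = {}
    for area, likelihood, impact in risk_events:
        profile[area] = max(profile.get(area, 0), risk_score(likelihood, impact))
    return profile

def prioritized_gaps(profile, measured, industry):
    """One row per area comparing measured maturity with the risk-based and
    industry targets, sorted by risk (highest first), then by gap."""
    rows = []
    for area, score in profile.items():
        target, have = maturity_target(score), measured.get(area, 0)
        rows.append({"area": area, "risk": score, "target": target,
                     "industry": industry.get(area), "measured": have,
                     "gap": max(0, target - have)})
    rows.sort(key=lambda r: (-r["risk"], -r["gap"]))
    return rows

# Constructed sample data, not from the deck.
SAMPLE_EVENTS = [
    ("Ensure Access Control Management", "VH", "VH"),
    ("Establish Incident Response", "H", "VH"),
    ("Establish Incident Response", "L", "L"),  # lower-rated event, same area
    ("Establish Organizational Training", "L", "H"),
    ("Establish Stakeholder Reporting", "VL", "L"),
]
SAMPLE_MEASURED = {"Ensure Access Control Management": 3, "Establish Incident Response": 2,
                   "Establish Organizational Training": 2, "Establish Stakeholder Reporting": 2}
SAMPLE_INDUSTRY = dict.fromkeys(SAMPLE_MEASURED, 3)  # benchmark level, assumed
if __name__ == "__main__":
    for r in prioritized_gaps(build_profile(SAMPLE_EVENTS), SAMPLE_MEASURED, SAMPLE_INDUSTRY):
        print(r["area"], "risk", r["risk"], "target L%d" % r["target"], "gap", r["gap"])
```

Run as a script it lists the four sample areas with Access Control Management first (risk 16, target level 5, gap 2) and Stakeholder Reporting last (risk 2, gap 0).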

