
BUILDING CYBERSECURITY CAPABILITY, MATURITY, …


Excerpt: NIST CYBERSECURITY ALIGNMENT BY PRACTICE AREA (filtered results; columns: Measured, Risk-Based Target; selected maturity level: 4)
  PR.IP Information Protection Processes and Procedures. PR.IP-2: A System Development Life Cycle to manage systems is implemented. 16 25 37.
  PR.AT The organization's personnel and partners are …


Transcription of BUILDING CYBERSECURITY CAPABILITY, MATURITY, …

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CYBER SECURITY READINESS & RESILIENCE: ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE
12/13/2017. © 2017 ISACA. All Rights Reserved.

Maturity: Focusing on risk-based capabilities is foundational to building resilience.
Workforce Readiness: 60% of all attacks were carried out by malicious intent. The workforce is our greatest point of vulnerability and
SecOps: describes effective integration of security and IT/OT operations in three key areas:
  Mission priorities & dependencies
  Threat information
  Secure and available technology

RISK-BASED CAPABILITIES: FROM COMPLIANCE TO RESILIENCE
Copernican shift (diagram labels): Compliance/Certification; Capabilities; Compliance/Certification; Compliance-Based Risk Reduction -> Resilience-Driven Risk Reduction.

CYBER SECURITY ASSESSMENT SOLUTION: BENEFITS AND IMPACT
  Standardized Maturity: Defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
  Organization-Wide, Risk-Based: Defines the organization's risk profile and sets maturity targets.
  Road Map Development: Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
  Compliance Views: Provides views into compliance with industry-standard COBIT 5, ISO27001, NIST CSF, CMMI Threat Kill Chain, etc.

We present our results in layperson's terms: simple graphics to support board communication.
Our comprehensive scope leverages leading frameworks, standards and controls: the CMMI Cyber Security Capability Assessment supports the leading industry standards.

COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE
Domains, their practice areas, and the practices under each. Where the slide's grid can be read unambiguously, practices are listed under their practice area; otherwise the practice areas and practices of a domain are listed separately.

1. ENSURE GOVERNANCE FRAMEWORK
  Establish Governance Elements: Establish Information Security Management Policy/Process; Establish Governance System; Direct Governance System; Monitor Governance System
  Establish Business Environment: Identify Supply Chain Role; Identify Critical Infrastructure Participation; Identify Organizational Priorities; Identify Critical Dependencies
  Govern Cybersecurity Resources: Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs
  Establish Stakeholder Reporting: Establish Stakeholder Reporting Requirements; Direct Stakeholder Communication and Reporting; Monitor Stakeholder Communication

2. ESTABLISH RISK MANAGEMENT
  Practice areas: Establish Risk Strategy; Establish Business Risk Context; Implement Risk Management
  Practices: Establish Risk Management Strategy; Determine Mission Dependencies; Establish Organization Risk Mgmt. Process; Establish Risk Management; Determine Legal/Regulatory Requirements; Integrate Risk Mgmt. Program; Define Organizational Risk Tolerance; Determine Strategic Risk Objectives; Manage External Participation; Determine Critical Infrastructure; Establish Risk Mgmt. Responsibilities

3. IDENTIFY AND MANAGE RISKS
  Implement Risk Identification: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Identification of Roles & Responsibilities; Information Classification Considerations
  Ensure Access Control Management: Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation; Manage Communication Protections
  Establish Organizational Training: General User Training; Privileged User Training; 3rd Party Training; Senior Leader Training; Physical Security Training
  Establish Data Security Protection: Safeguard Data at Rest; Safeguard Data in Transit; Manage Asset Lifecycle; Capacity Planning; Integrity and Data Leak Prevention

4. ENSURE RISK MITIGATION
  Establish Secure Application Development: Secure Application Development; Manage System Engineering Process; Safeguard Development Environment; Manage Software Update/Release Processes
  Establish Information Protection Provisions: Establish Configuration Baselines; Establish Change Control; Establish Backup Processes; Establish Maintenance Processes
  Establish Protection Planning: Establish Information Sharing; Develop and Maintain Response/Recovery Plans; Integrate HR Security Components; Establish Vulnerability Mgmt. (Patch) Process
  Establish Protective Technology Provisions: Establish Audit Processes; Safeguard Removable Media; Safeguard Operational Environment; Establish Mobile Device Management

5. ENSURE RISK DETECTION
  Practice areas: Establish Cybersecurity Incident Detection; Establish Continuous Monitoring; Establish Detection Processes
  Practices: Establish Network Baselines; Monitor Networks; Establish Detection Roles; Aggregate/Correlate Data; Monitor Physical; Detect Malicious Code; Determine Impacts; Monitor Personnel; Detect Mobile Code and Browser Protection; Alert Thresholds; Monitor 3rd Parties; Implement Vulnerability Scanning; Est. Security Review Processes; Test Detection Processes

6. ENSURE RISK RESPONSE
  Practice areas: Establish Incident Response; Establish Incident Analysis; Mitigate Detected Incidents
  Practices: Execute Response Plan; Implement Investigation Processes; Ensure Incident Containment; Response Roles & Events; Ensure Incident Mitigation; Incident Reporting; Implement Forensics Capability; Ensure Information Sharing; Establish Response Categorization

7. ENSURE RESILIENCE
  Establish Incident Recovery: Execute Recovery Plan; Recovery Communications

CYBERSECURITY MATURITY ASSESSMENT WORKFLOW PROCESS
  Roles (swimlanes): CISO; Board; Operations Level
  Steps: Select practices to determine practice area level maturity. Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are defined. Define organizational priorities; approve roadmap. Develop risk mitigation roadmap.
  Outputs: Measured maturity / CSF / COBIT; Threat view; Measured maturity vs. industry; Measured maturity vs. risk-based targets; Risk-prioritized gaps and technical solutions; Risk profile; Risk-based maturity targets

SELECT YOUR COMPANY'S UNIQUE RISK PROFILE
For each Potential Vulnerability, users will assign the likelihood of each Risk Event resulting from the Security Scenario. Once the likelihoods of the Security Scenarios have been assigned, users will assign an impact for each Risk Event. Rating scale: VL Very Low; L Low; H High; VH Very High.

RISK PROFILE DEFINES THE MATURITY TARGETS
(Bar chart, scale 0 to 5, one bar per practice area; legend: Industry Target, Risk-Based Target.) Practice areas charted: Implement Risk Identification; Ensure Access Control Management; Establish Data Security Protection; Establish Governance Elements; Govern Cybersecurity Resources; Establish Risk Strategy; Implement Risk Management; Establish Protection Planning; Establish Cybersecurity Incident Detection; Establish Detection Processes; Establish Incident Analysis; Establish Incident Recovery; Establish Secure Application Development; Establish Information Protection Provisions; Mitigate Detected Incidents; Establish Incident Response; Establish Continuous Monitoring; Establish Protective Technology Provisions; Establish Organizational Training; Establish Business Risk Context; Establish Stakeholder Reporting; Establish Business Environment.
Maturity targets can be compared to industry benchmarks for maturity. The Risk Profile establishes the initial target maturity by capability area; capability areas are sorted by risk.

STANDARDIZED DEFINITIONS OF MATURITY: PEOPLE, PROCESS, TECHNOLOGY
Levels: Level 1 Performed; Level 2 Managed; Level 3 Defined; Level 4 Quantitatively Managed; Level 5 Optimized.
People:
  L1: General personnel capabilities may be performed by an individual, but are not well defined.
  L2: Personnel capabilities are achieved consistently within subsets of the organization, but inconsistently across the entire organization.
  L3: Roles and responsibilities are identified, assigned, and trained across the organization.
  L4: Achievement and performance of personnel practices are predicted, measured, and evaluated.
  L5: Proactive performance improvement and resourcing based on organizational changes and lessons learned (internal & external).
Process:
  L1: General process capabilities may be performed by an individual, but are not well defined.
  L2: Adequate procedures are documented within a subset of the organization.
  L3: Organizational policies and procedures are defined and standardized; policies and procedures support the organizational strategy.
  L4: Policy compliance is measured and enforced; procedures are monitored for effectiveness.
  L5: Policies and procedures are updated based on organizational changes, and lessons learned (internal & external) are captured.
Technology:
  L1: General technical mechanisms are in place and may be used by an individual.
  L2: Technical mechanisms are formally identified and defined by a subset of the organization.
  L3: Purpose and intent is defined (right technology, adequately deployed); proper technology is implemented in each subset of the organization; technical requirements are in place.
  L4: Effectiveness of technical mechanisms is predicted, measured, and evaluated.
  L5: Technical mechanisms are proactively improved based on organizational changes and lessons learned (internal & external).

MEASURING MATURITY BASED ON ACTIVITY
Example: Identify and Manage Risks > Implement Risk Identification > Vulnerability Identification. Practice area maturity: Level 1. Overall maturity for this practice area is L1, as not all boxes were checked for L2. (Columns: Maturity Level; Activity; Audit.)
  5  The organization collaborates with relevant partners (e.g., facilities management, system operations staff) to periodically catalog known vulnerabilities.
  5  Staff have been trained and qualified to perform vulnerability identification activities as planned.
  5  Relevant managers oversee performance of the vulnerability identification activities.
  4  Issues related to vulnerability identification are tracked and reported to relevant managers.
  4  Underlying causes for vulnerabilities are identified (e.g., through root-cause analysis).
  4  Risks related to the performance of vulnerability identification activities are identified, analyzed, disposed of, monitored, and controlled.
  4  Vulnerability identification activities are periodically reviewed to ensure they are adhering to the plan.
  3  Stakeholders for vulnerability management activities have been identified and made aware of their roles.
  3  A standard set of tools and/or methods is used to identify vulnerabilities.
  3  Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
  2  Approved and diverse vulnerability sources are identified and documented.
  2  Automated vulnerability scanning tools review all applicable systems on the network (a & b required) a.
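As an added illustration (not the deck's own code or ISACA's assessment tool), a scoring helper that applies the rule shown on the slide: a level is earned only when every activity at that level and at all lower levels is checked, otherwise the practice area stays at the highest fully satisfied level. Activity texts are paraphrased from the slide; the checked flags and the risk-based target of 4 are constructed assumptions.

```python
"""Practice-area maturity scoring (illustrative helper, not ISACA's tool).
Rule from the slide: a level is earned only when every activity tagged at
that level and at all lower levels is checked; Level 1 (performed) is the
floor when the Level 2 activities are not all satisfied."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Activity:
    level: int     # maturity level the activity evidences (2..5)
    text: str
    checked: bool  # audit evidence found; values below are constructed

# Vulnerability Identification activities paraphrased from the slide; checked flags are constructed.
VULN_ID = [
    Activity(2, "Approved and diverse vulnerability sources identified and documented", True),
    Activity(2, "Automated scanning tools review all applicable systems on the network", False),
    Activity(3, "Stakeholders identified and made aware of their roles", True),
    Activity(3, "Standard set of tools and/or methods used to identify vulnerabilities", True),
    Activity(3, "Tools identify platform types affected by known vulnerabilities", True),
    Activity(4, "Issues tracked and reported to relevant managers", True),
    Activity(4, "Underlying causes identified through root-cause analysis", False),
    Activity(4, "Risks to the activity identified, analyzed, monitored and controlled", True),
    Activity(4, "Activities periodically reviewed for adherence to the plan", True),
    Activity(5, "Collaboration with partners to periodically catalog known vulnerabilities", True),
    Activity(5, "Staff trained and qualified to perform vulnerability identification", False),
    Activity(5, "Relevant managers oversee performance of the activities", True),
]

def measured_level(activities, top=5):
    """Highest level L such that every activity tagged 2..L is checked (floor is 1)."""
    level = 1
    for lvl in range(2, top + 1):
        at_level = [a for a in activities if a.level == lvl]
        # A level with no activities cannot be evidenced, so it also stops the climb.
        if not at_level or not all(a.checked for a in at_level):
            break
        level = lvl
    return level

def blocking_gaps(activities, target):
    """Unchecked activities up to the risk-based target, lowest level first:
    these are the items that hold the practice area below its target."""
    return sorted((a.level, a.text) for a in activities
                  if not a.checked and a.level <= target)
```

With the sample flags, the unchecked Level 2 scanning activity alone pins the practice area at L1 even though most Level 3 and 4 items are satisfied; `blocking_gaps(VULN_ID, 4)` lists that item first, which is the ordering a risk-prioritized roadmap needs.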
