Step by-step-guide risk-security-dunn_firth_v.1.8
2 likes361 views
This document provides a step-by-step guide for up-and-coming Chief Information Security Officers (CISOs) on understanding risk and cybersecurity. It discusses the CISO's responsibilities in managing security risk, the four domains of cybersecurity risk, and tools like the NIST Cybersecurity Framework that can help CISOs assess and mitigate risk. The document also examines how the CISO role fits within an organization's structure and the importance of effective communication to balance risk and security priorities with business objectives.
Step by-step-guide risk-security-dunn_firth_v.1.8
- 6. allows you to accurately scope, measure, and prioritize all the necessary components of a risk assessment and remediation plan. The CISO and Balancing Risk Survey provided evidence of good business communicaition in organizations with CISOs. Security was not viewed at having an increased level of hindering or preventing the business from achieving their goals. On a scale of 1, not hindering business success at all, to 10 of success being dramatically hindered, organizations with and without CISOs had an average score of 5. A successful CISO understands the business and the organization’s financial objectives. Building a top notch security program that is costly is pointless if the business is forced into bankruptcy. The CISO and the Organization Structure Organizations that view the CISO’s role as responsible for risk resilience see the CISO as a ship captain successfully guiding them on their business journey. The CEO gives them the authority to prioritize security initiatives to protect the business, and reduce security risk in the overall organization. The CISO watches the forecast for big dangerous storms and guides the business through potential disasters. For good risk resilience cyber security should be viewed as a business risk and be reported to the CEO with the other risks of doing business such as the risks in the economy, risk in supplies, and financial risk. CISO Security Risk Assignment 2: Look for opportunities to build your communication and presentation skills by leading lunch and learns, presenting at security conferences, or leading security teaching events. Be sure to ask for open and honest feedback from your audience so you sharpen any of the presentation or communication skill areas that need more work. CISO Security Risk Assignment 3: As a CISO you will be asked to build a technical strategy for the organization to protect the business. This will require a constant investment in understanding the technical changes in technology, the associated security risks, and potential security benefits. Prioritize keeping on top of your technical skills and understanding new technology.
- 7. Establishing a Cyber Security charter between the CISO, the CEO, and the other members of management ensures the CISO role and responsibility are clear to the rest of the organization. The CISO charter grants authority to the CISO, provides boundaries for their authority and mandates performance the CISO and their security organization is held accountable for. As a new CISO you may not have a choice where you sit in the organization but may be able to influence the reporting structure as both you and the organization’s cyber security program mature. The Four Cybersecurity CISO Risk Domains Protect, Shield, Defend, Prevent The Protect, Shield, Defend, and Prevent domain defends the enterprise from cyber threats and prevent cybersecurity incidents within the expected risk resilience threshold. Monitor, Detect, and Hunt The Monitor, Detect, and Hunt domain actively validates the security controls in the protect, shield, defend, and prevent domain. This domain is responsible for looking for any threats that may have evaded the protect, shield, defend, and prevent controls and reports and suspicious or unauthorized events as quickly as they are detected. Respond, Recover, and Sustain If a cybersecurity incident happens, the Respond, Recover, and Sustain domain minimizes the impact and ensures that people follow the established policy and process so the organization can recover and sustain operation with minimal impact to the organization, its users, or its customers. Govern, Manage, Comply, Educate, and Manage Risk The Govern, Manage, Comply, Educate, and Manage Risk Domain provides continuous oversight, management, security control prioritization, and performance metrics. This domain is responsible for internal and external requirements compliance and ensuring how risk is mitigated aligns with the organization’s risk tolerance. Examples of Risk and Mitigation in the Four Domains Example Risk Example Mitigation / Control Protect, Shield, Defend, Prevent Prevent information leaking Employees are using Dropbox to share information with business partners. Block the ports Dropbox uses and provide employee training CISO Security Risk Assignment 4: Start practicing your business communication now. When communicating risk always include the impact business impact and represented by positive or negative financial value.
- 8. on the approved type and methods of data sharing. Defend the network Employees are using their own devices on a corporate network. Provide guest access network for employee personal devices and NAC address white listing for network access. Shield Research and development teams are downloading resources from open source sites onto their corporate laptops. Isolate the Research and Development activity from the corporate network and issue the team separate laptops for Research and Development and daily business use. Monitor, Detect, and Hunt Incident Management An IT engineer discovers ransomware on a system and immediately wipes the hard drive. Ensure the proper steps for incident response are visible throughout the organization and included in the regularly training. Data Leak An IT engineer discovers ransomware on a system and immediately wipes the hard drive. Ensure the proper steps for incident response are visible throughout the organization and included in the regularly training. Log Correlation Teams activate log capture but events are not tracked for related events or patterns. Implement a SIEM that aggregates information on all events on the networks and alerts on anything suspicious. Respond, Recover, and Sustain Asset Management Assets are discarded without erasing company data. Create a process for discarding assets and perform regular audits to ensure data is being properly erased. Business Continuity Recovery from backup is not tested on a regular basis and when implemented fails. Have regularly scheduled exercises and testing. Sustain Main telecom provider is taken down by DDOS attack. Engage with a second Telecom provider either splitting the Telecom business or splitting the engagement so that the second provider provides enough support to maintain basic functionality of the business. Govern, Manage, Comply, Educate, and Manage Risk
- 9. Compliance Organizations process credit cards without compliance checks Formal PCI Compliance Audit Documentation No documented Acceptable Use Policy Create Formal Policy Document Human Resource Management Train only full time employees on secure development principles but majority of development provided by in house contractors Ensure protection of the asset or customer drives the strategy and holistically considers all types of employees. The Two Sides of Cyber Security Risk IT centric CISO’s often view risk only in a negative context. Even worse these CISO’s have found themselves forced to use dramatic examples and impacts to receive the appropriate amount of attention. This forced hyperbole can damage their relationship with the rest of the business team who view them as the security version of chicken little, constantly raising false alarms of the “ The sky is falling, the sky is falling” and preventing them from achieving their business objectives. A CISO who is business risk‐focused views risk from a balanced perspective. Seeing the potential for a positive outcome, a negative outcome, and uses both potential outcomes to make a calculated risk decision. CISO Security Risk Assignment 5: Practice tracking the current security events in your organization. What CISO domain do they fall into? What security control would reduce the risk? What is the business trade off? CISO Security Risk Assignment 6: Create a list of IT and business processes that are common within an organization such as having a web storefront, using cloud services for a data center, or allowing personal devices in your offices. List the positive risk, the negative risk, the calculated risk, and examples of the various security controls used to reduce risk.
- 12. Framework and the CSC controls together provides a starting point to evaluate business risk and which security controls to implement first. How to Do a Risk Assessment The simplest way of thinking about risk in your organization is to consider: What needs to be protected Who does it need to be protected from The likelihood of something happening The impact if it does What actions need to be taken if it does if an incident happens A Risk Assessment is a Snapshot in Time A risk assessment provides a static look at a dynamic environment. One way to think about a risk assessment is to compare it to a person receiving a physical. A physical is a person’s snapshot in time of how healthy they are. The physical provides accurate health information for a limited window and another physical is required to confirm the person is issue free. Unplanned events can impact how healthy we are and a risk free healthy person can immediately become unhealthy due to an insect bite or a car accident. In the same way, a physical is frequently required to confirm the individual health, a risk assessment should be a continual dynamic process with new business, new environments, and new risks continuously being pulled into the overall risk profile of the organizations. CISO Security Risk Assignment 9: Frameworks and standards overlap and complement each other. Become familiar with all the popular frameworks and standards. Knowing other standards beyond the one your organization is using as a baseline is helpful if there is a discrepancy in how a standard is interpreted or additional details determine a clearer plan of action. CIS CSC https://www.cisecurity.org/critical‐controls/ COBIT http://www.isaca.org/cobit/pages/default.aspx ISO/IEC 270001:2013 http://www.iso.org/iso/catalogue_detail?csnumber=54534 NIST SP 800‐53 Rev.4 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800‐53r4.pdf HITRUST https://hitrustalliance.net/csf‐license‐agreement/ OpenSAMM http://www.opensamm.org/ BSIMM v.7 https://www.bsimm.com/
- 14. The Elements of Cybersecurity Risk Management Risk Management has multiple layers and it’s important to address risk at all of them Risk Strategy Risk Strategy is alignment is where all the business leaders agree and align on risk about the business strategy, risk appetite, and overall business goals vs all the types of business risk. Risk Tactical The tactical layer is where the risk strategy is prioritized and aligned with a deliverable roadmap. Positive negative risks are documented, and risk is managed with risk management tools that provide reports and executive insight. Risk Execution In the risk execution stage the roadmap is delivered on through budgeted resources. Policies are developed and followed, and continuous reporting is provided to the executive team to ensure any necessary adjustments are made on the tactical risk or strategic risk plan. Risk Register A Risk Register contains details the risks to the organization. It captures, describes and assesses risks as they are identified. A Risk Register can be a formal application or something simple such as a SharePoint designed to restrict access. When capturing a risk in a Risk Register it should include: Who owns the risk? This should be a manager who has the authority to assign and allocate budget and the person who is held accountable if there is an incident. The actions required to remediate the risk. A timeline for remediation and a future review date. Dates when actions were completed and the risk item closed. Securing Awareness Programs: The Foundation for Building a Culture that Balances Risk and Security A security awareness programs educate and empower employees as the organization's first protective shield from security threats and layering information security resilience into the organization ensures it is part of every business decision. Any amount of Security Awareness training provides a positive benefit to an organization but the most effective programs are frequent and use many different methods to deliver their message such as lunch and learns, email, online video training, and in classroom training. The training should highlight established basics as well as new information on evolving threats such as Ransomware.
- 15. The CISO and Balancing Risk Survey found that 88 % of the organizations surveyed had formal Security Awareness programs. The Survey also provided positive insight that 64 % of companies are providing more frequent training and 28 % of the more frequent training being on going or monthly. Summary Organizations With Security Awareness Programs Yes No The Frequency that Security Awareness Training is Provided Annual Frequent On going CISO Security Risk Assignment 11: Start building your security awareness program skills. Attend classes on building a security awareness and use those skills to educate your co‐workers, friends, and family on how good security hygiene and how to protect themselves. What risky security behavior do they do that puts them in harm’s way? Use their experiences and knowledge to help you build a broader knowledge of all the potential organizational risks such as foothold information for an attacker trying to compromise your organization's network. These could include: o Schools that name parents and where they work, o Churches that build databases of all extended family members, their ages, and addresses. o Sports programs that have poorly protected websites with personal employee information.
- 16. Being a CISO is a challenging and important career. It will put you in the pilot seat of protecting your organization. The keys to your success for managing the enormous number of threats, risk decisions, and appropriate business guidance discussion will be building your technical, communication, and business acumen skills. Building a foundation of communication in your organizations embeds the balance of risk and security into every decision. Your communication must clearly explain what the security risk are, where they are, and how to avoid them. How to communicate involves a clear, consistent message through executive briefings, an established risk decision process, and a frequently provided security awareness training that provides clear messaging of the risk, what the security rules are, and who to ask if they are unsure. One area a new CISO should focus on is the change in risk tolerance after an event. The CISO and Balancing Risk Survey found that the organizations view on risk tolerance was only moderately changed after an event. On a scale of 1 representing no change, to 10, representing a dramatic change in risk tolerance, the survey found that on average individuals responded only a moderate change of behavior of 5 instead of a higher score that would indicate events changed the risk tolerance in the organization. The CISO role continues to dynamically change, be ready for the new exepectations from the CISO role and the demanding environment. Build your business l business acumen, your knowledge of a governance, general risk principles and what compliance your organization and industry must compy to avoid fines and other negative consequences. It is important to consider not only where there CISO role fits in the organization, but also how the breadth of responsibilities is defined so you meet expectations and avoid any assumed gaps of accountability. Use the appropriate frameworks and standards to effectively cover the CISO domains of: 1. Protect, Shield, Defend, and Prevent 2. Govern, Manage, Comply, Educate, Manage Risk 3. Respond, Recover 4. Monitor, Hunt, and Detect And most important inspire the rest of your organization to join the cyber security team in protecting the business and making sure every decision understands the security risk to the business and makes the best possible decision that aligns with the organization's risk tolerance and financial objectives. Glossary2 Attack An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. 2 All Glossary terms from NISTIR 7290 Revision 2 Glossary of Key Information Security Terms, download from http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf for a complete glossary list.