Cyber Security Defense-in-Depth Control Pyramid part 1 explanation
Document Transcript

  • *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
    [Pyramid diagram: Management Layers / Operational Layers]
    For more information contact: Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard
  • Governance – The top officials and executives held accountable for the outcomes, and their direct reports responsible for executing the vision and direction for Cyber Security. Accountability cannot be delegated down the chain of command; however, responsibilities and roles for consultation and communications can change. (see slide 3)
    Security Program – The business plan, strategy, vision, mission, strategic and tactical goals and objectives, the program framework and workflow, the supporting policies, procedures and standards, security operations, monitoring of security events and incidents, implementation and maintenance of security program assets, and security of supply chains, partners, vendors and suppliers. (see slide 4)
    Human Resources – Recruitment and selection, induction, orientation, responsibility for employee behaviour, internal investigations, assignment of assets, initiation of requests for physical and logical access control, and termination.
    Incident Management – Security event monitoring and response to physical and logical security incidents. It exists outside Information Technology so that it can maintain an objective, independent opinion during investigations, and it coordinates with general counsel and external parties, including law enforcement, as required. The incident response team can call upon anyone within the organization to assist.
    Access Control – Identity and Access Management, responsible for granting and revoking physical and logical security access; one-stop shopping for effective resolution of security access requirements.
    Physical & Environmental – Responsible for maintaining the security perimeter and enforcing security policy, security of visitors, escorting visitors, security of vendors and suppliers, and security of mechanical engineering maintenance and installation.
    Information Systems Acquisition, Development and Maintenance – Responsible for security within software procurement and decommissioning activities, and for security within the maintenance of existing systems and new systems.
    Communications & Operations Management – Responsible for security of telecommunications within the enterprise and externally, and for operations within the operations group; key roles include managers, supervisors, contractors and regular employees administering business systems, hardware, software, servers, desktops, smart phones, laptops, cloud services, etc.
    Business Continuity & Disaster Recovery – This is the last fallback point: if all else has failed, it is time to pull up stakes and relocate, or rebuild an existing instance, at this layer.
  • Within “Layer 1 – Governance”, inputs and outputs form the integration of governance (ownership, custodianship, accountability, responsibility, who needs to be consulted and who needs to be informed) with the various lines of business and the information security program. This layer of governance requires participation of all stakeholders.
  • Within “Layer 1 – Governance”, inputs and outputs with Risk Management are crucial to establishing the culture of risk management and to keeping threats and vulnerabilities in check. In some cases, such as vendor and supplier management and Cloud Computing, many risks are ongoing and shared between two or more parties. In these circumstances a Risk Registry is required to empower management by monitoring these risks with the external party on a monthly basis.
  • Within “Layer 1 – Governance” and Risk Management, a Risk Registry is essential to proactively managing risks and maintaining alignment with the Enterprise Risk Management program. The key areas to monitor are strategic risk, financial risk, operational risk and compliance risk.
  • Within “Layer 2 – Security Program”, inputs and outputs form the integration of the various lines of business with the information security program, i.e. governance, risk management, quality management, compliance management, communications strategy, awareness training, identity and access management, knowledge management, document control and records management, active monitoring and internal/external audit.
  • Within “Layer 2 – Security Program”, risk management requires the assessment of threats and vulnerabilities, followed by quality management activities such as corrective action planning for immediate risks and preventive design, either to stop the recurrence of risks or to prevent risks from being realized, essentially eliminating risk trigger points. Control Design is a technique based on quality management techniques that we use to identify key control areas and assets and to validate control effectiveness and efficiency, further leading to an assessment of the organization's investments in security safeguards.
  • Within “Layer 2 – Security Program”, Risk Management through Control Design allows the manager to initiate corrective actions and/or preventive actions to mitigate or eliminate risk. These CAPA (corrective and preventive action) plans are recorded in the risk treatment plans against the key control asset groups and monitored until successfully completed, and their completion needs to be independently validated. Management's decisions are also recorded, along with the risk rating and the value of the control, in addition to the residual risk, which estimates the level of risk remaining after successful completion of the risk treatment plan.