CyberSecurity's Control Effectiveness



This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com

CyberSecurity requires the effective identification of risks and the efficient implementation of controls designed to mitigate those risks. The efficient design and architecture of integrated control frameworks is crucial to limiting the potential negative impact on the agility and competitiveness of many organizations. Determining whether a control is effective requires the assessment of several characteristics of the control in scope. One goal is to reduce the number of security events and incidents that result in outages of services for customers. Another goal is to lower the cost of operating controls, improving the return on investment in security. These integrated control frameworks are evidence based, designed to mitigate the risk of financial penalties and liabilities associated with lost confidentiality, lost data integrity or the lost availability of business information.

In the following diagram I have described how the effectiveness of a control can be assessed using multiple characteristics, including conformity to standards, knowledge transfer, competence, and verification and validation by testing. Each of these control points plays an important role in the overall risk management of the data, information and knowledge under the care of the respective organization. These risks can affect operational risk and cost and compliance risk and cost, with direct implications for strategic and financial risk. Evidence can be observed or recorded; which is appropriate depends upon the risk involved. More mature processes are documented so that knowledge can be transferred through mentoring and/or on-the-job training.

Tacit knowledge is how humans record processes within their own brains and execute those processes without documented standards or procedures to follow. In contrast, explicit knowledge is documented, making it easier to transfer and validate. This assessment is recorded in the spreadsheet with a 'T' for Tacit or 'E' for Explicit.

The competence or skill of the professional executing the process is important to the effectiveness of the control in preventing a threat from successfully exploiting existing vulnerabilities. This competency is contingent upon the professional's knowledge and experience. The CyberSecurity risk evaluator will use a scale of 1 to 6, where 1 = awareness and 6 is the equivalent of a PhD. Additional information regarding this assessment is available by contacting me.

Last but not least, we need to test the control and determine whether it is functioning as designed and intended. Finally, the overall assessment of control effectiveness will be used as part of the formula combining the threat and vulnerability assessments, and the output will be a risk rating reported to management for a risk-based decision to accept, reject or mitigate the risk by initiating corrective and/or preventive action plans.

During the assessment of CyberSecurity risks we evaluated potential threats in step one and ranked them. In step two we evaluated potential vulnerabilities to determine whether there was a match between an identified threat and an existing vulnerability. In step three we evaluate existing controls to determine whether they are functioning as planned and designed. At the conclusion of step three we arrive at a decision point where management will choose to make improvements to existing controls or add new controls. Mandatory controls must be 100% implemented to be effective. Discretionary controls can be risk justified in-scope or out-of-scope.

Once that decision has been made based on the risk to information assets we turn our attention to evaluating evidence.
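As an added worked illustration of the three-step evaluation above (threat ranking, vulnerability matching, control evaluation) and of the T/E, competence and testing characteristics, the following Python is not the author's spreadsheet or formula. The page does not publish its scoring formula, so the equal weighting of the four characteristics, the half credit given to tacit knowledge, the 1 to 5 threat and 0 to 5 vulnerability scales, the residual-risk calculation and the risk-appetite threshold are all assumptions chosen only to make the procedure runnable; the sample control rows are constructed. The one rule taken directly from the page is the hard gate that a mandatory control below 100% implementation is not effective.

```python
from dataclasses import dataclass
from typing import Literal, Tuple


@dataclass
class Control:
    """One row of a control-effectiveness spreadsheet (constructed schema)."""
    name: str
    mandatory: bool                 # page rule: mandatory controls must be 100% implemented
    implemented_pct: int            # 0..100
    conforms_to_standard: bool      # conformity to the referenced standard
    knowledge: Literal["T", "E"]    # T = tacit (undocumented), E = explicit (documented)
    competence: int                 # 1 = awareness ... 6 = PhD equivalent
    test_passed: bool               # verification and validation by testing
    in_scope: bool = True           # discretionary controls may be risk-justified out of scope


def control_effectiveness(c: Control) -> float:
    """Score from 0.0 (ineffective) to 1.0 (fully effective).

    ASSUMED model: the four assessed characteristics are averaged with equal
    weight and scaled by the implemented fraction. The page's rule that a
    mandatory control is only effective at 100% implementation is a hard gate.
    """
    if c.mandatory and c.implemented_pct < 100:
        return 0.0
    if not c.in_scope:
        return 0.0          # risk-justified out of scope: it mitigates nothing
    if not 1 <= c.competence <= 6:
        raise ValueError("competence must be on the 1..6 scale")
    if not 0 <= c.implemented_pct <= 100:
        raise ValueError("implemented_pct must be 0..100")
    characteristics = [
        1.0 if c.conforms_to_standard else 0.0,
        1.0 if c.knowledge == "E" else 0.5,     # assumption: tacit knowledge counts half
        (c.competence - 1) / 5,                 # 1 -> 0.0, 6 -> 1.0
        1.0 if c.test_passed else 0.0,
    ]
    return sum(characteristics) / len(characteristics) * (c.implemented_pct / 100)


def risk_rating(threat: int, vulnerability: int, effectiveness: float) -> float:
    """Combine the step-1 threat rank, the step-2 vulnerability match and the
    step-3 control score into a residual risk rating.

    ASSUMED scales: threat 1..5; vulnerability 0..5, where 0 means no existing
    vulnerability matches the threat. ASSUMED formula:
    residual = threat * vulnerability * (1 - effectiveness).
    """
    if not 1 <= threat <= 5:
        raise ValueError("threat must be 1..5")
    if not 0 <= vulnerability <= 5:
        raise ValueError("vulnerability must be 0..5")
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be 0..1")
    return threat * vulnerability * (1.0 - effectiveness)


def decision(residual: float, appetite: float) -> str:
    """Management's risk-based decision at the end of step three (assumed rule:
    accept within appetite, otherwise mitigate with corrective/preventive action)."""
    return "accept" if residual <= appetite else "mitigate"


def evaluate(threat: int, vulnerability: int, control: Control,
             appetite: float = 5.0) -> Tuple[float, float, str]:
    """Run the three steps for one threat/vulnerability pair and its control."""
    eff = control_effectiveness(control)
    residual = risk_rating(threat, vulnerability, eff)
    return eff, residual, decision(residual, appetite)


# Constructed sample rows, not data from the page.
MFA_PARTIAL = Control("MFA on admin logins", True, 90, True, "E", 4, True)
MFA_FULL = Control("MFA on admin logins", True, 100, True, "E", 4, True)
PATCH_REVIEW = Control("Manual patch review", False, 100, True, "T", 2, True)


if __name__ == "__main__":
    for ctl, threat, vuln in [(MFA_PARTIAL, 4, 4), (MFA_FULL, 4, 4), (PATCH_REVIEW, 3, 2)]:
        eff, residual, verdict = evaluate(threat, vuln, ctl)
        print(f"{ctl.name:22} impl={ctl.implemented_pct:3}%  eff={eff:.2f}  "
              f"residual={residual:5.2f}  -> {verdict}")
```

The two MFA rows show why the mandatory-control gate matters: the same control at 90% implementation scores zero and leaves the full inherent risk on the table, while at 100% the residual risk falls within the assumed appetite. Swapping the assumed weights or formula for the organization's own is the point of the exercise; the structure (gate, characteristics, combination, decision) is what the page describes.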
