CyberSecurity's Integrated Control Framework
This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program then please contact Mark @ 604-349-6557 or mesbernard@gmail.com

The following CyberSecurity risk-mitigating processes, based on an Integrated Control Framework, will help with the development and implementation of your CyberSecurity Program. The processes described below and in Diagram A represent the minimum effort required of an organization that intends to mitigate the risk of a security event or incident leading to a breach of security and unauthorized disclosure.

[Diagram A]
The following descriptions give an overview of the CyberSecurity Program processes. The tasks within each process are formally documented in policies, procedures and standards, and those documents become part of the document control and records management processes. Details of these documents can be requested as needed.

• Governance: During this process the security program is aligned with organizational goals and objectives by the leaders who are responsible for assets like information and resources like people.
• Risk Management: During this process the threats and vulnerabilities facing the security program are balanced against existing controls, and decisions are made to add or remove risk-mitigating controls based on the importance of the assets at risk.
• Compliance Management: During this process the security program identifies legal obligations defined in statutes, regulations and contracts, and maps them to the master control deck so that evidence of compliance is available in real time and continuously rather than only at audit time.
• Vulnerability Management: During this process the security program identifies and mitigates known vulnerabilities. In addition, the VM process examines the Enterprise Architecture for previously unknown vulnerabilities and treats those as well.
• Communication Management: During this process the security program identifies opportunities to share security-related information by creating appropriate communication pieces and carefully selecting and leveraging channels.
• Awareness Training: During this process we share the tools and techniques used to apply security to daily roles and responsibilities within the organization, raising awareness and influencing employees to become more security conscious.
• Access and Identity: During this process the security program ensures that persons accessing the organization's information and systems can be positively identified, and that they have the access to information and resources required to fulfill their roles and responsibilities.
• Asset Management: During this process the security program ensures that assets are identified and registered so that risk management, vulnerability management, change management, configuration management and availability management can be effective; a control cannot protect an asset the program does not know about.
• Document Control: During this process the security program identifies and controls the documentation that is crucial to producing consistent and reproducible results.
• Records Management: During this process the security program identifies the records that are crucial to producing evidence of conformity with standards and compliance with legal obligations.
• Internal/External Auditing: During this process the security program provides assurance by verifying and validating that the security program is operating effectively, and makes recommendations where appropriate and necessary for the continuous improvement of the program.
• Monitoring and Reporting: During this process the security program identifies security events and incidents for follow-up action. These events range from system faults to attempts to access unauthorized information or system resources, any of which can lead to a breach of security and activation of the security incident response process or business continuity plans.
The CyberSecurity Program must be built on a solid, proven and tested control framework with international acceptance. The information security standard framework of choice is ISO/IEC 27001:2013. This framework has been used by regulators in many countries as the basis for regulations and statutes designed to protect information assets. It is a benchmark set of security controls that can be added to depending on the nature of the business and its risk exposure.

The standard has two sets of requirements. The first, the mandatory management-system requirements in the main body of ISO/IEC 27001:2013 (clauses 4 through 10), comprises 148 control points that provide the overarching management system described above and summarized in Diagram A. The second set, the 114 controls outlined in Annex A, can be risk-justified in or out of scope for the CyberSecurity Program; the standard requires a Statement of Applicability that records which Annex A controls are in scope and the justification for any exclusion. More details describing these control points are available in supplementary standards such as ISO/IEC 27002:2013. Diagram B gives a high-level summary of each Annex A section and the total control points in each. These control points are important to identify because each one has been designed to mitigate a specific, known risk that is common to all business environments that use technology to process and safeguard information. Diagram C describes the overarching Enterprise Security Program into which the 114 controls listed in Annex A would be integrated or assimilated as part of existing business processes.

[Diagram B]

[Diagram C]