Cyber Security Management
A structural approach
Robert Kloots, Brussels
Nov 2022
Available for Interim Management
Topics
 Main Cyber Security Goals
 Cyber Security controls support COBIT
 CSF policies, standards and guidelines
 Cyber Security Framework (CSF)
 CSF Quality Controls, Risk & Compliance
 Cyber Security Function Deployment
 Cyber Security Architecture
 Object type specific CSF controls
 Cyber Security Patterns
 Add Cyber Security to WoW => SSDLC
 Match NIST.SP.800-53r5 Controls with deployed control measures
 Manage Cyber Security Services Deployment
22/11/2022
MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
2
Main Cyber Security Goals
 Confidentiality
 Integrity
 Availability
 Non-repudiation
 Audit
Provision of Trust services
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
Audit is the mechanism through which proof is obtained and validated. Logging of (trans-)actions is actually the source on which auditing relies.
CSF policies, standards and guidelines
 Policies on right level of abstraction
 Procedures and guidelines close to WoW
 Many examples of best practices available
 Dynamic set reflecting maturity of CICD and OPS.
Cyber Security controls support COBIT
 Cyber Security Framework (CSF) offers a pragmatic approach to incorporate Cyber Security Controls into CICD and Operations.
 Drive for agile maturity, risk-based compliance
 CSF is compatible with and complementary to COBIT
 Similar support for ISO 27002
 Fairly easy integration into management reporting
Also check out: Cyber Security Risk Management
Cyber Security Framework (CSF)
CSF functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
Cyber Security Framework (CSF)
CSF categories per function:
IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
PROTECT: Identity mgt, Authentic. & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications
 Define Data/Information classification enabling risk analysis & reporting
 See “Cyber Security Risk Management”
CSF Quality Controls, Risk & Compliance
Extract from NIST.SP.800-53r5
Highlighted category: Risk Management Strategy (IDENTIFY)
 Target Organisation should apply CSF & NIST.SP.800-53r5.
 The NIST.SP.800-53r5 document has been converted into a (Confluence) wiki,
 which facilitates both Development and Operations, as well as Audit and Compliance, in incorporating the obligatory mechanisms.
 Use of capabilities and controls will evolve following the roadmap timeline.
 More discussion below
CSF Quality Controls, Risk & Compliance
AC-2(1) Account Management | Automated System Account Management
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2(2) Account Management | Automated Temporary and Emergency Account Management
Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) Account Management | Disable Accounts
Disable accounts within [Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for [Assignment: organization-defined time period].
AC-2(4) Account Management | Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) Account Management | Inactivity Logout
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
Extract from NIST.SP.800-53r5
Highlighted category: Identity mgt, Authentic. & Access Control (PROTECT)
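The AC-2 enhancements quoted above, turned into a runnable account-lifecycle check. This is an added example, not code from the deck or from NIST: the account records, field names and policy periods are constructed for illustration, and AC-2(3)(c) (violation of organisational policy) is left out because it needs a policy engine rather than a date comparison.

```python
"""Account lifecycle checks modelled on NIST SP 800-53r5 AC-2(2), AC-2(3) and AC-2(4).

Added example, not taken from the slide deck. The account records, the
policy periods and the field names are constructed for illustration; in
practice the periods come from the organisation's policy and the records
from a directory or IdP export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                       # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]  # None = never logged in
    owner: Optional[str]            # None = no longer tied to an individual
    expires: Optional[datetime] = None
    enabled: bool = True


# Organisation-defined periods (constructed values): AC-2(2) per account
# type, AC-2(3)(d) for inactivity.
POLICY = {
    "temporary": timedelta(hours=24),
    "emergency": timedelta(hours=48),
    "inactive": timedelta(days=90),
}


def evaluate(accounts: List[Account], now: datetime, policy=POLICY
             ) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (actions, audit_log); each action is (account, verb, reason).

    AC-2(3)(c), violation of organisational policy, is not modelled here.
    """
    actions, audit = [], []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already handled in an earlier run
        age = now - acct.created
        idle_since = acct.last_login or acct.created
        # AC-2(2): temporary accounts are removed, emergency accounts disabled,
        # once the period defined for their type has elapsed.
        if acct.kind == "temporary" and age > policy["temporary"]:
            verb, reason = "remove", "AC-2(2) temporary account past its period"
        elif acct.kind == "emergency" and age > policy["emergency"]:
            verb, reason = "disable", "AC-2(2) emergency account past its period"
        # AC-2(3)(a), (b), (d): expired, orphaned or inactive accounts are disabled.
        elif acct.expires is not None and acct.expires <= now:
            verb, reason = "disable", "AC-2(3)(a) account has expired"
        elif acct.owner is None:
            verb, reason = "disable", "AC-2(3)(b) no associated individual"
        elif now - idle_since > policy["inactive"]:
            verb, reason = "disable", "AC-2(3)(d) inactive beyond period"
        else:
            continue
        actions.append((acct.name, verb, reason))
        # AC-2(4): every disable/remove decision produces an audit record.
        audit.append(f"{now.isoformat()} account={acct.name} action={verb} "
                     f"reason={reason!r}")
    return actions, audit


# Constructed sample directory, evaluated at a fixed point in time.
NOW = datetime(2022, 11, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("svc-build", "regular", NOW - timedelta(days=400), NOW - timedelta(days=3), "ci-team"),
    Account("tmp-auditor", "temporary", NOW - timedelta(hours=30), NOW - timedelta(hours=2), "ext-audit"),
    Account("breakglass-01", "emergency", NOW - timedelta(hours=10), None, "soc"),
    Account("j.doe", "regular", NOW - timedelta(days=800), NOW - timedelta(days=120), "j.doe"),
    Account("contractor-x", "regular", NOW - timedelta(days=200), NOW - timedelta(days=5), None),
    Account("intern-22", "regular", NOW - timedelta(days=100), NOW - timedelta(days=1), "hr",
            expires=NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    acts, log = evaluate(SAMPLE_ACCOUNTS, NOW)
    for name, verb, reason in acts:
        print(f"{verb:<8}{name:<16}{reason}")
    print("\n".join(log))
```

Run against the sample, the check removes the temporary auditor account (over its 24-hour period), disables the expired, orphaned and inactive accounts, leaves the still-valid break-glass account alone, and writes one audit line per decision, which is the evidence an auditor asks for under AC-2(4).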
Cyber Security Function Deployment
• Take inventory of existing CySec services and/or solutions,
• Allocate to appropriate matrix cell
• Repeat for asset type:
o Corporate digital assets
o Employee assets
o Customer assets
o Vendor assets
o Threat actor assets
Matrix axes: Asset types × Operational functions
Source: CYBER DEFENSE MATRIX by Sounil Yu
Do we have something (inventory)...
That we care about (impact)...
That has weaknesses (vulnerabilities)...
That someone is after (threats)?
Cyber Security Architecture
 Formulate together with Business Partners and ICT Guilds,
 Architectural view takes shape, matures and is integrated with Asset & Configuration Details
 Reflects “Cyber Security Service Catalogue”
https://www.opensecurityarchitecture.org
OSA Taxonomy
Object type specific CSF controls
(Figure: object-type diagram showing the environments PROD on premise, DEV, ACC/INT, EG, TEST and PROD in Cloud; a Network controller (FW); Internal Source, Application A, Application B and External Source; DB, Data and Blob stores; Cloud specs; with control points labelled 1S to 6S and 1T to 6T.)
Also check out: Cyber object types and controls
Cyber Security Patterns
Make controls explicit through Security patterns and functional grouping:
 Group Controls through function/service,
role, mandate
 Allow for reusable components
Cyber Security services are Lateral Services:
 Offer Cyber Security controls
 Allow for KPI + SLA
(Figure: Server pattern, Roles and Controls)
Add Cyber Security to WoW => SSDLC
Check for security updates (CVSS) in your SBOM
Include Threat modelling
Follow control implementation throughout CICD
Add Cyber Security to WoW => SSDLC
 Use STRIDE Threat Modeling
 Finetune backlog using CVSS
Threat action | Threat | Definition | Desired property | Example
masquerading | Spoofing | Pretend to be someone else | Authenticity | Hack victim's email and use
Alteration | Tampering | Changing data or code | Integrity | Software executable file is tampered by hackers
Denying | Repudiation | Claiming not to do a particular action | Non-repudiability | I have not sent an email to Alice
Data Loss/Leakage | Information disclosure | Leakage of sensitive information | Confidentiality | Credit card information available on the Internet
Downtime | Denial of Service | Non-availability of service | Availability | Web application not responding to user requests
Admin (root) | Elevation of Privilege | Able to perform unauthorised action | Authorization | Normal user able to delete admin account.
Add Cyber Security to WoW => SSDLC
 Convert Cyber Security controls into User stories & Epics, then code or config
 Keep track of control throughout CICD using control number.
Approximate steps:
 Threat modelling => DFD
 Software Architecture => Processing, Flows, Interfaces, APIs and IP##
 Business Analysis => user stories
 Development => software code
 Control suites => test, test, test and pentest
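The STRIDE table above and the first steps of the procedure (threat modelling on a DFD, then business analysis into user stories), worked through as an added example that is not part of the deck. It applies STRIDE-per-element, the chart from Adam Shostack's threat-modelling method that says which threat classes apply to which kind of DFD element; the login DFD, its element names and the priority rule are constructed.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not part of the slide deck. The element-kind to STRIDE mapping
follows the STRIDE-per-element chart from Adam Shostack's threat-modelling
method; the login DFD below and its element names are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Threat letter -> (threat, desired property), as in the STRIDE table.
STRIDE = {
    "S": ("Spoofing", "Authenticity"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiability"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# STRIDE-per-element: which threat classes apply to which DFD element kind.
# A plain data store is not a repudiation target; a store of audit/log data is.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
    "log_store": "TRID",
}


@dataclass
class Element:
    name: str
    kind: str
    crosses_boundary: bool = False  # data flow crossing a trust boundary


@dataclass
class Threat:
    element: str
    code: str
    threat: str
    prop: str
    priority: str
    story: str       # backlog wording: the required control as a user story


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """One Threat per (element, applicable STRIDE class)."""
    threats = []
    for el in dfd:
        for code in APPLICABLE[el.kind]:
            threat, prop = STRIDE[code]
            # Constructed triage rule: boundary-crossing flows and processes first.
            priority = "high" if (el.crosses_boundary or el.kind == "process") else "normal"
            story = (f"As the service owner I want '{el.name}' protected against "
                     f"{threat.lower()} so that {prop.lower()} is preserved.")
            threats.append(Threat(el.name, code, threat, prop, priority, story))
    return threats


def summarise(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per desired property, for the risk report."""
    return dict(Counter(t.prop for t in threats))


# Constructed DFD of a web login: browser -> web app -> user DB, plus audit log.
LOGIN_DFD = [
    Element("Browser user", "external_entity"),
    Element("Login request (Internet to DMZ)", "data_flow", crosses_boundary=True),
    Element("Web application", "process"),
    Element("Credential lookup (DMZ to internal)", "data_flow", crosses_boundary=True),
    Element("User database", "data_store"),
    Element("Audit log", "log_store"),
]

if __name__ == "__main__":
    for t in enumerate_threats(LOGIN_DFD):
        print(f"[{t.priority:<6}] {t.code} {t.element:<38} -> {t.story}")
    print(summarise(enumerate_threats(LOGIN_DFD)))
```

Each generated story is a backlog candidate that carries its STRIDE code, so the control can be tracked through CICD by that code in the way the deck suggests; the per-property summary shows where the design concentrates its exposure (here integrity, confidentiality and availability dominate because every flow and store is a tampering, disclosure and denial-of-service target).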
Match NIST.SP.800-53 Controls with deployed control measures
Above numbers actually are from CIS Top 20 Critical Security Controls
Map each Control to the to-be-deployed security function
Manage Cyber Security Services Deployment
 Understand per asset its set of vulnerabilities, and which vulnerability is most prone to attacks, directly or through a chain of attack.
 Know per asset which (set of) mitigation measure(s) eliminates these attack risks
 Maintain the match between the functional security architecture and the measures deployed in operation
 (Introd)use AI and Cyber Risk methods to swiftly minimise your exposure.
 Automatically fill the Agile backlog (SECDEV/SOC/CSIRT) with these issues, with risk-based priority
 Provide Opex/Capex report on portfolio progress
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs.
You can reach me @
 robert.kloots@mediqaid.eu
 Linkedin.com.in/kloots
 Thank you for browsing this slidedeck ;-)
2024 Numerator Consumer Study of Cannabis Usage
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 

See also the companion deck "Cyber Security Risk Management".
Cyber Security Framework (CSF)
The five CSF core functions (figure on the slide):
 IDENTIFY
 PROTECT
 DETECT
 RESPOND
 RECOVER
Cyber Security Framework (CSF)
CSF categories per core function (reconstructed from the slide's figure):
 IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management
 PROTECT: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
 DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
 RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
 RECOVER: Recovery Planning; Improvements; Communications
CSF Quality Controls, Risk & Compliance
 Define Data/Information classification enabling risk analysis & reporting
 See "Cyber Security Risk Management"
(Figure: extract from NIST SP 800-53r5, mapped to the CSF IDENTIFY function, Risk Management Strategy category.)
CSF Quality Controls, Risk & Compliance (continued)
 The target organisation should apply the CSF together with NIST SP 800-53r5.
 The NIST SP 800-53r5 document has been converted into a (Confluence) wiki, which lets Development and Operations, as well as Audit and Compliance, incorporate the obligatory mechanisms.
 Use of capabilities and controls will evolve along the roadmap timeline.
 More discussion below.
Extract from NIST SP 800-53r5 (CSF PROTECT function, Identity Management, Authentication and Access Control category):
 AC-2(1) Account Management | Automated System Account Management: Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
 AC-2(2) Account Management | Automated Temporary and Emergency Account Management: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
 AC-2(3) Account Management | Disable Accounts: Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].
 AC-2(4) Account Management | Automated Audit Actions: Automatically audit account creation, modification, enabling, disabling, and removal actions.
 AC-2(5) Account Management | Inactivity Logout: Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
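As an added example (not from the deck), the Python below turns the AC-2(2), AC-2(3) and AC-2(4) text above into an executable check over account records: each [Assignment] slot becomes a constant, each clause becomes a condition, and every disable action produces an audit record. The account records, the time periods and the Account/AuditEvent types are constructed for illustration; in practice the records come from the directory or IdP and the periods from policy.

```python
"""Check account records against NIST SP 800-53r5 AC-2(2), AC-2(3) and AC-2(4).

Added example, not part of the original deck. The thresholds below stand in
for the [Assignment: organization-defined ...] parameters and are assumed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

TEMP_ACCOUNT_LIFETIME = timedelta(days=7)         # AC-2(2), temporary accounts (assumed)
EMERGENCY_ACCOUNT_LIFETIME = timedelta(hours=24)  # AC-2(2), emergency accounts (assumed)
INACTIVITY_LIMIT = timedelta(days=90)             # AC-2(3)(d) (assumed)


@dataclass
class Account:
    name: str
    kind: str                       # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]  # None if the account has never logged in
    owner: Optional[str]            # None once no individual is associated with it
    expires: Optional[datetime] = None
    policy_violation: bool = False
    enabled: bool = True


@dataclass
class AuditEvent:
    """AC-2(4): every disable action is recorded with the clause that triggered it."""
    when: datetime
    account: str
    action: str
    reason: str


def disable_reasons(acct: Account, now: datetime) -> List[str]:
    """Return the AC-2 clauses that require this account to be disabled (empty if none)."""
    reasons = []
    age = now - acct.created
    if acct.kind == "temporary" and age > TEMP_ACCOUNT_LIFETIME:
        reasons.append("AC-2(2): temporary account past its lifetime")
    if acct.kind == "emergency" and age > EMERGENCY_ACCOUNT_LIFETIME:
        reasons.append("AC-2(2): emergency account past its lifetime")
    if acct.expires is not None and acct.expires <= now:
        reasons.append("AC-2(3)(a): account expired")
    if acct.owner is None:
        reasons.append("AC-2(3)(b): no associated user or individual")
    if acct.policy_violation:
        reasons.append("AC-2(3)(c): violation of organizational policy")
    # An account that never logged in is measured from its creation date.
    last_activity = acct.last_login if acct.last_login is not None else acct.created
    if now - last_activity > INACTIVITY_LIMIT:
        reasons.append("AC-2(3)(d): inactive beyond the organization-defined period")
    return reasons


def enforce(accounts: List[Account], now: datetime) -> List[AuditEvent]:
    """Disable every enabled account that meets a disable condition; audit each action."""
    events = []
    for acct in accounts:
        if not acct.enabled:
            continue
        reasons = disable_reasons(acct, now)
        if reasons:
            acct.enabled = False  # in production: the directory/IdP API call goes here
            events.append(AuditEvent(now, acct.name, "disable", "; ".join(reasons)))
    return events


NOW = datetime(2022, 11, 22, tzinfo=timezone.utc)


def sample_accounts(now: datetime = NOW) -> List[Account]:
    """Constructed sample records (hypothetical names and dates)."""
    return [
        Account("alice", "regular", now - timedelta(days=400), now - timedelta(days=3), "alice"),
        Account("bob", "regular", now - timedelta(days=400), now - timedelta(days=120), "bob"),
        Account("tmp-contractor", "temporary", now - timedelta(days=10), now - timedelta(days=9), "contractor"),
        Account("breakglass", "emergency", now - timedelta(hours=2), now - timedelta(hours=1), "oncall"),
        Account("svc-legacy", "regular", now - timedelta(days=200), now - timedelta(days=5), None),
        Account("carol", "regular", now - timedelta(days=30), now - timedelta(days=1), "carol",
                expires=now - timedelta(days=1)),
    ]


if __name__ == "__main__":
    for ev in enforce(sample_accounts(), NOW):
        print(f"{ev.when.isoformat()} {ev.action} {ev.account}: {ev.reason}")
```

The reason string carries the control clause, which is what the later "keep track of control throughout CICD using control number" slide needs: the audit log, the user story and the test can all be searched for "AC-2(3)(d)".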
Cyber Security Function Deployment
 Take inventory of existing CySec services and/or solutions
 Allocate each to the appropriate matrix cell (asset type × operational function)
 Repeat for each asset type:
   o Corporate digital assets
   o Employee assets
   o Customer assets
   o Vendor assets
   o Threat actor assets
Source: Cyber Defense Matrix by Sounil Yu. The matrix answers four questions: Do we have something (inventory)... that we care about (impact)... that has weaknesses (vulnerabilities)... that someone is after (threats)?
Cyber Security Architecture
 Formulate together with Business Partners and ICT Guilds
 The architectural view gains substance, matures and is integrated with Asset & Configuration details
 Reflects the "Cyber Security Service Catalogue"
Figure: OSA Taxonomy, https://www.opensecurityarchitecture.org
Object type specific CSF controls
(Figure: environments PROD on premise, DEV, ACC/INT, EG TEST and PROD in Cloud; components Network controller (FW), Internal Source, External Source, Application A, Application B, DB and Data Blob; numbered source (S) and target (T) control points 1S–6S and 1T–6T on the flows between them; Cloud specs.)
Also check out "Cyber object types and controls".
Cyber Security Patterns
Make controls explicit through security patterns and functional grouping:
 Group controls by function/service, role and mandate
 Allow for reusable components
Cyber Security services are lateral services:
 Offer Cyber Security controls
 Allow for KPI + SLA
(Figure: server pattern with roles and controls.)
Add Cyber Security to WoW => SSDLC
 Check for security updates (CVSS) in your SBOM
 Include threat modelling
 Follow control implementation throughout CICD
Add Cyber Security to WoW => SSDLC (continued)
 Use STRIDE threat modelling
 Fine-tune the backlog using CVSS
STRIDE overview (threat action | threat | definition | desired property | example):
 Masquerading | Spoofing | Pretend to be someone else | Authenticity | Attacker hacks the victim's email account and uses it
 Alteration | Tampering | Changing data or code | Integrity | Software executable file is tampered with by attackers
 Denying | Repudiation | Claiming not to have performed a particular action | Non-repudiation | "I have not sent an email to Alice"
 Data loss/leakage | Information disclosure | Leakage of sensitive information | Confidentiality | Credit card information available on the Internet
 Downtime | Denial of Service | Non-availability of a service | Availability | Web application not responding to user requests
 Admin (root) | Elevation of Privilege | Able to perform unauthorised actions | Authorization | Normal user able to delete an admin account
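The two SSDLC slides above ask for two things: check the SBOM for components with known security updates, and order the backlog by CVSS. As an added example (not the deck's own tooling), the Python below reads a CycloneDX JSON SBOM, matches its components against an advisory list and sorts the findings by CVSS base score into severity bands. The SBOM fragment, the advisory feed and every package name, advisory identifier and score in them are constructed for illustration.

```python
"""Prioritise SBOM findings by CVSS score for the SSDLC backlog.

Added example, not part of the original deck. The SBOM fragment, the advisory
feed and every identifier and score in them are constructed for illustration.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM (hypothetical component names).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-http", "version": "2.3.1",
     "purl": "pkg:generic/libexample-http@2.3.1"},
    {"type": "library", "name": "example-json", "version": "1.9.0",
     "purl": "pkg:generic/example-json@1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "4.0.2",
     "purl": "pkg:generic/example-crypto@4.0.2"}
  ]
}
"""

# Constructed advisory feed; identifiers and CVSS base scores are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libexample-http", "fixed_in": "2.3.4", "cvss": 9.8},
    {"id": "EXAMPLE-ADV-0002", "package": "example-json", "fixed_in": "1.8.0", "cvss": 7.5},
    {"id": "EXAMPLE-ADV-0003", "package": "example-crypto", "fixed_in": "4.1.0", "cvss": 5.3},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; pre-release tags need a real version library."""
    return tuple(int(part) for part in version.split("."))


def severity(score: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def sbom_components(sbom_json: str) -> Dict[str, str]:
    """Map component name -> version from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def match_advisories(components: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """A component is affected when its installed version is older than the fix."""
    findings = []
    for adv in advisories:
        version = components.get(adv["package"])
        if version is None:
            continue
        if parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({
                "package": adv["package"], "installed": version,
                "fixed_in": adv["fixed_in"], "advisory": adv["id"],
                "cvss": adv["cvss"], "severity": severity(adv["cvss"]),
            })
    return findings


def build_backlog(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Findings ordered highest CVSS first, i.e. the order to pull them into sprints."""
    findings = match_advisories(sbom_components(sbom_json), advisories)
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for item in build_backlog(SBOM_JSON, ADVISORIES):
        print(f'{item["severity"]:8} {item["cvss"]:4} {item["package"]} '
              f'{item["installed"]} -> {item["fixed_in"]} ({item["advisory"]})')
```

The CVSS base score orders findings by technical severity only; the deck's risk-based prioritisation would further weight each item by the asset's exposure and business impact before it lands in a sprint. Note also that example-json is not reported, because its installed version is newer than the fix version: a version comparison, not a name match, decides whether a component is affected.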
Add Cyber Security to WoW => SSDLC (continued)
 Convert Cyber Security controls into user stories & epics, then code or config
 Keep track of each control throughout CICD using its control number
Approximate steps:
 Threat modelling => DFD
 Software Architecture => Processing, Flows, Interfaces, APIs and IP##
 Business Analysis => user stories
 Development => software code
 Control suites => test, test, test and pentest
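"Keep track of each control throughout CICD using its control number" is easy to state and easy to lose in practice. As an added example (not from the deck), the Python below extracts NIST SP 800-53 control numbers, including enhancements such as AC-2(3), from the text of user stories, code annotations and test descriptions, and reports which required controls never reached a stage. The required-controls set, the stage contents and the tagging convention (control ID written literally in the artefact) are constructed assumptions.

```python
"""Trace NIST SP 800-53 control numbers from user stories through code to tests.

Added example, not part of the original deck. The stage contents below are
constructed; writing the control ID literally into each artefact is one
possible convention for keeping the control number visible throughout CICD.
"""
import re
from typing import Dict, Iterable, List, Set

# Matches base controls such as AC-2 and enhancements such as AC-2(3).
CONTROL_ID = re.compile(r"\b([A-Z]{2}-\d+(?:\(\d+\))?)")

# Controls the target organisation decided to implement (assumed subset).
REQUIRED_CONTROLS: Set[str] = {"AC-2(3)", "AC-2(4)", "AC-2(5)", "AU-2"}

# Constructed artefacts from three CICD stages (hypothetical text).
STAGES: Dict[str, List[str]] = {
    "story": [
        "As an admin I want inactive accounts disabled after 90 days [AC-2(3)]",
        "As an auditor I want every account change logged [AC-2(4)]",
        "As a user I am logged out after 15 minutes of inactivity [AC-2(5)]",
    ],
    "code": [
        "# control: AC-2(3) - disable_inactive_accounts()",
        "# control: AC-2(4) - emit_account_audit_event()",
        "# control: AC-2(5) - session_idle_timeout()",
    ],
    "test": [
        "# verifies AC-2(3): account disabled on day 91",
        "# verifies AC-2(4): audit event written on disable",
    ],
}


def extract_controls(lines: Iterable[str]) -> Set[str]:
    """Collect every control ID mentioned in the given lines."""
    found: Set[str] = set()
    for line in lines:
        found.update(CONTROL_ID.findall(line))
    return found


def traceability(required: Set[str], stages: Dict[str, List[str]]) -> Dict[str, Dict[str, bool]]:
    """For each required control, whether each stage mentions it.

    The match is exact on purpose: a story tagged AC-2 does not count as
    covering the enhancement AC-2(3); tag the enhancement you actually build.
    """
    mentioned = {stage: extract_controls(lines) for stage, lines in stages.items()}
    return {
        ctrl: {stage: ctrl in ids for stage, ids in mentioned.items()}
        for ctrl in sorted(required)
    }


def gaps(coverage: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """Controls missing in at least one stage, with the stages they miss."""
    return {
        ctrl: [stage for stage, ok in per_stage.items() if not ok]
        for ctrl, per_stage in coverage.items()
        if not all(per_stage.values())
    }


if __name__ == "__main__":
    for ctrl, missing in gaps(traceability(REQUIRED_CONTROLS, STAGES)).items():
        print(f"{ctrl}: missing in {', '.join(missing)}")
```

Run against the constructed data this flags AC-2(5) as implemented but untested and AU-2 as never picked up at all, which is exactly the "test, test, test and pentest" gate the step list ends with: a control with no test in the control suite has not been delivered, however many stories mention it.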
Match NIST.SP.800-53 Controls with deployed control measures
(Figure: mapping of each control to the security function to be deployed. The slide notes that the control numbers shown in the figure are actually from the CIS Top 20 Critical Security Controls.)
Manage Cyber Security Services Deployment
 Understand, per asset, its set of vulnerabilities and which vulnerability is most prone to attack, directly or through a chain of attack
 Know, per asset, which (set of) mitigation measure(s) eliminates these attack risks
 Maintain the match between the functional security architecture and the measures deployed in operation
 Introduce and use AI and Cyber Risk methods to swiftly minimise your exposure
 Automatically fill the Agile backlog (SECDEV/SOC/CSIRT) with these issues, prioritised by risk
 Provide an Opex/Capex report on portfolio progress
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your needs. You can reach me at:
 robert.kloots@mediqaid.eu
 Linkedin.com.in/kloots
 Thank you for browsing this slidedeck ;-)