CyberSec object types & controls
Belay controls as close as possible to Way of Working
Robert Kloots, Brussels
Nov 2022
Available for Interim Management
Topics
• Main Cyber Security Goals
• CSF policies, standards and guidelines
• Cyber Security Framework (CSF)
• CSF Quality Controls, Risk & Compliance
• Object type specific CSF controls
• Add Cyber Security to WoW => SSDLC
23/11/2022
MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
2
Main Cyber Security Goals
• Confidentiality
• Integrity
• Availability
• Non-repudiation
• Audit
Provision of Trust services
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
Audit is the mechanism through which proof is obtained and validated. Logging of (trans-)actions is actually the source on which auditing relies.
CSF policies, standards and guidelines
• Policies on the right level of abstraction
• Procedures and guidelines close to WoW
• Many examples of best practices available
• Dynamic set reflecting maturity of CICD and OPS.
Cyber Security Framework (CSF)
CSF core functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
Cyber Security Framework (CSF)
IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
PROTECT: Identity Management, Authentication & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications
CSF Quality Controls, Risk & Compliance
CSF mapping: IDENTIFY > Risk Management Strategy (extract from NIST.SP.800-53r5)
• Define Data/Information classification enabling risk analysis & reporting
• See “Cyber Security Risk Management”
• Target Organisation should apply CSF & NIST.SP.800-53r5.
• The NIST.SP.800-53r5 document has been converted into a (Confluence) wiki
• Which facilitates both Development and Operations, as well as Audit and Compliance, to incorporate the obligatory mechanisms
• Use of capabilities and controls will evolve following the roadmap timeline.
• More discussion below
CSF Quality Controls, Risk & Compliance
CSF mapping: PROTECT > Identity Management, Authentication & Access Control (extract from NIST.SP.800-53r5)
AC-2(1) Account Management | Automated System Account Management: Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
AC-2(2) Account Management | Automated Temporary and Emergency Account Management: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) Account Management | Disable Accounts: Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].
AC-2(4) Account Management | Automated Audit Actions: Automatically audit account creation, modification, enabling, disabling, and removal actions.
AC-2(5) Account Management | Inactivity Logout: Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
Object type specific CSF controls
Environments in the figure: DEV, ACC/INTEG, TEST, PROD on premise and PROD in Cloud, separated by a network controller (FW).
• DEV/ACC-INTEG/PROD environments on separate network segments
• Data in DEV/ACC-INTEG is separated from PROD; privacy elements from production forbidden
• Pseudonymisation in place
• All servers have valid certificate(s)
• Data in PROD doesn’t use test data
• Access rights on DEV/ACC-INTEG/PROD resources to be allocated through RBAC/PAM
• Monitoring on critical rights
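As an added illustration (not the author's code) of the "Pseudonymisation in place" and "privacy elements from production forbidden" controls above: a keyed-HMAC pseudonymisation pass run on the PROD side before an extract is copied to DEV/ACC-INTEG, plus a release gate that rejects the extract if any original privacy value survives. The field classification, the records and the key are constructed assumptions.

```python
import hashlib
import hmac

# Assumed classification of the sample record (not from the slide deck).
PRIVACY_FIELDS = {"name", "email", "national_id"}  # replace by pseudonym
DROP_FIELDS = {"phone"}                             # nothing in DEV needs it: drop
# Constructed key: in PROD it lives in a secret store and never reaches DEV/ACC.
PSEUDO_KEY = b"prod-only-pseudonymisation-key"

# Constructed PROD sample; every value is invented.
PROD_SAMPLE = [
    {"patient_id": 1001, "name": "Anna Janssens", "email": "anna@example.org",
     "national_id": "85.01.01-123.45", "phone": "+32 2 555 0100", "diag": "J18.9"},
    {"patient_id": 1002, "name": "Anna Janssens", "email": "a.janssens@example.org",
     "national_id": "85.01.01-123.45", "phone": "+32 2 555 0101", "diag": "E11.9"},
]


def pseudonym(value, key=PSEUDO_KEY):
    """Keyed, deterministic token: equal inputs give equal tokens, so joins across
    tables keep working in DEV, but without the key the token cannot be reversed
    or re-derived from a guessed value."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "PSN-" + digest[:16]


def pseudonymise_record(record, key=PSEUDO_KEY):
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in PRIVACY_FIELDS:
            token = pseudonym(str(value), key)
            # keep the e-mail shape so DEV validation code still accepts the value
            out[field] = token.lower() + "@example.invalid" if field == "email" else token
        else:
            out[field] = value
    return out


def pseudonymise_extract(records, key=PSEUDO_KEY):
    """Run in PROD, on the PROD side of the network boundary, before the copy."""
    return [pseudonymise_record(r, key) for r in records]


def leaked_values(extract, source):
    """Release gate for 'privacy elements from production forbidden': list every
    original privacy value that still appears anywhere in the outgoing extract."""
    originals = {str(r[f]) for r in source for f in PRIVACY_FIELDS | DROP_FIELDS if f in r}
    blob = "\n".join(str(v) for r in extract for v in r.values())
    return sorted(o for o in originals if o in blob)
```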
Object type specific CSF controls
• Protect any interface/API from/to Internal Source (1S/2T)
• Protect any interface/API from/to Application A (1T/2S/3S/4T/5S/6T)
=> Application + Infrastructure certificates, HTTPS; encrypted dataflow; logged dataflow
Figure: dataflow diagram with Internal Source, Application A, Application B, External Source and DB/Data Blob; flows labelled 1S/1T … 6S/6T.
• Any DB/Datablob at rest should be encrypted, including logs.
• Mobile app in sandbox
Object type specific CSF controls
Allocate controls to Object Types
• Per Asset, e.g. Application A
• Per API and API manager
• Per Platform – SaaS for Dev (CRM/Openshift/Outsystems/etc)
• Per Platform – IaaS (Azure/AWS/GCP)
• Per Platform – PaaS (CRM/OS/…)
• Per Solution – Azure AD/MS Dynamics/…
Control list per Asset type/instance, assembled in Security patterns.
Figure: the dataflow diagram (Internal Source, Application A, Application B, External Source, DB/Data Blob; flows 1S/1T … 6S/6T) overlaid with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (application platforms).
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – IaaS on/off premise
• AWS
• Azure
• GCP
• …
Control list per Asset type/instance, assembled in Security patterns.
Figure: the dataflow diagram (Internal Source, Application A, Application B, External Source, DB/Data Blob; flows 1S/1T … 6S/6T) overlaid with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (application platforms).
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – PaaS on/off premise
• Linux
• MS Windows
• …
PaaS DEV/Hosting platform
• Odoo
• Joomla
• Openshift
• Outsystems
• CRM
• …
Control list per Asset type/instance, assembled in Security patterns.
Figure: the dataflow diagram (Internal Source, Application A, Application B, External Source, DB/Data Blob; flows 1S/1T … 6S/6T) overlaid with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (application platforms).
Object type specific CSF controls
Allocate controls to Object Types
Per Platform – SaaS
• Azure AD
• SaaS app 01 … n
Control list per Asset type/instance, assembled in Security patterns.
Figure: the dataflow diagram (Internal Source, Application A, Application B, External Source, DB/Data Blob; flows 1S/1T … 6S/6T) overlaid with Cloud-IaaS (Azure/AWS/GCP/…) and Cloud-PaaS (application platforms).
Add Cyber Security to WoW => SSDLC
• Convert Cyber Security controls into User stories & Epics, then code or config
• Keep track of the control throughout CICD using the control number.
Approximate steps:
• Threat modelling => DFD
• Software Architecture => Processing, Flows, Interfaces, APIs and IP##
• Business Analysis => user stories
• Development => software code
• Control suites => test, test, test and pentest
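Added example (not the author's code) of the "controls into code, tracked by control number" step, applied to the AC-2 extract from NIST.SP.800-53r5 earlier in the deck: an account review that disables accounts under the AC-2(2) and AC-2(3) clauses, carrying the clause id on every decision, and writes one AC-2(4) audit record per change. The [Assignment:] time periods and the account population are assumed values.

```python
from datetime import datetime, timedelta, timezone

# [Assignment:] parameters are organisation-defined; these values are assumed.
LIFETIME = {"temporary": timedelta(days=7), "emergency": timedelta(hours=24)}  # AC-2(2)
INACTIVITY = timedelta(days=90)                                                # AC-2(3)(d)

def review_accounts(accounts, now):
    """AC-2(2) and AC-2(3) as code: return (account_id, action, control clause) for
    every enabled account that must be disabled, so the control number travels
    with the decision into tickets, tests and audit evidence."""
    decisions = []
    for a in accounts:
        if not a["enabled"]:
            continue
        lifetime = LIFETIME.get(a.get("type"))
        if lifetime and now - a["created"] > lifetime:
            decisions.append((a["id"], "disable", "AC-2(2)"))
        elif a.get("expires") and a["expires"] <= now:
            decisions.append((a["id"], "disable", "AC-2(3)(a)"))
        elif a.get("owner") is None:
            decisions.append((a["id"], "disable", "AC-2(3)(b)"))
        elif a.get("policy_violation"):
            decisions.append((a["id"], "disable", "AC-2(3)(c)"))
        elif now - a["last_login"] > INACTIVITY:
            decisions.append((a["id"], "disable", "AC-2(3)(d)"))
    return decisions

def apply_decisions(accounts, decisions, now, actor="account-review-job"):
    """Apply each decision and emit one audit record per change (AC-2(4))."""
    by_id = {a["id"]: a for a in accounts}
    audit = []
    for account_id, action, control in decisions:
        by_id[account_id]["enabled"] = False
        audit.append({"ts": now.isoformat(), "actor": actor, "account": account_id,
                      "action": action, "control": control, "logged_under": "AC-2(4)"})
    return audit  # a real job forwards these to the SIEM

NOW = datetime(2022, 11, 23, tzinfo=timezone.utc)

def sample_accounts():
    """Constructed test population (not real accounts)."""
    ago = lambda **kw: NOW - timedelta(**kw)
    return [
        {"id": "svc-backup", "enabled": True, "owner": "ops", "created": ago(days=400), "last_login": ago(days=3)},
        {"id": "tmp-contractor", "type": "temporary", "enabled": True, "owner": "hr", "created": ago(days=10), "last_login": ago(days=1)},
        {"id": "breakglass-01", "type": "emergency", "enabled": True, "owner": "ops", "created": ago(hours=30), "last_login": ago(hours=2)},
        {"id": "j.doe", "enabled": True, "owner": None, "created": ago(days=200), "last_login": ago(days=5)},
        {"id": "old-intern", "enabled": True, "owner": "rnd", "created": ago(days=300), "last_login": ago(days=120)},
        {"id": "expired-vendor", "enabled": True, "owner": "proc", "expires": ago(days=1), "created": ago(days=50), "last_login": ago(days=2)},
    ]
```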
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs.
You can reach me @
• robert.kloots@mediqaid.eu
• Linkedin.com.in/kloots
• Thank you for browsing this slidedeck ;-)