Cyber Security Management
A structural approach
Robert Kloots, Brussels
Nov 2022
Available for Interim Management
Topics
• Main Cyber Security Goals
• Cyber Security controls support COBIT
• CSF policies, standards and guidelines
• Cyber Security Framework (CSF)
• CSF Quality Controls, Risk & Compliance
• Cyber Security Function Deployment
• Cyber Security Architecture
• Object type specific CSF controls
• Cyber Security Patterns
• Add Cyber Security to WoW => SSDLC
• Match NIST.SP.800-53r5 Controls with deployed control measures
• Manage Cyber Security Services Deployment
22/11/2022
MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
2
Main Cyber Security Goals
• Confidentiality
• Integrity
• Availability
• Non-repudiation
• Audit
Provision of Trust services
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data.
Audit is the mechanism through which proof is obtained and validated. Logging of (trans-)actions is actually the source on which auditing relies.
CSF policies, standards and guidelines
• Policies on the right level of abstraction
• Procedures and guidelines close to WoW
• Many examples of best practices available
• Dynamic set reflecting maturity of CICD and OPS.
Cyber Security controls support COBIT
• The Cyber Security Framework (CSF) offers a pragmatic approach to incorporate Cyber Security Controls into CICD and Operations.
• Drive for agile maturity, risk-based compliance
• CSF is compatible with and complementary to COBIT
• Similar support for ISO 27002
• Fairly easy integration into management reporting
Also check out: Cyber Security Risk Management
Cyber Security Framework (CSF)
[Diagram: the five CSF functions IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER]
Cyber Security Framework (CSF)
[Diagram: CSF functions and their categories]
IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
PROTECT: Identity mgt, Authentic. & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications
• Define Data/Information classification enabling risk analysis & reporting
• See “Cyber Security Risk Management”
CSF Quality Controls, Risk & Compliance
[Diagram: extract from NIST.SP.800-53r5, positioned under the IDENTIFY function, category Risk Management Strategy]
• The Target Organisation should apply CSF & NIST.SP.800-53r5.
• The NIST.SP.800-53r5 document has been converted into a (Confluence) wiki,
• which helps both Development and Operations, as well as Audit and Compliance, to incorporate the obligatory mechanisms
• Use of capabilities and controls will evolve following the roadmap timeline.
• More discussion below
CSF Quality Controls, Risk & Compliance
Extract from NIST.SP.800-53r5 (PROTECT function, category Identity mgt, Authentic. & Access Control):

AC-2(1) Account Management | Automated System Account Management
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

AC-2(2) Account Management | Automated Temporary and Emergency Account Management
Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2(3) Account Management | Disable Accounts
Disable accounts within [Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for [Assignment: organization-defined time period].

AC-2(4) Account Management | Automated Audit Actions
Automatically audit account creation, modification, enabling, disabling, and removal actions.

AC-2(5) Account Management | Inactivity Logout
Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
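As an added example (not code from the slide deck), the following Python script implements the automated behaviour that AC-2(2), AC-2(3) and AC-2(4) above ask for: temporary and emergency accounts past their period are removed, accounts meeting any of the four AC-2(3) conditions are disabled, and every action produces an audit event. The organization-defined time periods, the account names and the inventory are constructed assumptions.

```python
"""Account-lifecycle review implementing the automated behaviour of
NIST SP 800-53r5 AC-2(2), AC-2(3) and AC-2(4).
Added example, not taken from the slide deck; the time periods,
account names and inventory are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Organization-defined time periods: the [Assignment: ...] parameters of
# AC-2(2) and AC-2(3)(d). The values are constructed, not prescribed by NIST.
TEMP_ACCOUNT_MAX_AGE = timedelta(days=30)        # AC-2(2), temporary accounts
EMERGENCY_ACCOUNT_MAX_AGE = timedelta(hours=24)  # AC-2(2), emergency accounts
INACTIVITY_LIMIT = timedelta(days=90)            # AC-2(3)(d)


@dataclass
class Account:
    name: str
    kind: str                       # "regular", "temporary" or "emergency"
    created: datetime
    expires: Optional[datetime]     # AC-2(3)(a): None means no expiry date
    owner: Optional[str]            # AC-2(3)(b): None means no associated user
    last_login: Optional[datetime]  # AC-2(3)(d): None means never logged in
    policy_violation: bool = False  # AC-2(3)(c)
    enabled: bool = True


@dataclass
class AuditEvent:
    """AC-2(4): every disable/remove action is recorded with its reason."""
    when: datetime
    account: str
    action: str                     # "disable" or "remove"
    reason: str


def review_accounts(accounts: List[Account], now: datetime) -> Tuple[List[Account], List[AuditEvent]]:
    """Apply AC-2(2) and AC-2(3) to an inventory.

    Returns the accounts that still exist afterwards (disabled ones included)
    and the audit trail of actions taken. For the [Selection: remove; disable]
    choice of AC-2(2) this example selects "remove"; all AC-2(3) findings disable.
    """
    remaining: List[Account] = []
    events: List[AuditEvent] = []
    for acct in accounts:
        action, reason = "disable", None
        age = now - acct.created
        last_seen = acct.last_login or acct.created
        if acct.kind == "temporary" and age > TEMP_ACCOUNT_MAX_AGE:
            action, reason = "remove", "AC-2(2): temporary account past its time period"
        elif acct.kind == "emergency" and age > EMERGENCY_ACCOUNT_MAX_AGE:
            action, reason = "remove", "AC-2(2): emergency account past its time period"
        elif acct.expires is not None and acct.expires <= now:
            reason = "AC-2(3)(a): account has expired"
        elif acct.owner is None:
            reason = "AC-2(3)(b): no longer associated with a user or individual"
        elif acct.policy_violation:
            reason = "AC-2(3)(c): in violation of organizational policy"
        elif last_seen + INACTIVITY_LIMIT <= now:
            reason = "AC-2(3)(d): inactive beyond the defined time period"

        if reason is None:
            remaining.append(acct)          # healthy account, nothing to do
        elif action == "remove":
            events.append(AuditEvent(now, acct.name, "remove", reason))
        else:
            if acct.enabled:                # do not re-audit an already disabled account
                acct.enabled = False
                events.append(AuditEvent(now, acct.name, "disable", reason))
            remaining.append(acct)
    return remaining, events


def build_sample_inventory(now: datetime) -> List[Account]:
    """Constructed inventory: one healthy account plus one case per AC-2 condition."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    def hours_ago(n: int) -> datetime:
        return now - timedelta(hours=n)

    return [
        Account("alice", "regular", days_ago(400), None, "alice", days_ago(3)),
        Account("tmp-contractor", "temporary", days_ago(45), None, "vendor-x", days_ago(2)),
        Account("breakglass-01", "emergency", hours_ago(30), None, "oncall", hours_ago(29)),
        Account("svc-legacy", "regular", days_ago(800), days_ago(1), "ops", days_ago(10)),
        Account("bob", "regular", days_ago(300), None, None, days_ago(5)),
        Account("carol", "regular", days_ago(300), None, "carol", days_ago(120)),
        Account("dave", "regular", days_ago(300), None, "dave", days_ago(1), policy_violation=True),
    ]


NOW = datetime(2022, 11, 22, tzinfo=timezone.utc)  # the date printed on the slides

if __name__ == "__main__":
    kept, trail = review_accounts(build_sample_inventory(NOW), NOW)
    for ev in trail:                         # AC-2(4) audit log lines
        print(f"{ev.when.isoformat()} {ev.action:<7} {ev.account:<15} {ev.reason}")
    print("still enabled:", [a.name for a in kept if a.enabled])
```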
Cyber Security Function Deployment
• Take inventory of existing CySec services and/or solutions,
• Allocate to the appropriate matrix cell
• Repeat for asset type:
  o Corporate digital assets
  o Employee assets
  o Customer assets
  o Vendor assets
  o Threat actor assets
[Diagram: matrix of asset types against operational functions; source: CYBER DEFENSE MATRIX by Sounil Yu]
Do we have something (inventory)...
That we care about (impact)...
That has weaknesses (vulnerabilities)...
That someone is after (threats)?
Cyber Security Architecture
• Formulate together with Business Partners and ICT Guilds,
• The architectural view gets body, is maturing and is integrated with Asset & Configuration Details
• Reflects the “Cyber Security Service Catalogue”
[Diagram: OSA Taxonomy, source https://www.opensecurityarchitecture.org]
Object type specific CSF controls
[Diagram: environments PROD on premise, DEV, ACC/INT, EG, TEST and PROD in Cloud; objects Network controller (FW), Internal Source, Application A, Application B, External Source, DB, Data, Blob and Cloud specs; control points numbered 1S–6S and 1T–6T]
Also check out: Cyber object types and controls
Cyber Security Patterns
Make controls explicit through Security patterns and functional grouping:
• Group Controls through function/service, role, mandate
• Allow for reusable components
Cyber Security services are Lateral Services:
• Offer Cyber Security controls
• Allow for KPI + SLA
[Diagram: Server pattern, Roles and Controls]
Add Cyber Security to WoW => SSDLC
[Diagram: SSDLC pipeline annotated with “Check for security updates (CVSS) in your SBOM”, “Include Threat modelling” and “Follow control implementation throughout CICD”]
Add Cyber Security to WoW => SSDLC
• Use STRIDE Threat Modeling
• Finetune backlog using CVSS
Threat action | Threat | Definition | Desired property | Example
Masquerading | Spoofing | Pretend to be someone else | Authenticity | Hack victim's email and use
Alteration | Tampering | Changing data or code | Integrity | Software executable file is tampered by hackers
Denying | Repudiation | Claiming not to do a particular action | Non-repudiability | I have not sent an email to Alice
Data Loss/Leakage | Information disclosure | Leakage of sensitive information | Confidentiality | Credit card information available on the Internet
Downtime | Denial of Service | Non-availability of service | Availability | Web application not responding to user requests
Admin (root) | Elevation of Privilege | Able to perform unauthorised action | Authorization | Normal user able to delete admin account.
Add Cyber Security to WoW => SSDLC
• Convert Cyber Security controls into User stories & Epics, then code or config
• Keep track of each control throughout CICD using its control number.
Approximate steps:
• Threat modelling => DFD
• Software Architecture => Processing, Flows, Interfaces, APIs and IP##
• Business Analysis => user stories
• Development => software code
• Control suites => test, test, test and pentest
Match NIST.SP.800-53 Controls with deployed control measures
[Diagram: mapping of each Control to the security function to be deployed; the numbers shown are actually from the CIS Top 20 Critical Security Controls]
Manage Cyber Security Services Deployment
• Understand per asset its set of vulnerabilities, and which vulnerability is most prone to attacks, directly or through a chain of attack.
• Know per asset which (set of) mitigation measure(s) eliminates these attack risks
• Maintain the match between the functional security architecture and the measures deployed in operation
• (Introd)use AI and Cyber Risk methods to swiftly minimise your exposure.
• Automatically fill the Agile backlog (SECDEV/SOC/CSIRT) with these issues, with risk-based priority
• Provide an Opex/Capex report on portfolio progress
Matchmaking Need and Mission
You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs.
You can reach me @
• robert.kloots@mediqaid.eu
• Linkedin.com.in/kloots
• Thank you for browsing this slidedeck ;-)
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
 
Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...Discover the innovative and creative projects that highlight my journey throu...
Discover the innovative and creative projects that highlight my journey throu...
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 

Cyber Security Management.pdf

  • 1. Cyber Security Management A structural approach Robert Kloots, Brussels Nov 2022 Available for Interim Management
  • 2. Topics
     Main Cyber Security Goals
     Cyber Security controls support COBIT
     CSF policies, standards and guidelines
     Cyber Security Framework (CSF)
     CSF Quality Controls, Risk & Compliance
     Cyber Security Function Deployment
     Cyber Security Architecture
     Object type specific CSF controls
     Cyber Security Patterns
     Add Cyber Security to WoW => SSDLC
     Match NIST.SP.800-53r5 Controls with deployed control measures
     Manage Cyber Security Services Deployment
    22/11/2022 MediqAid Trust services; © Robert Kloots and yes there are reused graphics, owned by others
  • 3. Main Cyber Security Goals
     Confidentiality
     Integrity
     Availability
     Non-repudiation
     Audit
    Provision of Trust services
    Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and of the integrity of the data.
    Audit is the mechanism through which proof is obtained and validated. Logging of (trans)actions is actually the source on which auditing relies.
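Added example (Python, not part of the deck): a tamper-evident audit trail, showing how an auditor validates the logged (trans)actions that the slide says auditing relies on. Entries are hash-chained and HMAC-tagged; the demo key, actors and actions are constructed. The chain gives integrity and tamper evidence only: per-actor proof of origin, which full non-repudiation requires, would need each actor to sign entries with a private key and is not implemented here.

```python
"""Tamper-evident audit trail built from hash-chained, HMAC-tagged entries.

Added example, not code from the deck. The HMAC key is assumed to be held only
by the log keeper; the log content below is constructed. Integrity and ordering
are verified; proof of origin per actor (non-repudiation) is not provided.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # sentinel 'previous tag' for the first entry (constructed)


def _canonical(body: Dict) -> bytes:
    # Deterministic serialisation so the same body always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: Dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], key: bytes, actor: str, action: str, ts: str) -> Dict:
    """Append one action; the entry commits to the previous entry's tag."""
    body = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "prev": log[-1]["tag"] if log else GENESIS,
    }
    entry = dict(body, tag=_tag(key, body))
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes, last_tag: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, seq of first bad entry).

    last_tag is the most recent tag recorded out of band (e.g. by the auditor);
    supplying it also detects truncation of the tail, which a chain alone cannot.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # entry deleted, reordered or inserted
        if not hmac.compare_digest(_tag(key, body), entry["tag"]):
            return False, i  # entry contents modified (or wrong key)
        prev = entry["tag"]
    if last_tag is not None and prev != last_tag:
        return False, len(log)  # tail truncated (or entries appended without the key)
    return True, -1


def build_sample_log() -> Tuple[List[Dict], bytes]:
    """Constructed sample: three actions by two actors."""
    key = b"constructed-demo-key-not-for-production"
    log: List[Dict] = []
    append_entry(log, key, "alice", "transfer 100 EUR to account 42", "2022-11-22T09:00:00Z")
    append_entry(log, key, "bob", "approve transfer seq 0", "2022-11-22T09:05:00Z")
    append_entry(log, key, "alice", "download statement", "2022-11-22T09:10:00Z")
    return log, key


def demo_scenarios() -> Dict[str, Tuple[bool, int]]:
    """Run verification over the intact log and three tampered copies."""
    log, key = build_sample_log()
    anchor = log[-1]["tag"]  # tag the auditor recorded out of band

    modified = copy.deepcopy(log)
    modified[1]["action"] = "approve transfer seq 0 (amount 10000 EUR)"

    deleted = copy.deepcopy(log)
    del deleted[1]  # original entry 2 now sits at index 1 with seq 2 and a stale prev

    truncated = copy.deepcopy(log)[:-1]

    return {
        "intact": verify_log(log, key, anchor),
        "modified": verify_log(modified, key, anchor),
        "deleted": verify_log(deleted, key, anchor),
        "truncated_no_anchor": verify_log(truncated, key),
        "truncated_with_anchor": verify_log(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name:>22}: {'OK' if result[0] else 'TAMPERED at seq ' + str(result[1])}")
```

The truncation scenario is the one to notice: without an out-of-band anchor the shortened log still verifies, so an audit process needs to record the latest tag somewhere the log writer cannot reach.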
  • 4. CSF policies, standards and guidelines
     Policies on the right level of abstraction
     Procedures and guidelines close to WoW
     Many examples of best practices available
     Dynamic set reflecting maturity of CICD and OPS
  • 5. Cyber Security controls support COBIT
     Cyber Security Framework (CSF) offers a pragmatic approach to incorporate Cyber Security Controls into CICD and Operations
     Drive for agile maturity, risk-based compliance
     CSF is compatible with and complementary to COBIT
     Similar support for ISO 27002
     Fairly easy integration into management reporting
    Also check out Cyber Security Risk Management
  • 6. Cyber Security Framework (CSF)
    [Diagram: the five CSF functions] IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
  • 7. Cyber Security Framework (CSF)
    [Diagram: CSF categories per function]
    IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Management
    PROTECT: Identity mgt, Authentic. & Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
    DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
    RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
    RECOVER: Recovery Planning; Improvements; Communications
  • 8. CSF Quality Controls, Risk & Compliance
     Define Data/Information classification enabling risk analysis & reporting
     See "Cyber Security Risk Management"
    [Figure: extract from NIST.SP.800-53r5 for CSF category Risk Management Strategy (IDENTIFY)]
  • 9. CSF Quality Controls, Risk & Compliance
     Target Organisation should apply CSF & NIST.SP.800-53r5
     NIST.SP.800-53r5 document has been converted into a (Confluence) wiki
     Which facilitates both Development and Operations, as well as Audit and Compliance, to incorporate the obligatory mechanisms
     Use of capabilities and controls will evolve following the roadmap timeline
     More discussion below
    Extract from NIST.SP.800-53r5 for CSF category Identity mgt, Authentic. & Access Control (PROTECT):
    AC-2(1) Account Management | Automated System Account Management
      Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
    AC-2(2) Account Management | Automated Temporary and Emergency Account Management
      Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
    AC-2(3) Account Management | Disable Accounts
      Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].
    AC-2(4) Account Management | Automated Audit Actions
      Automatically audit account creation, modification, enabling, disabling, and removal actions.
    AC-2(5) Account Management | Inactivity Logout
      Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
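Added example (Python, not from the deck or from NIST) of turning the AC-2(2), AC-2(3) and AC-2(4) text above into an automated check: an account inventory is reviewed against organization-defined periods, and every resulting disable or remove decision gets an audit record. The inventory, the POLICY values, the selection of "remove" for temporary and "disable" for emergency accounts, and the review_accounts() function are all constructed assumptions.

```python
"""Evaluate an account inventory against NIST SP 800-53r5 AC-2(2) and AC-2(3),
emitting an AC-2(4)-style audit record for every decision.

Added example, not from the deck or from NIST. Account records, POLICY values
and the service identity are constructed; the conditions checked are the ones
in the AC-2 text (temporary/emergency age, expiry, no associated individual,
policy violation, inactivity).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# The [Assignment: organization-defined ...] parameters of AC-2, filled with
# constructed values for this example.
POLICY = {
    "temporary_max_age": timedelta(days=7),    # AC-2(2): temporary accounts -> remove
    "emergency_max_age": timedelta(hours=24),  # AC-2(2): emergency accounts -> disable
    "inactivity_limit": timedelta(days=90),    # AC-2(3)(d)
}


def review_accounts(accounts: List[Dict], now: datetime, policy: Dict = POLICY) -> Tuple[List[Dict], List[Dict]]:
    """Return (actions, audit): what to do with each account and the audit trail of it.

    Checks are ordered so the first matching AC-2 condition is the one reported.
    """
    actions: List[Dict] = []
    audit: List[Dict] = []
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # already disabled: nothing to do, nothing to audit
        kind = acct.get("type", "regular")
        age = now - acct["created"]
        last_seen = acct.get("last_login") or acct["created"]  # never used: count from creation
        verb, reason = None, None
        if kind == "temporary" and age > policy["temporary_max_age"]:
            verb, reason = "remove", "AC-2(2): temporary account past organization-defined period"
        elif kind == "emergency" and age > policy["emergency_max_age"]:
            verb, reason = "disable", "AC-2(2): emergency account past organization-defined period"
        elif acct.get("expires") is not None and acct["expires"] <= now:
            verb, reason = "disable", "AC-2(3)(a): account has expired"
        elif not acct.get("owner"):
            verb, reason = "disable", "AC-2(3)(b): no longer associated with a user or individual"
        elif acct.get("policy_violation"):
            verb, reason = "disable", "AC-2(3)(c): in violation of organizational policy"
        elif now - last_seen > policy["inactivity_limit"]:
            verb, reason = "disable", "AC-2(3)(d): inactive beyond organization-defined period"
        if verb is None:
            continue
        actions.append({"account": acct["name"], "action": verb, "reason": reason})
        # AC-2(4): automatically audit disabling and removal actions.
        audit.append({
            "ts": now.isoformat(),
            "event": f"account.{verb}",
            "account": acct["name"],
            "actor": "ac2-automation",  # constructed service identity
            "reason": reason,
        })
    return actions, audit


def sample_inventory() -> Tuple[List[Dict], datetime]:
    """Constructed inventory and a fixed 'now' so results are reproducible."""
    now = datetime(2022, 11, 22, 8, 0, tzinfo=timezone.utc)
    d = timedelta
    accounts = [
        {"name": "svc-deploy", "type": "regular", "owner": "platform-team", "created": now - d(days=400), "last_login": now - d(days=1)},
        {"name": "tmp-auditor", "type": "temporary", "owner": "external-audit", "created": now - d(days=10), "last_login": now - d(days=2)},
        {"name": "break-glass-1", "type": "emergency", "owner": "on-call", "created": now - d(hours=30)},
        {"name": "jdoe", "type": "regular", "owner": None, "created": now - d(days=300), "last_login": now - d(days=5)},
        {"name": "mlee", "type": "regular", "owner": "mlee", "created": now - d(days=300), "last_login": now - d(days=120)},
        {"name": "contractor-x", "type": "regular", "owner": "vendor-x", "created": now - d(days=30), "expires": now - d(days=1), "last_login": now - d(days=3)},
        {"name": "never-used", "type": "regular", "owner": "hr", "created": now - d(days=100)},
        {"name": "old-disabled", "type": "regular", "owner": "x", "enabled": False, "created": now - d(days=900)},
    ]
    return accounts, now


def flagged_accounts() -> List[Tuple[str, str]]:
    """(account, action) pairs the review produces for the sample inventory."""
    actions, _ = review_accounts(*sample_inventory())
    return [(a["account"], a["action"]) for a in actions]


if __name__ == "__main__":
    actions, audit = review_accounts(*sample_inventory())
    for a in actions:
        print(f"{a['action']:<8} {a['account']:<14} {a['reason']}")
    print(f"{len(audit)} audit records written")
```

The "never-used" account is the edge case worth keeping: an account that has never logged in has no last-login timestamp, so inactivity has to be counted from creation, otherwise AC-2(3)(d) silently never fires for it.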
  • 10. Cyber Security Function Deployment
    • Take inventory of existing CySec services and/or solutions
    • Allocate to the appropriate matrix cell
    • Repeat for asset type:
      o Corporate digital assets
      o Employee assets
      o Customer assets
      o Vendor assets
      o Threat actor assets
    [Figure: matrix of asset types against operational functions. Source: CYBER DEFENSE MATRIX by Sounil Yu]
    Do we have something (inventory)... that we care about (impact)... that has weaknesses (vulnerabilities)... that someone is after (threats)?
  • 11. Cyber Security Architecture
     Formulate together with Business Partners and ICT Guilds
     Architectural view gets body, is maturing and is integrated with Asset & Configuration Details
     Reflects "Cyber Security Service Catalogue"
    [Figure: OSA Taxonomy, https://www.opensecurityarchitecture.org]
  • 12. Object type specific CSF controls
    [Diagram: environments PROD on premise, DEV, ACC/INTEG TEST and PROD in Cloud behind a Network controller (FW); Internal Source, Application A, Application B and External Source; DB, Data Blob and Cloud specs; control points labelled 1S-6S and 1T-6T]
    Also check out Cyber object types and controls
  • 13. Cyber Security Patterns
    Make controls explicit through Security patterns and functional grouping:
     Group Controls through function/service, role, mandate
     Allow for reusable components
    Cyber Security services are Lateral Services:
     Offer Cyber Security controls
     Allow for KPI + SLA
    [Figure: Server pattern, Roles and Controls]
  • 14. Add Cyber Security to WoW => SSDLC
    [Figure: SSDLC callouts on the CICD pipeline]
    Check for security updates (CVSS) in your SBOM
    Include Threat modelling
    Follow control implementation throughout CICD
  • 15. Add Cyber Security to WoW => SSDLC
     Use STRIDE Threat Modeling
     Finetune backlog using CVSS
    Threat action     | Threat                 | Definition                                    | Desired property  | Example
    Masquerading      | Spoofing               | Pretend to be someone else                    | Authenticity      | Hack victim's email and use it
    Alteration        | Tampering              | Changing data or code                         | Integrity         | Software executable file is tampered with by hackers
    Denying           | Repudiation            | Claiming not to have done a particular action | Non-repudiability | "I have not sent an email to Alice"
    Data Loss/Leakage | Information disclosure | Leakage of sensitive information              | Confidentiality   | Credit card information available on the Internet
    Downtime          | Denial of Service      | Non-availability of service                   | Availability      | Web application not responding to user requests
    Admin (root)      | Elevation of Privilege | Able to perform unauthorised action           | Authorization     | Normal user able to delete admin account
  • 16. Add Cyber Security to WoW => SSDLC
     Convert Cyber Security controls into User stories & Epics, then code or config
     Keep track of each control throughout CICD using its control number
    Approximate steps:
     Threat modelling => DFD
     Software Architecture => Processing, Flows, Interfaces, APIs and IP##
     Business Analysis => user stories
     Development => software code
     Control suites => test, test, test and pentest
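Added example (Python, not from the deck) covering the steps on slides 14 to 16 together: SBOM components are matched against a vulnerability list, hits are ranked by CVSS base score, and each is phrased as a backlog story that carries a control number so it can be tracked through CICD. The CycloneDX-style SBOM fragment, the vulnerability feed, the [introduced, fixed) version-range matching and the mapping of every finding to control SI-2 are constructed for the illustration; the CVSS v3 severity bands are the published ones.

```python
"""Run SBOM components through a vulnerability list and turn the hits into
backlog items ranked by CVSS base score, each tagged with a control number.

Added example, not from the deck. SBOM fragment, vulnerability feed, version
matching and the SI-2 mapping are constructed; CVSS v3 severity bands are the
published ones (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM fragment in CycloneDX JSON shape (only the fields used here).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-json", "version": "1.4.2"},
    {"type": "library", "name": "webfw", "version": "3.0.1"},
    {"type": "library", "name": "tlslib", "version": "2.9.0"},
    {"type": "library", "name": "imgproc", "version": "0.8.5"}
  ]
}"""

# Constructed vulnerability feed: the affected range is [introduced, fixed).
VULN_FEED: List[Dict] = [
    {"id": "VULN-0001", "component": "libexample-json", "introduced": "1.0.0", "fixed": "1.4.3", "cvss": 9.8, "summary": "unsafe deserialisation"},
    {"id": "VULN-0002", "component": "webfw", "introduced": "2.0.0", "fixed": "3.0.0", "cvss": 7.5, "summary": "header injection, fixed before our version"},
    {"id": "VULN-0003", "component": "tlslib", "introduced": "2.8.0", "fixed": "2.9.1", "cvss": 5.9, "summary": "weak default cipher order"},
    {"id": "VULN-0004", "component": "imgproc", "introduced": "0.1.0", "fixed": "0.9.0", "cvss": 3.1, "summary": "crash on malformed header"},
]

CONTROL_TAG = "NIST SP 800-53r5 SI-2"  # constructed mapping of all findings to flaw remediation


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); handles dotted numeric versions only (constructed)."""
    return tuple(int(p) for p in v.split("."))


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def find_affected(sbom_json: str, feed: List[Dict]) -> List[Dict]:
    """One finding per (component, vulnerability) whose SBOM version falls in the affected range."""
    sbom = json.loads(sbom_json)
    by_name = {c["name"]: c["version"] for c in sbom.get("components", [])}
    findings = []
    for vuln in feed:
        version = by_name.get(vuln["component"])
        if version is None:
            continue  # component not part of this build
        v = parse_version(version)
        if parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"]):
            findings.append(dict(vuln, version=version, severity=cvss_severity(vuln["cvss"])))
    return findings


def build_backlog(findings: List[Dict]) -> List[Dict]:
    """Rank by CVSS (highest first) and phrase each hit as a story carrying its control number."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    backlog = []
    for rank, f in enumerate(ranked, start=1):
        backlog.append({
            "priority": rank,
            "control": CONTROL_TAG,
            "story": f"As the product team, upgrade {f['component']} {f['version']} to >= {f['fixed']} "
                     f"so that {f['id']} ({f['severity']}, CVSS {f['cvss']}) is remediated.",
            "acceptance": f"SBOM of the release lists {f['component']} >= {f['fixed']}; "
                          f"CI control check tagged {CONTROL_TAG} passes.",
        })
    return backlog


def backlog_from_sbom(sbom_json: str = SBOM_JSON, feed: List[Dict] = VULN_FEED) -> List[Dict]:
    return build_backlog(find_affected(sbom_json, feed))


if __name__ == "__main__":
    for item in backlog_from_sbom():
        print(f"P{item['priority']} [{item['control']}] {item['story']}")
```

VULN-0002 is deliberately in the feed but not in the result: its fix landed before the version in the SBOM, which is exactly the case a naive name-only match would report as a false positive and push into the backlog.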
  • 17. Match NIST.SP.800-53 Controls with deployed control measures
    [Figure: map control to to-be-deployed security function. The numbers shown are actually from the CIS Top 20 Critical Security Controls]
  • 18. Manage Cyber Security Services Deployment
     Understand per asset its set of vulnerabilities, and which vulnerability is most prone to attacks, directly or through a chain of attack
     Know per asset which (set of) mitigation measure(s) eliminates these attack risks
     Maintain the match between the functional security architecture and the measures deployed in operation
     (Introd)use AI and Cyber Risk methods to swiftly minimise your exposure
     Automatically fill the Agile backlog (SECDEV/SOC/CSIRT) with these issues, with risk-based priority
     Provide Opex/Capex report on portfolio progress
  • 19. Matchmaking Need and Mission
    You are welcome to check my availability to provide you with relevant Cyber Security Services matching your Needs. You can reach me at:
     robert.kloots@mediqaid.eu
     Linkedin.com.in/kloots
     Thank you for browsing this slidedeck ;-)