SlideShare a Scribd company logo

TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15

FitCEO, Inc. (FCI)
FitCEO, Inc. (FCI)

VIMRO provides a holistic cyber security methodology that combines frameworks from NIST, ISO, and MITRE. Their approach involves aligning business needs with security, implementing a security framework and maturity model, using key performance indicators to measure progress, and continuously evaluating processes to ensure optimized security controls. Their methodology is designed to prevent cyber attacks, detect threats, and enable organizations to respond effectively.

1 of 4
Download to read offline
Restricting Authenticating Tracking User Access? Time Is Not On Our Side! 12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191 The Demystification of Successful Cyber Security! VIMRO’s Cyber Security Enabling Methodology Overview In order to avoid exposing your company, its clients, your employees (not to mention yourself!) to cybercrime, it is vital to invest in a good cyber security program. VIMRO’s approach to an effective cyber security program involves a holistic security methodology. Our methodology maximizes value and effec- tiveness because we have combined the most efficient tactics to include frame- works, best practice guides, and work papers from reputable security organiza- tions such as NIST, ISO2700/27002 and MITRE. Combining vetted complementary frameworks yields a program that is effec- tive and yet efficient; a program dynamic enough to anticipate new risks, yet iterative enough to become familiar. Equally important, a holistic methodolo- gy prevents oversights within your program. For example, while a cyber secu- rity framework alone equips you with the controls you must implement and manage, it leaves you without the metrics you need to validate those controls and the overall success of your cyber security system. A successful methodology is dynamic, adapting to ever-changing threats; and that can only happen if you treat it as an evolving process. For any methodol- ogy to work, you must adopt it in a controlled, systematic manner. Imple- menting a cyber security program too quickly or without the adequate resources reduces its effectiveness and demotivates the team members involved. The financial and operational benefits of holistic customized cyber security solutions.
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS The following is an overview of a VIMRO cyber security system: • The foundation of our security system first aligns your organization’s business needs with your IT security, allowing you to focus on the critical business applications, systems, and processes that need strong security controls. For example, when you implement a new application, include a security represen- tative in the development of the budget and project plan. This is how you ensure that time and resources are allocated for security controls throughout the project; and for support throughout the new applica- tion’s lifecycle. If you overlook security requirements in the beginning stages of a project, the application and associated systems may require rework for failure to meet your company’s approved security stan- dards. And rework, delays, or budget excesses invariably reduce your new application’s ROI. (See VIM- RO’s paper: Omitting Static Code Security Analysis Can Cost You. BIG!) • The second layer of our foundation includes implementing a security framework. Many of VIMRO’s clients have adopted either the NIST Cybersecurity Framework(1) or ISO27001/ISO27002(2). • Along with the framework, organizations have adopted a cyber security Capability Maturity Model (CMM) that involves a strategy to optimize critical security controls, mechanisms, and processes (Level 5 in the CMM). The cyber security CMM includes: o Level 1 – Initial: Processes are unpredictable, poorly controlled, and reactive o Level 2 – Managed: Processes are characterized for projects and are still often reactive o Level 3 – Defined: Processes are characterized for the organization and are proactive, taking their procedures from the organization’s standards o Level 4 – Quantitatively Managed: Processes are measured and controlled o Level 5 – Optimizing: Focuses on process improvement • To manage performance leading toward the optimal level (Level 5) in the security CMM, we recom- mend Key Performance Indicator (KPI) metrics. Many clients start with MITRE Cyber Resiliency Met- rics(3). • VIMRO policies, standards, and procedures include all of the verbiage necessary to raise your organiza- tion to the upper levels of the cyber security CMM. These are critical to success. Without these, your organization will not even surpass Level 2 in the security CMM. • After writing your security policies, standards, and procedures, we implement technological mechanisms (these include IPS, DLP, SIEM, and so forth) to support your cyber security program, and train workforce members to apply the requirements of the formal documents to their practices • VIMRO’s risk management program includes continuous evaluation of your technological mechanisms and processes to validate them, and find areas, which need improvement, so that your company always maintains optimized security controls. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS Below is an example application of the VIMRO methodology to one specific security control item: a firewall. The NIST Cybersecu- rity Framework includes Configuration Management in the family of controls. Using the firewall as our example: • An organization includes firewall configuration requirements in a policy; procedures are written for how the firewall will be implemented and managed. • The procedure includes a baseline security assessment vulnerability report. The baseline is to be updated whenever a change is made on the firewall. • The policy, procedure, and baseline reports define the controls (CMM Level 3) for the firewall. • In order to determine if the company is maintaining controls for the firewall to meet CMM Level 4, the firewall is audited using KPIs (a common approach is to conduct firewall configuration audits every six months). • Some examples of KPIs include: o There must be a change record for each change made to the firewall. The acceptable KPI for changes without corresponding records is 0. o A vulnerability assessment report must not result in high or medium scores. The acceptable KPI for high or medium findings in a vulnerabili- ty assessment is 0. • If during firewall configuration audits, some findings do not meet the KPI requirements, it is an opportunity to determine why this is the case. Perhaps there are too few people to meet the KPI objectives; perhaps skillsets are lacking and training on maintaining the firewall is necessary. For any items that do not meet KPIs, we implement a Corrective Action Plan (CAP), which sets expectation dates for the resolution of any issues cited. We conduct an audit immediately after said date to ensure that the items have been improved based on the CAP. This is an example of an optimized process (Level 5) for firewall controls practices. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL For any items that do not meet KPI, we implement a Corrective Action Plan, which sets expectations dates for the resolution of any issues cited. Authored by VIMRO’s Cybersecurity Leaders
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS All layers of our Cyber Security Enabling Methodology are equally critical and require your steady dedication. Systematic attention to each level of the process yields a solid foundation today that is also dynamic enough to safeguard you going forward. VIMRO’s holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks that threaten your business, clients, employees, or sensitive data. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL “The holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks.......” Authored by VIMRO’s Cybersecurity Leaders Contact VIMRO to learn more details about our approach and how we can help you build and maintain an Optimized Cybersecurity Risk Management Program.

Recommended

The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
FitCEO, Inc. (FCI)
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?
VISTA InfoSec
 
Scammed: Defend Against Social Engineering
Scammed: Defend Against Social EngineeringScammed: Defend Against Social Engineering
Scammed: Defend Against Social Engineering
Resolver Inc.
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
Robert E Jones
 
Keep Your Guard: Stay Compliant and Be Secure
Keep Your Guard: Stay Compliant and Be SecureKeep Your Guard: Stay Compliant and Be Secure
Keep Your Guard: Stay Compliant and Be Secure
Tripwire
 
Cyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its AnalysisCyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan
 

Recommended

The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
FitCEO, Inc. (FCI)
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?
VISTA InfoSec
 
Scammed: Defend Against Social Engineering
Scammed: Defend Against Social EngineeringScammed: Defend Against Social Engineering
Scammed: Defend Against Social Engineering
Resolver Inc.
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
Robert E Jones
 
Keep Your Guard: Stay Compliant and Be Secure
Keep Your Guard: Stay Compliant and Be SecureKeep Your Guard: Stay Compliant and Be Secure
Keep Your Guard: Stay Compliant and Be Secure
Tripwire
 
Cyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its AnalysisCyber Security in the Digital Age: A Survey and its Analysis
Cyber Security in the Digital Age: A Survey and its Analysis
Rahul Neel Mani
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
Tuan Phan
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
Priyanka Aash
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Tripwire
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
Robert E Jones
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
Tuan Phan
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
Tripwire
 
Information Security Management
Information Security ManagementInformation Security Management
Information Security Management
EC-Council
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
Tripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability ManagementTripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability Management
Tripwire
 
IFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agendaIFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agenda
Hernan Huwyler, MBA CPA
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
 
Segregation of Duties
Segregation of DutiesSegregation of Duties
Segregation of Duties
PECB
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
Priyanka Aash
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
Robert E Jones
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentation
Ajai Srivastava
 
Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on security
Mike Lemire
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
Manuel Guillen
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
Michael Ball
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
abdulkhalid murady
 

More Related Content

What's hot

Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
Priyanka Aash
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Tripwire
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
Robert E Jones
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
Tuan Phan
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
Tripwire
 
Information Security Management
Information Security ManagementInformation Security Management
Information Security Management
EC-Council
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
Tripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability ManagementTripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability Management
Tripwire
 
IFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agendaIFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agenda
Hernan Huwyler, MBA CPA
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
 
Segregation of Duties
Segregation of DutiesSegregation of Duties
Segregation of Duties
PECB
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
Priyanka Aash
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
Robert E Jones
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentation
Ajai Srivastava
 

What's hot (18)

Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
 
Information Security Management
Information Security ManagementInformation Security Management
Information Security Management
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Tripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability ManagementTripwire IP360 Vulnerability Management
Tripwire IP360 Vulnerability Management
 
IFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agendaIFCA Congress How the post-pandemic will shape the compliance agenda
IFCA Congress How the post-pandemic will shape the compliance agenda
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
Segregation of Duties
Segregation of DutiesSegregation of Duties
Segregation of Duties
 
Vendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and OftenVendor Security Practices: Turn the Rocks Over Early and Often
Vendor Security Practices: Turn the Rocks Over Early and Often
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentation
 

Similar to TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15

Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on security
Mike Lemire
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
Manuel Guillen
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
Michael Ball
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
abdulkhalid murady
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 
Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.
Ignyte Assurance Platform
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
amburyj3c9
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
ClashWithGROUDON
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
William McBorrough
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
Naushad Rajani. - CISA, CISSP, CCSP, PMP, DCPP (Privacy)
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023
Cyber Security Partners
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb final
Christophe Monnier
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
SIEM
SIEMSIEM
SIEM
vikasraina
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
Ihor Uzhvenko
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
SecPod Technologies
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
Kaloyan Krastev
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Happiest Minds Technologies
 

Similar to TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15 (20)

Leveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on securityLeveraging compliance to raise the bar on security
Leveraging compliance to raise the bar on security
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.Ignyte assurance platform NIST RMF datasheet.
Ignyte assurance platform NIST RMF datasheet.
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
 
Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023Kevin Else LegalTech event Feb 2023
Kevin Else LegalTech event Feb 2023
 
Risk management for cloud computing hb final
Risk management for cloud computing hb finalRisk management for cloud computing hb final
Risk management for cloud computing hb final
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
 
SIEM
SIEMSIEM
SIEM
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Managing Compliance
Managing ComplianceManaging Compliance
Managing Compliance
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 

More from FitCEO, Inc. (FCI)

The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch FizzThe Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
FitCEO, Inc. (FCI)
 
Passwords don't work multifactor controls do!
Passwords don't work multifactor controls do!Passwords don't work multifactor controls do!
Passwords don't work multifactor controls do!
FitCEO, Inc. (FCI)
 
HIPAA and HITECH Compliance Guide
HIPAA and HITECH Compliance GuideHIPAA and HITECH Compliance Guide
HIPAA and HITECH Compliance Guide
FitCEO, Inc. (FCI)
 
Data exfiltration so many threats 2016
Data exfiltration so many threats 2016Data exfiltration so many threats 2016
Data exfiltration so many threats 2016
FitCEO, Inc. (FCI)
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
FitCEO, Inc. (FCI)
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
FitCEO, Inc. (FCI)
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
FitCEO, Inc. (FCI)
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security Methodology
FitCEO, Inc. (FCI)
 
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
Strengthening the Weakest Link - Reducing Risks from Social Engineering AttacksStrengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
FitCEO, Inc. (FCI)
 
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
FitCEO, Inc. (FCI)
 
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch FizzDark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
FitCEO, Inc. (FCI)
 
Internet of Things - A Different Kind of Scary v2
Internet of Things - A Different Kind of Scary v2Internet of Things - A Different Kind of Scary v2
Internet of Things - A Different Kind of Scary v2
FitCEO, Inc. (FCI)
 
Cyber Insurance - What you need to know
Cyber Insurance - What you need to knowCyber Insurance - What you need to know
Cyber Insurance - What you need to know
FitCEO, Inc. (FCI)
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 
PCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMROPCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMRO
FitCEO, Inc. (FCI)
 
IPV6 a tale of two protocols
IPV6 a tale of two protocolsIPV6 a tale of two protocols
IPV6 a tale of two protocols
FitCEO, Inc. (FCI)
 
CODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHFCODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHF
FitCEO, Inc. (FCI)
 
MHF-joins-VIMRO-Press-Release-FINAL3
MHF-joins-VIMRO-Press-Release-FINAL3MHF-joins-VIMRO-Press-Release-FINAL3
MHF-joins-VIMRO-Press-Release-FINAL3
FitCEO, Inc. (FCI)
 

More from FitCEO, Inc. (FCI) (19)

The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch FizzThe Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
The Dark Net - The Devil in the Details - Larry Boettger and Michael Horsch Fizz
 
Passwords don't work multifactor controls do!
Passwords don't work multifactor controls do!Passwords don't work multifactor controls do!
Passwords don't work multifactor controls do!
 
HIPAA and HITECH Compliance Guide
HIPAA and HITECH Compliance GuideHIPAA and HITECH Compliance Guide
HIPAA and HITECH Compliance Guide
 
Data exfiltration so many threats 2016
Data exfiltration so many threats 2016Data exfiltration so many threats 2016
Data exfiltration so many threats 2016
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security Methodology
 
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
Strengthening the Weakest Link - Reducing Risks from Social Engineering AttacksStrengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
Strengthening the Weakest Link - Reducing Risks from Social Engineering Attacks
 
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
Using Motive, Opportunity, and Means (M.O.M.) and ISO 27001 as Cyber Crime Pr...
 
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch FizzDark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
Dark Net The Devil in the Details - Larry Boettger and Michael Horsch Fizz
 
Internet of Things - A Different Kind of Scary v2
Internet of Things - A Different Kind of Scary v2Internet of Things - A Different Kind of Scary v2
Internet of Things - A Different Kind of Scary v2
 
Cyber Insurance - What you need to know
Cyber Insurance - What you need to knowCyber Insurance - What you need to know
Cyber Insurance - What you need to know
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
 
PCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMROPCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMRO
 
IPV6 a tale of two protocols
IPV6 a tale of two protocolsIPV6 a tale of two protocols
IPV6 a tale of two protocols
 
CODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHFCODE INSPECTION VIMRO 2015 MHF
CODE INSPECTION VIMRO 2015 MHF
 
MHF-joins-VIMRO-Press-Release-FINAL3
MHF-joins-VIMRO-Press-Release-FINAL3MHF-joins-VIMRO-Press-Release-FINAL3
MHF-joins-VIMRO-Press-Release-FINAL3
 

TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15

  • 1. Restricting Authenticating Tracking User Access? Time Is Not On Our Side! 12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191 The Demystification of Successful Cyber Security! VIMRO’s Cyber Security Enabling Methodology Overview In order to avoid exposing your company, its clients, your employees (not to mention yourself!) to cybercrime, it is vital to invest in a good cyber security program. VIMRO’s approach to an effective cyber security program involves a holistic security methodology. Our methodology maximizes value and effec- tiveness because we have combined the most efficient tactics to include frame- works, best practice guides, and work papers from reputable security organiza- tions such as NIST, ISO2700/27002 and MITRE. Combining vetted complementary frameworks yields a program that is effec- tive and yet efficient; a program dynamic enough to anticipate new risks, yet iterative enough to become familiar. Equally important, a holistic methodolo- gy prevents oversights within your program. For example, while a cyber secu- rity framework alone equips you with the controls you must implement and manage, it leaves you without the metrics you need to validate those controls and the overall success of your cyber security system. A successful methodology is dynamic, adapting to ever-changing threats; and that can only happen if you treat it as an evolving process. For any methodol- ogy to work, you must adopt it in a controlled, systematic manner. Imple- menting a cyber security program too quickly or without the adequate resources reduces its effectiveness and demotivates the team members involved. The financial and operational benefits of holistic customized cyber security solutions.
  • 2. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS The following is an overview of a VIMRO cyber security system: • The foundation of our security system first aligns your organization’s business needs with your IT security, allowing you to focus on the critical business applications, systems, and processes that need strong security controls. For example, when you implement a new application, include a security represen- tative in the development of the budget and project plan. This is how you ensure that time and resources are allocated for security controls throughout the project; and for support throughout the new applica- tion’s lifecycle. If you overlook security requirements in the beginning stages of a project, the application and associated systems may require rework for failure to meet your company’s approved security stan- dards. And rework, delays, or budget excesses invariably reduce your new application’s ROI. (See VIM- RO’s paper: Omitting Static Code Security Analysis Can Cost You. BIG!) • The second layer of our foundation includes implementing a security framework. Many of VIMRO’s clients have adopted either the NIST Cybersecurity Framework(1) or ISO27001/ISO27002(2). • Along with the framework, organizations have adopted a cyber security Capability Maturity Model (CMM) that involves a strategy to optimize critical security controls, mechanisms, and processes (Level 5 in the CMM). The cyber security CMM includes: o Level 1 – Initial: Processes are unpredictable, poorly controlled, and reactive o Level 2 – Managed: Processes are characterized for projects and are still often reactive o Level 3 – Defined: Processes are characterized for the organization and are proactive, taking their procedures from the organization’s standards o Level 4 – Quantitatively Managed: Processes are measured and controlled o Level 5 – Optimizing: Focuses on process improvement • To manage performance leading toward the optimal level (Level 5) in the security CMM, we recom- mend Key Performance Indicator (KPI) metrics. Many clients start with MITRE Cyber Resiliency Met- rics(3). • VIMRO policies, standards, and procedures include all of the verbiage necessary to raise your organiza- tion to the upper levels of the cyber security CMM. These are critical to success. Without these, your organization will not even surpass Level 2 in the security CMM. • After writing your security policies, standards, and procedures, we implement technological mechanisms (these include IPS, DLP, SIEM, and so forth) to support your cyber security program, and train workforce members to apply the requirements of the formal documents to their practices • VIMRO’s risk management program includes continuous evaluation of your technological mechanisms and processes to validate them, and find areas, which need improvement, so that your company always maintains optimized security controls. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
  • 3. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS Below is an example application of the VIMRO methodology to one specific security control item: a firewall. The NIST Cybersecu- rity Framework includes Configuration Management in the family of controls. Using the firewall as our example: • An organization includes firewall configuration requirements in a policy; procedures are written for how the firewall will be implemented and managed. • The procedure includes a baseline security assessment vulnerability report. The baseline is to be updated whenever a change is made on the firewall. • The policy, procedure, and baseline reports define the controls (CMM Level 3) for the firewall. • In order to determine if the company is maintaining controls for the firewall to meet CMM Level 4, the firewall is audited using KPIs (a common approach is to conduct firewall configuration audits every six months). • Some examples of KPIs include: o There must be a change record for each change made to the firewall. The acceptable KPI for changes without corresponding records is 0. o A vulnerability assessment report must not result in high or medium scores. The acceptable KPI for high or medium findings in a vulnerabili- ty assessment is 0. • If during firewall configuration audits, some findings do not meet the KPI requirements, it is an opportunity to determine why this is the case. Perhaps there are too few people to meet the KPI objectives; perhaps skillsets are lacking and training on maintaining the firewall is necessary. For any items that do not meet KPIs, we implement a Corrective Action Plan (CAP), which sets expectation dates for the resolution of any issues cited. We conduct an audit immediately after said date to ensure that the items have been improved based on the CAP. This is an example of an optimized process (Level 5) for firewall controls practices. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL For any items that do not meet KPI, we implement a Corrective Action Plan, which sets expectations dates for the resolution of any issues cited. Authored by VIMRO’s Cybersecurity Leaders
  • 4. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS All layers of our Cyber Security Enabling Methodology are equally critical and require your steady dedication. Systematic attention to each level of the process yields a solid foundation today that is also dynamic enough to safeguard you going forward. VIMRO’s holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks that threaten your business, clients, employees, or sensitive data. The Demystification of Successful Cyber Security! (800) 272 0019 Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL “The holistic approach arms your organization to prevent, detect, and respond to cybercriminal attacks.......” Authored by VIMRO’s Cybersecurity Leaders Contact VIMRO to learn more details about our approach and how we can help you build and maintain an Optimized Cybersecurity Risk Management Program.