Structuring the Chief Information Security Officer Organization


Structuring the Chief Information Security Officer Organization

Julia H. Allen
Gregory Crabb (United States Postal Service)
Pamela D. Curtis
Brendan Fitzpatrick
Nader Mehravari
David Tobar

September 2015

TECHNICAL NOTE
CMU/SEI-2015-TN-007

CERT Division
http://www.sei.cmu.edu

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by USPS under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of USPS or the United States Department of Defense.

This report was prepared for the
SEI Administrative Agent
AFLCMC/PZM
20 Schilling Circle, Bldg. 1305, 3rd floor
Hanscom AFB, MA 01731-2125

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon and CERT are registered marks of Carnegie Mellon University.

DM-0002696

Table of Contents

2 Define Subfunctions, Activities, and Departments  3
  2.1 Process  3
  2.2 Departments, Subfunctions, and Activities  7
3 Derive and Describe the CISO Organizational Structure  11
  3.1 Derive  11
  3.2 Describe  11
    3.2.1 Program Management  11
    3.2.2 Security Operations Center  12
    3.2.3 Emergency Operations and Incident Command  13
    3.2.4 Security Engineering and Asset Security  13
    3.2.5 Information Security Executive Council  15
4 Sizing the CISO Organization  16
5 Recommended Next Steps  18
Appendix A: Mappings of Functions, Departments, Subfunctions, and Activities  19
Appendix B: Complete List of Source Acronyms  29
Bibliography  33

CMU/SEI-2015-TN-007 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY


List of Figures

Figure 1: Four CISO Functions  2
Figure 2: Process for Deriving a CISO Organizational Structure  4
Figure 3: CISO Organizational Structure  11


List of Tables

Table 1: Sample CISO Function to Source Mapping  5
Table 2: Source Acronyms  6
Table 3: Protect, Shield, Defend, and Prevent Departments, Subfunctions, and Activities  7
Table 4: Monitor, Hunt, and Detect Departments, Subfunctions, and Activities  8
Table 5: Respond, Recover, and Sustain Departments, Subfunctions, and Activities  9
Table 6: Govern, Manage, Comply, Educate, and Manage Risk Departments, Subfunctions, and Example Activities  9
Table 7: CISO Function to Source Mapping  20
Table 8: Complete List of Source Acronyms  29


Acknowledgments

The authors acknowledge the contributions to this report of the SEI Library staff who provided extensive sources on CISO organizational functions and structures.


Abstract

Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today's increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?

This report describes how the authors defined a CISO team structure and functions for a large, diverse U.S. national organization using input from CISOs, policies, frameworks, maturity models, standards, codes of practice, and lessons learned from major cybersecurity incidents.


1 Introduction

Chief Information Security Officers (CISOs), responsible for ensuring various aspects of their organizations' cyber and information security, are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today's increasingly expanding and dynamic cyber risk environment. The continuous occurrence of highly publicized, global cyber intrusions illustrates the inadequacy of reactive controls- and practices-based approaches, which may be necessary but are not sufficient for protecting and sustaining their organizations' critical cyber assets.

The literature is filled with numerous descriptions of the wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these and select those functions that are most applicable for his or her organization's mission, vision, and business objectives? In assisting a large, diverse U.S. national organization in answering this question, we considered the following inputs:

• sources describing the expanding operational risk environment with respect to IT operations, cybersecurity, business continuity, and disaster recovery
• numerous discussions over several years with CISOs and security professionals
• in-depth analysis of recent, large-scale, high-impact cybersecurity incidents, including the identification of what worked well and what did not

From these inputs and our experience developing and applying the CERT Resilience Management Model [Caralli 2011], we identified four key functions that capture the majority of a CISO's responsibilities, as shown in Figure 1:

• Protect, Shield, Defend, and Prevent: Ensure that the organization's staff, policies, processes, practices, and technologies proactively protect, shield, and defend the enterprise from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization's risk tolerance.

• Monitor, Hunt, and Detect: Ensure that the organization's staff, policies, processes, practices, and technologies monitor ongoing operations and actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.

• Respond, Recover, and Sustain: When a cybersecurity incident occurs, minimize its impact and ensure that the organization's staff, policies, processes, practices, and technologies are rapidly deployed to return assets to normal operations as soon as possible. Assets include technologies, information, people, facilities, and supply chains.

• Govern, Manage, Comply, Educate, and Manage Risk: Ensure that the organization's leadership, staff, policies, processes, practices, and technologies provide ongoing oversight, management, performance measurement, and course correction of all cybersecurity activities. This function includes ensuring compliance with all external and internal requirements and mitigating risk commensurate with the organization's risk tolerance.

Figure 1: Four CISO Functions

Using these four functions as the foundation, we proceeded to review selected policies, standards, and codes of practice to further decompose the functions into subfunctions and activities, which we then grouped into candidate organizational departments (Section 2) and a proposed organization structure (Section 3). We describe some guidelines and rules of thumb on sizing the CISO organization (Section 4) and recommend several next steps (Section 5).

We recommend that readers consider using this approach as a "strawman" or template for structuring a CISO organization and for allocating roles and responsibilities to its various organizational units. Clearly, CISOs will want to adapt and tailor what is suggested here to meet their specific requirements and priorities.

2 Define Subfunctions, Activities, and Departments

2.1 Process

We selected the following policies, frameworks, maturity models, standards, and codes of practice (referred to as "sources") to expand the definitions and scope of each of the four functions described in Section 1. These sources are broadly accepted as providing credible, reputable guidance that covers the scope of cybersecurity, information security, and continuity of operations as it relates to cybersecurity:

• topics typically addressed in a large organization's information security policy
• CERT Resilience Management Model, version 1.1 [Caralli 2011]
• U.S. National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations [NIST 2015]
• U.S. Department of Energy Cybersecurity Capability Maturity Model (C2M2) [DOE 2014]
• U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity [NIST 2014]
• National Initiative for Cybersecurity Education (NICE) The National Cybersecurity Workforce Framework Version 1.0 [NICE 2013] [1] and the Office of Personnel Management extensions to it [OPM 2014]
• SANS Critical Security Controls [SANS 2015]

For each source, we mapped its specific topics to one of the four functions: Protect, Monitor, Respond, and Govern. Each source topic was expressed as a subfunction (i.e., the next level of detail in support of a function) with one or more supporting activities. As we constructed this mapping, we also recommended several subfunctions that might be "subcontracted" or "outsourced" to an internal or external party where the CISO organization retains an oversight responsibility but does not directly perform the subfunction.

Once the mappings were complete, we analyzed the collection of subfunctions and activities and grouped them into meaningful departments, informed by several of the resources listed in the bibliography [EYGM 2014, Kark 2010, Rehman 2013, Scholtz 2011, UW 2015]. Related departments were then collected and represented as a hierarchical organizational chart. This process is depicted in Figure 2. Additional steps of the process are described in Sections 2.2 and 3.1.

[1] "The National Cybersecurity Workforce Framework establishes the common taxonomy and lexicon that is to be used to describe all cybersecurity work and workers irrespective of where or for whom the work is performed. The Framework is intended to be applied in the public, private, and academic sectors" [NICE 2013, pg. 3].

Figure 2: Process for Deriving a CISO Organizational Structure

Table 1 presents several examples from the mapping described above (functions to departments to subfunctions to activities, with supporting sources). Expansion of the source acronyms used in Table 1 appears in Table 2. The full mapping can be found in Appendix A; the full list of acronyms from all sources is available in Appendix B.

Table 1: Sample CISO Function to Source Mapping

Columns of the original table: Function, Department, Subfunction, Activities, Subcontracted To, and one column per source (IS Policy, CERT-RMM, NIST 800-53, C2M2, NIST CSF, SANS CSC, NICE CWF). Source cells that could not be recovered from the page are omitted below; the full mapping is in Appendix A.

Function: Protect, Shield, Defend, and Prevent
  Subfunction: Configuration management
  Activity: Manage configurations for software and applications
  Subcontracted to: IT [2]
  IS policy: Configuration management
  CERT-RMM: KIM, TM

Function: Monitor, Hunt, and Detect
  Subfunction: Virus and malicious code management
  Activity: Detect, analyze, and eliminate viruses and malicious code
  IS policy: Protection against viruses and malicious code
  CERT-RMM: KIM, TM
  NIST 800-53: SC, SI
  C2M2: TVM-1
  NIST CSF: DE.AE

Function: Respond, Recover, and Sustain
  Department: Emergency Operations and Incident Command Center
  Subfunction: Incident management and response
  Activity: Detect, triage, analyze, respond to, and recover from suspicious events and security incidents
  IS policy: Security incident management
  CERT-RMM: IMC
  NIST 800-53: IR
  C2M2: IR-1, IR-2, IR-3

Function: Govern, Manage, Comply, Educate, and Manage Risk
  Department: Program Management Office
  Subfunction: Information security program/plan
  Activity: Develop, implement, and maintain an information security program and plan
  IS policy: Information security plan
  CERT-RMM: GP2
  NIST 800-53: PL, PM
  NIST CSF: none

[2] The most frequently occurring "subcontract to" function is IT or the organization's IT service provider. It is important to note that if a security-related activity is performed by IT, the CISO organization retains oversight responsibility.

Table 2: Source Acronyms [3]

CERT-RMM
  IMC  Incident Management and Control
  KIM  Knowledge and Information Management
  TM   Technology Management
  GP2  Plan the Process

NIST 800-53
  CM  Configuration Management
  IR  Incident Response
  PL  Planning
  PM  Program Management
  SC  System and Communications Protection
  SI  System and Information Integrity

C2M2
  ACM  Asset, Change and Configuration Management
  TVM  Threat and Vulnerability Management
  IR   Event and Incident Response, Continuity of Operations
  CPM  Cybersecurity Program Management

NIST CSF
  PR.IP  Protect: Information Protection Processes and Procedures
  DE.AE  Detect: Anomalies and Events
  DE.CM  Detect: Security Continuous Monitoring
  DE.DP  Detect: Detection Processes
  RS.RP  Respond: Response Planning
  RS.CO  Respond: Communications
  RS.AN  Respond: Analysis
  RS.MI  Respond: Mitigation
  RS.IM  Respond: Improvements
  RC.CO  Recover: Communications
  RC.RP  Recover: Recovery Planning

SANS CSC
  3   Secure Configurations for Hardware and Software
  5   Malware Defenses
  18  Incident Response and Management

NICE CWF
  OD:SO  Information Systems Security Operations
  OM:SA  System Administration
  PD:IR  Incident Response
  PD:VA  Vulnerability Assessment and Management

[3] There is no relationship between the source entries in each row of Table 2.

2.2 Departments, Subfunctions, and Activities

We used the outcome of the mapping process to identify and allocate each subfunction to one or more of the four functions. The aggregation of related subfunctions resulted from an affinity grouping process. Each group of subfunctions was given a descriptive name that was then used to identify and label candidate organizational departments.

Table 3 lists the departments, subfunctions, and activities for the Protect/Shield function. Table 4, Table 5, and Table 6 contain similar information for the remaining three functions.

Table 3: Protect, Shield, Defend, and Prevent Departments, Subfunctions, and Activities

Department: Security Engineering (all asset lifecycle related activities)
  Security requirements: Specify and allocate/assign confidentiality, integrity, and availability requirements.
  Security architecture: Develop and maintain a security architecture.
  Secure lifecycle: Address security throughout the development lifecycle.
  Secure lifecycle: Address security throughout the acquisition lifecycle.
  Certification and accreditation: Perform certification and accreditation prior to releasing new systems to production.

Department: Identity Management
  Identity and access management: Define and manage identities and access controls based on identities (password management, single sign on, two-factor authentication, PIN management, digital signatures, smart cards, biometrics, Active Directory, etc.)

Department: Application Security (operations, not development lifecycle)
  Software and application inventories: Develop and maintain software and application inventories
  Software and application controls: Define, implement, assess, and maintain controls necessary to protect software and applications in accordance with security requirements (operating systems, applications, database management systems, web-based PCI applications, COTS; maintenance) [4]
  Configuration management: Manage configurations for software and applications
  Change management: Manage changes for software and applications

Department: (name not recoverable from the page)
  Host and network inventories: Develop and maintain network, hardware, device, and system inventories (including wireless)
  Host and network controls: Define, implement, assess, and maintain controls necessary to protect networks, hardware, and systems in accordance with security requirements (intrusion prevention/detection)
  Network perimeter controls: Define, implement, assess, and maintain controls necessary to protect the network/Internet perimeter in accordance with security requirements (firewalls, DMZ, network connections, third-party connectivity, remote access, VPNs) [5]
  Configuration management: Manage configurations for networks (including wireless), hardware, and systems
  Change management: Manage changes for networks, hardware, and systems

[4] PCI: payment card industry; COTS: commercial off-the-shelf
[5] DMZ: demilitarized zone; VPN: virtual private network

Table 3 (continued)

Department: Information Asset Security
  Information asset categorization: Designate and categorize information and vital assets (including PII [6]) (includes privacy requirements)
  Information asset inventories: Develop and maintain information asset inventories
  Information asset controls: Define, implement, assess, and maintain controls necessary to protect information and vital assets (including media) in accordance with security requirements (includes privacy requirements, PII, encryption, PKI, backups, DLP, data retention/destruction) [7]

Department: Physical Access Control
  Physical access controls: Define and enforce access controls for facilities and other physical assets (such as networks and hosts)

Table 4 describes the departments, subfunctions, and activities for the Monitor function.

Table 4: Monitor, Hunt, and Detect Departments, Subfunctions, and Activities

Department: Security Operations Center
  Intelligence collection and threat management: Collect, analyze, triage, and disposition information from all threat sources
  Situational awareness and common operating picture: Collect, analyze, and report information in (near) real time that provides situational awareness and a common operating picture
  Logging: Perform audit logging (includes review and retention) of users, applications, networks, systems, and access to physical assets
  Monitoring: Monitor users, applications, networks, systems, and access to physical assets (includes intrusion prevention/detection, email/spam filtering, web filtering)
  Vulnerability management: Scan for, analyze, and disposition vulnerabilities
  Virus and malicious code management: Detect, analyze, and eliminate viruses and malicious code
  Information security help desk (a.k.a. CIRT [8]): Accept, triage, assign, and disposition all reported suspicious events and security incidents
  Incident management and response: Detect, triage, analyze, respond to, and recover from suspicious events and security incidents
