BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Transcription


CYBER SECURITY READINESS & RESILIENCE
ASSESS THE RISKS, SCALE THE CAPABILITIES, ENTERPRISE-WIDE

SecOps: SecOps describes effective integration of security and IT/OT operations in three key areas:
- Mission priorities & dependencies
- Threat information
- Secure and available technology

Capability Maturity: Focusing on risk-based capabilities is foundational to building resilience.

Workforce Readiness: 60% of all attacks were carried out by insiders. 75% involved malicious intent. The workforce is our greatest point of vulnerability and opportunity.

FROM COMPLIANCE TO RESILIENCE
"COPERNICAN SHIFT"

[Diagram: compliance-based risk reduction (compliance/certification at the centre, capabilities around it) versus resilience-driven risk reduction (risk-based capabilities at the centre, compliance/certification around them)]

12/13/2017 2017 ISACA. All Rights Reserved.

CYBER SECURITY ASSESSMENT SOLUTION
BENEFITS AND IMPACT

- We present our results in layperson's terms: simple graphics to support board [...].
- Comprehensive scope: defines maturity for people, process and technology; includes hygiene; enables industry benchmarking.
- Defines the organization's risk profile and sets maturity targets.
- Provides risk-based prioritization of gaps in capabilities and maturity to support roadmap development and investment options.
- Leverages leading frameworks, standards and controls: provides views into compliance with the industry standards COBIT 5, ISO 27001, NIST CSF, CMMI, Threat Kill Chain, etc.

CMMI CYBER SECURITY CAPABILITY ASSESSMENT
SUPPORTS THE LEADING INDUSTRY STANDARDS

COMPREHENSIVE CYBER ASSESSMENT ARCHITECTURE

The architecture has seven domains; each domain is made up of capability areas, and each capability area groups practices. Practices are listed under their capability area as far as the slide layout can be read:

1. ENSURE GOVERNANCE FRAMEWORK
   - Establish Governance: Establish Information Security Management Policy Process; Establish Governance System; Direct Governance System; Monitor Governance System
   - Est. Business Environment: Identify Supply Chain Role; Identify Critical Infrastructure Participation; Identify Organizational Priorities; Manage External Participation
   - Govern Cybersecurity Resources: Evaluate Resource Management Needs; Direct Resource Management Needs; Monitor Resource Management Needs
   - Establish Stakeholder Reporting: Establish Stakeholder Reporting Requirements; Direct stakeholder communication and reporting; Monitor stakeholder communication

2. ESTABLISH RISK MANAGEMENT
   - Establish Risk Strategy: Establish Risk Management Strategy; Establish Risk Mgmt. Responsibilities; Define Organizational Risk Tolerance; Determine Strategic Risk Objectives
   - Establish Business Risk Context: Determine Mission Dependencies; Determine Legal / Regulatory Requirements; Identify Critical Dependencies; Determine Critical Infrastructure
   - Implement Risk Management: Establish Organization Risk Mgmt. Process; Integrate Risk Mgmt. Program

3. IDENTIFY AND MANAGE RISKS
   - Implement Risk Identification: Asset Discovery & Identification; Vulnerability Identification; Supply Chain Risk Identification; Identification of Roles & Responsibilities; Information Classification Considerations

4. ENSURE RISK MITIGATION
   - Ensure Access Control Management: Manage Identities and Credentials; Manage Access to Systems; Manage Access Permissions; Manage Network Integrity & Segregation
   - Establish Organizational Training: General User Training; Privileged User Training; 3rd Party Training; Senior Leader Training; Physical Security Training
   - Establish Data Security Protection: Safeguard Data at Rest; Safeguard Data in Transit; Manage Asset Lifecycle; Capacity Planning; Integrity and Data Leak Prevention
   - Establish Secure Application Development: Secure Application Development; Manage System Engineering Process; Safeguard Development Environment; Manage Software Update/Release Processes
   - Establish Information Protection Provisions: Establish Configuration Baselines; Establish Change Control; Establish Backup Processes; Establish Maintenance Processes
   - Establish Protection Planning: Establish Information Sharing; Develop and Maintain Response / Recovery Plans; Integrate HR Security Components; Establish Vulnerability Mgmt. (Patch) Process
   - Establish Protective Technology Provisions: Establish Audit Processes; Safeguard Removable Media; Safeguard Operational Environment; Manage Communication Protections; Establish Mobile Device Management

5. ENSURE RISK DETECTION
   - Establish Cybersecurity Incident Detection: Establish Network Baselines; Aggregate / Correlate Data; Determine Impacts; Alert Thresholds
   - Establish Continuous Monitoring: Monitor Networks; Monitor Physical; Monitor Personnel; Detect Malicious Code; Detect Mobile Code and Browser Protection; Monitor 3rd Parties; Implement Vulnerability Scanning
   - Establish Detection Processes: Establish Detection Roles; Ensure Information Sharing; Est. Security Review Processes; Test Detection Processes

6. ENSURE RISK RESPONSE
   - Establish Incident Response: Execute Response Plan; Response Roles & Resp.; Incident Reporting
   - Establish Incident Analysis: Implement Investigation Processes; Analyze Risk Events; Implement Forensics Capability; Establish Response Categorization
   - Mitigate Detected Incidents: Ensure Incident Containment; Ensure Incident Mitigation

7. ENSURE RESILIENCE
   - Establish Incident Recovery: Execute Recovery Plan; Recovery Communications

WORKFLOW PROCESS

- Board: Define organizational priorities; approve roadmap.
- CISO: Define the scope of the assessment and the organization's risk profile; risk-based maturity targets are [...].
- Operations level: Select practices to determine practice area level maturity.
- CISO: Develop risk mitigation [...].

[Diagram labels: RISK-BASED MATURITY TARGETS; ISO / CSF / COBIT; THREAT VIEW; MEASURED MATURITY VS. RISK-BASED TARGETS; MEASURED MATURITY VS. INDUSTRY; RISK PRIORITIZED GAPS AND TECHNICAL SOLUTIONS]

SELECT YOUR COMPANY'S UNIQUE RISK PROFILE

For each Potential Vulnerability, users will assign the likelihood of each Risk Event resulting from a Security Scenario, on the scale VL (Very Low), L (Low), H (High), VH (Very High).

Once the likelihoods of the Security Scenarios have been assigned, users will assign an impact for each Risk Event.

RISK PROFILE DEFINES THE MATURITY TARGETS

[Chart: capability areas sorted by risk, showing the risk-based target and the industry target for each on a 0-5 scale]

Capability areas (sorted by risk): Implement Risk Identification; Ensure Access Control Management; Establish Data Security Protection; Establish Governance Elements; Establish Business Environment; Govern Cybersecurity Resources; Establish Stakeholder Reporting; Establish Risk Strategy; Establish Business Risk Context; Implement Risk Management; Establish Organizational Training; Establish Secure Application Development; Establish Information Protection Provisions; Establish Protection Planning; Establish Protective Technology Provisions; Establish Cybersecurity Incident Detection; Establish Continuous Monitoring; Establish Detection Processes; Establish Incident Response; Establish Incident Analysis; Mitigate Detected Incidents; Establish Incident Recovery

- Risk Profile establishes initial target maturity by capability area.
- Maturity targets can be compared to industry benchmarks for maturity.

STANDARDIZED DEFINITIONS OF MATURITY
PEOPLE, PROCESS, TECHNOLOGY

Level 1
- People: General personnel capabilities may be performed by an individual, but are not well defined.
- Process: General process capabilities may be performed by an individual, but are not well defined.
- Technology: General technical mechanisms are in place and may be used by an individual.

Level 2 (Managed)
- People: Personnel capabilities achieved consistently within subsets of the organization, but inconsistent across the entire organization.
- Process: Adequate procedures documented within a subset of the organization.
- Technology: Technical mechanisms are formally identified and defined by a subset of the organization; technical requirements in place.

Level 3 (Defined)
- People: Roles and responsibilities are identified, assigned, and trained across the organization.
- Process: Organizational policies and procedures are defined and standardized. Policies and procedures support the organizational strategy.
- Technology: Purpose and intent is defined (right technology, adequately deployed); proper technology is implemented in each subset of the organization.

Level 4 (Quantitatively Managed)
- People: Achievement and performance of personnel practices are predicted, measured, and evaluated.
- Process: Policy compliance is measured and enforced. Procedures are monitored for effectiveness.
- Technology: Effectiveness of technical mechanisms is predicted, measured, and evaluated.

Level 5 (Optimized)
- People: Proactive performance improvement and resourcing based on organizational changes and lessons learned (internal & external).
- Process: Policies and procedures are updated based on organizational changes, and lessons learned (internal & external) are captured.
- Technology: Technical mechanisms are proactively improved based on organizational changes and lessons learned (internal & external).

MEASURING MATURITY BASED ON ACTIVITY

Example: domain Identify and Manage Risks, capability area Implement Risk Identification, practice area Vulnerability Identification. Each activity is tagged with a maturity level and has an audit checkbox.

Level 5
- The organization collaborates with relevant partners (e.g., facilities management, system operations staff) to periodically catalog known vulnerabilities.
- Staff have been trained and qualified to perform vulnerability identification activities as planned.
- Relevant managers oversee performance of the vulnerability identification activities.

Level 4
- Issues related to vulnerability identification are tracked and reported to relevant managers.
- Underlying causes for vulnerabilities are identified (e.g., through root-cause analysis).
- Risks related to the performance of vulnerability identification activities are identified, analyzed, disposed of, monitored, and controlled.
- Vulnerability identification activities are periodically reviewed to ensure they are adhering to the plan.

Level 3
- Stakeholders for vulnerability management activities have been identified and made aware of their roles.
- A standard set of tools and/or methods is used to identify vulnerabilities.
- Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.

Level 2
- Approved and diverse vulnerability sources are identified and documented.
- Automated vulnerability scanning tools review all applicable systems on the network (a and b required):
  a. An SCAP-validated vulnerability scanner is used that looks for both code-based vulnerabilities and configuration-based vulnerabilities.
  b. Vulnerability scans are executed on all applicable devices on a weekly or more frequent basis.
- Risk scores compare the effectiveness of system administrators and departments in reducing risk.
- Vulnerability scanning occurs in authenticated mode using a dedicated account with administrative rights (a1 or a2, and b, required):
  a1. Vulnerability agents operate locally on each applicable end system to analyze the security configuration.
  a2. Remote scanners have administrative rights on each applicable end system to analyze the security configuration.
  b. A dedicated account is used for authenticated vulnerability scans (not used for any other activities).
- Only authorized employees have access to the vulnerability management user interface, and roles are applied to each user.
- There exists a documented plan for performing vulnerability identification activities.
- Vulnerabilities are categorized and prioritized.
- Specific vulnerabilities that may impact mission-critical personnel, facilities, and resources are identified and catalogued.

Level 1
- A repository is used for recording information about vulnerabilities and their resolutions.
- Vulnerability management tools identify those types of platform (e.g., OS, application, device) affected by known vulnerabilities.
- The organization has identified potential logical vulnerabilities that might lead to known risks.
- Tools are in place to periodically identify new/updated vulnerabilities that may impact organizational systems.
- Subscription mechanisms ensure that current vulnerability lists are maintained.

PRACTICE AREA MATURITY LEVEL 1: Overall maturity for this practice area is L1 as not all boxes were checked for L2.
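The scoring rule behind that note (a practice area sits at the highest level at which every box is checked, compound a/b sub-requirements included, so a single unmet level-2 item caps it at L1), written out as an added Python example. This is not ISACA's assessment tool; the `Activity`, `practice_area_maturity` and `unmet` names are mine, activity texts are shortened, and the checkbox states are constructed.

```python
# Added example (not ISACA's tool): practice-area maturity scoring as the
# slide describes it. Activity texts are shortened; checkbox states below are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SubChecks = Dict[str, bool]

@dataclass
class Activity:
    level: int
    text: str
    checked: bool = False
    # Compound activities carry a rule over their sub-boxes, e.g. "a & b".
    rule: Optional[Callable[[SubChecks], bool]] = None
    subs: SubChecks = field(default_factory=dict)

    def satisfied(self) -> bool:
        return self.rule(self.subs) if self.rule else self.checked

def practice_area_maturity(activities: List[Activity]) -> int:
    """Highest level L such that every activity at levels 1..L is satisfied.
    Levels are cumulative: the walk stops at the first level with an unmet
    box, which is why an incomplete level 2 scores L1 on the slide."""
    level = 0
    for lvl in range(1, max(a.level for a in activities) + 1):
        if not all(a.satisfied() for a in activities if a.level == lvl):
            break
        level = lvl
    return level

def unmet(activities: List[Activity], level: int) -> List[str]:
    """Unsatisfied activities at `level`: the gap list that feeds the roadmap."""
    return [a.text for a in activities if a.level == level and not a.satisfied()]

# Constructed sample: all level-1 boxes ticked, one level-2 compound item short.
SAMPLE = [
    Activity(1, "Repository records vulnerabilities and resolutions", checked=True),
    Activity(1, "Subscriptions keep vulnerability lists current", checked=True),
    Activity(2, "Documented plan for vulnerability identification", checked=True),
    Activity(2, "Automated scanning of all applicable systems (a & b)",
             rule=lambda s: s["a"] and s["b"], subs={"a": True, "b": False}),
    # "(a1 OR a2 & b required)" on the slide is read here as (a1 or a2) and b.
    Activity(2, "Authenticated scanning with a dedicated account",
             rule=lambda s: (s["a1"] or s["a2"]) and s["b"],
             subs={"a1": False, "a2": True, "b": True}),
    Activity(3, "Standard set of tools/methods used", checked=True),
]
```

`practice_area_maturity(SAMPLE)` returns 1 even though the level-3 box is ticked, and `unmet(SAMPLE, 2)` names the one compound item that holds the area back.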

OUTPUT REPORTS

[Chart: measured maturity vs. risk-based target, by capability area sorted by risk (the same 22 capability areas as the risk profile chart), on a 0-5 scale]

OUTPUT REPORTS (BENCHMARKS)

[Chart: measured maturity vs. industry maturity, by capability area sorted by risk (the same 22 capability areas as the risk profile chart), on a 0-5 scale]

ROADMAP DEVELOPMENT
SPECIFIC PRACTICES AND PRIORITIZED FIRST BY RISK

NIST CYBERSECURITY ALIGNMENT BY PRACTICE AREA
FILTERED RESULTS

Table columns: Cybersecurity Framework category and subcategory; risk-based target (level 4 selected); measured maturity; practices. (The numeric cells are not legible in the transcription.)

- PR.IP Information Protection Processes and Procedures
  - PR.IP-2: A System Development Life Cycle to manage systems is implemented.
- PR.AT: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
  - PR.AT-2: Privileged users understand roles & responsibilities.
- PR.DS: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
  - PR.DS-7: The development and testing environment(s) are separate from the production environment.

Practices shown: Users are formally assigned roles and responsibilities aligned to their work role; Staff with supply chain risk management responsibilities are trained on the objectives of the supply chain risk management program.

TRACKING TOOLS KEEP TEAM ON-TRACK

CYBER SECURITY READINESS & RESILIENCE
ASSESS THE RISKS, SCALE THE CAPABILITIES

QUESTION / FEEDBACK / SUMMARY
