Cybersecurity Strategy




SYSTEM SOFT TECHNOLOGIES

Cybersecurity Strategy Overview

With the exponential growth of cyberspace over the past two decades has come increasing risk of data security breaches involving sensitive and private information. High-profile attacks occur almost daily, and hacking cases have grown in frequency, magnitude, and level of damage. Definition and measurement are the keys to improving cybersecurity defense capabilities.

System Soft delivers a cybersecurity and data privacy audit program in conjunction with Sedgwick LLP, an international law firm, to preside over your company's legal and technical compliance objectives and safeguard your data assets. This is accomplished through a strategic approach guided by NIST (National Institute of Standards and Technology) standards. The Cybersecurity Strategy defines and provides direction to make decisions and allocate resources, and produces control mechanisms for the implementation of the strategy.

Methodologies

Our strategic framework is inspired by the NIST core functions of Identify, Protect, Detect, Respond, and Recover, with an emphasis on the identification step, as accomplished with our situational awareness and measurement studies.

There are differences in the evaluation criteria between NIST profiles and CMM. NIST involves as-is and to-be analysis (which are more stringent than the tiers "aware", "repeatable", and "adaptive"). CMM uses initial, repeatable, defined/measured, managed, and self-optimizing criteria.

The ongoing cycle definitions of the Cybersecurity Strategy are as follows (see Figure 1):

- Situational Awareness: study of the current cybersecurity environment
- Data gathering using CS5L
- Measurement using the Capability Maturity Model (CMM)
- Cybersecurity standards: vulnerability mapping using NIST and ISO/IEC 27K standards
- Compliance and regulation check and planning
- Risk Management and planning, including incident mitigation

Figure 1: Cycle Definitions

The Cybersecurity Strategy begins with an enterprise-wide evaluation of an organization's legal exposure and technological capabilities. This rigorous situational awareness study is followed by a process of data gathering and measurement conducted by our management system, the Cybersecurity Strategy 5 Layout (CS5L) Capability Maturity Model. The measurement stage applies to your employees, your processes, and the cybersecurity solutions companies which provide defenses in one or more of the layout areas in your enterprise. The 5 layouts are arranged as follows:

- Network: hardware and devices, Bring Your Own Device (BYOD), data gathering, encryption, etc.
- Application Security (AppSec): access programs, wireless, telephony, etc.
- Security Awareness: employee training, capabilities, procedural knowledge, etc.
- Internal Defense: anti-virus, data encryption, backup and recovery, version control, etc.
- Forensics: denial of service attacks, breach attempts, etc.

The Cybersecurity Strategy 5 Layout is used as a framework to measure and determine gaps in your cybersecurity capabilities using the 5 Layout approach (Figures 2 and 3), which results in a standard measurement. From this, the strategy continues through its ongoing cycle into vulnerabilities, compliance, and risk management, resulting in a tactical plan that is built upon the NIST core functions and capability maturity according to the NIST profiles.

An example of an effective tactical plan:

- Capability Maturity: using the CS5L action steps to mature
- Risk Management actions: corporate and officer risk actions
- Defend: vulnerability actions
- Defend: compliance actions
- Incident planning and actions

Using Cybersecurity Strategy: CS5L 5 Layout

Using the CS5L CMM framework, we gather data and measure using the 5 Layout approach (CS5L), which, in turn, results in a standard measurement (CMM).
Corporations throughout the world usually employ a variety of Cybersecurity Solutions Providers, which provide various defenses and monitor their security. They participate in providing data, build and maintain system interfaces, and are able to contribute iterative questions about their capability in the layout or layouts covered by their defense solution. System Soft Technologies can manage that process. As seen in the diagram below, the CS5L system is essentially a reporting system which gathers data from each of the 5 layouts into a SQL database named CyberSecurityStrategy. These functionalities and components are graded (e.g., levels of training) using the Capability Maturity Model (CMM); hence the overall system name becomes CS5L CMM. This results in a model able to measure cybersecurity risk on an enterprise level and provide measurement and analysis to the end step, (6) Vulnerability Mapping, Compliance, and ultimately Risk Management.

CS5L 5 Layout Approach

The 5 layout Cybersecurity Defense Strategy, CS5L, is a developed standard for measuring people, procedures and systems at an enterprise. When engaged at a client site, System Soft Technologies deploys trained cybersecurity, systems, and analytical experts to support this five layout approach. The process begins with a situational awareness study, which is really a self-study because it is primarily done by the client, and thereafter the process is focused in two stages, data gathering and measurement. Both are performed using the 5 layouts (Figure 2).

Figure 2: Cybersecurity Strategy Layouts

The 5 Layouts

1. Network (Communications)
This entails vendors who provide VPN (Virtual Private Network) hardware, networking equipment, and firewall hardware and software, e.g. Cisco. This is part of a defense layout to every endpoint and BYOD. It includes data gathering and network encryption on all devices, as well as user access. Analysis of the design and configuration of these networks and firewalls, with a focus on vulnerabilities, is also performed under Network.

2. AppSec (Software Systems)
AppSec (Application Security) covers applications developed by the client that interact with services hosted by the client, and applications that are installed on any part of their network (hosted, end-client, or server). This includes: wireless, DMZ servers, telephony, border routing, remote administration, web security gateway, remote access VPN, etc., as well as access policies and authentication methods for systems and data.

3. Security Awareness (People, capability, and procedures)
Security Awareness is often measured by the level of training, a part of which is sometimes called Employee Cybersecurity Awareness Training (ESAT). The purpose is to measure access to ESAT for all employees, agents, and/or B2B companies that have Tier 1. The ESAT program should work through an online web app which is under the control of the IT department, in collaboration with Human Resources, and performs a simulated cybersecurity attack on employees, known as phishing, and then measures their performance. Thereafter, it runs training programs via email (via the web) which, in turn, let users proceed at their own pace by allowing stopping and restarting. Once complete, the dummy attack is performed again and measured. Security awareness should also include developer training for application development, administrative policy, privacy management, and risk assessment.

4. Internal Defense (In-house scanning, policies and controls)
Internal Defense categories include: AV (anti-virus), data encryption, disaster recovery, backup and recovery, installation and version control, USB usage, managing alerts, and incident mitigation.

5. Forensics (CSI and real-time monitoring)
Forensics requires full system access for analysis and measurement of the entire IT configuration, and is followed by the design and delivery of custom plans for responsive action to prevent denial of service attacks and access breach attempts, e.g. Sourcefire Security (now a Cisco product).

Layout Internal Functions

Within each layout are four important functions or steps which all lead to measurements. They are:

1. Defenses
In each layout there are defined defenses. Most CSCs cover a specific defensive function, and others transfer defenses into other layouts, as firewall CSCs often do Forensics, and Network CSCs do firewalls. This is why the CS5L layouts follow the ISO/IEC 27K standards in their defense definition, and why some defenses are detailed in more than one layout.

2. Situational Awareness Study
The situational awareness study is performed largely by your managers of the various layout areas, guided by the CS5L CMM. This does require that both technical and legal professionals visit your facilities to identify your key personnel and open communications.

3. Data Gathering
CS5L gathers data to be used by the CMM in two ways. First, by collecting answers to questions directed at Network and Internal Defenses, Forensics, Firewall, and training methodologies, which exposes deficiencies and outlines areas of need. The second is by gathering detailed security information using penetration testing tools and data feeds on existing systems, plus data sources from the various CSCs that may be in place.

4. Measurement
Using a SaaS (software as a service) solution, SSTech consultants apply the data to the CMM. Thereafter, the technical analytics are performed at System Soft Technologies, and the legal analysis is done at Sedgwick's offices.

Capability Maturity Modeling Profiles

CMM Cybersecurity employs NIST profiles, by which we measure the client's cybersecurity health and capabilities. Our grading system rates each of the five layouts based on the NIST-established tiers. The tier system is structured as follows and is shown in Figure 3:

1. Initial (Grade E): Cybersecurity practices are often disorganized rather than formalized, and performed on a reactionary basis. The process is not documented and therefore not repeatable.
2. Repeatable (Grade D): Formal cybersecurity policies are in place, and basic risk management techniques are established and consistently repeatable.
3. Defined and Measured (Grade C): The organization has developed its own detailed process with more complete documentation and implementation. Methods are in place to handle changes in risk.
4. Managed (Grade B): The organization uses data collection and analysis to monitor and control its cybersecurity risks.
5. Self-Optimized (Grade A): Cybersecurity risk management processes are constantly being improved. The self-optimized organization has the capability to mature and teach its procedures as the business changes and employees come and go.

Figure 3: CS5L CMM Tiers

CMM Measurement

The 5 layout Cybersecurity Defense Strategy, CS5L, is a developed standard for measuring people, procedures and systems at an enterprise. When engaged at a client site, System Soft Technologies deploys trained cybersecurity, systems and analytical experts to support this five layout approach. In Stage 6, measurements are returned relating to the three areas: Vulnerability, Compliance and Risk Management. The components of each of those areas are shown below.

Vulnerability
- Map the CMM to vulnerabilities
- Use the NIST standards
- ISO/IEC 27001:2013
- Validation of CMM
- Use validation tools

Compliance
- Industry-specific compliance design rules (e.g., HIPAA, SCADA, PCI, etc.)
- Regulatory exposure
- HIPAA compliance
- PCI compliance
- SCADA compliance

Risk Management
- Contract exposure
- Geopolitical
- Historical incidents
- Policies/controls
- Risk planning
- Incident mitigation
- Change in control

System Soft Technologies provides a full spectrum of IT services and system solutions using a combination of elite technical knowledge and unmatched expertise in the use of cutting-edge technologies. Our mission is to provide clients with innovative IT consulting and solutions, and to foster an environment that creates a collaborative business experience while producing business outcomes.

Corporate Headquarters: 3000 Bayport Drive, Suite 840, Tampa, Florida 33607. Ph: (727) 723-0801, Fax: (813) 289-5359
Atlanta Office: 6 Concourse Parkway, Suite 2950, Atlanta, Georgia 30328. Ph: (770) 391-0801, Fax: (770) 391-0849
Virginia Office: 2551 Dulles View Drive, Suite 350, Herndon, Virginia 20171. Ph: (703) 870-7407, Fax: (703) 870-7467
Dallas Office: 5850 Granite Parkway, Suite 970, Plano, Texas 75024. Ph: (254) 647-0801, Fax: (214) 436-4677
India Office: 2nd Fl., Plot 16, Sector III, HUDA Techno Enclave, Opp. K. Raheja IT Park, Madhapur, Hyderabad 500 081. Ph: 23115579/89, Fax: 23113349

2015 System Soft Technologies, All Rights Reserved