SYSTEM SOFT TECHNOLOGIES
Cybersecurity Strategy Overview

With the exponential growth of cyberspace over the past two decades has come an increasing risk of data security breaches involving sensitive and private information. High-profile attacks occur almost daily, and hacking cases have grown in frequency, magnitude, and level of damage. Definition and measurement are the keys to improving cybersecurity defense capabilities.

System Soft delivers a cybersecurity and data privacy audit program in conjunction with Sedgwick LLP, an international law firm, to preside over your company's legal and technical compliance objectives and safeguard your data assets. This is accomplished through a strategic approach guided by NIST (National Institute of Standards and Technology) standards. The Cybersecurity Strategy defines and provides direction for making decisions and allocating resources, and produces control mechanisms for the implementation of the strategy.

Methodologies

Our strategic framework is inspired by the NIST core functions of Identify, Protect, Detect, Respond, and Recover, with an emphasis on the identification step, as accomplished with our situational awareness and measurement studies.

There are differences in the evaluation criteria between NIST profiles and CMM. NIST involves as-is and to-be analysis (which are more stringent than the tiers "aware", "repeatable", and "adaptive"). CMM utilizes initial, repeatable, defined/measured, managed, and self-optimizing criteria.

The ongoing cycle definitions of the Cybersecurity Strategy are as follows (see Figure 1):
- Situational Awareness: study of the current cybersecurity environment
- Data gathering using CS5L
- Measurement using the Capability Maturity Model (CMM)
- Cybersecurity standards: vulnerability mapping using NIST and ISO/IEC 27K standards
- Compliance and regulation check and planning
- Risk Management and planning, including incident mitigation

Figure 1: Cycle Definitions
The Cybersecurity Strategy begins with an enterprise-wide evaluation of an organization's legal exposure and technological capabilities. This rigorous situational awareness study is followed by a process of data gathering and measurement conducted by our management system, the Cybersecurity Strategy 5 Layout (CS5L) Capability Maturity Model. The measurement stage applies to your employees, your processes, and the cybersecurity solutions companies which provide defenses in one or more of the layout areas in your enterprise.

The 5 layouts are arranged as follows:
- Network: hardware and devices, Bring Your Own Device (BYOD), data gathering, encryption, etc.
- Application Security (AppSec): access programs, wireless, telephony, etc.
- Security Awareness: employee training, capabilities, procedural knowledge, etc.
- Internal Defense: anti-virus, data encryption, backup and recovery, version control, etc.
- Forensics: denial of service attacks, breach attempts, etc.

The Cybersecurity Strategy 5 Layout is used as a framework to measure and determine gaps in your cybersecurity capabilities using the 5 Layout approach (Figures 2 and 3), which results in a standard measurement. From this, the strategy continues through its ongoing cycle into vulnerabilities, compliance, and risk management, resulting in a tactical plan that is built upon the NIST core functions and capability maturity according to the NIST profiles.

An example of an effective tactical plan:
- Capability Maturity: using the CS5L action steps to mature
- Risk Management actions
  - Corporate and officer risk actions
  - Defend: vulnerability actions
  - Defend: compliance actions
- Incident planning and actions

Using Cybersecurity Strategy: CS5L 5 Layout

Using the CS5L CMM framework, we gather data and measure using the 5 Layout approach (CS5L), which, in turn, results in a standard measurement (CMM).
Corporations throughout the world usually employ a variety of Cybersecurity Solutions Providers, which provide various defenses and monitor their security. These providers participate in supplying data, build and maintain system interfaces, and are able to contribute iterative questions about the capability of their defense solution in their layout or layouts. System Soft Technologies can manage that process.

As seen in the diagram below, the CS5L system is essentially a reporting system which gathers data from each of the 5 layouts into a SQL database named CyberSecurityStrategy. These functionalities and components are graded (e.g., levels of training) using the Capability Maturity Model (CMM); hence the overall system name becomes CS5L CMM. This results in a model able to measure cybersecurity risk on an enterprise level and provide measurement and analysis to the end step, (6) Vulnerability Mapping, Compliance, and ultimately Risk Management.

CS5L 5 Layout Approach

The 5 layout Cybersecurity Defense Strategy, CS5L, is a developed standard for measuring people, procedures, and systems at an enterprise. When engaged at a client site, System Soft Technologies deploys trained cybersecurity, systems, and analytical experts to support this five layout approach. The process begins with a situational awareness study, which is really a self-study because it is primarily done by the client; thereafter the process is focused in two stages, data gathering and measurement. Both are performed using the 5 layouts (Figure 2).
Figure 2: Cybersecurity Strategy Layouts

The 5 Layouts

1. Network (Communications)
This entails vendors who provide VPN (Virtual Private Network) hardware, networking equipment, and firewall hardware and software, e.g. Cisco. This is part of a defense layout to every endpoint and BYOD. It includes data gathering and network encryption on all devices, as well as user access. Analysis of the design and configuration of these networks and firewalls, with a focus on vulnerabilities, is also performed under Network.

2. AppSec (Software Systems)
AppSec (Application Security) covers applications developed by the client that interact with services hosted by the client, and applications that are installed on any part of their network: hosted, end-client, or server. This includes wireless, DMZ servers, telephony, border routing, remote administration, web security gateway, remote access VPN, etc., as well as access policies and authentication methods for systems and data.

3. Security Awareness (People, capability, and procedures)
Security Awareness is often measured by the level of training, a part of which is sometimes called Employee Cybersecurity Awareness Training (ESAT). The purpose is to measure access to ESAT for all employees, agents, and/or B2B companies that have Tier 1. The ESAT program should work through an online web app under the control of the IT department, in collaboration with Human Resources. It performs a simulated cybersecurity attack on employees, known as phishing, and then measures their performance. Thereafter, it runs training programs via email (via the web) which, in turn, let users proceed at their own pace by allowing stopping and restarting. Once complete, the dummy attack is performed again and measured. Security awareness should also include developer training for application development, administrative policy, privacy management, and risk assessment.

4. Internal Defense (In-house scanning, policies and controls)
Internal Defense categories include: AV (anti-virus), data encryption, disaster recovery, backup and recovery, installation and version control, USB usage, managing alerts, and incident mitigation.

5. Forensics (CSI and real-time monitoring)
Forensics requires full system access for analysis and measurement of the entire IT configuration, and is followed by the design and delivery of custom plans for responsive action to prevent denial of service attacks and access breach attempts, e.g. Sourcefire Security (now a Cisco product).
Layout Internal Functions

Within each layout are four important functions or steps which all lead to measurements. They are:

1. Defenses
In each layout there are defined defenses. Most CSCs cover a specific defensive function, and others transfer defenses into other layouts: firewall CSCs often do Forensics, and Network CSCs do firewalls. This is why the CS5L layouts follow the ISO/IEC 27K standards in their defense definition, and why some defenses are detailed in more than one layout.

2. Situational Awareness Study
The situational awareness study is performed largely by your managers of the various layout areas, guided by the CS5L CMM. This does require that both technical and legal professionals visit your facilities to identify your key personnel and open communications.

3. Data Gathering
CS5L gathers data to be used by the CMM in two ways. First, by collecting answers to questions directed at Network and Internal Defense, Forensics, firewall, and training methodologies, which exposes deficiencies and outlines areas of need. Second, by gathering detailed security information using penetration testing tools and data feeds on existing systems, plus data sources from the various CSCs that may be in place.

4. Measurement
Using a SaaS (software as a service) solution, SSTech consultants apply the data to the CMM. Thereafter, the technical analytics are performed at System Soft Technologies, and the legal analysis is done at Sedgwick's offices.

Capability Maturity Modeling Profiles

CMM Cybersecurity employs NIST profiles, by which we measure the client's cybersecurity health and capabilities. Our grading system rates each of the five layouts based on the NIST-established tiers. The tier system is structured as follows and is shown in Figure 3:

1. Initial (Grade E)
Cybersecurity practices are often disorganized rather than formalized, and are performed on a reactionary basis. The process is not documented and therefore not repeatable.

2. Repeatable (Grade D)
Formal cybersecurity policies are in place, and basic risk management techniques are established and consistently repeatable.

3. Defined and Measured (Grade C)
The organization has developed its own detailed process with more complete documentation and implementation. Methods are in place to handle changes in risk.

4. Managed (Grade B)
The organization uses data collection and analysis to monitor and control its cybersecurity risks.

5. Self-Optimized (Grade A)
Cybersecurity risk management processes are constantly being improved. The self-optimized organization has the capability to mature and teach its procedures as the business changes and employees come and go.
Figure 3: CS5L CMM Tiers

CMM Measurement

The 5 layout Cybersecurity Defense Strategy, CS5L, is a developed standard for measuring people, procedures, and systems at an enterprise. When engaged at a client site, System Soft Technologies deploys trained cybersecurity, systems, and analytical experts to support this five layout approach. In Stage 6, measurements are returned relating to three areas: Vulnerability, Compliance, and Risk Management. The components of each of those areas are shown below.

Vulnerability
- Map the CMM to vulnerabilities
- Use the NIST standards
- ISO/IEC 27001:2013
- Validation of CMM
- Use validation tools

Compliance
- Industry-specific compliance design rules (e.g., HIPAA, SCADA, PCI, etc.)
- Regulatory exposure
- HIPAA compliance
- PCI compliance
- SCADA compliance

Risk Management
- Contract exposure
- Geopolitical
- Historical incidents
- Policies/controls
- Risk planning
- Incident mitigation
- Change in control

System Soft Technologies provides a full spectrum of IT services and system solutions using a combination of elite technical knowledge and unmatched expertise in the use of cutting-edge technologies. Our mission is to provide clients with innovative IT consulting and solutions, and to foster an environment that creates a collaborative business experience while producing business outcomes.

Corporate Headquarters
3000 Bayport Drive, Suite 840
Tampa, Florida 33607
Ph: (727) 723-0801
Fax: (813) 289-5359

Atlanta Office
6 Concourse Parkway, Suite 2950
Atlanta, Georgia 30328
Ph: (770) 391-0801
Fax: (770) 391-0849

Virginia Office
2551 Dulles View Drive, Suite 350
Herndon, Virginia 20171
Ph: (703) 870-7407
Fax: (703) 870-7467

Dallas Office
5850 Granite Parkway, Suite 970
Plano, Texas 75024
Ph: (254) 647-0801
Fax: (214) 436-4677

India Office
2nd Fl., Plot 16, Sector III, HUDA Techno Enclave
Opp. K. Raheja IT Park
Madhapur, Hyderabad 500 081
Ph: 23115579/89
Fax: 23113349

2015 System Soft Technologies, All Rights Reserved