Commercial Solutions CYBER SOLUTIONS HANDBOOK Making Sense of Standards and Framework Booz Allen Hamilton Commercial Solutions, combines industry knowledge and relevant experience with the right people and technologies to reduce risk, improve safety and increase profitability for your business. Together, we can enable you to thrive today, tomorrow and beyond.
CYBER SOLUTIONS HANDBOOK Making Sense of Standards and Frameworks The strength of an organization s cybersecurity program is now a market differentiator, and cybersecurity is a key business enabler. Today, chief information security officers (CISO) and their equivalents are facing increased responsibility amid a series of quickly evolving and often enterprise-wide challenges. Remediation-centric defense is not enough to combat current cyber threats, and CISOs must build an effective communication link between the server room and the board room in order to have an effective program. This paper is one of a series of handbooks that provide pragmatic insight and assistance on how to address the key issues facing cybersecurity leaders today. Businesses understand the importance of cybersecurity. Once relegated to the IT department as an afterthought, cybersecurity is now part of a company s core strategic planning and investment portfolio. Pressure is high to ensure that all of the company s assets and operations are secure; boards and executives are looking to CISOs for answers. Yet change is constant and quick, and standards and frameworks have risen to the forefront as a strategy to tackle this new environment. These paradigms present opportunity for insight and growth, but only if they are used in the appropriate context and it can be difficult to sort through this alphabet soup. This handbook provides context for the numerous cybersecurity standards and frameworks that currently exist. We put forth concrete recommendations for evolving the legacy mindset of program compliance to one of program maturity and risk-based security. However, there is no formula for security; there is a difference between being compliant and being secure. Focusing on maturity rather than checking the box provides organizations both the flexibility and the comprehensive view necessary to manage their risks and achieve their goals. Developing a robust maturity model is a significant undertaking, but there are existing models that can be used to rapidly evolve programs. Applying these models correctly, while taking into consideration the appropriate industry standards and frameworks, will align your security program to your organizational strategy, while providing concrete and risk-based guidance on how you can advance your program to enable the business. 2
Addressing an Alphabet Soup of Cybersecurity Standards and Frameworks In the rush to address an increasingly complex cyber environment and provide a standardized, structured approach to cybersecurity, we have, ironically, created innumerable options. From A (audits) to Z (Zachman Framework), it is easy to drown in the confusing alphabet soup of standards and frameworks. 1 As demonstrated by the examples below, these criteria span industries and vary in approach. There are well-known industry governance and control frameworks such as the Control Objectives for Information [and Related] Technology (COBIT) by ISACA, and international best practice standards such as the certifiable ISO/IEC 27001. Government entities, such as the National Institute for Standards and Technology (NIST), try to centralize and drive common practices, standards, lexicon, and requirements (e.g., the catalog of security controls in NIST Special Publication 800-53 ). We have control and risk management guidance focused on the financial industry, such as Basel (I, II, III), Gramm-Leach-Bliley Act (GLBA), and the Federal Financial Institutions Examinations Council (FFIEC). We see specialized guidance in the healthcare industry, such as the Health Information Trust 2 Alliance (HITRUST) framework and Health Insurance Portability and Accountability Act (HIPAA) controls. There are even structures for specifying product security standards, such as Common Criteria. So how can we begin to sift through all this information? Which framework might help you? The short answer is, probably most of them. Some you ll have to comply with, while others are great reference material. However, picking and choosing the right elements among all this available guidance is difficult, and still even if you are the most gifted security architect of all time mostly leaves you with a check- the-box approach. So what to do? Read on. 1 A large number of cybersecurity standards and frameworks have emerged in recent years; the acronym jargon used to describe these as made it all the more difficult to understand and apply relevant guidance 3
The NIST Cybersecurity Framework: Key Takeaways On top of these existing standards and frameworks, a new initiative kicked off in early 2013 when the Obama Administration enacted Executive Order 13636 and Presidential Policy Directive (PPD-21), primarily focused on improving cybersecurity among private sector critical infrastructure organizations. Many companies regard these directives as the writing on the wall for eventual federal regulation around cybersecurity for private companies. A primary product that emerged was a voluntary Cybersecurity Framework for managing cyber risks, spearheaded by NIST. Released in mid-february 2014, the Framework is a compilation of standards, guidelines, and best practices for managing cybersecurity-related risk, while protecting information confidentiality, individual privacy, and civil liberties. Although adoption of the NIST Framework is voluntary, many analysts suggest that it may be perceived as a future de facto standard of care, which could be used to measure companies in regulatory enforcements, class actions, and other lawsuits following cyber attacks and privacy breaches. The NIST Framework provides two important and fundamental elements for establishing or improving a cybersecurity program: (1) content and (2) an approach for using that content. When first glancing at the underpinnings, the Framework may appear as little more than a compilation of existing industry standards and frameworks. While its substance essentially points to such established industry guidance, this reflects the inputs gathered by NIST from among hundreds of industry cybersecurity practitioners. Consensus is good. In regard to approach, NIST provides some very high-level yet useful guidance for how to use the content. It describes using the Framework to establish an understanding of where the program currently is, and by infusing an understanding of cyber risk, security professionals can then develop targets and an action plan for meeting those targets. This is certainly an evolutionary step forward toward aligning security to organizational risk, but it still uses existing standards and frameworks (i.e., compliance material) as the guide for improvement. 4
Acknowledging the Difference between Compliance and Security Despite the good intentions of standards and frameworks, the fundamental truth is that there is no formula for security. Many companies are compliant with certain regulations because they are mandated by law. While avoiding legal exposures, fines, sanctions, and potential jail time is a good motivator, it does not make your company more secure. Standards and frameworks can help identify the landscape of potential areas you might want to address. They also might let you set a minimum level of performance. However, standards often force you to be either compliant or non-compliant. There is not always a middle ground or consideration for unique organizational risk. Too often you are either a one or a zero. If not used in the appropriate context, standards are a generic solution to a highly individualized problem set. Cybersecurity is intimately tied to your business strategy and operations, and it must be personalized to your organization. With the CISO role becoming a strategic business enabler, we can no longer afford to check a box. Your company s strategies, risks, goals, and operations should shape the cybersecurity program. This is even more critical with restricted budgets and resources, so you need to know where and how to scale your investments. The NIST Framework begins to shift the mindset of security leaders towards a risk-based approach. However, the NIST Framework is still a high-level construct designed to help think about the problem, and does not include robust or actionable guidance to mature a cybersecurity program. But the Framework s authors acknowledge this fact. They advise leveraging external guidance, including existing maturity models, to drive a security program forward. Valuing Maturity over Checkboxes Rather than focusing on a standard, look at your program with a maturity lens. Understand the various degrees of risk you face and then, within a well- established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas that you must address first, your current maturity in those areas, and what you must do to increase your maturity. Focusing on your maturity provides you with an opportunity to identify where your program stands today, where it must be in the future, and how to get there. A maturity approach is not one size fits all. Rather, you need to conduct an honest assessment of your baseline maturity in the areas that are key to your success. You also must establish your target states. These targets will vary based on your business needs and various exposures to cyber risk. A large multinational corporation, for example, might determine that it needs an advanced capability to internally monitor the risk presented by its hundreds of suppliers, while a smaller company with just a few suppliers might be able to outsource this to an established, low-cost third party. The two target states for each of these control groups would be very different. By building your approach based on risk and maturity, instead of blindly complying with standards, you move the responsibility of security from an outside entity to your organization. 5
The Characteristics of a Strong Maturity Model Developing a strong maturity model is a significant undertaking; most organizations do not have the resources to take this on. However, there are existing models out there to use, developed by sector bodies or private companies. So what does a good model look like? It covers both a broad range of topics and provides significant depth in each topic to ensure comprehensive and detailed guidance needed to enhance your cybersecurity program. Effective cybersecurity maturity models include: Functional and enabling controls Functional controls are more technical/operational in nature (e.g., application security, vulnerability assessment), while enabling controls pertain to governance, risk management, and other organizational functions that support (i.e., enable) the technical operations Logical organization of high-level and low-level views Logically organized objectives and measures that are used to pinpoint and evaluate specific aspects of your security program A maturity spectrum of granular and measureable details A clear scale of maturity, defined by characteristics and indicators to accurately assess your level of maturity People, process, and technology dimensions Multifaceted views that let you evaluate each control area in its key component parts A foundation grounded in established best practices Developed from best practices across industry, government, and academia. 6
Using a Maturity Model to Evolve a Cybersecurity Program Appropriately applying a maturity model is as important as developing or choosing the right one. The following is an overview of one proven approach on how to put an effective maturity model into practice. As illustrated in Figure 1, this approach focuses on placing the model as the centerpiece of the organization setting the tone for both program structure and assessment. Figure 1 Cybersecurity Maturity Model Implementation Approach Step 1: Align Cybersecurity with Organizational Strategy Boil down your organization s strategic objectives and core value-generating operations into a set of short, declarative, and concrete statements. Understand which operations must continue to enable the sources of most value. In addition, consider the strategic actions your company is or will soon be taking in order to thrive in your future environment. These statements often can be written as We will or We must assertions. Examples include: We will expand globally, We must ensure our supply chain operations are not interrupted, or We will innovate by providing our customers new digital offerings. Once you have the strategic objectives, identify the cybersecurity risks that could impede them (see Figure 2). Figure 2 Strategic Objective Examples and Related Cybersecurity Risks Objective Globalization We will expand globally Cybersecurity Risks Note: Example Only Not Comprehensive Untrusted IT Equipment used in foreign offices Third party with unrestricted access to customer information Unsecured mobile devices Poor personnel screening practices Supply Chain We must ensure our supply chain operations are not interrupted. Research and Development We will innovate by providing our customers new digital offerings Malware introduced from third-party suppliers Non-transparent supplier security practices Corrupted data in business process workflows DDoS exposures in web-facing applications Poorly protected source code for new digital product Development environment is open to many individuals Poor situational awareness of internal access to sensitive R&D information 7
Step 2: Apply a Risk-based Prioritization It is unlikely that you will have the resources or time to focus on all parts of your business. You will need to prioritize. Leading companies often use threat and risk workshops to help identify and prioritize cyber risks, while gaining key points of consensus along the way. During these workshops, you will need to explore your risk tolerance as it relates to the various parts of your business. You may consider discussing potential strategic surprise threats that could deliver large-scale negative impact to the business. By conducting this exercise, you should gain a clear prioritization of the cyber risks that you need to address first. Step 3: Assess Your Maturity Once you identify your risk priorities, you can then begin to understand what control families would likely mitigate that risk. As mentioned above, your maturity model should address both functional and enabling control families. Addressing a risk will often involve multiple control families, and the integration of these families is critical to a robust and cohesive cybersecurity program. Figure 3 lists a high-level summary of which security control families could likely address a given risk. Figure 3 Sample Cybersecurity Risks and Applicable Control Families Objective Cybersecurity Risks Sample Applicable Control Families Globalization 1. Unsecured mobile devices Mobile Security Strategy & Policy Supply Chain 2. Non-transparent supplier security practices Governance Strategy & Policy Supplier Security Management Research and Development 3. Poor awareness of internal access to sensitive R&D information Personnel Screening Situational Awareness Now that you have an idea of (1) your biggest risks and (2) which cybersecurity control families most closely map to them, it is time to assess maturity. Perhaps you would like to understand organizational preparedness for poor situational awareness (risk #3). In this scenario, three primary control families are most applicable to helping mitigate this risk, and we would need to assess maturity for them all. To illustrate, we ll assess maturity in the situational awareness control family (see Figure 4). 8
Figure 4 Representative Assessment of the Situational Awareness Control Family To assess the maturity of the situational awareness control family, you need to break it down into discrete, manageable elements that you can assess, called control objectives. These control objectives are areas and actions you need to perform well in order to increase your capability for that control family. In this case, the elements that make up situational awareness are Security Event Collection, Analysis, and Response. Enhance your capabilities with these, and you will strengthen your situational awareness. Before you can assess where you need to be, you should first understand where you are today. Consider how effective your processes and technology are performing for each control objective. You also need to look at how well your people are performing within the entire control family. Note that since the same people cut across control objectives, they are usually assessed separately. You should have well-defined indicators of each level of maturity ( Lead through Platinum levels). These are concrete actions and characteristics that help you gauge your current baseline maturity. If you are using a company with a maturity model, be sure that they have developed clear and well-vetted levels that map to industry best practices. Otherwise, you will be measuring your maturity by gut instinct alone. Across the three objectives within this control family, maturity varies widely across the dimensions of people, process, and technology. The organization s process and technology maturity to collect and analyze event data is very low, meaning it would be very difficult to track internal employee access to sensitive R&D information. On the other hand, the people who conduct situational awareness activities have requisite skills and abilities. To manage this risk, however, the organization will need to invest in maturing the processes and technologies for event collection and analysis. 9
Step 4: Make a Plan After understanding your program s baseline maturity, you will need to establish your target states. Make sure these targets are relevant to your organization, industry, and strategic objectives. Don t assume that every control family needs to be at the highest maturity level that will be a very expensive and unnecessary mistake. You will need to define the target states that make the most sense for the amount of risk that your business leaders will tolerate. Once you have target states set and your gaps identified, you can begin to think of the gapclosing options to meet those target states. Patterns and priorities should begin to emerge. Keep in mind that the maturity ratings are much less important than the reasons behind them. This process should surface the specific challenges you need to address, regardless of the specific rating. From the gaps and priorities of your maturity assessment, you can build your plan. Identify the most critical needs, as well as what you can accomplish in the short and long term. Create a roadmap that shapes these needs into concrete initiatives. Each initiative should have a defined beginning, end, owners, timelines, resource requirements, and key dependencies. You should align your investment strategy behind these initiatives and map them back to the strategic initiatives that you identified at the beginning of this process. As you implement them, be sure to track your progress and report back to your executive leadership. You should be able to describe your efforts in the business context that your senior leaders will understand. 10
Example in Action: Top Financial Institution Integrates Corporate and Cybersecurity Strategies to Maximize Protection against Cyber Threats Challenge: Recognizing the key role of cybersecurity in their operations and objectives, the board of directors of a global Fortune 100 financial institution mandated a comprehensive review of the security program and an investment strategy that would enable the company s strategic objectives. Although they were in compliance with federal regulations, they knew that there was a difference between being compliant, and having strong cybersecurity. The organization needed a partner with an effective maturity model that was robust, comprehensive, and developed from industry best practices. They did not have the time, experience, or budget to develop one themselves, and they also felt the need for an objective perspective, so they came to Booz Allen Hamilton. Solution: Booz Allen worked with stakeholders to identify key threats facing the organization in the next 5 years, assess the maturity of its cyber program (focusing on 24 functional and enabling control families), and analyze organizational readiness to develop its program. The organization also collaborated with Booz Allen to compare the key findings, gaps, and recommendations from the maturity and organizational assessments to its draft investment plan. The client organization was able to use Booz Allen s proprietary maturity model to install a simplified, rational, and easy-to-communicate framework to engage stakeholders and enhance bank security. Through a series of threat workshops, the client was able to use this framework to identify and prioritize current and future threats, including emerging and "surprise" threats that it might encounter over the next 5 years. For the maturity assessment, the client organization utilized Booz Allen s CyberM 3 Reference Model, which helped identify key gap areas. Through collaboration with Booz Allen, the security organization was able to identify sensible recommendations for improving the security program. Together, the teams reviewed the client s existing investment strategy, and provided key recommendations that helped stakeholders successfully shape the organization s roadmap and program for the next 5 years. Result: By engaging Booz Allen experts and its maturity-based reference model, the board of directors was able to successfully merge the organization s security and corporate strategies to maximize protection against the increasing cybersecurity threat. 11
CONCLUSION As businesses adapt to running at the speed of cyber, they rush to apply standards and frameworks to help them make sense of it all. But there is no standard for security. There are no boxes you can check, and no matter how compliant you are, it does not mean you are any more secure. The solution is more difficult than that. It takes a deeper understanding of where your company wants to go and how your security program will help your company get there. It takes an honest assessment of your current maturity and a vision of where it needs to be. It takes smart decisions about where you invest your limited resources. Your Board of Directors and your CEO are looking to you for you for answers. That s because they know that cybersecurity is critical to their success. They know that cybersecurity is now a business enabler To learn how Booz Allen Hamilton can help your business thrive, contact: Booz Allen Hamilton Matthew Doan Senior Associate doan_matthew@bah.com 703-659-3689 Matthew Doan is a Senior Associate in Booz Allen's commercial cyber practice. In his role, he works with leaders across multiple industries in aligning cyber security programs to manage risk and meet the needs of the business. Mr. Doan specializes in programmatic assessment, enterprise risk management, strategysetting, and organizational design. Ian Bramson Lead Associate bramson_ian@bah.com 240-675-0840 Ian Bramson is a Lead Associate at Booz Allen, focusing on addressing challenges for commercial clients. Mr. Bramson blends business, technology, and strategy to develop enterprise cyber security solutions across multiple industries and the public sector. He specializes in strategic planning, organizational design, cyber diagnostics, governance, and change management. Laura Eise Lead Associate eise_laura@bah.com 262-391-1463 Laura Eise is a cybersecurity consultant in Booz Allen s commercial cyber practice. She works across multiple industries to assess and mature cybersecurity programs, and develop reference models for solving cyber challenges. Ms. Eise specializes in risk management, strategy development, training, and awareness. Copyright 2014 Booz Allen Hamilton Inc. The information contained herein is subject to change without notice. The only warranties for Booz Allen Hamilton products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Booz Allen Hamilton shall not be liable for technical or editorial errors or omissions contained herein. Trademark acknowledgements if needed.