Date posted: 12-Apr-2017
Category: Business
Uploaded by: wwwsecurekmcom-secure-knowledge-management-inc
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
• Agility
• Governance
• Risk Management
• Verify & Validate
• Innovation
• Conclusion
The Canadian Institute of Chartered Accountants
a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.
b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.
c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.
d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.
e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.
• Reduce risks and threats to the Confidentiality, Integrity and Availability of Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.
• Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world class best practice and framework for consistent, concise security administration.
• Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.
• Improve assurance testing and validation outcomes by Internal Audit and External Auditors to further assure the Executive Management Team that the organization's Information Assets and System Resources are secure.
• Reduce the likelihood that an accidental security incident or breach of personal information caused by staff could have an adverse effect on the organization's reputation or liabilities, potentially leading to financial losses, by providing an ongoing Cybersecurity education and awareness program.
a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.
Cybersecurity Program Management
Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.
b). Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.
The NIST Cybersecurity Framework includes 5 major domains (Functions) and 22 subtopics (Categories), as listed in the mapping tables that follow. The integration of risk management within the governance over this framework is crucial to the success of its implementation.
[Chart: NIST CSF Conformity. X-axis: Tier 1 to Tier 4; Y-axis: 0% to 100% conformity. Series: Current Practices versus International Best Practices. Annotations: Lower Risk & Unplanned Expenses; Reduce Defects and Incidents.]
There are 4 Implementation Tiers defined within the NIST Cybersecurity Framework. NIST itself states that the Tiers do not represent maturity levels, so treat them as a planning scale rather than a formal maturity model:
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive
It is management's job to identify where the organization sits within the defined Tiers and to plan a roadmap that will move the organization towards a higher level of compliance and assurance.
ISO/IEC 27001 originated as British Standard BS 7799, developed in the 1990s by UK organizations under the sponsorship of the UK Department of Trade and Industry and published by BSI in 1995; it was adopted internationally as ISO/IEC 27001 in 2005. The 2013 edition is comprised of the mandatory management-system clauses 4 to 10 plus an Annex A of 114 reference controls in 14 domains; the Annex A controls are selected or excluded through the risk treatment process and the choice is justified in the Statement of Applicability, which is where the "mandatory versus discretionary" distinction comes from.
Bridging the delta between high-level frameworks and operational level activities is essential to achieve success, resilience and sustainability. By mapping NIST CSF to ISO/IEC 27001/27002 and then to ITIL / ISO 20000 you can achieve this goal.
IDENTIFY
Asset Management: NIST, ISO/IEC 27001, ISO 55000, SSAE 16 SOC 1, ISAE 3402
Business Environment: NIST, ITIL, COBIT, ISO/IEC 27001, PMP, PCI DSS, SSAE 16 SOC 1
Governance: NIST, ISO/IEC 27001, ISO/IEC 38500, COBIT, SSAE 16 SOC 1
Risk Assessment: NIST, ISO/IEC 27001, RCMP TRA, ISO 31000, SSAE 16 SOC 1
Risk Management Strategy: NIST, COSO ERM, ISA ERM, ISO 31000
On this slide we look at the key control breakdown from the 5 NIST CSF domains, to subtopics and major integrated control frameworks. Most organizations have already invested in security and will be able to leverage their investments under the NIST Cybersecurity Framework.
PROTECT
Access Control: NIST, ISO/IEC 27001, PCI DSS, SSAE 16
Awareness and Training: NIST, ISO/IEC 27001, PCI DSS, SSAE 16
Data Security: NIST, ISO/IEC 27001, Bloom's Taxonomy, PCI DSS, SSAE 16
Information Protection Processes and Procedures: NIST, ISO/IEC 27001, ISO 18001, ISO 14001, FDA MDS2
Maintenance: NIST, ISO/IEC 27001, ITIL, PCI DSS, SSAE 16, ISAE 3402
Protective Technology: NIST, ISO/IEC 27001, CIPS, FDA MDS2, PCI DSS, SSAE 16
Organizations that have already invested in security will be able to leverage those investments under the NIST Cybersecurity Framework.
DETECT
Anomalies and Events: NIST, ISO/IEC 27001, ITIL, SIRT, SSAE 16, ISAE 3402
Security Continuous Monitoring: NIST, ISO/IEC 27001, ITIL, SIRT, SSAE 16, ISAE 3402
Detection Processes: NIST, ISO/IEC 27001, ITIL, SIRT, SSAE 16, ISAE 3402
RESPOND
Response Planning: NIST, ISO/IEC 27001, ITIL, CSIRT, SSAE 16, PCI DSS
Communications: NIST, ISO/IEC 27001, ISO 9001, SSAE 16, ISAE 3402, PCI DSS
Analysis: NIST, ISO/IEC 27001, Bloom's Taxonomy, SSAE 16, ISAE 3402
Mitigation: NIST, ISO/IEC 27001, ITIL, ISO 9001, SSAE 16, ISAE 3402, PCI DSS
Improvements: NIST, ISO/IEC 27001, ITIL, ISO 31000, ISO 9001, SSAE 16, ISAE 3402
RECOVER
Recovery Planning: NIST, ISO/IEC 27001, ISO 22301, SSAE 16, ISAE 3402, PCI DSS
Improvements: NIST, ISO/IEC 27001, ISO 9001, SSAE 16, ISAE 3402, PCI DSS
Communications: NIST, ISO/IEC 27001, Bloom's Taxonomy, SSAE 16, ISAE 3402
NIST CSF Reference Architecture
This is a reference model used in security architecture to help design a security program and share knowledge with others on how it all works together.
c). Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.
A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.
Once risks have been identified they need to be treated, and the "risk treatment plan" is the best way of accomplishing this. Managers have been assigned, and corrective and preventive action plans have been documented. The corresponding service desk ticket is included for reference.
From the strategic planning view, broken down into annual mini-projects, the security roadmap may be useful when communicating to the board of directors or shareholders. This roadmap helps to clarify the message by plotting security activities over the next 3 years.
Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Register. Within the columns, an impact scale of 1 to 5 with a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared with or reviewed by an external party.
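As an added example (not from the original deck and not the author's own tooling): a small Python risk register that applies the 1-to-5 likelihood and impact scales, a treatment threshold, the open/closed status, and the risk treatment plan fields described on the two preceding slides (assigned manager, corrective/preventive action, service desk ticket), and then runs the checks an internal auditor would apply to each entry rather than collecting the evidence. The field names, the threshold value of 10, the ticket references and the sample risks are assumptions made for illustration.

```python
"""Risk register with a risk treatment plan and auditor-style validation.

Added example, not from the original deck. The scales, the threshold of 10,
the field names, ticket references and sample risks are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD_SCALE = range(1, 6)  # 1 = rare .. 5 = almost certain (assumed scale)
IMPACT_SCALE = range(1, 6)      # 1 = negligible .. 5 = severe (assumed scale)
TREATMENT_THRESHOLD = 10        # likelihood * impact at or above this must be treated (assumed)


@dataclass
class TreatmentPlan:
    """Corrective/preventive action with an assigned manager and a service desk ticket."""
    owner: str
    action: str
    ticket: str    # service desk reference such as "SD-1042" (hypothetical)
    due: str       # target date kept as text for simplicity


@dataclass
class Risk:
    risk_id: str
    category: str                  # strategic, credit, market, financial, cyber ...
    description: str
    likelihood: int
    impact: int
    status: str = "open"           # "open" or "closed"
    treatment: Optional[TreatmentPlan] = None
    closure_evidence: str = ""     # evidence of operating effectiveness reviewed before closing

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def above_threshold(self) -> bool:
        return self.score >= TREATMENT_THRESHOLD


def validate(risk: Risk) -> List[str]:
    """Return the findings an internal auditor would raise for one register entry."""
    findings = []
    if risk.likelihood not in LIKELIHOOD_SCALE or risk.impact not in IMPACT_SCALE:
        findings.append(f"{risk.risk_id}: likelihood/impact outside the 1-5 scale")
    if risk.status not in ("open", "closed"):
        findings.append(f"{risk.risk_id}: unknown status {risk.status!r}")
    if risk.status == "open" and risk.above_threshold and risk.treatment is None:
        findings.append(f"{risk.risk_id}: score {risk.score} >= {TREATMENT_THRESHOLD} but no treatment plan")
    if risk.treatment is not None and not (risk.treatment.owner and risk.treatment.ticket):
        findings.append(f"{risk.risk_id}: treatment plan lacks an owner or a ticket reference")
    if risk.status == "closed" and not risk.closure_evidence:
        findings.append(f"{risk.risk_id}: closed without evidence of operating effectiveness")
    return findings


def audit_register(register: List[Risk]) -> List[str]:
    """Run validate() over the whole register, in register order."""
    findings = []
    for risk in register:
        findings.extend(validate(risk))
    return findings


def board_summary(register: List[Risk]) -> dict:
    """Counts for a board/shareholder roadmap slide: open vs. closed, and open items needing treatment."""
    open_risks = [r for r in register if r.status == "open"]
    return {
        "open": len(open_risks),
        "closed": sum(1 for r in register if r.status == "closed"),
        "open_above_threshold": sorted(r.risk_id for r in open_risks if r.above_threshold),
        "untreated_above_threshold": sorted(
            r.risk_id for r in open_risks if r.above_threshold and r.treatment is None),
    }


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R-001", "cyber", "Unpatched internet-facing web servers", 4, 4,
         treatment=TreatmentPlan("IT Operations Manager", "Monthly patch cycle with exception register",
                                 "SD-1042", "2017-06-30")),
    Risk("R-002", "financial", "Single supplier for payment processing", 3, 5),   # 15: open, no plan
    Risk("R-003", "strategic", "Key-person dependency in compliance team", 2, 3),  # 6: below threshold
    Risk("R-004", "cyber", "Shared admin credentials on legacy system", 5, 3, status="closed",
         treatment=TreatmentPlan("Security Manager", "Per-user accounts and MFA rollout",
                                 "SD-0988", "2017-03-31"),
         closure_evidence="Audit report A-2017-02, sample of 25 logins reviewed"),
    Risk("R-005", "market", "FX exposure on EU contracts", 3, 2, status="closed"),  # closed, no evidence
]


if __name__ == "__main__":
    for line in audit_register(SAMPLE_REGISTER):
        print(line)
    print(board_summary(SAMPLE_REGISTER))
```

Run on the sample register this raises two findings: R-002 scores 15 against a threshold of 10 but has no treatment plan, and R-005 was closed without closure evidence. The summary separates open items above the threshold from those that are still untreated, which is the split a roadmap slide needs to show.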
d). The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.
Traceability Matrix
In some of the 16 critical industries it is necessary to track changes to the infrastructure. This helps with root-cause analysis if something breaks, because we have a clearer picture of the organization.
e). Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.
Control Design
Innovation happens where different people with different experiences come together to solve problems. For example, the fishbone diagram has been used for years to help map out root cause analysis. When you add the six primary assets required to run a company, service or program you begin to see some granularity. When you overlay the controls used to mitigate known risks from frameworks like ISO/IEC 27001 or NIST it becomes easier to identify security risks and weaknesses. From a security investment perspective you create a visual that can be used with Executives to pinpoint
Control Design
When the control numbers have been mapped to the applicable framework, the English text of each control can be recalled to add clarity to the integrated risk management control framework that has been assembled.
Sustainable compliance is achievable and within the grasp of every organization regardless of size through the integration of internationally accepted standards and frameworks like the NIST Cybersecurity Framework and ISO/IEC 27001:2013. This approach enforces governance and risk management while establishing an agile program that seeks out innovation and quality.
For more information contact LinkedIn; http://ca.linkedin.com/in/markesbernard