Date posted: 05-Dec-2014
Category: Technology
Uploaded by: william-mcborrough
Mission Critical Global Technology Group
(MCGlobalTech)
Information Security Continuous Monitoring
Within A Risk Management Framework
Why Federal Information Security is Evolving
10 million cyber attacks daily at the Department of Energy
400%+ increase in cyber attacks since 2006
100 foreign intelligence organizations trying to hack into our military's digital networks
80% of attacks leverage known vulnerabilities and configuration setting weaknesses
Why Federal Information Security is Evolving
Security Incidents are increasing. IT Environments are in constant change. Risks need to be continuously assessed.
Organization Wide Risk Monitoring
Risk Management Framework (ISCM View)
Information Security Continuous Monitoring Strategy
Information Security Continuous Monitoring Steps
Step 1 – Define Strategy: Effective ISCM begins with the development of a strategy that addresses the ISCM requirements and activities at each organizational tier (Tier 1, Tier 2, Tier 3):
• Tier 1 – Risk mitigation strategy: executives determine the overall organizational risk tolerance and risk mitigation strategy;
• Tier 2 – Information generated at Tier 1 (governance, policy, risk tolerance, strategy, etc.) is communicated to staff, business unit owners and process owners so that they can reflect and implement the ISCM strategy in their systems and processes;
• Tier 3 – ISCM is implemented to support risk management and risk tolerance at all three tiers.
Information Security Continuous Monitoring Steps
Step 2 – Establish Measures and Metrics:
• Goals: detect security anomalies and changes in IT operations and information systems; maintain vulnerability awareness, control effectiveness and security status; control ongoing risk to the organization;
Step 3 – Establish Monitoring and Assessment Frequencies:
• The organization determines the frequency at which each security control is assessed. Data generated with different latencies is combined to create a holistic view of the security posture;
Step 4 – Implement the ISCM Program:
• Data is collected for the predefined metrics, security control assessments are conducted, and this information is reported and used in accordance with organizational policies and procedures;
Information Security Continuous Monitoring Steps
Step 5 – Analyze Data and Report Findings:
• The organization must develop procedures for analyzing and reporting assessment and monitoring results. This includes the content and format of reports, the frequency of reports, the tools used and, most importantly, the requirements for analyzing and reporting the results of control assessments;
• Organizational officials should review the analyzed reports to determine whether to conduct mitigation activities or to transfer, avoid / reject, or accept the risk;
Step 6 – Respond to Findings:
• Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance, or risk sharing in accordance with organizational risk tolerance.
Information Security Continuous Monitoring Steps
Step 7 – Review and Update Program:
• Security control assessments, security status metrics, and monitoring frequencies change according to the needs of the organization;
• The ISCM strategy should be reviewed to ensure that it sufficiently supports the organization and operates within acceptable risk tolerance levels, that metrics remain relevant, and that data is current and complete.
ISCM Recommendations for the Leadership Team
Recommendations on ISCM for Leadership:
• Anchor to a specific risk framework or approach (e.g., NIST SP 800-137);
• Develop risk ranking / scoring methods;
• Prioritize security projects, actions, and investments according to risk rank;
• Maintain situational awareness of all information systems and functions across the organization;
• Support a clear view and understanding of threat activities;
• Continuously re-evaluate security controls, frequencies, and the security program;
• Collect and analyze meaningful information security related data;
• Communicate security status across all tiers of the organization;
• Organization executives must have an active role in risk management;
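As an added example (not from this deck and not MCGlobalTech's code), the following Python script shows what Steps 2–4 above and the leadership recommendation to develop risk ranking / scoring methods look like once they are turned into data: each control carries an assessment frequency (Step 3) and the date of its last collected assessment (Step 4); a staleness-and-findings score (a Step 2 metric) is computed per control; the controls are ranked for prioritization; and a per-tier status summary is produced for reporting. The control identifiers follow NIST SP 800-53 naming, and the frequencies, impact weights, open-finding counts, sample dates and the scoring formula are all constructed assumptions for illustration, not values from the deck.

```python
"""Minimal ISCM status computation (added example, not from the deck).

Models NIST SP 800-137 Steps 2-4 (metrics, assessment frequencies, data
collection) plus risk ranking.  All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlRecord:
    control_id: str       # NIST SP 800-53 style identifier (assumed sample)
    tier: int             # organizational tier (1-3) that owns the metric
    frequency_days: int   # Step 3: how often this control must be assessed
    last_assessed: date   # Step 4: date of the most recent collected assessment
    impact: int           # 1 (low) .. 3 (high); weight used in the risk ranking
    findings_open: int    # open findings from the last assessment


def days_overdue(rec: ControlRecord, as_of: date) -> int:
    """Days past the next due assessment date; 0 when the control is current."""
    due = rec.last_assessed + timedelta(days=rec.frequency_days)
    return max(0, (as_of - due).days)


def risk_score(rec: ControlRecord, as_of: date) -> float:
    """Illustrative Step 2 metric: impact-weighted score that grows with
    staleness (overdue days as a fraction of the assessment cycle) and
    with the number of open findings.  The formula is an assumption."""
    staleness = days_overdue(rec, as_of) / rec.frequency_days
    return round(rec.impact * (1 + staleness) * (1 + rec.findings_open), 2)


def rank_controls(records, as_of: date):
    """Risk ranking for prioritization: highest score first, then by id."""
    return sorted(records, key=lambda r: (-risk_score(r, as_of), r.control_id))


def status_report(records, as_of: date) -> dict:
    """Step 5-style summary: per-tier counts and the list of overdue controls,
    so each tier sees the data relevant to it at its own reporting latency."""
    report = {"as_of": as_of.isoformat(), "overdue": [], "per_tier": {}}
    for r in records:
        tier = report["per_tier"].setdefault(
            r.tier, {"controls": 0, "overdue": 0, "open_findings": 0})
        tier["controls"] += 1
        tier["open_findings"] += r.findings_open
        if days_overdue(r, as_of) > 0:
            tier["overdue"] += 1
            report["overdue"].append(r.control_id)
    report["overdue"].sort()
    return report


# Constructed sample data (not from the deck); as-of date chosen to match the post date.
AS_OF = date(2014, 12, 5)
SAMPLE = [
    ControlRecord("CM-6", 3, 30, date(2014, 10, 1), 3, 2),   # config settings: 35 days overdue
    ControlRecord("RA-5", 3, 7, date(2014, 12, 1), 3, 0),    # vulnerability scanning: current
    ControlRecord("AC-2", 2, 90, date(2014, 8, 1), 2, 1),    # account management: 36 days overdue
    ControlRecord("PM-9", 1, 365, date(2014, 1, 15), 1, 0),  # risk management strategy: current
]

if __name__ == "__main__":
    for rec in rank_controls(SAMPLE, AS_OF):
        print(f"{rec.control_id:5} tier={rec.tier} overdue={days_overdue(rec, AS_OF):3d}d "
              f"score={risk_score(rec, AS_OF)}")
    print(status_report(SAMPLE, AS_OF))
```

With the sample data, the configuration-settings control (CM-6) ranks first because it is both a full cycle overdue and carries open findings, which matches the deck's point that most attacks leverage known vulnerabilities and configuration weaknesses; the annual Tier 1 strategy review ranks last because it is current. In practice the records would be populated from the organization's assessment and scanning tools rather than typed in.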
Executive Summary
• The combination of preventive and detective monitoring controls is important in building an effective continuous monitoring program;
• The successful implementation of a continuous monitoring program will require common commitment through leadership support, authorizing official enforcement, and system owner responsibility;
• A well-designed and implemented continuous monitoring program can improve the quality of agency information security programs by providing management with current, meaningful information on the security posture of their IT assets;
Contact Information
Mission Critical Global Technology Group
1776 I Street, NW, 9th Floor
Washington, District of Columbia 20006
Phone: 571-249-3932
Email: [email protected]
William McBorrough, Managing Principal, [email protected]
Morris Cody, Managing Principal, [email protected]