In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity, and availability of the critical data entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner to lead a discussion on Cybersecurity Risk Management Programs: what they are and how they can prepare your organization for the future.
6. *The following information was gathered from the Association of International Certified Professional Accountants.
The Association of International Certified Professional
Accountants’ (AICPA) Cybersecurity Advisory Services
Certificate Program provides finance and accounting
professionals with the knowledge needed to be a
strategic business partner within their organization
and with clients.
7. Objectives
• Understand what a Cybersecurity Risk Management Program is
as well as what it does for your organization.
• Gain a brief knowledge of frameworks that are available.
• Gain an understanding of the pros and cons of implementing a
Cybersecurity Risk Management Program.
8. What is a Cybersecurity Risk Management Program (CRMP)?
Definition:
A set of policies, processes and controls designed to:
• protect information and systems from security events that could
compromise the achievement of the entity’s cybersecurity objectives
and
• detect, respond to, mitigate, and recover from, on a timely basis,
security events that are not prevented.
9. Purpose of a CRMP
• Maintain data confidentiality by ensuring that data is accessible
only to individuals who require such access.
• Maintain data integrity by ensuring that data is not improperly
used, modified, or destroyed.
• Maintain data availability by ensuring that data is available in a
timely, reliable, and continuous manner.
11. What a CRMP Does
The major promise of a CRMP is that it ensures a level of protection
for an entity’s data, information, and systems against cybersecurity
risks by:
• Identifying what needs to be protected
• Defining threats
• Defining likelihood of occurrence
• Determining the potential impact
• Determining threat level
12. Knowledge Check
The primary function of risk management is:
• Satisfying assessment requirements.
• Identifying what information needs to be protected.
• Evaluating the effectiveness of the IT security and risk management
process.
• Protecting critical assets and bringing risk levels down to tolerable levels.
13. Knowledge Check
The primary function of risk management is:
• Satisfying assessment requirements. This is the first step within the process of
risk management but not the main goal.
• Identifying what information needs to be protected. This is the goal of a risk
assessment, not risk management.
• Evaluating the effectiveness of the IT security and risk management process.
Evaluation of the risk management process would need to occur after proper
risk management was in place.
• Protecting critical assets and bringing risk levels down to tolerable levels. An
effective risk management process will help to mitigate high risk levels which,
in turn, helps protect critical assets, as long as the process is mandated on a
regular basis to keep up with changing technology and knowledge.
14. CRMP Controls
• Having proper controls is one of the most fundamental parts of
an effective CRMP.
• These controls may take one of the following forms:
• Protection controls
• Detection controls
• Reaction controls
18. Discussion
What are some of the protection, detection, and reaction controls
you would expect an organization to have in place as part of its
IT security and CRMP?
19. Security Frameworks
A security framework is a method to align the policies, standards,
procedures, and guidelines that are needed to:
• Securely govern an organization’s infrastructure
• Meet security standards
• Continuously identify security gaps
• Meet compliance requirements and communicate risk to
executives.
20. Security Frameworks (cont.)
• A comprehensive set of leading practices
• A comprehensive strategy for identifying and managing potential
threats
• A blueprint for building an information cybersecurity program
21. Security Framework Benefits
Adopting a security framework, or combination of security
frameworks enables:
• Proper planning of a security infrastructure
• Proactive incident response
• Focus on high risk, critical environments
• Justification of requests for annual security budgets
• Identification of personnel and resources gaps for protecting critical
systems and data
• The use of criteria that are vetted by industry
22. Cybersecurity Standards
What is a standard?
A mandatory requirement, code of practice or specification approved
by a recognized external standards organization, such as International
Organization for Standardization (ISO).
What are security standards?
Practices, directives, guidelines, principles or baselines that state what
needs to be done and focus areas of current relevance and concern.
23. Framework vs Standard
A Framework is a high level concept or guide for implementing
types of security controls.
A Standard is a rigid code of practice or specification of controls.
24. Common Security Frameworks and Standards
• NIST CSF
• NIST SP 800-53
• ISO 27001
• HITRUST CSF
• COBIT
• SANS Institute – CIS Critical Security Controls (SANS CIS CSC)
26. NIST Cybersecurity Framework (CSF)
• This framework’s prioritized, flexible, and cost-effective approach
helps to promote the protection and resilience of critical
infrastructure and other sectors important to the economy and
national security.
27. NIST CSF (Cont.)
• It is made up of five concurrent and continuous functions:
–Identify
–Protect
–Detect
–Respond
–Recover
29. NIST CSF (Cont.)
• Outlines implementation tiers to account for control maturity:
–Partial
–Risk informed
–Repeatable
–Adaptive
30. NIST Cybersecurity Framework (CSF) Pros
• Established industry standard
• Linkage (e.g., ‘crosswalks’) provided to other major frameworks
• Supplemental guidance
• Flexible
• Freely available – no license or subscription required
31. NIST Cybersecurity Framework (CSF) Cons
• Requires development of control details
• Focused in scope to information security
• Cannot be certified against
32. When to use NIST (CSF)
• Some organizations are requiring the use of the Framework by
their vendors.
• Regulators are strongly encouraging the use of the Framework.
• Many organizations and individuals may provide a CSF
assessment.
• No license or certification is required.
33. NIST SP 800-53
• A catalog of security and privacy controls
• A process for selecting controls
• Developed and issued by the National Institute of Standards and
Technology (NIST)
• Assists in implementing the Federal Information Security
Management Act of 2002 (FISMA)
34. NIST SP 800-53 Pros
• NIST provides a large catalog of documentation
• Developed by US government agencies
• Provides a baseline of minimum requirements
• Freely available – no license or subscription required
35. NIST SP 800-53 Cons
• Focused on stored or processed information and IT systems
• Narrow approach to security
• Rigid and detailed control set
• Not acknowledged outside the US
36. When to use NIST SP 800-53
• The organization is a US government agency
• The organization is a private business doing business with the
government
• When conducting a FISMA assessment
• When a detailed cybersecurity control library is needed
• No official third-party certification program (except within the
federal government—e.g., certification & accreditation process).
37. ISO 27001
• Provides best practice recommendations
• Created and published by the International Organization for
Standardization (ISO)
• Helps manage the security of assets
• The most well-known security standard
• Commonly used by IT departments specific to an organization
38. ISO 27001 Pros
• Focuses on both technology and important assets
• Concentrates on mitigating risk for valuable business information
• Can obtain a certificate issued by certified body
• Prioritization of business process security
• Respected and widely-known standard
• Internationally recognized
39. ISO 27001 Cons
• Poorly-structured planning and implementation guidance
• Wide approach to security lacks granularity
• Low awareness/acceptance in some geographic areas (including
the US)
• Not free (although very inexpensive)
40. When to use ISO 27001
• Need to be certified due to changing regulations or expanded
customer base
• Need to meet internationally recognized and accepted standards
• Multiple types of information to protect
• Need flexible methodology to fit any approach
41. HITRUST CSF
• Developed in collaboration with healthcare and information
security professionals
• Both a risk- and compliance-based framework
• Widely-adopted security framework for the healthcare industry
• Helps prepare for when new regulations and security risks are
introduced
• Based on the ISO 27001 framework
• Version 9.1 incorporates EU and GDPR privacy regulation
42. HITRUST Pros
• Integrated approach to protecting health records
• Updated frequently, including mapping to other security and
compliance frameworks
• Aids regulatory compliance efforts
• Consistent with healthcare industry trends
• Can obtain a certificate issued by a certified body
• Can be tailored based on a variety of factors including
organization type, size, systems, and regulatory requirements
43. HITRUST Cons
• Provides a prescriptive set of controls
• Focused on protecting data
• Requires use of proprietary HITRUST CSF platform
• Requires subscription for full access to framework
44. When to use HITRUST
• Need compliance with HIPAA security rule
• Need to protect ePHI and PHI data in the healthcare industry
• Primary business partners or customers are in the healthcare
industry
• Need flexibility to scale control obligations according to the type,
size, and complexity of the organization
45. COBIT
• Created and published by ISACA
• COBIT is often adopted by public companies
• COBIT is used as a compliance tool for Sarbanes-Oxley
• Used for governance and management of enterprise IT
• Four main domains
–Plan and organize
–Acquire and Implement
–Deliver and support
–Monitor and evaluate
46. COBIT Pros
• Business focused
• Process oriented
• General acceptance with third parties and regulators
• Can be partially implemented
• Managed by ISACA
• Has good implementation guidance
• Provides a holistic approach to security
47. COBIT Cons
• Broad coverage (not limited to a single area), which can
often lead to gaps.
• Multiple implementation guides must be reviewed and
implemented in order to achieve compliance.
–Information security
–Assurance
–Risk
• Cannot be certified against.
48. When to use COBIT
• When you need defined controls for business objectives
• Publicly-traded company
• When your organization needs a persistent information
governance environment
49. SANS CIS CSC
• Recommended actions for cyber defense
• Provides specific and actionable ways to stop attacks
• Prioritizes/focuses on a smaller number of actions with high
pay-off results
• Transforms threat data into actionable guidance
50. SANS CIS CSC Pros
• Prioritization for high-value immediate payoff
• Rapidly defines starting point
• Derived from common attack patterns
• Freely available
51. SANS CIS CSC Cons
• Focused solely on current critical threats
• Weak on IT Security Management
• Narrow security domain focus
• Largely technical security controls
52. When to use SANS CIS CSC
• SANS CIS CSC works well as a subset of controls for other
frameworks
• Use to quickly increase cyber defense and reduce cyber risks
• As a baseline for technical security control consideration
53. Knowledge Check
What is a common goal for all security frameworks?
• Provide a voluntary framework for cybersecurity
• Provide common set of standards to improve cybersecurity
• Provide strict requirements for cybersecurity
• Provide best practices for meeting regulatory compliance goals
54. Knowledge Check Solution
What is a common goal for all security frameworks?
• Provide a voluntary framework for cybersecurity. Not all security frameworks
are voluntary and some are required for regulatory compliance.
• Provide common set of standards to improve cybersecurity. The goal of all
security frameworks is to improve the security of the organization by
implementing well tested and defined practices.
• Provide strict requirements for cybersecurity. To be compliant with some
regulations, some frameworks have strict guidance, though this is not the
primary goal of security frameworks.
• Provide best practices for meeting regulatory compliance goals. The goal of all
security frameworks is to improve the security of the organization by
implementing well tested and defined practices not regulatory compliance.
• Controls that restrict access to appropriate personnel
• Annual cybersecurity awareness and training controls
• Privileged access to information and systems must be specifically requested and approved by appropriate personnel (i.e., management) before being delegated to the requesting individual
• Logging network traffic permitted through the entity's firewall
• Monitoring system changes by having appropriate approving individuals sign off on each change after it occurs
• Identifying vulnerabilities and mitigating potential exposure
• Monitoring user access for both privileged and nonprivileged user accounts
• Security audits for compliance
• Periodic security assessments to identify potential threats
• Having proper incident response policies in place
• Practicing incident response procedures so that all staff are aware of their roles and action items during a crisis event
• Updating the incident response policies and procedures based on how effective and efficient they were during practice rounds or after real-life events
Protection controls:
• Controls restricting access to appropriate personnel
• Cybersecurity awareness and training controls, and a requirement that they occur annually
• Privileged access must be specifically requested and approved by appropriate personnel before being delegated to the requesting individual
• Building access can only be obtained through appropriate personnel’s badge access
• Background checks must be performed on all possible hiring personnel before their hiring status is approved
Detection controls:
• Log of network traffic permitted past the firewalls
• Monitoring system changes by having appropriate approving individuals sign off on each change
• Monitoring user access of both privileged and nonprivileged user accounts
• Security audits for compliance
• Periodic security assessments to identify potential vulnerabilities and mitigate potential exposure
Reaction controls:
• Having proper incident response policies in place
• Practicing incident response procedures so that all staff are aware of their roles and action items during a crisis event
• Updating the incident response policies and procedures based on how effective and efficient they were during practice rounds or after real-life events
ISO 9001
By far the most popular family is that of ISO 9000. It is a family of quality management standards, fourteen in total. Of these, ISO 9001:2015 is the only one that can be certified to. It was first published in 1987 and has since been updated about every 7 years. The standard details how to put a Quality Management System (QMS) in place to better prepare your organization to produce quality products and services. It is customer focused, and places an emphasis on continuous improvement and top management processes that extend throughout the organization.
The standard was updated in 2015, and now places a greater emphasis on risk management. The standard is generic, and can be used in any organization in any sector. Over 1,000,000 ISO certifications have been given out in over 170 countries according to the ISO Survey of Management System Standard Certifications.
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.