Developing and maintaining a security program for any organization can be a daunting exercise when tackling risk management. There is a wide range of controls and processes to identify where an enterprise may have vulnerabilities, lack of visibility, or a public footprint that attracts threat actors. Identifying areas where risk is present and highlighting where acceptable and unacceptable risks lie is an important step in tying together Information Technology initiatives and what the business requires from an information security standpoint. This typically covers an exhaustive number of topics such as encryption requirements and methodology covering data at rest as well as in motion, web and application security, business continuity and incident response and recovery efforts.
Fostering governance with business stakeholders assists with providing clear direction for policy creation and explicit mandates that the business requires to achieve an acceptable amount of risk being present. Specific industries also have legislated responsibilities to adhere to such as the federal PIPEDA (Personal Information Protection and Electronic Documents Act) or a provincial example like British Columbia's PIPA (Personal Information Protection Act).
This leads the conversation towards Security Frameworks which provide standards, guidelines, and best practices to help manage and reduce risk. Frameworks also assist with clearly connecting executive level direction and risk threshold (Organization Risk), business level process (Critical Infrastructure Risk) and operational controls to secure infrastructure. The frameworks that I speak most often to organizations about are the Center forInternet Security (CIS) Critical Security Controls Framework, National Institute of Standards andTechnology (NIST) Cybersecurity Framework, and the framework for International Organization for Standardization (ISO) 27000 series. These frameworks provide a standardized method for managing risk, prioritizing deficiencies that need to be addressed and ensuring that the organizations security program is taking a layered approach to defence.
Security Frameworks group processes and tools that are used when developing a layered security approach. The NIST CSF identifies five core functions the framework and categorized areas of control. The core functions are Identify, Protect, Detect, Respond and Recover as listed in the figure below.
Each of the Categories listed above identify grouped processes and controls that can improve the security posture of security control bucket. As an example, under the Protect Core Function we have the category Identity Management and AccessControl (PR.AC). This category contains the subcategories:
1. Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
2. Physical access to assets is managed and protected
3. Remote access is managed
4. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
5. Network integrity is protected (e.g., network segregation, network segmentation)
6. Identities are proofed and bound to credentials and asserted in interactions
7. Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
The structure of the framework assists with identifying areas where processes, policies and controls are in place or in need of improvement and clearly identify structured industry best practices to assist with security maturity growth.
Selecting and implementing a security framework is a unique undertaking for each organization as the security maturity and capabilities, security requirements and risk threshold differs drastically for each business
Planning and setting goals for where the organization needs to be from a security perspective ensures all stakeholders are on the same page and working towards a common outcome. Identifying what assets need to be protected, what risk stakeholders are comfortable with being present and what goals can be set to ensure there is protection and recovery capabilities where they are most needed is the initial step to building out a successful security program.
The next step in implementing a framework involves identifying what the current capabilities are. Aligning those capabilities to the framework increases the efficacy of building a security program. The CIS Framework assists with that alignment by identifying ImplementationGroups and the NIST Framework uses Implementation Tiers which provide a growth path for organizational capabilities and maturity while in parallel controls are implemented. A description of the NIST Implementation Tiers:
· Tier 1: Partial - This means your cybersecurity practices are generally reactive to whatever cybersecurity event is occurring.
· Tier 2: Risk-Informed - This tier describes companies that may be aware of some risk and are regularly making plans for how to respond to that risk.
· Tier 3: Repeatable - The Repeatable tier applies to companies that have clearly outlined and regularly repeatable cybersecurity processes.
· Tier 4: Adaptive - Adaptive companies are proactive in terms of cybersecurity measures, preventing events instead of reacting to them.
Growing the enterprise capabilities from Tier 1 to Tier 4in the quickest manner possible is not crucial, progression can happen organically as the security program is treated as a lifecycle and business decisions that take cost and security posture into account at the appropriate growth stage are identified.
Following the exercise of identifying the organizations capabilities, performing a risk assessment of the current security efforts, determining what is currently working well and where it may be deficient or have gaps is a significant next step. Risk assessments can be performed by internal teams or independent external assessors and can be designed in advance to use the framework the organization has selected which provides great context for beginning the framework implementation. Identified deficiencies can be shared with the organizations stakeholders and a strategy developed to close the security gaps.
Once the current state of the security program is clearly defined and goals are set one can implement controls and begin remediation efforts using the developed framework aligned strategy. Implementing controls and measuring the reduction in risk as the security program and capabilities mature will set the stage for the risk management lifecycle to be well communicated and understood, measurable and efficient. I often refer to security as a ‘lifecycle’ and a ‘program’ as these efforts and outcomes need to be fostered and maintained for continued effectiveness. As business requirements change and the security landscape changes, the impact technology has on business outcomes requires a cyclical approach to analyzing how security policies, processes, and standards are applied and reviewing what controls are in place as technology footprints adapt to the growing needs of an organization.
Author: Josh Patton (Solutions Architect)