how to implement a sustainable cybersecurity compliance framework

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Upload: wwwsecurekmcom-secure-knowledge-management-inc

Post on 12-Apr-2017


TRANSCRIPT

Page 1: How to implement a sustainable Cybersecurity compliance framework


Page 2: How to implement a sustainable Cybersecurity compliance framework

• Agility

• Governance

• Risk Management

• Verify & Validate

• Innovation

• Conclusion


Page 3: How to implement a sustainable Cybersecurity compliance framework


The Canadian Institute of Chartered Accountants

Page 4: How to implement a sustainable Cybersecurity compliance framework


a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.

b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.

c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.

d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.

e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.

Page 5: How to implement a sustainable Cybersecurity compliance framework

• Reduce risks and threats to the Confidentiality, Integrity and Availability of Information Assets and System Resources by providing policies, practices and standards designed to mitigate or eliminate all known risks and threats.

• Improve the effectiveness and efficiency of Security and Privacy Management by implementing a world-class best practice and framework for consistent, concise security administration.

• Improve the effectiveness and efficiency of existing security and privacy mechanisms by formalizing new practices to monitor compliance and maintain sensitive data awareness.

• Improve reassurance testing and validation outcomes by Internal Audit and External Auditors to further assure the Executive Management Team that the organization’s Information Assets and System Resources are secure.

• Reduce the likelihood that an accidental security incident or breach of personal information caused by staff could have an adverse effect on the organization’s reputation or liabilities, potentially leading to financial losses, by providing an ongoing Cybersecurity education and awareness program.


Page 6: How to implement a sustainable Cybersecurity compliance framework


a) Flexibility, adaptability and scalability, to reflect new and evolving regulatory requirements beyond simple certification compliance, as well as investor and shareholder expectations.

Page 7: How to implement a sustainable Cybersecurity compliance framework


Cybersecurity Program Management

Page 8: How to implement a sustainable Cybersecurity compliance framework


Compliance Management can be broken down into 4 general categories: statutes, regulations, internal facing and external facing.

Page 9: How to implement a sustainable Cybersecurity compliance framework


b) Ownership and maintenance of process documentation, control activities and responsibility for evidence of operating effectiveness rest with the underlying business process owners and not a separate compliance or certification team.

Page 10: How to implement a sustainable Cybersecurity compliance framework


The NIST Cybersecurity Framework includes 5 major domains and 21 subtopics. The integration of risk management within the governance over this standard is crucial to the success of its implementation.

Page 11: How to implement a sustainable Cybersecurity compliance framework


[Chart: NIST CSF Conformity, 0% to 100%, plotted against maturity Tier 1 to Tier 4; labels: International Best Practices, Current Practices, Lower Risk & Unplanned Expenses, Reduce Defects and Incidents]

There are 4 tiers of maturity defined within the NIST Cybersecurity Framework.

• Tier 1: Partial

• Tier 2: Risk-Informed

• Tier 3: Risk-Informed and Repeatable

• Tier 4: Adaptive

It is management's job to identify where the organization sits within the defined maturity tiers and to plan out a roadmap that will move the organization towards a higher level of compliance and assurance.

Page 12: How to implement a sustainable Cybersecurity compliance framework


ISO/IEC 27001 was created by the UK Government to help manage security between suppliers/vendors and the Government. ISO/IEC 27001 is comprised of 261 mandatory and discretionary controls.

Page 13: How to implement a sustainable Cybersecurity compliance framework


Bridging the delta between high-level frameworks and operational level activities is essential to achieve success, resilience and sustainability. By mapping NIST CSF to ISO/IEC 27001/27002 and then to ITIL/ISO 20000 you can achieve this goal.

Page 14: How to implement a sustainable Cybersecurity compliance framework

IDENTIFY

• Asset Management: NIST, ISO/27001, ISO/55000, SSAE 16 SOC1, ISAE 3402 SOC2

• Business Environment: NIST, ITIL, COBIT, ISO/27001, PMP, PCI DSS, SSAE 16 SOC1

• Governance: NIST, ISO/27001, ISO/38500, COBiT, SSAE 16 SOC1

• Risk Assessment: NIST, ISO/27001, RCMP TRA, ISO/31000, SSAE 16 SOC1

• RM Strategy: NIST, COSO ERM, ISA ERM, ISO/31000


On this slide we look at the key control breakdown from the 5 NIST CSF domains, to subtopics and major integrated control frameworks. Most organizations have already invested in security and will be able to leverage their investments under the new NIST Cybersecurity Framework.

Page 15: How to implement a sustainable Cybersecurity compliance framework

PROTECT

• Access Control: NIST, ISO/27001, PCI DSS, SSAE 16

• Awareness and Training: NIST, ISO/27001, PCI DSS, SSAE 16

• Data Security: NIST, ISO/27001, Blooms Taxonomy, PCI DSS, SSAE 16

• Protection Procedures: NIST, ISO/27001, ISO/18001, ISO/14001, FDA MDS2

• Maintenance: NIST, ISO/27001, ITIL, PCI DSS, SSAE 16, ISAE 3402

• Protective Technology: NIST, ISO/27001, CIPS, FDA MDS2, PCI DSS, SSAE 16


Organizations that have already invested in security will be able to leverage their investments under the new NIST Cybersecurity Framework.

Page 16: How to implement a sustainable Cybersecurity compliance framework

DETECT

• Anomalies and Events: NIST, ISO/27001, ITIL, SIRT, SSAE 16, ISAE 3402

• Security Continuous Monitoring: NIST, ISO/27001, ITIL, SIRT, SSAE 16, ISAE 3402

• Detection Process: NIST, ISO/27001, ITIL, SIRT, SSAE 16, ISAE 3402


Page 17: How to implement a sustainable Cybersecurity compliance framework

RESPOND

• Response Planning: NIST, ISO/27001, ITIL, CSIRT, SSAE 16, PCI DSS

• Communications: NIST, ISO/27001, ISO/9001, SSAE 16, ISAE 3402, PCI DSS

• Analysis: NIST, ISO/27001, Blooms Taxonomy, SSAE 16, ISAE 3402

• Mitigation: NIST, ISO/27001, ITIL, ISO/9001, SSAE 16, ISAE 3402, PCI DSS

• Improvements: NIST, ISO/27001, ITIL, ISO/31000, ISO 9001, SSAE 16, ISAE 3402


Page 18: How to implement a sustainable Cybersecurity compliance framework

RECOVER

• Recovery planning: NIST, ISO/27001, ISO/22301, SSAE 16, ISAE 3402, PCI DSS

• Improvements: NIST, ISO/27001, ISO/9001, SSAE 16, ISAE 3402, PCI DSS

• Communications: NIST, ISO/27001, Blooms Taxonomy, SSAE 16, ISAE 3402


Page 19: How to implement a sustainable Cybersecurity compliance framework

NIST CSF Reference Architecture


This is a reference model used in security architecture to help design a security program and share knowledge with others on how it all works together.

Page 20: How to implement a sustainable Cybersecurity compliance framework


c) Process documentation, control activities and evidence of operating effectiveness managed as corporate knowledge, in a way that provides for internal consistency and integrity and maximizes its reusability for other purposes, including its use in facilitating business and operational changes.

Page 21: How to implement a sustainable Cybersecurity compliance framework


A Risk Assessment is necessary once all assets have been identified within the scope of service. These assets are utilized for the product or service delivery and the revenue stream.

Page 22: How to implement a sustainable Cybersecurity compliance framework


Once risks have been identified they need to be treated, and the “risk treatment plan” is the best way of accomplishing this. Managers have been assigned and corrective and preventive action plans documented. The corresponding service desk ticket is included for reference.

Page 23: How to implement a sustainable Cybersecurity compliance framework


From the strategic planning view, broken down into annual mini-projects, the security roadmap may be useful to you when communicating to the board of directors or shareholders. This roadmap helps to clarify the message by plotting security activities over the next 3 years.

Page 24: How to implement a sustainable Cybersecurity compliance framework


Risks associated with strategic planning, credit, market and financial matters that are considered open and ongoing, versus mitigated and closed, can be added to the Risk Registry. Within the 1 – 5 impact scale columns a threshold can be added for clarity. These risks are for internal reporting purposes and probably would not be shared or reviewed with the external party.
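The Risk Registry and the risk treatment plan described on pages 22 and 24 can be kept as a small structure and checked mechanically for threshold breaches, untreated open risks and what an external party should not see. The following is an added example, not code from the deck; the field names, the impact threshold of 4, the internal-only categories and the sample risks, owners and ticket numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
IMPACT_THRESHOLD = 4   # assumed: impact at or above this is flagged in the register
INTERNAL_ONLY = {"strategic", "credit", "market", "financial"}  # slide: internal reporting only

@dataclass
class TreatmentPlan:
    owner: str              # manager assigned to the risk
    corrective: List[str]   # corrective action plan
    preventive: List[str]   # preventive action plan
    ticket: str             # service desk ticket kept for reference

@dataclass
class Risk:
    risk_id: str
    category: str           # strategic, credit, market, financial, security, ...
    description: str
    impact: int             # impact scale column, 1 (minor) .. 5 (severe)
    status: str             # "open" (ongoing) or "closed" (mitigated)
    treatment: Optional[TreatmentPlan] = None

    def __post_init__(self) -> None:
        if not 1 <= self.impact <= 5 or self.status not in ("open", "closed"):
            raise ValueError(f"{self.risk_id}: bad impact or status")

def flagged(registry: List[Risk], threshold: int = IMPACT_THRESHOLD) -> List[str]:
    """Open risks at or above the impact threshold, i.e. the ones needing attention."""
    return [r.risk_id for r in registry if r.status == "open" and r.impact >= threshold]

def untreated(registry: List[Risk]) -> List[str]:
    """Open risks that still lack a risk treatment plan (a gap the register exposes)."""
    return [r.risk_id for r in registry if r.status == "open" and r.treatment is None]

def report(registry: List[Risk], audience: str = "internal") -> List[str]:
    """Register rows; the external view drops internal-only categories."""
    rows = []
    for r in registry:
        if audience == "external" and r.category in INTERNAL_ONLY:
            continue
        flag = "!" if r.impact >= IMPACT_THRESHOLD else " "
        ticket = r.treatment.ticket if r.treatment else "-"
        rows.append(f"{flag} {r.risk_id} [{r.category}] impact={r.impact} {r.status} ticket={ticket}")
    return rows
# Constructed sample register; risk ids, owners and ticket numbers are made up.
SAMPLE_REGISTRY = [
    Risk("R-001", "security", "Unpatched internet-facing web server", 5, "open",
         TreatmentPlan("J. Doe", ["Apply vendor patches"], ["Monthly patch cycle"], "SD-1042")),
    Risk("R-002", "financial", "FX exposure on supplier contracts", 3, "open"),
    Risk("R-003", "security", "Shared admin account on file server", 4, "closed",
         TreatmentPlan("A. Lee", ["Issue named accounts"], ["Quarterly access review"], "SD-0987")),
]
```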

Page 25: How to implement a sustainable Cybersecurity compliance framework


d) The return of Internal Audit to its primary role, that of providing an independent assessment of management’s business risk mitigation activities, from being the primary collector of evidence to support management’s assessment of control effectiveness.

Page 26: How to implement a sustainable Cybersecurity compliance framework


Traceability Matrix

In some of the 16 critical industries it is necessary to track changes to the infrastructure. This helps with root-cause analysis if something breaks because we have a clearer picture of the organization.

Page 27: How to implement a sustainable Cybersecurity compliance framework


e) Support and encouragement for the evolution and increased capability and maturity of business processes and controls, including fostering stronger and more effective, efficient and reliable control activities to replace less reliable or efficient control activities.

Page 28: How to implement a sustainable Cybersecurity compliance framework


Control Design

Innovation happens where different people with different experiences come together to solve problems. For example the fishbone diagram has been used for years to help map out root cause analysis. When you add the six primary assets required to run a company, service or program you begin to see some granularity. When you overlay the controls used to mitigate known risks from frameworks like ISO/IEC 27001 or NIST it becomes easier to identify security risks and weaknesses. From a security investment perspective you create a visual perspective that can be used with Executives to pinpoint

Page 29: How to implement a sustainable Cybersecurity compliance framework


Control Design

When the control numbers have been mapped to the applicable framework the English text can be recalled to add some clarity to the integrated risk management control framework that has been assembled.
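Recalling control text by number, and bridging the NIST CSF to ISO/IEC 27001 mapping from page 13 down to evidence of operating effectiveness, can be done with a plain lookup table. This is an added example, not the deck's own material: the few control identifiers are taken from NIST CSF v1.1 and ISO/IEC 27001:2013 Annex A as I recall their informative references, their wording is paraphrased and should be checked against the standards, and the operating-status values are constructed.

```python
from typing import Dict, List

# Control number -> (framework, paraphrased English text). Paraphrased from
# NIST CSF v1.1 and ISO/IEC 27001:2013 Annex A; verify wording against the standards.
CONTROL_TEXT: Dict[str, tuple] = {
    "ID.AM-1": ("NIST CSF", "Physical devices and systems are inventoried"),
    "ID.AM-2": ("NIST CSF", "Software platforms and applications are inventoried"),
    "PR.AC-1": ("NIST CSF", "Identities and credentials are issued, managed, revoked and audited"),
    "DE.CM-1": ("NIST CSF", "The network is monitored to detect potential cybersecurity events"),
    "RS.RP-1": ("NIST CSF", "Response plan is executed during or after an incident"),
    "A.8.1.1": ("ISO/IEC 27001", "Inventory of assets"),
    "A.9.2.1": ("ISO/IEC 27001", "User registration and de-registration"),
    "A.12.4.1": ("ISO/IEC 27001", "Event logging"),
}

# Cross-framework map (a subset of the CSF informative references as I recall them).
# RS.RP-1 is deliberately left unmapped to show how a gap surfaces.
CSF_TO_ISO: Dict[str, List[str]] = {
    "ID.AM-1": ["A.8.1.1"],
    "ID.AM-2": ["A.8.1.1"],
    "PR.AC-1": ["A.9.2.1"],
    "DE.CM-1": ["A.12.4.1"],
}

def recall(control_id: str) -> str:
    """Turn a bare control number back into readable text for the integrated framework."""
    framework, text = CONTROL_TEXT[control_id]
    return f"{control_id} ({framework}): {text}"

def integrated_view(csf_id: str) -> List[str]:
    """CSF subcategory followed by the ISO controls that implement it, all in English."""
    return [recall(csf_id)] + [recall(iso) for iso in CSF_TO_ISO.get(csf_id, [])]

def unmapped(csf_ids: List[str]) -> List[str]:
    """CSF subcategories with no operational-level control behind them: the delta to bridge."""
    return [c for c in csf_ids if not CSF_TO_ISO.get(c)]

def csf_status(csf_id: str, iso_status: Dict[str, str]) -> str:
    """A subcategory is only 'operating' when every mapped ISO control operates effectively."""
    iso_controls = CSF_TO_ISO.get(csf_id, [])
    if not iso_controls:
        return "unmapped"
    return "operating" if all(iso_status.get(i) == "operating" for i in iso_controls) else "gap"

# Constructed evidence of operating effectiveness, as a process owner would record it.
SAMPLE_ISO_STATUS = {"A.8.1.1": "operating", "A.9.2.1": "gap", "A.12.4.1": "operating"}
```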

Page 30: How to implement a sustainable Cybersecurity compliance framework


Sustainable compliance is achievable and within the grasp of every organization regardless of size with the integration of internationally accepted quality management standards like the NIST Cybersecurity Framework and ISO/IEC 27001:2013. This approach enforces governance and risk management while establishing an agile program that seeks out innovation and quality.

Page 31: How to implement a sustainable Cybersecurity compliance framework


For more information, contact the author via LinkedIn: http://ca.linkedin.com/in/markesbernard