ISC2CT Chapter Meeting April
Thu, Apr 28 | Virtual Event
Program Maturity - Cybersecurity and Operational Risk Management
Time & Location
Apr 28, 2022, 7:00 PM – 8:30 PM EDT
Virtual Event
About the event
Program Maturity - Cybersecurity and Operational Risk Management
Business executives leverage cybersecurity programs to understand residual risk. That helps them make informed decisions to mitigate risk to an acceptable level. This session provides guidance to improve program maturity in stages.
Maturity Level 1. Minimal Compliance
Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework.
A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with these external requirements is likewise a minimal approach to designing a program.
Maturity Level 2. Common Controls
Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them. Gap analysis: Deploy controls based on proven methodologies such as the 20 CIS Controls.
* Patching
* Penetration testing
* Web application firewall
Establish a risk-based approach for implementing controls.
Maturity Level 3. Risk Management
It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. We discuss 'Threat Landscape and Controls Analysis' and a Risk Register process.
Maturity Level 4. Strong Risk Management
At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.
* The cybersecurity program maintains controls specific to line of business products, services and assets
* An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
* Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers
A multi-generational plan can be used to improve program maturity. Strong risk management pays dividends over time with low occurrence of harsh negative events. When incidents do occur, controls are in place to limit business impact.