Cybersecurity Governance, Risk and Compliance (GRC)

Managing risk to information assets. Business strategy –> IT strategy

All managers need to work together on the overall plan.

Planning (strategic, tactical and operational)

Organising (structuring of resources)

Staffing

Directing (what and how to work towards goals)

Controlling (check progress and correct issues, gather necessary resources)


GOVERNANCE: Goals (strategic alignment with business strategy, better risk management, better resource management, better performance measurement), Policies and Standards, Policy Lifecycle Management

Separate responsibilities, hold board of directors accountable.

RISK MANAGEMENT (Assessment, Evaluation, Monitoring, Mitigation)

COMPLIANCE (Change management, Project evaluation, Architecture review, Configuration Management)

Cybersecurity Management: The six Ps

Collect, process and use Info | Interact | Make decisions

Planning: Creating and implementing strategies for each of the major divisions in an organisation.

  • Strategic, tactical and operational
  • Policy
  • Personnel
  • Technology Rollout
  • Risk management
  • Security Program (See Programs)

Policy: Preventing misuse. Three general policy categories:

  • Enterprise Information Security Policy (EISP),
  • Issue-specific Security Policies (ISSPs) : dos and don’ts with specific resources and penalties
  • System-Specific Policies (SSPs) : additional instructions for the administration of each resource

Programs: Separate operations

  • Security education training and awareness (SETA)
  • Disaster recovery or incident response programs (Contingency programs)
  • Risk management programs (Identify, assess and control risk)
  • Physical security program
  • Business continuity

Protection: Selecting and managing controls to protect the organisation's assets. Monitoring.

Directly related to risk management and includes the SETA program, cybersecurity technologies (Firewalls, VPNs, IDPSs, MFA, …) and personnel… all these activities are interrelated.

People: the most critical resource.

Project Management: Apply a project management discipline to all elements in the Infosec program. Identify, control, measure and adjust throughout the process.

POSITIONING OF THE CYBERSECURITY DEPARTMENT

IT and Cybersecurity teams are not always aligned: efficiency vs security. The traditional approach creates conflicting roles for the CISO and the CIO, because the cybersecurity department sits inside the IT department.

Good alternatives would be: a separate cybersecurity department that reports directly to the president or CEO (own budget, more weight) | a separate department under another division that doesn't have a conflict of interest

Roles and Responsibilities

Technical and non-technical skills. Three main teams: Define, Build, Administrate.

Reporting structure: CEO –> COO, CIO, CFO, CMO

Under the CIO is the CISO, who leads the different Infosec officers/managers for the different teams/programs.

The CyberSETA Program

Cybersecurity education is typically performed by colleges and universities but training and awareness programs can be performed by the organization, often by the IT or cybersecurity staff

Certifications: CISM from ISACA, GIAC (SANS program), and CISSP and other certs from ISC2

Cybersecurity Strategic Planning

Long-term direction and the identification, allocation and acquisition of necessary resources, with a vision for the future of cybersecurity at the organisation

5-10 years

–> Tactical plan = 1 to 2 years –> Operational planning = day/week/month

Goal: end state VS Objective: Intermediate progress

Planning for contingencies

NIST 800-34r1

When, NOT IF defenses are compromised

WHEN…. WHAT then?

The contingency planning management team, or CPMT, is responsible for developing the CP policy, plans, and subordinate teams.

COMPONENTS:

  • Business Impact Analysis (BIA): identify the most critical systems or resources
    • Determine mission/business processes and recovery criticality
    • Identify resource requirements
    • Identify recovery priorities for system resources
  • Incident Response Plan (IR)
    • Planning team builds and prepares the incident response reaction team, commonly called a computer security incident response team, or CSIRT
    • Incidents typically do not threaten the overall viability of an organization, just the information assets within it. Incident response is the organization's set of planning and preparation activities for detecting, reacting to, and recovering from an incident.
  • Disaster Recovery Plan (DR)
  • Business Continuity Plan (BC)
    • when a disaster affects the buildings occupied, the BC team helps with moving to an alternate site

DEVELOP CP POLICY PLAN ~ CONDUCT BIA ~ IDENTIFY PREVENTIVE CONTROLS ~ CREATE CONTINGENCY STRATEGIES ~ DEVELOP A CONTINGENCY PLAN ~ ENSURE PLAN TESTING, TRAINING AND EXERCISE ~ ENSURE PLAN MAINTENANCE

The plan should be regularly updated

Crisis management planning is focused on the human aspects of incidents and disasters

Planning for the cybersecurity program

Systems Development Life Cycle. The SDLC contains several phases depending on the specific SDLC methodology adopted, but generally addresses investigation, analysis, design, implementation and maintenance as the major phases of the project. The resulting security SDLC, or SecSDLC, is more closely adapted for developing or enhancing a cybersecurity program. While a number of SDLC models can be used to illustrate its major steps, the model selected as the most suitable for cybersecurity program development or improvement is based on an older, simpler approach known as the waterfall model. The term waterfall model indicates that the work products of each phase fall into the next phase to serve as its starting point.

INVESTIGATION ~ ANALYSIS ~ DESIGN ~ IMPLEMENTATION ~ MAINTENANCE

Risk Management

Cybersec risk: the probability of loss, damage, destruction, or disclosure of an information asset.

Simply using best practices and recommendations from standards organizations like NIST and ISO might not meet an organisation’s needs. Need to identify and measure risk to know how to reduce it. Then repeat.

RISK APPETITE: acceptable risk for the company, in quantity and nature

An organisation's risk cycle is usually run every 1 to 2 years. At its beginning, it is important to draft a risk appetite statement.

Risk Tolerance: amount of risk for a particular information asset, different for each.

RESIDUAL RISK: risk that remains after reduction, under the defined threshold

SIGNIFICANT RISK: risk beyond the risk threshold

Risk management methodologies

Common components between models:

  1. Where and what is the risk (risk identification)?
  2. How severe is the current level of risk (risk analysis)?
  3. Is the current level of risk acceptable (risk evaluation)?
  4. What do I need to do to bring the risk to an acceptable level (risk treatment)?

MODELS AND METHODOLOGIES

NIST 800-37r2

PREPARE

CATEGORIZE

SELECT

IMPLEMENT

ASSESS

AUTHORIZE

MONITOR

ISO 27005/31000

ESTABLISHING THE CONTEXT: purpose, scope, assumptions and constraints, sources of information to be used, risk model and assessment approach. External context that would have an impact (business environment, regulations, threats and support). Internal context (governance structure, internal stakeholders, culture, maturity of the cybersecurity program, experience in policy, planning and risk management in general)

RISK IDENTIFICATION, ANALYSIS AND EVALUATION (RISK ASSESSMENT) -> was process acceptable? If not, start over

Identification: inventory, classification and categorization, asset valuation, threat identify/assess, TVA assignment. TVA worksheet. TVA triples, for example T1V1A1

Analysis: likelihood of attack and assessment of the impact of a successful attack. Risk calculation. Reporting

NIST SP 800-30r1 Likelihood table and Impact table

Risk = likelihood x impact. 1 to 5. Resulting number 1 to 25

Evaluation: comparison of risk ratings to the organisation's risk appetite, by identifying individual risk tolerances or thresholds for each asset, combining these risk tolerances into the risk appetite statement, comparing the risk associated with each asset to its risk tolerance, and determining whether significant risk remains.

Since we’re using a 1-25 scale for risk, we need the organization’s risk thresholds or risk tolerances to compare our risk ratings to. The organization may wish to establish an overall risk threshold of say 10 on the 25-point scale, which would mean any risk rating that is less than 10 is acceptable, while risk of 10 or more are not acceptable and identified as significant risk. The organization can and should establish different risk thresholds for different groups of assets.

RISK TREATMENT -> was process acceptable? If not, start over, if yes -> Risk acceptance

One of the challenges in risk treatment is that a strategy that improves the security of one asset may in fact improve the security of multiple assets and further reduce their risk. Imagine the organization installs a new advanced firewall, which could reduce the risk for all of the organization's information assets. The organization then has to keep this in mind when selecting additional risk controls under one of these strategies. Treating the unacceptable risk: 5 basic risk treatment strategies:

  • Defense (avoidance strategy)
  • Transference: shift risk to other assets/processes/organisations, for example by revising the deployment model, outsourcing, purchasing agreements, or customising SLAs or contracts with providers.
  • Mitigation: reduce the impact caused by an incident or disaster via contingency planning and preparation.
    • incident response plan, disaster recovery, business continuity, and crisis management plans.
  • Acceptance: recognized as a valid strategy only when the organization has assessed the risk and determined that the cost of controlling it would exceed the value of the information asset, and has documented that decision
  • Termination: removing the asset.
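The evaluation and treatment steps above (likelihood x impact on a 1-25 scale, a separate threshold per asset group, and one control such as a firewall lowering the risk of several assets at once) are easier to see run over a small register. The following is an added example, not code from the original notes; every asset, TVA triple, rating and threshold in it is constructed for illustration, and the "firewall" is modelled simply as a reduction in likelihood for every triple sharing the threat it addresses.

```python
"""Added example (not from the original notes): a minimal risk register that
applies likelihood x impact ratings, per-asset-group risk thresholds and the
shared-control residual-risk point made above. All asset names, ratings and
thresholds are constructed for illustration."""
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact each rated 1..5, product 1..25


@dataclass(frozen=True)
class TVA:
    """One threat-vulnerability-asset triple, e.g. T1V1A1 on the TVA worksheet."""
    threat: str
    vulnerability: str
    asset: str
    likelihood: int
    impact: int

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..5")

    @property
    def inherent_risk(self) -> int:
        return self.likelihood * self.impact


# Constructed inventory: asset -> group. Thresholds are set per group, as the
# notes recommend, rather than one number for the whole organisation.
ASSET_GROUPS = {"A1": "customer-data", "A2": "customer-data", "A3": "internal-wiki"}
RISK_THRESHOLDS = {"customer-data": 8, "internal-wiki": 15}  # rating >= threshold is significant

# Constructed TVA worksheet.
REGISTER = [
    TVA("T1-external-intrusion", "V1-unpatched-service", "A1", 4, 5),
    TVA("T1-external-intrusion", "V2-weak-admin-password", "A2", 3, 5),
    TVA("T2-insider-misuse", "V3-excess-privileges", "A2", 2, 4),
    TVA("T1-external-intrusion", "V1-unpatched-service", "A3", 4, 2),
]


def evaluate(register, controls=None):
    """Return {triple: (residual_rating, significant)} after applying controls.

    `controls` maps a threat id to a likelihood reduction. The same control
    reduces risk for every asset exposed to that threat, which is the
    firewall effect described above; likelihood never drops below 1.
    """
    controls = controls or {}
    result = {}
    for t in register:
        likelihood = max(1, t.likelihood - controls.get(t.threat, 0))
        rating = likelihood * t.impact
        threshold = RISK_THRESHOLDS[ASSET_GROUPS[t.asset]]
        result[t] = (rating, rating >= threshold)
    return result


def significant_risks(register, controls=None):
    """Significant (at-or-above-threshold) triples, highest residual rating first."""
    evaluated = evaluate(register, controls)
    rows = [(t.threat, t.vulnerability, t.asset, rating)
            for t, (rating, sig) in evaluated.items() if sig]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print("Before treatment:", significant_risks(REGISTER))
    # Hypothetical perimeter firewall: lowers T1 likelihood by 2 for every exposed asset
    print("After firewall:", significant_risks(REGISTER, {"T1-external-intrusion": 2}))
```

Note that A3 carries the same inherent rating (8) as the insider-misuse triple on A2, but only the latter is flagged, because the wiki group tolerates more risk; and that the single firewall control clears the A2 password triple while leaving the A1 triple significant at 10, so further treatment is still needed there.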

Implement security controls for vulnerabilities, layered protection, architectural designs and administrative controls.

When the attacker's gain is greater than their cost, apply protections to increase the attacker's cost and reduce their gain

Reduce attack surface

ENISA

by the European Union Agency for Cybersecurity

Preparation for risk management

ASSET INVENTORY: what, where, what groups

ASSET VALUATION: don't spend more on protecting an asset than it's worth. It's not just how much it costs to acquire: consider the cost of creating, maintaining, replacing, providing and protecting it, the value to owners (what the information is worth to you), the value of IP, the value to adversaries, and qualitative valuation (revenue generated, critical to success, most profitable, most expensive to replace or protect, greatest liability or embarrassment to lose)

THREAT ASSESSMENT: which threats apply, which are most dangerous, which would be most costly to prevent and to recover from after an attack. List ranked from most to least significant

Enterprise Cybersecurity Policy (EISP/ECSP)

It guides the development, implementation, and management of the cybersecurity program, even though it is usually only 2-5 pages long. Frequent modifications are usually not required.

Policy should never conflict with law. It must be able to stand up in court if challenged and it must be properly supported and administered.

Policy can be difficult to implement.

Must contribute to organisation’s success | Management must ensure the adequate sharing of responsibility for the proper use of information assets and systems. | Users of information assets and systems should be involved in the development of policy.

POLICY, STANDARD, GUIDELINES AND PROCEDURES

The standard is the more detailed statement of what must be done to comply with policy.

Guidelines are recommendations the user may want to use to help comply with policy.

A procedure is a defined set of steps to comply with the policy

Practice or rather best practice, is a set of examples used to illustrate compliance with the policy

PURPOSE

SPECIFIC CYBERSECURITY ELEMENTS

NEEDS

CYBERSEC FUNCTIONS

FUNCTIONS, ROLES AND RESPONSIBILITIES

REFERENCE

Issue-specific Cybersecurity Policy (ISSP)

Also called acceptable use policies

Articulates expectations on how resources should be used, documents how they are controlled, and identifies the processes and authorities that provide this control. Indemnifies the company against criminal use.

PURPOSE

AUTHORIZED USES

PROHIBITED USES

SYSTEMS MANAGEMENT: the users' responsibilities to the asset, employer monitoring, physical security, references to related policies (for example data management and backup), responsibilities

VIOLATIONS OF POLICY: penalties, how to report (when anonymous submissions are used, they should be reviewed by the organization's legal department, if one exists, or by a committee of representatives from throughout the organization, to ensure that no one can corrupt the process)

POLICY REVIEW AND MODIFICATION

LIMITATIONS OF LIABILITY

Different ways to manage the ISSP document: individual policies, a comprehensive policy, or a modular policy (recommended: the policies generated are individual modules, each created by a policy group, balancing quality of policy with ease of administration)

System-specific Cybersecurity Policy (SysSP)

Applicable to any technology that requires configuration. Can be developed with or before the ISSPs.

Include a statement of managerial intent and guidance to technicians or engineers on selecting, configuring, and operating a specific technology. It may even include information that could be converted to access control lists or configuration rules set to define levels of access for each authorized user

MANAGERIAL GUIDANCE

TECHNICAL SPECIFICATIONS: enforcing policies such as password changes, access control lists/tables, technology configuration rules

Developing and Implementing Effective Cybersecurity Policy

Writing ~ Approval ~ Implementation

Policy Distribution: Policy management system

Policy Comprehension: write for minimal reading levels. Flesch Reading Ease and Flesch-Kincaid scores. Assess with quizzes and other forms of assessment

Policy Compliance: act or affirmation

Refusal to comply? Include policy documents in employment contracts

Policy Enforcement

Cybersec Policy performance measurements

we measure what we value, and we value what we measure

assess both technical and managerial controls

  • DETERMINE EFFECTIVENESS OF POLICY, EFFICIENCY OF SERVICES, IMPACT OF A SECURITY EVENT

Must yield quantifiable information; only repeatable processes should be considered; measurements must be useful for tracking performance and directing resources.

Specify what you’re going to measure, then how, where, when

Macro-focus (overall performance) or Micro-focus (performance of individual control)

Prioritize with a simple low, medium, high priority ranking

Defining effective security, argument on how to define an effective program

NIST: develop a template.

Target: usually a percentage, up to 100%

IMPLEMENTATION

Continuous improvement operation

  1. Prepare for collection
  2. Collect data and analyse results, comparing measurements against the target goals (gap analysis)
  3. Identify corrections (treatment strategies)
  4. Develop and justify the business case for implementing the corrections
  5. Obtain resources
  6. Apply corrective actions
