246 ◾ CISO Compass

1.6 Address unauthorized assets.
1.7 Deploy port-level access control.
1.8 Utilize client certificates to authenticate hardware assets.

The CIS Controls also provide descriptions for executing each of the sub-controls, indicate the asset type (applications, devices, network, data) related to the control, and map the control to the NIST Cybersecurity Framework Function.
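As an added example of what sub-control 1.6 reduces to in practice (this is not code from CISO Compass or from CIS), the following Python reconciles a network scan against an authorized-asset inventory keyed by MAC address and reports anything on the wire that is not on the list, plus inventory entries that were not seen at all. The inventory, the scan lines, their "ip mac vendor" layout and every address in them are constructed for illustration.

```python
"""Added example, not code from CISO Compass or from CIS: a minimal
unauthorized-asset check in the spirit of CIS sub-control 1.6. It reconciles
hosts seen on the network against an authorized-asset inventory and reports
anything that is not on the list. Inventory, scan output and MAC addresses
below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> (hostname, owning team).
# In practice this comes from the CMDB / asset-management system.
AUTHORIZED_INVENTORY = {
    "00:1a:2b:3c:4d:01": ("ws-finance-01", "finance"),
    "00:1a:2b:3c:4d:02": ("ws-finance-02", "finance"),
    "00:1a:2b:3c:4d:10": ("srv-build-01", "engineering"),
    "00:1a:2b:3c:4d:20": ("printer-03", "facilities"),
}

# Constructed scan output in an "ip  mac  vendor" layout similar to what an
# ARP sweep or a DHCP-lease export produces. The last two lines are noise.
SCAN_OUTPUT = """\
10.0.5.11  00:1a:2b:3c:4d:01  Dell Inc.
10.0.5.12  00:1a:2b:3c:4d:02  Dell Inc.
10.0.5.50  00:1A:2B:3C:4D:10  Supermicro
10.0.5.77  dc:a6:32:11:22:33  Raspberry Pi Foundation
10.0.5.78  ff:ff:ff:ff:ff:ff  (broadcast, not an asset)
this line is not a scan record
"""

SCAN_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*(.*)$"
)


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    vendor: str


def parse_scan(text: str) -> list[Host]:
    """Parse scan records; skip malformed lines and the broadcast address."""
    hosts = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if not m:
            continue
        ip, mac, vendor = m.groups()
        mac = mac.lower()  # normalise case so inventory lookups are stable
        if mac == "ff:ff:ff:ff:ff:ff":
            continue
        hosts.append(Host(ip, mac, vendor.strip()))
    return hosts


def reconcile(hosts: list[Host], inventory: dict) -> dict:
    """Split discovered hosts into authorized / unauthorized and list
    inventory entries that were not seen at all (possibly stale records)."""
    seen = {h.mac for h in hosts}
    return {
        "authorized": [h for h in hosts if h.mac in inventory],
        "unauthorized": [h for h in hosts if h.mac not in inventory],
        "not_seen": sorted(mac for mac in inventory if mac not in seen),
    }


def report(text: str = SCAN_OUTPUT, inventory: dict = AUTHORIZED_INVENTORY) -> dict:
    """Run the reconciliation and print the two findings that need action."""
    result = reconcile(parse_scan(text), inventory)
    for h in result["unauthorized"]:
        print(f"UNAUTHORIZED {h.ip} {h.mac} ({h.vendor or 'unknown vendor'})")
    for mac in result["not_seen"]:
        print(f"NOT SEEN     {mac} ({inventory[mac][0]})")
    return result


if __name__ == "__main__":
    report()
```

The check keys on the MAC address because that is what a scan hands you, but a MAC is trivially cloned, so a match only means "something claiming this identity is present". That weakness is why 1.7 and 1.8 follow 1.6: port-level access control and client certificates (in practice 802.1X with EAP-TLS) move the identity decision from a forgeable address to a key the device has to prove it holds.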

TONY SAGER: JUMP-STARTING CONTROLS PRIORITIZATION WITHIN A CONTROL FRAMEWORK

SVP, and Chief Evangelist, CIS (Center for Internet Security)

“What do I do first?” When I started taking the National Security Agency (NSA) cyberdefense mission “public” in the early 2000s, this was the most frequent question from audiences. That caught me by surprise, so you can tell I was never a CISO with the responsibility to solve problems. As a career-long software vulnerability analyst and executive manager at NSA, I got to point out problems. I was also struck by the irony—never in history have cyberdefenders had such great access to tools, training, guidance, threat information, control catalogs, and security frameworks. But all of this technology, information, and oversight had become a veritable “Fog of More”—more options, priorities, and opinions than an enterprise could manage. While security wizards can dream up countless ways that systems might be attacked, a useful priority scheme starts with how systems are being attacked. And while every enterprise is different, we all have more in common in cyberspace (e.g., technology, connectivity, attack types) than we do that is different. So, a community-level strategy of shared labor for threat analysis, translation into action, content development, and support is the only sensible path. If our social goal is to get all enterprises to a foundational level of security, we will never get there if every enterprise has to go it alone. This is the motivation that led to what we now call the CIS Controls and the CIS Benchmarks, and is central to the work of the CIS. Starting from the community-developed content of the CIS Benchmarks and Controls provides an independent, vetted, and no/low-cost starting point for prioritization. They inherently address the most important needs for visibility, control, and ability to take defensive action. There is also a rapidly growing marketplace of complementary tools for implementation, adaptation, and measurement, as well as a way to map to any security framework.
By starting from what we have in common and building to that, we gain great leverage for rapid action, consistency, and leverage to create a strong foundation for cyberdefense, and spend more of our scarce resources on things that really are unique about us.

The Security Control Framework Maze ◾ 247

An interesting development in 2018 was the publication of Version 1.0 of the CIS Risk Assessment Method (CIS RAM), which recognizes the need to balance the implementation of information security controls with the organization’s purpose and objectives. The risk assessment method supplements the implementation of controls to provide a common language not only among security professionals, but also with regulators, business management, and legal authorities. Today, the language of “due care” and “reasonable safeguards” used in the legal system after a breach does not connect well with the maturity levels the frameworks have traditionally provided. What does a “3” mean in terms of due care? Is it enough? When management accepted the risk of the system, did they consider the potential harm to the public? The legal system operates on a “duty of care,” which requires organizations to demonstrate that the controls they used kept the risk reasonable to the organization and appropriate to other interested parties at the time of the breach. To bridge this communication gap, CIS and Halock Security Labs worked together to produce the CIS RAM. In short, the method allows an organization to demonstrate that it implemented adequate controls while considering the “burden” to the organization of implementing them, thus finding a balance between what you should do to protect others and what you can do as a business. CIS RAM is the first risk assessment method built on the new Duty of Care Risk Analysis Standard (DoCRA). It will be interesting to see how the acceptance of DoCRA progresses and the level of adoption it achieves between the legal and security communities, as it directly marries the risk assessment techniques noted in the Risk Management chapter, the legal practices noted in the security incident and “it’s the law” chapters, and this chapter on security control frameworks. There are clear benefits to moving toward a more seamless conversation among the cybersecurity, legal, and business communities.
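The balancing test described above has two halves: the risk left after a safeguard must sit within the level the organization has declared acceptable, and the safeguard must not be more burdensome than the risk it addresses. The following Python is an added, simplified illustration of that test; it is not the CIS RAM worksheets, scoring tables or any code from CIS, Halock or CISO Compass. The 1-5 impact and likelihood scales, the acceptable-risk threshold, the scoring of burden at likelihood 5, and the sample safeguards are all constructed assumptions.

```python
"""Added example, not from CISO Compass, CIS or Halock: a simplified
illustration of the balancing test the CIS RAM / DoCRA discussion describes.
A safeguard is judged reasonable only if (a) the risk left after it is within
the organization's acceptable level and (b) the safeguard is not more
burdensome than the risk it addresses. The 1-5 scales, the acceptable-risk
threshold and the sample figures are constructed assumptions, not the actual
CIS RAM worksheets or scoring tables."""
from dataclasses import dataclass

# Constructed threshold: on a 1..25 (impact x likelihood) scale, management
# has decided that scores up to 8 are tolerable.
ACCEPTABLE_RISK = 8


@dataclass(frozen=True)
class Risk:
    impact: int      # 1..5 harm, to the organization AND to other interested parties
    likelihood: int  # 1..5 how often the harm is expected to be realised

    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual: Risk   # the risk that remains once the safeguard is in place
    burden: int      # 1..5 impact on the organization of running the safeguard

    def burden_score(self) -> int:
        # Assumption: a safeguard's cost is certain once adopted, so the
        # burden is scored at likelihood 5 to put it on the same 1..25 scale.
        return self.burden * 5


def evaluate(inherent: Risk, sg: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> dict:
    """Answer the two questions of the balancing test for one safeguard."""
    residual = sg.residual.score()
    burden = sg.burden_score()
    within_acceptable = residual <= acceptable
    not_over_burdensome = burden <= inherent.score()
    return {
        "safeguard": sg.name,
        "inherent": inherent.score(),
        "residual": residual,
        "burden": burden,
        "within_acceptable": within_acceptable,
        "not_over_burdensome": not_over_burdensome,
        "reasonable": within_acceptable and not_over_burdensome,
    }


def reasonable_options(inherent: Risk, candidates: list) -> list:
    """Names of candidate safeguards that pass both tests, least burdensome first."""
    passing = [sg for sg in candidates if evaluate(inherent, sg)["reasonable"]]
    return [sg.name for sg in sorted(passing, key=lambda s: s.burden_score())]


# Constructed scenario: customer records exposed through an unpatched
# internet-facing service. Impact 5 (the harm falls mostly on customers),
# likelihood 4 -> inherent risk 20, well above the acceptable level.
INHERENT = Risk(impact=5, likelihood=4)

CANDIDATES = [
    # cuts likelihood to 1 at moderate burden -> passes both tests
    Safeguard("monthly patch cycle + WAF", Risk(5, 1), burden=2),
    # cheap, but leaves residual 10 > 8 -> fails the acceptable-risk test
    Safeguard("quarterly patching only", Risk(5, 2), burden=1),
    # effective, but burden 25 > inherent 20 -> over-burdensome
    Safeguard("rebuild platform, dedicated team", Risk(5, 1), burden=5),
]

if __name__ == "__main__":
    for sg in CANDIDATES:
        r = evaluate(INHERENT, sg)
        print(f"{r['safeguard']:<35} residual={r['residual']:>2} "
              f"burden={r['burden']:>2} reasonable={r['reasonable']}")
    print("Reasonable options:", reasonable_options(INHERENT, CANDIDATES))
```

The point the figures make is the one the text makes: the cheapest option fails because it does not bring risk to the declared acceptable level, and the most thorough option fails because its burden exceeds the risk it addresses; only the middle one can be defended as both adequate and reasonable. Whatever scales an organization adopts, the acceptable-risk threshold has to be set and recorded before the assessment, since it is the number a "due care" argument will later rest on.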

Information Technology Infrastructure Library (ITIL)

Information Technology Infrastructure Library (ITIL) is a set of books published by the British government’s Stationery Office between 1989 and 1992 to improve IT service management. The framework contains a set of best practices for core IT operational processes such as change, release, and configuration management; incident and problem management; capacity and availability management; and IT financial management.

ITIL’s primary contribution is showing how the controls can be implemented for the service management IT processes.

Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides

Configuration standards for Department of Defense information assurance are freely available and are used as the basis for technical standards by many private organizations.