Overview
With the exponential growth of cyberspace over the past two decades has come increasing risk of data security breaches involving sensitive and private information. High-profile attacks occur almost daily, and hacking cases have grown in frequency, magnitude, and level of damage. Definition and measurement are the keys to improving cybersecurity defense capabilities.
System Soft delivers a cybersecurity and data privacy audit program in conjunction with Sedgwick LLP, an international law firm, to preside over your company’s legal and technical compliance objectives and safeguard your data assets. This is accomplished through a strategic approach that is guided by NIST (National Institute of Standards and Technology) standards. The Cybersecurity Strategy defines and provides direction to make decisions and allocate resources, and produces control mechanisms for the implementation of the strategy.
Methodologies
Our strategic framework is inspired by the NIST core functions of Identify, Protect, Detect, Respond, and Recover, with an emphasis on the identification step, as accomplished with our situational awareness and measurement studies.
There are differences in the evaluation criteria between NIST profiles and CMM. In this case, NIST involves “as-is” and “to-be” analysis (which are more stringent than the tiers “aware”, “repeatable”, and “adaptive”). CMM utilizes “initial”, “repeatable”, “defined/measure”, “managed”, and “self-optimizing” criteria.
The ongoing cycle definitions of the Cybersecurity Strategy are as follows (see Figure 1):
• Situational Awareness Study of the current Cybersecurity environment
• Data gathering using CS5L
• Measurement using the Capability Maturity Model (CMM) Cybersecurity standards
• Vulnerability mapping using NIST and ISO/IEC 27K standards
• Compliance and regulation check and planning
• Risk Management and planning, including incident mitigation
Figure 1: Cycle Definitions
SYSTEM SOFT TECHNOLOGIES
The Cybersecurity Strategy begins with an enterprise-wide evaluation of an organization’s legal exposure and technological capabilities. This rigorous situational awareness study is followed by a process of data gathering and measurement conducted by our management system, the Cybersecurity Strategy 5 Layout (CS5L) Capability Maturity Model.
The measurement stage applies to your employees, processes, and the cybersecurity solutions companies that provide defenses in one or more of the layout areas in your enterprise.
The 5 layouts are arranged as follows:
• Network: Hardware and devices, Bring Your Own Device (BYOD), data gathering, encryption, etc.
• Application Security (AppSec): Access programs, wireless, telephony, etc.
• Security Awareness: Employee training, capabilities, procedural knowledge, etc.
• Internal Defense: Anti-virus, data encryption, backup and recovery, version control, etc.
• Forensics: Denial of service attacks, breach attempts, etc.
The Cybersecurity Strategy 5 Layout is used as a framework to measure and determine gaps in your cybersecurity capabilities using the 5 Layout approach (Figures 2 and 3), which results in a standard measurement. From this, the strategy continues through its ongoing cycle into vulnerabilities, compliance, and risk management, resulting in a tactical plan that is built upon the NIST core functions and capability maturity according to the NIST profiles. An example of an effective tactical plan:
• Capability Maturity using the CS5L—action steps to mature
• Risk Management actions
  - Corporate and officer risk actions
  - Defend Vulnerability actions
  - Defend Compliance actions
• Incident planning and actions
Using Cybersecurity Strategy: CS5L—5 Layout
Using the CS5L CMM framework, we gather data and measure using the 5 Layout approach (CS5L), which, in turn, results in a standard measurement (CMM). Corporations throughout the world usually employ a variety of Cybersecurity Solutions Providers, which provide various defenses and monitor their security. They participate in providing data, build and maintain system interfaces, and are able to contribute iterative questions on their capability in the layout or layouts covered by their defense solution. System Soft Technologies can manage that process. As seen in the diagram below, the CS5L system is essentially a reporting system that gathers data into a SQL database named “CyberSecurityStrategy” from each of the 5 layouts. These functionalities and components are graded (e.g., levels of training) using the Capability Maturity Model (CMM); hence the overall system name becomes “CS5L CMM”.
This results in a model able to measure cybersecurity risk on an enterprise level and provide measurement and analysis to the end step (6): Vulnerability Mapping, Compliance, and ultimately Risk Management.
CS5L—5 Layout Approach
The 5 layout Cybersecurity Defense Strategy, CS5L, is a developed standard for measuring people, procedures, and systems at an enterprise. When engaged at a client site, System Soft Technologies deploys trained cybersecurity, systems, and analytical experts to support this five layout approach. The process begins with a situational awareness study, which is really a ‘self-study’ because it is primarily done by the client, and thereafter the process is focused in two stages, data gathering and measurement. Both are performed using the 5 layouts (Figure 2).
The 5 Layouts
1. Network (Communications)
This entails vendors who provide Virtual Private Network (VPN) hardware, networking equipment, firewalls and software, e.g. Cisco. This is part of a defense layout extending to every endpoint and BYOD. It includes data gathering and network encryption on all devices, as well as user access. Analysis of the design and configuration of these networks and firewalls, with a focus on vulnerabilities, is also performed under Network.
2. AppSec (Software Systems)
AppSec (Application Security) covers applications developed by the client that interact with services hosted by the client, and applications that are installed on any part of their network (hosted, end-client, or server). This includes: Wireless, DMZ servers, Telephony, Border Routing, Remote Administration, Web Security Gateway, Remote Access VPN, etc. It also covers access policies, authentication, and methods of access to systems and data.
3. Security Awareness (People, capability, and procedures)
Security Awareness is often measured by the level of training, a part of which is sometimes called Employee Cybersecurity Awareness Training (ESAT). The purpose is to measure access to ESAT for all employees, agents, and/or B2B companies that have Tier 1. The ESAT program should work through an online Web app which is under the control of the IT department, in collaboration with Human Resources, and performs a simulated cybersecurity attack on employees known as Phishing, and then measures their performance. Thereafter, it runs training programs via email (via the Web) which, in turn, let users proceed at their own pace by allowing stopping and restarting. Once complete, the ‘dummy’ attack is performed again and measured. Security awareness should also include developer training for application development, administrative policy, privacy management, and risk assessment.
4. Internal Defense (In-house scanning, policies and controls)
Internal Defense categories include: AV (Anti-Virus), Data Encryption, Disaster Recovery, Backup and Recovery, Installation and version control, USB usage, Managing Alerts, and Incident Mitigation.
5. Forensics (CSI and real-time monitoring)
Forensics requires full system access for analysis and measurement of the entire IT configuration, and is followed by the design and delivery of custom plans for responsive action to prevent denial of service attacks and access breach attempts, e.g. Sourcefire Security (now a Cisco product).
Figure 2: Cybersecurity Strategy Layouts
Layout Internal Functions
Within each layout are four important functions or steps which all lead to measurements. They are:
1. Defenses
In each layout there are defined defenses. Most CSC’s cover a specific defensive function, and others transfer defenses into other layouts; for example, firewall CSC’s often do Forensics, and Networks do Firewalls. This is why the CS5L layouts follow the ISO/IEC 27K standards in their defense definition, and why some defenses are detailed in more than one layout.
2. Situational Awareness Study
The situational awareness study is performed largely by your managers of the various layout areas, guided by the CS5L CMM. This does require that both technical and legal professionals visit your facilities to identify your key personnel and open communications.
3. Data Gathering
CS5L gathers data to be used by the CMM in two ways. First, by collecting answers to questions directed at Network and internal defenses, Forensics, Firewall, and training methodologies, which exposes deficiencies and outlines areas of need. The second is by gathering detailed security information using penetration testing tools and data feeds on existing systems, plus data sources from the various CSC’s that may be in place.
4. Measurement
Using a SaaS (software as a service) solution, SSTech consultants apply the data to the CMM. Thereafter, the technical analytics are performed at System Soft Technologies, and the legal analysis is done at Sedgwick’s offices.
Capability Maturity Modeling Profiles
CMM Cybersecurity employs NIST profiles, by which we measure the clients’ cybersecurity health and capabilities. Our grading system rates each of the five layouts, based on the NIST established tiers. The tier system is structured as follows and is shown in Figure 3:
1. Initial (Grade E)
Cybersecurity practices are often disorganized rather than formalized, and performed on a reactionary basis. The process is not documented and therefore not repeatable.
2. Repeatable (Grade D)
Formal cybersecurity policies are in place and basic risk management techniques are established and consistently repeatable.
3. Defined and Measured (Grade C)
The organization has developed its own detailed process with more complete documentation and implementation. Methods are in place to handle changes in risk.
4. Managed (Grade B)
The organization uses data collection and analysis to monitor and control its cybersecurity risks.
5. Self-Optimized (Grade A)
Cybersecurity risk management processes are constantly being improved. The self-optimized organization has the capability to mature and teach their procedures as the business changes and
© 2015 System Soft Technologies, All Rights Reserved
System Soft Technologies provides a full spectrum of IT services and system solutions using a combination of elite technical knowledge and unmatched expertise in the use of cutting-edge technologies. Our mission is to provide clients with innovative IT consulting and solutions, and to foster an environment that creates a collaborative business experience while producing business outcomes.
CMM Measurement
In Stage 6, measurements are returned relating to the three areas: Vulnerability, Compliance, and Risk Management. The components of each of those areas are shown below.
Vulnerability
• Map the CMM to vulnerabilities
• Use the NIST Standards
• ISO/IEC 27001:2013
• Validation of CMM
• Use Validation tools
Compliance
• Industry-specific compliance design rules (e.g., HIPAA, SCADA, PCI, etc.)
• Regulatory Exposure
• HIPAA Compliance
• PCI Compliance
• SCADA Compliance
Risk Management
• Contract Exposure
• Geopolitical
• Historical Incidents
• Policies/Controls
• Risk Planning
• Incident Mitigation
• Change in control