Center for Internet Security (CIS) Controls
Control 01: Inventory and Control of Enterprise Assets
•"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate."
Control 02: Inventory and Control of Software Assets
•"Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution."
Control 03: Data Protection
•"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data"
Control 04: Secure Configuration of Enterprise Assets and Software
•"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things devices; and servers) and software (operating systems and applications)."
Control 05: Account Management
•"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software."
Control 06: Access Control Management
•"Expands on account management by specifying the type of access that user accounts should have. Organization should follow the principles of "least privilege" and "need-to-know" role assignments. These methodologies assist with the goal that users only have access to systems, services, and data needed to perform their job duties."
Control 07: Continuous Vulnerability Management
•"underscores the criticality of regular review of the cyber environment to identify weaknesses in order to help deter attackers."
•"Development of a plan to assess and track vulnerabilities on all enterprise assets periodically within the enterprise's infrastructure to reduce the opportunity of attacks while monitoring industry sources for new threat information."
Control 08: Audit Log Management
•"Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack."
Control 09: Email and Web Browser Protections
•"Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement."
Control 12: Network Infrastructure Management
•"Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points."
•Example: Updating documents.
Control 13: Network Monitoring and Defense
•"Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base."
Control 14: Security Awareness and Skills Training
•"Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risk to the enterprise."
Control 16: Application Software Security
•"Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise."
Control 17: Incident Response Management
•"Establish a program to develop and maintain an incident response capability (like policies, plans, procedures, defined roles, training, and communication) to prepare, detect, and quickly respond to an attack."
Control 18: Penetration Testing
•"Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker."
COBIT (Control Objectives for Information and Related Technologies) is a set of IT governance standards created by ISACA (Information Systems Audit and Control Association).
Gov objectives:
•E
•
Managers objectives:
•Deliver, Service, and Support (DSS): addresses the security, delivery, and support of IT services. It has six objectives, three of which cover IT security (DSS05 - Managed Security Services), business controls (DSS06 - Managed Business Process Controls), and business continuity (DSS04 - Managed Continuity).
•
•Monitor, Evaluate, and Assess (MEA):
•
The role of IT
•Support: an IT system that is not critical for operations
•Factory: an IT system that will not have an immediate impact on business operations and continuity if it fails
•Turnaround: an IT system that drives innovation for the business but is not required for critical business operations
•Strategic: an IT system that is crucial for both innovation and business operations
Role of IT        | Is it critical for operation? | Is it innovative?
Support           | No                            | No
Factory           | Yes                           | No
Turnaround        | No                            | Yes
Strategic         | Yes                           | Yes
Data Privacy
Disclosures permitted under HIPAA: redacted information, information disclosed to the individual, information used for the individual's treatment, disclosure with valid authority, disclosure where the individual neither agrees nor objects within a reasonable time, and disclosure as required by law.
NIST Privacy Framework
Core Functions:
Identify: inventory and mapping, business environment, risk assessment, and data processing ecosystem risk management
Govern: governance policies, process and procedures; risk management strategy; awareness and training; and monitoring review
Control: data processing policies, processes, and procedures; data processing management; and disassociated processing
Communicate: helps the organization determine how it should drive dialogue around privacy risks related to its data processing activities.
Protect: data protection policies, processes, and procedures; identity management, authentication, and access control; and data security, maintenance, and protective technology
Detect
Respond
Recover
Control implementation approaches, decided on a per-control basis:
Common (inheritable) controls: Implement controls at the organizational level, which are adopted by information systems
System-Specific controls: Implement controls at the information system level
Hybrid controls: Implement controls at the organization level where appropriate and the remainder at the information system level.
Baseline Controls: Required to be in conformance to the control family. Baseline controls do not enhance existing controls.
Assessment is not a type of control; it is a procedure used to determine the impact of a subject matter.
NIST Implementation Tiers
Tier 1 (Partial)
Tier 2 (Risk Informed)
Tier 3 (Repeatable)
Tier 5 (Adaptive)
Framework Profiles: the mechanism by which NIST recommends companies measure cybersecurity risk and establish a roadmap so the organization can minimize that risk. A profile is an implementation guide with insight specific to a particular industry. Profiles should factor in organizational goals, industry goals, legal and regulatory requirements, industry best practices, and risk management priorities.
Current Profile: the current state of the organizational risk management
Target Profile: the desired future state of organizational risk management
Gap Analysis: identifies the difference between the current and desired state, serving as a means by which an organization can drive change.
Types of Standards and Policies to follow
For companies located in the EU, such as in Italy, the scope of the General Data Protection Regulation applies to data processing organizations, even if the data is processed outside of the EU.
HIPAA Security Rule: covered entities are required to protect against reasonably anticipated threats to the security of information.
COBIT
Principles for a governance framework:
Based on conceptual model
Aligned to major standards
Open and flexible
Design factors:
IT implementation methods
•"The methods that can be used to implement new IT projects, such as Agile, DevOps, Waterfall, or a hybrid of such methods."
Threat Landscape
•"The environment in which the company operates. The threat landscape may be classified as normal or high because of geopolitical threats or issues, the industry sector, or economical issues."
Enterprise Strategy
•"Strategies that generally include a primary and secondary strategy, such as growth/acquisition, innovation/differentiation, cost leadership, and client service strategies."
Risk Profile
•"A profile addressing current risk exposure for the organization and mapping out which risks exceed the organization's risk appetite."
