Risk Management and Assessment in ISO Standards

Questions and Answers

APPSEC/ETH group GRC & CISO group DPI Cloud sec & compliance Operational ______.

Technology

Living-off-the-land attacks use trusted system tools to conduct attacks, making them harder to ______

detect

Mobile and IoT devices are increasingly targeted, with malvertising and malware posing ______

threats

A zero-day vulnerability is a software weakness unknown to those who should mitigate it, allowing hackers to exploit it before a fix is ______

available

The economics of cybercrime is a significant issue, with estimated costs reaching $6 trillion in ______

2021

CISOs/Security Officers act as strategic and tactical leaders in ______

cybersecurity

Spear phishing is a targeted form of email ______

scam

Ransomware attacks involve mass infection of systems and demand payment in exchange for restoring access to ______

data

The cybersecurity landscape is subject to an ever-growing number of laws, regulations, and standards, such as ISO27k, NIST, CIS, GDPR, NIS, and FDA ______

rulings

The technology layer includes implementation, automation, and ______

reporting

Employee awareness forms the hygiene layer of ______

cybersecurity

Hackers' return on investment (ROI) influences their target selection, with an average return per attack being less than $4,500

[blank]

Cybercrime operates like a business, with a supply chain, middlemen, and distribution ______

channels

An ISMS (Information Security Management System) is a ______ approach for managing an organization's information security, based on risk assessment and the organization's risk acceptance levels.

systematic

ISO27k is a family of standards with two main standards: ______ focuses on security controls and risk assessments, while ISO27002 provides guidelines for implementing security controls.

ISO27001

To define a ______ security strategy and roadmap, consider business objectives, security trends, and maturity levels.

tailored

Cyber ______ is an essential barrier for trade in the context of security trends and security management.

Compliance

The cybersecurity industry faces a significant lack of ______, with 1205 vacancies in Belgium and a 16% vacancy rate.

resources

Risk management is a crucial aspect of ISO27001:2017, and risks must be ______ at different levels and occasions.

managed

Developing a ______ strategy involves selecting a standard/framework, increasing technical security countermeasures, and prioritizing based on current maturity levels and budget constraints.

cybersecurity

Challenges in cybersecurity include the '______ of More' and the need for a business-driven, optimized ROSI (Return on Security Investment).

Fog

Cybersecurity presents ______, such as avoidance of direct damage, customer and investor confidence, and product differentiation.

opportunities

______ of a security strategy include governance, organizational risks, technical maturity, and security requirements.

Pillars

______ includes context, leadership, planning, support, operation, performance evaluation, and improvement.

ISO27001:2017

A threat is a potential cause of an unwanted incident, and risk management involves comprehensive risk assessments, ______, and assessments during significant changes.

updates

ISO31000 and ISO27001:2017 define ______ as the potential harm or threat to an organization, determined by its impact and probability

risk

Risk management for ______ servers, such as JIRA and Confluence, involves assessing and protecting critical information assets

CI/CD

Example assets include ______ Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives)

Active

ISO27001:2017 outlines 114 ______ in 14 clauses and 35 control categories for effective risk management, including ______ for information security policies, human resource security, and access control

controls

The ______ Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management

NIST

The NIST CSF focuses on ______ for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems

options

______ diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF

Continuous

ISO27002:2017 and other ______ provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls

standards

NIST validates cyber security programs and offers ______ for individuals as NIST CSF Practitioners

certifications

The ______ Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements

CIS

The ______ critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation

5

IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise. The principal concern is keeping business operational and protecting ______ and financial information.

employee

IG2 organizations employ individuals responsible for managing and protecting IT infrastructure. They support multiple departments with varying risk profiles and may have regulatory compliance burdens. They store and process sensitive client or company information and can withstand short interruptions of service. Loss of public confidence is a major ______.

concern

IG3 organizations employ security experts specializing in different cybersecurity facets. Systems and data contain sensitive information or functions subject to regulatory and compliance oversight. They address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the ______.

public

After a maturity assessment using the chosen governance standard (NIST CSF / ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks. Define high-level risk mitigation actions and set maturity targets for the next 3 years based on ______ benchmarks.

industry

Prioritize and detail the risk mitigation actions. Consolidate findings, risks, and mitigation actions to create a cybersecurity ______.

strategy

Findings include potential risks and should be summarized with context and insight to understand what is ______.

important

Describe the risks associated with each finding, but remember that these are not the equivalent of detailed ______ assessments.

risk

The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF ______.

standards

The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the ______.

organization

Sub-Controls should be implementable with limited expertise, aimed at thwarting general attacks, and should work with small or home office COTS hardware and ______.

software

Sub-Controls help security teams cope with increased operational complexity and depend on ______-grade technology and specialized expertise.

enterprise

Sub-Controls must abate targeted attacks and reduce the impact of ______ attacks.

zero-day

High-level description of the actions to take to mitigate the risk associated with finding A. These high-level actions will be further detailed later on.

missing

High-level description of the actions to take to mitigate the risk associated with finding B. These high-level actions will be further detailed later on.

missing

High-level description of the actions to take to mitigate the risk associated with finding C. These high-level actions will be further detailed later on.

missing

HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY

One can choose to set a target maturity over 3 years, based on benchmark figures within the same sector:

Track        Reference   Now    2021   2022   2023
Governance   2,40        2,11   2,11   2,25   2,40
Technical    2,10        1,50   1,75   1,95   2,20

Prioritize and detail

For each high-level, risk-mitigating action, you can now specify the more detailed actions to take and prioritize these actions over the coming (3) years. Per action, think about documenting:

  • Part of the governance or technical track
  • The detailed action
  • Stakeholders
  • Budget estimate
  • Timing
  • Must-do / Roadmap candidate

Consider putting the high-level actions on a timeline.

Example Deliverable 1 to 4 (slide figures, not reproduced)

Security Operating Model (GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT)

Cybersecurity is too big a task to be handled by one person. Divide and conquer.

Managed Security Office Framework: Client Security Office; Security Office; Essential Security & Compliance Projects; Ecosystem of partners; Expert Services.

Security Office – Typical persons involved (Client X Security Office):

  • Account manager
  • Cloud security expert (if applicable)
  • Application security expert (if applicable)
  • CISO / SPOC (required)
  • Security Architect (if applicable)
  • Sidekick (preferred)
  • … (what's applicable)

Foundation – Strong foundation principle for SOaaS (diagram): Pentest, CIS assessment, Intelligence Gathering, Business Threat Model, Continuous Verification, Security Office Portal, Continuous Vulnerability Scanning, Governance Control, Incident Response, Brainframe.

Foundation – Security Office Portal:

  • Compliance standards: CIS, M365 CIS, Azure CIS, Zero Trust, GDPR, NIST, ISO 27001, MITRE ATT&CK; custom compliance; project management
  • Data sources with in-depth recommendations: M365 & AAD, Azure, Conditional Access, OnPremises, AWS, Google Cloud
  • 450+ customizable rules

Cyber Security & Start & ScaleUps (GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT)

Tech Scale-Up Phases: Conserve cash, then Invest Aggressively. Search for product/Market Fit; Search for Repeatable, Scalable, & Profitable Growth Model; Scaling the Business.

Phase 1: Product/Market Fit (Search for product/Market Fit)

  Business Objectives: Define MVP; Find Beachhead Market for MVP.
  Security Objectives: Define Minimal Viable Product Security; Bootstrap Security.
  How to Implement Security Objectives:
  • Focus on Product Security Only
  • Define Basic Non-Functional Requirements Manually
  • Threat Modeling
  • Validate Security of MVP
  • Penetration Testing
  • Use Subsidized Security Services to minimize costs.

Phase 2: Repeatable, Scalable & Profitable Growth (Search for Repeatable, Scalable, & Profitable Growth Model)

  Business Objectives: Exponential growth and market development. Gaining trust of corporate and enterprise customers.
  Security Objectives: Gain overall security maturity and make it demonstrable towards interested stakeholders.
  How to Implement Security Objectives:
  • Adopt Security Standards (ISO27k, NIST, …)
  • Appoint Security Resources (CISO, Security Officer, DPO); can still be part-time
  • Retain focus on Product Security: Agile Pentesting, Agile Threat Modeling
  • Optimize important processes by adopting (basic) security technology, e.g. buy Cloud Licenses that include security functionalities (E5, …), SAST/DAST tooling to improve code quality, …

Phase 3: Aggressive Scaling (Scaling the Business)

  Business Objectives: Sustain market leadership & growth
  Security Objectives: Continue to.

missing

Study Notes

  • The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF standards.
  • The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the organization.

IG1:

  • IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise.
  • Principal concern is keeping business operational and protecting employee and financial information.
  • Sub-Controls should be implementable with limited expertise, aimed at thwarting general attacks, and should work with small or home office COTS hardware and software.

IG2:

  • IG2 organizations employ individuals responsible for managing and protecting IT infrastructure.
  • Support multiple departments with varying risk profiles and may have regulatory compliance burdens.
  • Store and process sensitive client or company information and can withstand short interruptions of service.
  • Loss of public confidence is a major concern.
  • Sub-Controls help security teams cope with increased operational complexity and depend on enterprise-grade technology and specialized expertise.

IG3:

  • IG3 organizations employ security experts specializing in different cybersecurity facets.
  • Systems and data contain sensitive information or functions subject to regulatory and compliance oversight.
  • Address availability of services and the confidentiality and integrity of sensitive data.
  • Successful attacks can cause significant harm to the public.
  • Sub-Controls must abate targeted attacks and reduce the impact of zero-day attacks.
  • After a maturity assessment using the chosen governance standard (NIST CSF / ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks.
  • Define high-level risk mitigation actions and set maturity targets for the next 3 years based on industry benchmarks.
  • Prioritize and detail the risk mitigation actions.
  • Consolidate findings, risks, and mitigation actions to create a cybersecurity strategy.
  • Findings include potential risks and should be summarized with context and insight to understand what is important.
  • Describe the risks associated with each finding, but remember that these are not the equivalent of detailed risk assessments.
