Saif Ahmed (Saudi Arabia) asked:

Cyber Security Processes

Dears, what does it mean when a Cyber Security Framework says that the Organization should define, approve, implement, communicate and monitor an asset “management process” or a threat intelligence “management process”, or that the Member Organization should incorporate cyber security requirements into human resources processes? Does anyone have a sample process for any of these domains/controls, please? I need to understand what a “process” entails.

Rodney Barnhardt (United States of America):

The phrase "the member organization" simply refers to the organization to which the policies apply. For example, if my team is creating a series of cyber security policies for our company, our company is the "member organization". If we are a consulting firm doing it for another company, that company is the "member organization". The sample would depend on what framework you intend to implement. There are several, and some depend on the country where the organization is located and what type of business it performs, like financial, manufacturing, etc. Here in the US, we have NIST, for example:
https://www.nist.gov/cyberframework/examples-framework-profiles 

The EU has one:
https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-isms/framework

Others are listed here:

https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one


Saif Ahmed (asker):

Thanks Rodney, but what I meant was “the process”, not the organization. What does a process contain, I mean?

skullnobrains:

the lists of events and planned actions, such as what happens when you decommission a server or a new employee is hired. you are expected to provide processes for common and uncommon scenarios and show that you know what is not, or not fully, covered, whether you are working on other situations, how, and why.

the whole thing is essentially paperwork. it helps achieve decent security but is nowhere near sufficient. the point is to push a mindset and exhaustive checklists so you won't forget a whole aspect.

If I understand your question, you want to know the process for creating a cybersecurity framework? If so, there are a number of steps in this process. It is similar to a project management process.

1. Complete a full asset inventory. Determine every system on the network. This can be done through a number of tools. You need to know the type of device, operating system, IP addresses, etc. From this inventory, you then start building a list of priorities and scope. The most critical systems would be the first to be addressed in this priority.
2. Next, determine any regulatory requirements and verify vulnerabilities in each system.
3. Create a security profile based on the framework you are planning on implementing for your organization.
4. Create a risk assessment that includes each system and known vulnerabilities that need to be addressed. This includes things like the likelihood of a targeted attack (some industries are more susceptible than others).
5. Next, create a profile for where you would like to be in the future and how much risk the organization is willing to take on to reach it.
6. Look for gaps and address them. Part of this process may determine that there are numerous gaps in the organization. For example, if there is not any security training for the staff, like anti-phishing, etc., that is something that would need to be listed and addressed in the action plan. From this, an action plan is developed.
7. Implement the determined action plan.

Be sure to document everything as a formal plan. Also, this should include the process to continually scan, verify, and remediate vulnerabilities in an ongoing fashion. This is not a one-time shot. It is a constant process.

This document may be useful to depict "what good looks like"; it has been captured under the control considerations, which describe minimally what the process should demonstrate:
https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf

Asset “management process”

Objective: To support the Member Organization in having an accurate and up-to-date inventory and central insight in the physical / logical location and relevant details of all available information assets, in order to support its processes, such as financial, procurement, IT and cyber security processes.

Control considerations:
1. The asset management process should be defined, approved and implemented.
2. The effectiveness of the asset management process should be monitored, measured and periodically evaluated.
3. The asset management process should include:
   a. a unified register;
   b. ownership and custodianship of information assets;
   c. the reference to relevant other processes, depending on asset management;
   d. information asset classification, labeling and handling;
   e. the discovery of new information assets.

Threat intelligence “management process”

Objective: To obtain an adequate understanding of the Member Organization’s emerging threat posture.

Control considerations:
1. The threat intelligence management process should be defined, approved and implemented.
2. The effectiveness of the threat intelligence management process should be measured and periodically evaluated.
3. The threat intelligence management process should include:
   a. the use of internal sources, such as access control, application and infrastructure logs, IDS, IPS, security tooling, Security Information and Event Monitoring (SIEM), support functions (e.g., Legal, Audit, IT Helpdesk, Forensics, Fraud Management, Risk Management, Compliance);
   b. the use of reliable and relevant external sources, such as SAMA, government agencies, security forums, (security) vendors, security organizations and specialist notification services;
   c. a defined methodology to analyze the threat information periodically;
   d. the relevant details on identified or collected threats, such as modus operandi, actors, motivation and type of threats;
   e. the relevance of the derived intelligence and the action-ability for follow-up (e.g., SOC, Risk Management);
   f. sharing the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS members).

Human resources "processes"

Objective: To ensure that Member Organization staff’s cyber security responsibilities are embedded in staff agreements and staff are being screened before and during their employment lifecycle.

Control considerations:
1. The human resources process should define, approve and implement cyber security requirements.
2. The effectiveness of the human resources process should be monitored, measured and periodically evaluated.
3. The human resource process should include:
   a. cyber security responsibilities and non-disclosure clauses within staff agreements (during and after the employment);
   b. staff should receive cyber security awareness at the start and during their employment;
   c. when disciplinary actions will be applicable;
   d. screening and background check;
   e. post-employment cyber security activities, such as:
      1. revoking access rights;
      2. returning information assets assigned (e.g., access badge, tokens, mobile devices, all electronic and physical information).
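To make the asset management control considerations above concrete, here is an added example (not code from the SAMA framework or from any poster in this thread) of what a minimal "unified register" looks like in practice, together with the two checks an effectiveness review would run over it: reconciling a discovery scan against the register (consideration 3e) and measuring how complete the ownership, custodianship and classification records are (considerations 2, 3b, 3d). The classification scheme, asset identifiers, owners and the discovery result are all constructed sample data, not values from the page.

```python
"""Minimal asset register illustrating the SAMA asset-management control considerations.

Added example: not from the SAMA framework or any poster. All asset ids, owners,
classifications and the discovery scan result are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed classification scheme; the framework only requires that one exists (3d).
CLASSIFICATIONS = ("public", "internal", "confidential", "secret")


@dataclass
class Asset:
    asset_id: str                           # unique key in the unified register (3a)
    kind: str                               # server, laptop, application, document, ...
    location: str                           # physical or logical location (objective)
    owner: Optional[str]                    # accountable owner (3b)
    custodian: Optional[str]                # day-to-day custodian (3b)
    classification: Optional[str]           # classification label (3d)
    linked_processes: Tuple[str, ...] = ()  # other processes that depend on this record (3c)


class AssetRegister:
    """Unified register plus the checks a periodic effectiveness review would run."""

    def __init__(self, assets: Iterable[Asset] = ()):
        self._assets: Dict[str, Asset] = {}
        for asset in assets:
            self.add(asset)

    def add(self, asset: Asset) -> None:
        # A unified register has exactly one record per asset id.
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        self._assets[asset.asset_id] = asset

    def control_gaps(self) -> Dict[str, List[str]]:
        """Per-asset list of register fields that are missing or invalid."""
        gaps: Dict[str, List[str]] = {}
        for asset in self._assets.values():
            missing = []
            if not asset.owner:
                missing.append("owner")
            if not asset.custodian:
                missing.append("custodian")
            if asset.classification not in CLASSIFICATIONS:
                missing.append("classification")
            if missing:
                gaps[asset.asset_id] = missing
        return gaps

    def reconcile(self, discovered: Set[str]) -> Tuple[Set[str], Set[str]]:
        """Compare a discovery scan with the register (3e).

        Returns (ids seen by discovery but not registered,
                 registered ids that discovery did not see).
        """
        registered = set(self._assets)
        return discovered - registered, registered - discovered

    def effectiveness(self, discovered: Set[str]) -> Dict[str, float]:
        """Metrics a periodic evaluation (consideration 2) could report."""
        unregistered, not_seen = self.reconcile(discovered)
        total = len(self._assets)
        complete = total - len(self.control_gaps())
        seen = len(discovered & set(self._assets))
        return {
            "registered": total,
            "unregistered_discovered": len(unregistered),
            "registered_not_discovered": len(not_seen),
            "discovery_coverage": round(seen / total, 2) if total else 0.0,
            "record_completeness": round(complete / total, 2) if total else 0.0,
        }


# Constructed sample register: two records are deliberately incomplete.
SAMPLE_ASSETS = [
    Asset("srv-001", "server", "DC-1 rack 4", "finance-it", "ops", "confidential",
          ("change-management", "procurement")),
    Asset("lt-042", "laptop", "HR office", "hr", None, "internal"),          # no custodian
    Asset("app-payroll", "application", "cloud tenant A", "hr", "ops", "top-secret"),  # label not in scheme
    Asset("doc-policy", "document", "intranet", "ciso", "ciso", "internal"),
]

# Constructed result of a hypothetical discovery scan: one unknown host, and the
# policy document is not something a network scan would see.
SAMPLE_DISCOVERY = {"srv-001", "lt-042", "app-payroll", "srv-999"}


def build_sample_register() -> AssetRegister:
    return AssetRegister(SAMPLE_ASSETS)


if __name__ == "__main__":
    register = build_sample_register()
    print("gaps:", register.control_gaps())
    print("unregistered, not seen:", register.reconcile(SAMPLE_DISCOVERY))
    print("metrics:", register.effectiveness(SAMPLE_DISCOVERY))
```

The point of the example is what a "process" produces that an auditor can check: a register with a defined schema, a repeatable reconciliation step that surfaces new assets (srv-999 here) and stale records (doc-policy), and numeric measures that can be tracked from one review to the next. Which tools feed the discovery set, who owns the follow-up of each gap and how often the review runs are the parts the written process has to define.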
Asker certified solution

🔐 Peter GEELEN (Belgium):

And BTW, an "asset" is not only hardware or software, but also other "tangible" assets including people.

Even more...  "assets" also include non-tangible items that have value to your company and that you need to protect like reputation, knowledge, expertise, experience...  

And in many cases, security to protect these assets will cover PPPT (physical, people, process and technology).

The newest ISO27002:2022 standard is a great guide to get it implemented.
(ISO27001:2022 is about to be published in sept/oct 2022...)

Rgds, Peter