In this video, Kip Boyle breaks down how organization can make or break a program. Explore how to organize an information security program around resilience.
- Being resilient to cyber attacks and cyber failures is one of the four major goals of an information security program. The way we're going to meet that goal is to organize our information security program so resilience is a top priority. We'll do that by selecting a high-level model or framework, selecting controls that explicitly support cyber resilience while at the same time satisfying our customers' information security requirements, our compliance mandates, and supporting our executives. And, we'll measure how well we implement these controls as a basis for conducting and improving our cyber risk management program.
Let's look at two specific frameworks for organizing our information security program around cyber resilience. As you'll see, there are a lot of similarities. Previously, we saw the NIST Cybersecurity Framework. It has five high-level functions. Let's look at each one. Identify means to develop the organizational understanding to manage cyber security risk. Prevent means to develop and implement the appropriate controls to stop cyber attacks from happening.
To detect is to know when a cyber security event happens, and to respond means to take action on a detected cyber security event. Recover means to restore all capabilities and services that were impaired due to the cyber security event. Now let's take a look at another cyber resilience model, this one from Gartner. It has four high-level functions. Let's look at each one. Gartner defines Predict as proactively learning about attacks and failures, and using that information to inform the work of the next three functions.
The Prevent function consists of things you do to prevent cyber attacks and failures from causing harm to your organization. Detect means finding attacks that have evaded your preventative measures. Response means to contain and remove the threat, and then recover from it. However, if you're not a Gartner subscriber, it's probably not worth the cost to become one just to gain access to their model. Instead, you can adopt the NIST Cybersecurity Framework, and then select from all the 98 included controls.
Note that there is an included crosswalk that shows how the Cybersecurity Framework outcomes map to specific ISO 27001 controls, so with some more work, you can still pursue ISO 27001 compliance if you want to.