Rob Arnold, CISSP CISM
Building your InfoSec Program: Frameworks & Benchmarks
Information Security Officer, University of Kansas
Security is a…
• Necessary cost: 75%
• Competitive advantage: 25%
Raytheon/Ponemon 2015 Global Megatrends in Cybersecurity, Feb 2015
Agenda
• Why use a framework?
• How do I use a framework?
• Where can I get a framework?
• What value are benchmarks?
• Where can I find benchmarks?
• How can I get started?
• What resources are there?
Use a framework to
• Ensure you have coverage (the “unknown unknown” problem)
– Frameworks are highly vetted
– Some degree of future-proofing
– Help with responding to audits
Use a framework to
• Identify areas for improvement
– Taxonomy provides structure
– Common vocabulary
– Framework defines some ideal
– You assess the gap between your reality and the ideal
– Develop a work plan
Use a framework to
• Benefit from a proven successful approach
– Repeatable approaches to problems
– Stand on the shoulders of giants
– Allow tailoring for your organization
“If I have seen further it is by standing on ye sholders of Giants.”
--Isaac Newton
Use a framework to
• Enable service delivery
– Consider your work output as services
– Move toward understanding the demand
– Move toward understanding your capacity
– Move toward knowing where your organization gets the security services it needs
Build your security program on a framework
• Catalog of controls
– Mapped to the framework
– With a narrative description of processes
• Do feed the auditors!
– Follow the taxonomy of your framework
– Use the common vocabulary
– Design your controls to produce evidence
6.1.3 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
Requests for information by law enforcement shall be dispatched as set forth in the Investigative Contact by Law Enforcement, Policy and Procedures [KUIT6.1.3A]. Reporting of crimes shall occur as set forth in the Crime Reporting Policy [KUIT6.1.6B].
6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
The IT Security Office shall maintain membership and participation in special interest groups and information sharing groups as deemed appropriate by the Information Security Officer. ITSO staff are member representatives of REN-ISAC and members of MS-ISAC [KUIT6.1.4A].
ITSO staff are members of various professional organizations including (ISC)2, ISACA, and EC Council as a result of the position requirement for current certification [KUIT6.1.4B].
18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
18.2.1 Independent review of information security
The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
This program document shall serve as a record of the organization’s approach to the management and implementation of information security. This document shall be reviewed no less than annually by the Information Security Officer. [KU18.2.1A]
An external review of the program document shall be performed at least every two years. [KU18.2.1B]
18.2.2 Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
The IT Security Office shall conduct a Risk and Vulnerability Assessment (RVA) as a service to units. The RVA shall serve as a unit-level review of the practices and documentation of the unit. Issues from the review shall be reported to the unit leadership. [KU18.2.2A]
Information security controls
• Are specific
• Are testable
• Produce evidence
• Map to your choice of framework
• Use “shall” not “should” or “may”
Finding frameworks
• You may be required to use one (or more) by your industry’s regulating body
• Standards bodies (NIST, ISO)
• Regulatory bodies (NERC, FISMA, HITRUST)
• Audit organizations (COBIT, CAG)
What value are benchmarks?
• How do I compare to my competition?
• How do I compare to my industry?
• Am I paying too much for security?
• Is my attention focused correctly?
• How do I get more resources?
• What are my strategic gaps?
Where can I find benchmarks?
• Big vendors give them away
– …or trade them for a lead
• Research firms sell them to you
• ISAC organizations can help, depending on industry
• Government agencies publish them (sometimes infrequently and poorly)
How can I get started?
• Read the docs in the resource section
• Use your professional contacts
– (ISC)2
– ISACA
– ISSA
• Pick a framework
• Write a program document
• Lather, rinse, repeat
Frameworks
• SANS 20 Critical Security Controls
• ISO 27001:2013 and 27002:2013 (not free)
• NIST SP800-53rev4
• NIST Cybersecurity Framework
• ISACA COBIT 5
• NERC CIP
• Council on CyberSecurity Cybersecurity Workforce Handbook
• NICE National Cybersecurity Workforce Framework
• HITRUST Common Security Framework
Metrics
• Verizon DBIR
• PwC Global State of Information Security
• Raytheon/Ponemon 2015 Global Megatrends
• IBM/Ponemon 2014 Cost of Data Breach Study
• Cisco Annual Security Report
• HP Cyber Risk Report
• Wisegate 2013 IT Security Benchmark Summary Report
• Gartner Info Security and Risk Management Metrics (requires survey)
Image credits
Public domain
• Photograph of a Workman on the Framework of the Empire State Building (National Archives Identifier 518290)
• Woolworth Bldg, Library of Congress, call number LC-B2-2416-4
Creative Commons
• Hindenburg, Bundesarchiv, Bild 146-1986-127-05 / CC-BY-SA
• Benchmark, User:Nixterrimus, CC-BY-SA
• Peloton, User:muffinn, CC-BY
• Countisbury Ordnance Survey Benchmark, © Copyright Rachel Hunt, CC-BY-SA
• It's time to get started, User:The fixerupperz, CC-BY-SA
• Udachnaya mine, User:stepanovas, CC-BY-SA