EHBC CONSULTING
PMO & Project Management Specialists
Cyber Security:
Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.
Government agencies, the military, corporations, financial institutions, hospitals, and other groups collect, process, and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.
Basic components of a fully mature Cyber Security Program in an organization may include the following processes and projects:
- Data Loss Prevention
- End Point Telemetry
- Incident Response
- Security Blueprints
- Internal Controls
- Enterprise Security Standards
- IT Policy Exception Process
- DDOS Protection
- Secure Coding Practices
- Info Security Training & Awareness
- ISG GRC
- Threat Intelligence
- IT Risk Assessment
- Third Party Risk Management
- Advanced Malware Protection
- Secure SDLC
- App Blacklisting / Whitelisting
- Metrics and Reporting
- Malicious Email Filtering
- IAM Strategy
- Infrastructure Security
- Admin Privileges at Endpoint
- Data Protection & Mgt Strategy
- Data In Motion Encryption
- Data at Rest Encryption
- Cyber Analytics
Cyber Security Frameworks and Policy
What does a mature cyber security capability look like?
Cyber Security Framework - Commercial / Private Organizations
The widely used conventional framework developed by NIST (National Institute of Standards and Technology) consists of the following core functions:
1) Identify
2) Protect
3) Detect
4) Respond
5) Recover
NIST and ISO publications have become the basis for standard organizational benchmarks used to assure that mature capabilities are established. Other standards frameworks, such as COBIT and ISA, overlap with NIST and ISO and are also relevant and applicable. In some of the NIST publications, the NIST Framework is broken down and each specific area is mapped to the other relevant frameworks for clarity.
Cyber Security Framework - Government Related Agencies and Contractors
Policy has been amended in the FAR (Federal Acquisition Regulation) Section 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," as well as DFARS (Defense Federal Acquisition Regulation Supplement) Section 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting."
These additions to military and government policy dictate that companies wishing to bid on government contracts must have a mature cyber security capability or show a clear plan for how their organization will become compliant with cyber security standards.
FAR Contractually Required Clause Excerpt:
52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.
As prescribed in 4.1903, insert the following clause:
Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)
(a) Definitions. As used in this clause--
“Covered contractor information system” means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
“Federal contract information” means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
“Information” means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
“Safeguarding” means measures or controls that are prescribed to protect information systems.
Below is an example of how the NIST Framework, in the area of Asset Management, is mapped through subcategories and carries informative references to a number of other industry frameworks.