Governance by Design: How to Manage Cybersecurity Risk

The following is a “book report” on How to Manage Cybersecurity Risk.

Suggested Reading Focus

This security leader’s roadmap is designed to be instructional for a security leader in their first assignment as chief information security officer (CISO) in a mid-sized firm. The three sections are arranged by maturity level.

You may want to start with Section II titled Planned, which describes the basics of an information security program. Section III titled Managed contains example process documents with an overarching integration framework, essentially the Plan-Do-Check-Act continuous improvement cycle. There is a brief section titled “Manage Regulatory and Contractual Compliance” you may find interesting primarily as a contrast between your understanding and that of a security professional.

Discussion Topics

Plan the Security Program – Using the organization’s authoritative policy system, briefly (1-2 paragraphs) describe the Program, then define the requirements and assign the responsibilities.

Define Objectives – Protect Information. Protect Information Systems

Design Defense in Depth – Establish the processes, systems, and human capabilities to achieve the objectives.

Manage the Security Program – Formally document the integrated processes to operate the security program with an underlying rhythm of Plan-Do-Check-Act.

Key Processes – Plan Do Check Act

Risk Management – formalize identification of information security risks (a few items) with organization executives. Assemble data from the other Key Processes and external sources to analyze risk. Perform risk analysis. Identify control improvement options, analyze the potential risk reduction, and develop a business case incorporating the risk analysis for the proposed improvement. Direct Policy Management to oversee the resulting control improvement projects.

Policy Management – maintain a security controls framework of control requirements with security domain applicability (i.e., personnel, physical, network, computing host or application security). Manage security control implementation and security control improvement projects. Also provide control requirements to Assessment Management.

Assessment Management – periodically measure, by various means, that security controls have been implemented as required across all security domains. Also perform structured or ad-hoc assessments to discover potential new vulnerabilities. Provide compliance and ad-hoc assessment status to Risk Management.

Incident Management – manage the incident life cycle leveraging detection and response capabilities. Develop and utilize incident intelligence sources to anticipate potential actions of identified threat agents. Provide status of ongoing incidents, data about exploited vulnerabilities, and summary of threat intelligence to Risk Management. Also identify potential (and sometimes urgent) security control improvements to Policy Management.


In my first draft I had much of the Appendix at the front of the book. But it was pointed out that the reader might not find their way to the real beginning of the story. Information security practitioners are all very diligent in their work, yet they exist in stovepipes. One result is that some very basic terms (risk, threat, vulnerability) mean different things to different security practitioners. Another example is that in the Incident Response domain, the words incident and event mean the exact opposite of dictionary definitions.
The Appendix is my proposed “correct” meanings and use of the information security vocabulary, including the popular word cybersecurity.

Lessons Learned

The layers of controls were just described from the inside out. However, while reacting to Internet threats it is natural to emphasize the outer layer of network controls. With threats escalating and the market for technical solutions expanding, the result can be a hard, crunchy shell around a soft center. While this may seem analogous to the fortress castle with the strongest protection at the perimeter, the reality of the Internet is that some threat communities have substantial resources, resulting in frequent attacks leveraging high capabilities; some will get through the perimeter. It is paramount to have effective security controls for all system layers.

The requirement for using complex passwords has been the best practice for many years. Unfortunately, the goal has been difficult to achieve, relying on users to remember multiple passwords that may not be particularly memorable. One of the fundamental control improvements relating to the increased capabilities of threat communities is the implementation of two-factor authentication.

Copyright © 2019 Christopher T. Carlson

Excerpt from How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR


Information Systems Protection Requirements

When designing layers of control to protect the confidentiality, integrity and availability of information systems, it is necessary to start with the information and business systems needing protection, designing layers of protection from there. This way you ensure that all the controls are aligned to the objective. The resultant requirements are documented in your organization’s security control framework. Reference Figure 2 as we look at the layers of controls.


Figure 2 IT Security Design Diagram

The fundamental controls for protecting information apply equally to protecting electronic documents and business systems: marking sensitive information and using personnel security controls for people authorized to create, use and share the sensitive information, and who use business systems.

The next layer of controls is physical controls for the hosts containing documents and business systems, which are typically grouped together in a shared hosting environment (in the past these were simply called data centers). A robust physical perimeter and doors controlled to permit access by a very few trusted individuals helps assure confidentiality, integrity and availability of the information systems. In addition, power backup is typically provided to enhance availability.

Business systems may be designed to directly authenticate users or they may rely on an infrastructure authentication capability such as Microsoft Windows Active Directory. Robust design and implementation of the business system application is necessary to reduce vulnerable user interfaces; this is especially relevant should the system be directly accessible from the Internet. Electronic documents are often stored using capabilities such as Microsoft Windows file sharing, which also takes advantage of Active Directory. The secure configuration of the information system host is the next layer of protection.

The information systems in some organizations rely on a single sign-on authentication system, and centralized identity data that includes people data attributes useful in making access decisions. The identity data may be integrated in Active Directory or could be part of a high availability directory service. Integrity and availability of these systems, along with appropriate data quality, are objectives of security controls for this component.

We now move out of the shared hosting environment into other organization facilities. We’ll assume that physical controls for information protection requirements are already in place. These provide some control for the network cables within a building as well as the user workstations connected to the network. Wireless communication between the network and the user is typically encrypted and has authentication to control its use. Network traffic between buildings could be physically protected where practical. But typically, this traffic travels through public networks, even if a dedicated communication path is provided. Point-to-point encryption is an option in these circumstances.

In some cases, the organization’s information systems (or some subset) are isolated from the Internet, so the organization’s physical perimeter is the final layer of protection. Otherwise, the final layer of controls is the interface between the organization’s information systems and the Internet, which is provided by perimeter systems. Some components include firewalls, antivirus and network traffic monitors. Often employees or other users can access the organization’s information systems through the perimeter. This requires robust authentication of the external users and more stringent host and application security controls to compensate for the increased threat event frequency associated with the perimeter. Some organizations choose to isolate the external-facing information systems in a network segment that excludes normal internal organization network traffic.

In the last section, we defined information protection requirements to be used when you design your security control framework. Those requirements apply equally to information systems. But we have added information system components and the protection objectives of confidentiality, integrity and availability. These requirements will also be composed of short requirements stated as a verb phrase, followed by additional detail relevant to your circumstances.

Some of these details are drawn from regulatory requirements. The following illustrates requirement statements.

  • Define confidentiality, integrity and availability requirements for business systems.
  • Establish an electronic identifier for network, host and application access control.
    • Employ a single badge for physical and computing access.
    • Require separate identifiers for users with privileged access.
  • Protect sensitive information during use and at rest in information systems.
  • Control access to organization networks, hosts and applications.
  • Limit access to sensitive information to authorized users.
  • Control authorized access to business systems.
  • Destroy sensitive information when no longer needed.
  • Monitor for and respond to potential intrusions to information systems.
  • Investigate and dispense corrective action to individuals misusing information systems.
  • Manage and monitor suppliers providing information systems support.
  • Push security requirements to transportation security.


Security Systems

Finally, we come to the security systems that are trusted to enable a variety of physical, computing and network security controls. These include capabilities such as card access systems for the physical perimeter, network perimeter firewalls and access control. Also included are centralized identity, authentication, key management and authorization systems that are leveraged to support computing and network security.

Prior to the mid-1990s the organization’s information systems were entirely contained within the physical perimeter. Many organizations were swift in their adoption of the internet, with the desire to have a web presence and engage in e-commerce. Soon it became apparent that they had moved into a bad neighborhood containing threats that no longer had to overcome the organization’s physical perimeter in order to seek confidential information, deface web sites, and disrupt systems’ availability. Worse yet, the internet became awash with viruses attempting to attack systems, potentially adversely impacting confidentiality, integrity or availability.

The computing and network perimeter is much like the physical perimeter, providing a foundation for protecting the confidentiality, integrity and availability of the information system. The first step is to limit the number of connections to the internet, which is analogous to access-controlled doors on the organization’s physical perimeter. As with doors, the incoming internet traffic must be screened for what is permitted and what is not. It is also common to control traffic leaving the organization, most commonly to prevent access to internet locations known to present a threat to the organization.

Organization users may access the internet anonymously (e.g., access to a public web site) or they may have authenticated access to an internet location. The data flows between the user and the internet must be allowed to flow both ways through the perimeter. Similarly, there may be users at internet locations who are permitted to access systems inside the organization’s perimeter, such as employees working at home or on travel, and organization customers or suppliers who need access to organization systems in order to provide status and billing for materials being provided, or to order and check status on products being purchased. Fundamentally these all require an authentication at the perimeter in order to establish the connection. But what can arise is the burdensome requirement for a series of logons, such as logging on to the supplier’s information system, logging on to your organization’s perimeter, logging on to the host, and finally logging on to the desired application.

The ideal is to achieve a single sign on experience for users, employees as well as suppliers and customers. It is common to achieve single sign on for a hosting environment, which is commonly supported by Windows or UNIX operating systems. Applications can be configured to leverage the host authentication. It is also possible for one organization to trust the authentication of another organization. The Security Assertion Markup Language (SAML) can be leveraged for this purpose, accompanied by the establishment of the trust relationship between organizations and their information systems.


Computing and Network Security

Users’ access to the organization’s information systems is the next layer of control, composed of the network, host, application and database components. For the moment, we will use the case where the user is at work in the organization’s office, i.e., they have gone through the physical perimeter. Now they must gain access to the information system, much like gaining access to a container protecting information. The sign on requires the user to identify who they are (the userid) and validate that identity through something they know or have (e.g., password, pin, access card with chip). This process may have to be repeated in order to access different computers or to access specific applications. The risk to confidentiality, integrity and availability of information within the information system is reduced by the strength of the access controls, making it more difficult for unauthorized users to gain access. Today two-factor authentication has become necessary due to the high capabilities possessed by many threat agents.

Access administration is an important component of maintaining the difficulty for unauthorized users to gain access. It is quite natural to desire the ability to quickly authorize users to have access to everything they need to do their job. But if not managed properly, they may have access to systems not required for their job, increasing risk to confidentiality, integrity and availability. But often overlooked is the need to remove access when it is no longer required. Over a long career in a large organization, individuals gradually build up a large collection of authorized accesses. Even in organizations with careful screening practices, there is some small frequency of insiders who may become motivated to steal sensitive information. With poorly managed access, the information is effectively 100% vulnerable to these insiders. Obviously, they are continuing to act despite the deterrence of prosecution if they are caught.

High privilege accounts used by system operators and trusted processes are necessary to manage and operate hosts. Like the special containers needed to protect security systems within the data center, these accounts need special controls to limit their use. Accounts with passwords are also needed to run business system applications, but there is the obvious problem of changing passwords regularly, and the need to have the password available to applications that initiate other processes.
