Governance by Design: How to Manage Cybersecurity Risk

The following is a “book report” on How to Manage Cybersecurity Risk.

Suggested Reading Focus

This security leader’s roadmap is designed to be instructional for a security leader in their first assignment as chief information security officer (CISO) in a mid-sized firm. The three sections are arranged by maturity level.

You may want to start with Section II titled Planned, which describes the basics of an information security program. Section III titled Managed contains example process documents with an overarching integration framework, essentially the Plan-Do-Check-Act continuous improvement cycle. There is a brief section titled “Manage Regulatory and Contractual Compliance” you may find interesting primarily as a contrast between your understanding and that of a security professional.

Discussion Topics

Plan the Security Program – Using the organization’s authoritative policy system, briefly (1-2 paragraphs) describe the Program, then define the requirements and assign the responsibilities.

Define Objectives – Protect Information. Protect Information Systems.

Design Defense in Depth – Establish the processes, systems, and human capabilities to achieve the objectives.

Manage the Security Program – Formally document the integrated processes to operate the security program with an underlying rhythm of Plan-Do-Check-Act.

Key Processes – Plan Do Check Act

Risk Management – formalize identification of information security risks (a few items) with organization executives. Assemble data from the other Key Processes and from external sources to analyze risk. Perform risk analysis. Identify control improvement options, analyze the potential risk reduction of each, and develop a business case incorporating the risk analysis for the proposed improvement. Direct Policy Management to oversee the resulting control improvement projects.

Policy Management – maintain a security controls framework of control requirements with security domain applicability (i.e., personnel, physical, network, computing host, or application security). Manage security control implementation and security control improvement projects. Also provide control requirements to Assessment Management.

Assessment Management – periodically measure, by various means, that security controls have been implemented as required across all security domains. Also perform structured or ad-hoc assessments to discover potential new vulnerabilities. Provide compliance status and ad-hoc assessment status to Risk Management.

Incident Management – manage the incident life cycle, leveraging detection and response capabilities. Develop and use incident intelligence sources to anticipate the potential actions of identified threat agents. Provide the status of ongoing incidents, data about exploited vulnerabilities, and a summary of threat intelligence to Risk Management. Also identify potential (and sometimes urgent) security control improvements to Policy Management.


In my first draft I had much of the Appendix at the front of the book. But it was pointed out that the reader might not find their way to the real beginning of the story. Information security practitioners are all very diligent in their work, yet they exist in stovepipes. One result is that some very basic terms (risk, threat, vulnerability) mean different things to different security practitioners. Another example is that in the Incident Response domain, the words incident and event mean the exact opposite of their dictionary definitions.
The Appendix is my proposed “correct” meanings and use of the information security vocabulary, including the popular word cybersecurity.
