Cyber Security Governance
The Information Security Officer (ISO) provides guidance and support for the overall Information Security Portfolio.
The ISO establishes the Security Lifecycle through the development and management of agency-wide governance.
The ISO facilitates the lifecycle of Security Operations, Risk Management and Security Architecture through a number of activities and repeatable processes.
- Information Security Strategic Planning
- Information Security Roadmap Development
- Information Security Resource Planning
- Establishment of Information Security Policies, Standards, Processes and Procedures
- Information Security Training, Education and Awareness
Best practices for information security governance are found in NIST SP 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View.” This document provides a best-practice framework for managing information security risk at the organization, mission/business process, and information system levels.
The purpose of your Security Operations Center (SOC) is to identify threats to Information Security.
As threats are identified, they should be provided to Risk Management for Analysis.
Threats can be identified through a number of mechanisms including:
- Intrusion Detection & Prevention Technologies.
- Notices from organizations such as the Multi-State Information Sharing & Analysis Center.
Best practice for identifying threats is found in Appendix D (threat sources and threat events) of NIST SP 800-30 Revision 1.
The purpose of your Risk Management Program is to quantify the Risks Identified by your Security Operations Center.
As risks are quantified and prioritized, they should be provided to the security architects so that security controls which mitigate the identified risks can be established or configured.
Risks arising from threats can be managed through a number of activities, including:
- Cataloguing the Risk – Establish a risk register.
- Quantifying the Risk – Determine whether vulnerabilities exist which can be exploited by the threats identified.
- Measuring the Risk – Identify the impact of each risk if it is realized.
- Communicating the Risk – Convey prioritized risks to the architects so that a solution can be established.
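The four activities above (catalogue, quantify, measure, communicate) map naturally onto a small risk-register program. The following is an added example, not code from the original page or from any NIST publication. It assumes a five-level ordinal scale for likelihood and impact and a likelihood × impact score with constructed rating thresholds; the register entries are constructed sample data, not real findings. Substitute your own scale and thresholds.

```python
from dataclasses import dataclass

# Five-level ordinal scale. This is a constructed example scale (an assumption
# of this example, in the spirit of the qualitative likelihood/impact levels
# in NIST SP 800-30 Rev. 1); substitute your organization's own scale.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    """One entry in the risk register."""
    risk_id: str          # register key
    threat: str           # threat event reported by the SOC
    vulnerability: str    # weakness the threat could exploit
    likelihood: str       # key of LEVELS
    impact: str           # key of LEVELS
    status: str = "open"  # open / mitigated / accepted

    def __post_init__(self) -> None:
        # Reject entries whose levels are not on the agreed scale.
        for lvl in (self.likelihood, self.impact):
            if lvl not in LEVELS:
                raise ValueError(f"unknown level {lvl!r}; expected one of {sorted(LEVELS)}")

    def score(self) -> int:
        """Quantify: likelihood x impact on the ordinal scale (range 1..25)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Measure: bucket the score. Thresholds are an assumption of this example."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 6:
            return "moderate"
        return "low"


class RiskRegister:
    """Catalogue: holds risks keyed by ID and rejects duplicate IDs."""

    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def catalogue(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise KeyError(f"risk {risk.risk_id} is already registered")
        self._risks[risk.risk_id] = risk

    def prioritized(self) -> list[Risk]:
        """Open risks, highest score first; ties broken by ID for stable output."""
        return sorted(
            (r for r in self._risks.values() if r.status == "open"),
            key=lambda r: (-r.score(), r.risk_id),
        )

    def communicate(self) -> list[str]:
        """Communicate: one line per open risk, in priority order, for the architects."""
        return [
            f"{r.risk_id} [{r.rating()}, score {r.score()}] {r.threat} via {r.vulnerability}"
            for r in self.prioritized()
        ]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for demonstration (not real findings)."""
    reg = RiskRegister()
    reg.catalogue(Risk("R-001", "phishing campaign", "no MFA on webmail", "high", "high"))
    reg.catalogue(Risk("R-002", "internet port scan", "unused service exposed", "very high", "low"))
    reg.catalogue(Risk("R-003", "lost laptop", "disk not encrypted", "moderate", "very high"))
    # Accepted risks stay in the catalogue but are not re-communicated.
    reg.catalogue(Risk("R-004", "legacy app crash", "no input validation", "low", "low",
                       status="accepted"))
    return reg


if __name__ == "__main__":
    for line in build_sample_register().communicate():
        print(line)
```

Running the block prints the three open risks in priority order (R-001, R-003, R-002); the accepted risk R-004 is retained in the catalogue but not handed to the architects. Keeping the scale, thresholds and status values in one place makes the prioritization auditable, which is the point of a register as opposed to an ad hoc list.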
There are a number of ways in which risks can be managed. NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,” provides a best-practice framework for this activity.
Risks are provided to Security Architects who implement or configure security controls to mitigate the identified risks.
As risks are mitigated, the security architects should tell the Security Operations team what to monitor so that the risks are not realized.
The following process steps can be used to mitigate a risk:
- Determine how the threat behind the risk would exploit the vulnerability.
- Determine whether existing security controls can mitigate that exploitation.
- Implement or re-configure the security control to mitigate the risk.
- Develop a mechanism to detect whether the risk is being realized, and a monitoring solution for it.
Security controls are implemented across the infrastructure to mitigate the various risks that are presented. As risks are presented by your Risk Management Program, your architects should be working to implement solutions to mitigate them. NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” provides a catalogue of security controls that can be used to identify mitigation strategies.
National Cybersecurity Workforce Framework
NICE developed the National Cybersecurity Workforce Framework (the Framework) to codify cybersecurity work and to identify the specialty areas of cybersecurity professionals.
The Framework establishes:
- A common taxonomy and lexicon for cybersecurity workers that organizes cybersecurity into 31 specialty areas within 7 categories.
- A baseline of tasks, specialty areas, and knowledge, skills and abilities (KSAs) associated with cybersecurity professionals.
The Framework assists with strategic human capital efforts, including:
- Workforce planning
- Recruitment and Selection
- Training and Development
- Succession Planning
| Category | Description |
|---|---|
| Securely Provision | Specialty areas responsible for conceptualizing, designing, and building secure information technology (IT) systems, i.e., responsible for some aspect of systems development. |
| Operate and Maintain | Specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security. |
| Protect and Defend | Specialty areas responsible for the identification, analysis, and mitigation of threats to internal information technology (IT) systems and networks. |
| Investigate | Specialty areas responsible for the investigation of cyber events and/or crimes involving information technology (IT) systems, networks, and digital evidence. |
| Collect and Operate | Specialty areas responsible for specialized denial and deception operations and the collection of cybersecurity information that may be used to develop intelligence. |
| Analyze | Specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. |
| Oversight and Development | Specialty areas that provide leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cybersecurity work. |
The Framework organizes cybersecurity work into 31 specialty areas within 7 categories. Each specialty area represents an area of concentrated work, or function, within cybersecurity. Below are the 7 categories (bold), with their corresponding specialty areas.
**Securely Provision**
- Systems Requirements Planning
- Systems Development
- Software Assurance and Security Engineering
- Systems Security Architecture
- Test and Evaluation
- Technology Research and Development
- Information Assurance (IA) Compliance
**Operate and Maintain**
- System Administration
- Network Services
- Systems Security Analysis
- Customer Service and Technical Support
- Data Administration
- Knowledge Management
**Collect and Operate**
- Collection Operations
- Cyber Operations Planning
- Cyber Operations
**Protect and Defend**
- Vulnerability Assessment and Management
- Incident Response
- Computer Network Defense (CND) Analysis
- Computer Network Defense (CND) Infrastructure Support
**Investigate**
- Digital Forensics
**Analyze**
- Cyber Threat Analysis
- Exploitation Analysis
- All Source Intelligence
**Oversight and Development**
- Legal Advice and Advocacy
- Education and Training
- Strategic Planning and Policy Development
- Information Systems Security Operations (ISSO)
- Security Program Management (Chief Information Security Officer [CISO])