CYBER SECURITY & COMPLIANCE

CYBER SECURITY & COMPLIANCE FRAMEWORK

Transcript of CYBER SECURITY & COMPLIANCE

Page 1: CYBER SECURITY & COMPLIANCE

CYBER SECURITY & COMPLIANCE FRAMEWORK

Page 2: CYBER SECURITY & COMPLIANCE

TABLE OF CONTENTS

• Background | 1

• Maturity Assessment | 4

• Gap Analysis, Benchmarking | 18

• Risk Prioritization & Tactical Remediation | 20

• Strategic Roadmap & Security Architecture Development | 24

• Continuous Improvement & Adaptability | 28

• Summary | 34

• About Us | 36

Page 3: CYBER SECURITY & COMPLIANCE

PUBLIC SECTOR AND ENTERPRISE ORGANIZATIONS REQUIRE A PRACTICAL SECURITY METHODOLOGY THAT IS INTEGRATED WITH THEIR EVERYDAY OPERATIONS TO EFFECTIVELY MITIGATE EVER-EVOLVING SECURITY THREATS AND HELP ENSURE COMPREHENSIVE REGULATORY COMPLIANCE AND DATA PRIVACY.

Page 4: CYBER SECURITY & COMPLIANCE

BACKGROUND


Page 5: CYBER SECURITY & COMPLIANCE

Bridgepoint has developed a comprehensive Cyber Security and Compliance (CSC) Framework that delivers a proven step-by-step methodology to understand, identify, and mitigate cybersecurity risks. We leverage best practices and industry-specific guidance to achieve optimal protection and regulatory compliance. Our goal is to create world-class results for cyber security and compliance by providing a holistic approach to help our clients achieve practical and effective security.

Bridgepoint Consulting developed our CSC framework from our experience serving clients in the Power & Energy, Manufacturing, Financial, Government, and Software industries.

The CSC framework comprises five integrated disciplines that are comprehensive in scope but flexible enough for virtually any industry or organization. Bridgepoint has the expertise to tailor the CSC framework to deliver optimum value. We evaluate and absorb the mature aspects of an organization’s current security posture and compliance operations to reduce stress, expense, and delays during implementation. The framework also incorporates the vital discipline of continuous monitoring and improvement, so that organizations can evolve to keep pace with the ever-changing threat landscape.


Page 6: CYBER SECURITY & COMPLIANCE

THE FIVE DISCIPLINES OF BRIDGEPOINT’S CSC FRAMEWORK:

• Maturity Assessment

• Gap Analysis & Benchmarking

• Risk Prioritization & Tactical Remediation

• Strategic Roadmap & Security Architecture Development

• Continuous Improvement & Adaptability

Page 7: CYBER SECURITY & COMPLIANCE

MATURITY ASSESSMENT


Page 8: CYBER SECURITY & COMPLIANCE

Identifying the appropriate cyber security protection for an organization first requires understanding its business and its relevant compliance requirements, and assessing its current cyber security posture. All of the organization’s critical information assets should be identified and prioritized according to their criticality to the business, so that protections commensurate with the importance of each asset can be applied. Data inventory, classification, and business impact analysis are fundamental components of the CSC framework and of the maturity assessment discipline.

Page 9: CYBER SECURITY & COMPLIANCE

1 | DATA INVENTORY & CLASSIFICATION

Page 10: CYBER SECURITY & COMPLIANCE

To help assess cybersecurity risk exposures, organizations should first understand the types of data they collect, process, and share. Organizations need to identify the risk and responsibility associated with each data set. Because organizations handle many different types of data, some data may be subject to federal, state, and local regulations and possibly foreign privacy standards. Once the organization understands the types of data it handles, classifying the data based on confidentiality, integrity, and availability is critical to developing a comprehensive data security policy. Data classification will help determine who should be authorized to access each data set and what level of data security it needs. The CSC framework uses this current and complete data inventory to identify the compliance requirements the organization is subject to and to define the boundary of its cyber risk exposure and cybersecurity program.

Page 11: CYBER SECURITY & COMPLIANCE

2 | BUSINESS IMPACT ANALYSIS

Page 12: CYBER SECURITY & COMPLIANCE

Understanding the appropriate cyber security stance requires a structured business impact analysis (BIA) to estimate the likely impact of a cyber security event in terms of loss of business, impact to reputation, operational disruption, data breach, and loss of information. Resumption of critical processes and functions after such an event is the purpose of business continuity (BC) planning. Bridgepoint’s CSC framework is flexible and can either add a cyber security element to an existing BC plan or act as a catalyst to create a BC plan where one does not exist. In either case, the BIA is the critical precursor that identifies an organization’s essential products, services, and functions and evaluates them against the organization’s unique risk profile. The BIA establishes the appropriate BC objectives, i.e., the maximum tolerable period of disruption (MTPD), recovery time objectives (RTO), and recovery point objectives (RPO). The CSC framework also helps to define the organization’s Incident Response Plan (IRP). An IRP is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation so as to limit damage and reduce recovery time and costs.

Page 13: CYBER SECURITY & COMPLIANCE

3 | CURRENT & EMERGING REGULATORY REQUIREMENTS

Page 14: CYBER SECURITY & COMPLIANCE

Information systems are increasingly distributed and pervasive, enabling organizations to operate functions and services and to share sensitive information across the organization. However, these same enterprises also face the challenge of working under multiple regulatory jurisdictions with overlapping rules that govern how they use and protect their digital assets. For example, it is common for a single organization to fall under the regulations of Sarbanes-Oxley in its financial operations, the Health Insurance Portability and Accountability Act (HIPAA) in human resources, the Payment Card Industry Data Security Standard (PCI DSS) for any customer-facing payment services, and the General Data Protection Regulation (GDPR) for operating an e-commerce business in Europe. Many organizations face further layers of industry-specific regulatory requirements, such as NERC CIP for utilities, HIPAA for healthcare organizations, FIPS 200 for federal information systems, and Regulation SCI for trading and securities firms, to name just a few. It is increasingly challenging to manage security and compliance from the multi-silo approach in which many organizations find themselves. The CSC framework provides guidance that enables organizations to streamline and simplify multiple regulatory requirements by reconciling them into a unified and holistic set of cybersecurity best practices that also satisfy the compliance requirements.

Page 15: CYBER SECURITY & COMPLIANCE

4 | EXISTING GOVERNANCE & SECURITY FRAMEWORKS

Page 16: CYBER SECURITY & COMPLIANCE

Depending on an enterprise’s maturity level and industry, there may already be frameworks in place for governance and compliance. These frameworks often have common elements that are practical and effective for implementing a comprehensive cyber security program. Many industry-specific compliance programs use operational frameworks, like ITIL, as the authoritative reference for building compliance. Establishing a cyber security program on the appropriate frameworks creates a foundation for achieving both compliance and practical cyber security and makes both efforts more effective and much easier to sustain as regulations and threats evolve. The rules and threats will continue to grow, and Bridgepoint’s approach recognizes the need for this agility.

In many cases, the compliance requirement provides auditable proof of adherence to the acceptable practices provided for in the governance framework. The type of industry or the compliance requirements could be the deciding factors. Publicly traded companies will likely use COBIT to meet Sarbanes-Oxley requirements. The ISO 27000 series offers a comprehensive information security framework that applies to any industry, although the implementation is difficult and lengthy. However, ISO/IEC 27001 certification provides value when the company needs to demonstrate its information security capabilities to its stakeholders. NIST SP 800-53 controls were designed specifically for U.S. federal information systems, but NIST SP 800-53, as well as ISO/IEC 27001, provide information security standards that are practical for a broad scope of environments and organizations.

Page 17: CYBER SECURITY & COMPLIANCE

NIST guidance is quickly becoming the de facto cross-industry reference for information security and security governance. For instance, the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) from the Department of Energy maps to the NIST Cybersecurity Framework. The diagram below illustrates the relationships of the various frameworks to their scope of governance and to each other:

Page 18: CYBER SECURITY & COMPLIANCE

[Diagram: frameworks mapped to their scope of governance]

• Corporate governance: COSO

• IT governance and IT service management: ITIL, COBIT

• Information security and security governance: ISO, NIST

• Regulatory requirements: NERC CIP, PCI, HIPAA, SOX

Inputs shown feeding these layers: regulatory requirements, security best practices, and general and industry-specific risks.

Bridgepoint’s unique approach is to analyze an organization’s current use of frameworks and best practices, along with those that are required for a specific industry. The results of this analysis provide a roadmap for a hybrid compliance and cybersecurity framework. This framework harmonizes an organization’s existing best practices with a unified approach to practically address regulatory requirements and effectively mitigate risks identified in the BIA.


Page 19: CYBER SECURITY & COMPLIANCE

5 | CYBER SECURITY & COMPLIANCE AUDIT

Page 20: CYBER SECURITY & COMPLIANCE

A comprehensive cyber security and compliance audit that includes testing of controls and policy review will assess how the enterprise conforms to any existing framework and where strategic and operational gaps exist. Such an audit consists of a detailed technical evaluation of an organization’s IT infrastructure and a review of policies, procedures, and organizational security culture.

The output of such an audit will provide the following deliverables:

• A prioritized list of remediation and fortification recommendations to address immediate threats and exposures

• An in-depth understanding of the system and network cybersecurity strengths and risks based on the unique operational requirements of the organization

• An understanding of compliance controls and effectiveness based on the specific regulatory requirements of the organization

• A mapping of the specific multiple compliance requirements to the general framework adopted by the organization

• In-depth knowledge transfer to organizational staff and management throughout the evaluation process, culminating in the delivery of detailed written documentation


Page 21: CYBER SECURITY & COMPLIANCE

GAP ANALYSIS & BENCHMARKING


Page 22: CYBER SECURITY & COMPLIANCE

Once the current state is established using the audit process, it can be used to document the current cyber security baseline that defines “where we are now.” The client and Bridgepoint can then work together to create a harmonized cyber security framework specifically tailored to the organization’s unique operational and regulatory environment. This will define “where we want to go.” With the starting and endpoints established, Bridgepoint will help develop a comprehensive gap analysis that identifies areas needing attention, relevant metrics for measuring progress, potential tools that will facilitate collection and reporting of these metrics, and a mapping of standards and best practices that provide guidance for each area.


Page 23: CYBER SECURITY & COMPLIANCE

RISK PRIORITIZATION & TACTICAL REMEDIATION


Page 24: CYBER SECURITY & COMPLIANCE

As mentioned above, any imminent threats or regulatory breaches identified by the audit will receive high priority, and a triage program will be created as necessary to mitigate them. The larger body of identified risks will be analyzed and incorporated into a matrix that prioritizes each risk based on likelihood, impact, and other considerations relevant to the organization. Metrics created in the previous discipline will track the tactical remediation activities. The metrics will also be continually evaluated and refined to ensure accuracy and effectiveness in guiding efforts toward the desired goal.

The following diagram is an example of a simple weighted risk impact matrix that can help prioritize risks identified in the data inventory and BIA.


Page 25: CYBER SECURITY & COMPLIANCE

RISK MATRIX (cell value = likelihood score x impact score)

                      IMPACT
LIKELIHOOD            1 Insignificant  2 Minor  3 Moderate  4 Major  5 Catastrophic
5 | Almost certain          5             10        15         20          25
4 | Likely                  4              8        12         16          20
3 | Possible                3              6         9         12          15
2 | Unlikely                2              4         6          8          10
1 | Rare                    1              2         3          4           5
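The matrix above is a scoring rule, not a ranking: to turn it into a triage list the scores have to be applied to the risks captured in the data inventory and BIA, weighted by the "other considerations" the text mentions, and ordered with a deterministic tie-break. The script below is an added example, not part of Bridgepoint's framework or this document. It uses the page's 5x5 likelihood and impact scales; the banding thresholds (Critical at 20 and above, High at 12, Medium at 6), the weighting rule that treats a regulated data set as one impact level higher, and the sample risk register are all assumptions made for the example.

```python
"""Weighted likelihood x impact scoring for a tactical remediation triage list.

Added example. The 5x5 scales come from the matrix on the page; the bands,
the regulated-data uplift and SAMPLE_REGISTER are assumptions for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Assumed bands over the 1..25 product score; the page shows the matrix but no bands.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str               # asset or data set from the data inventory / BIA
    likelihood: int          # 1..5, see LIKELIHOOD
    impact: int              # 1..5, see IMPACT
    regulated: bool = False  # data set in scope of a regulation (SOX, HIPAA, PCI DSS, GDPR)


def effective_impact(risk: Risk) -> int:
    """Assumed weighting: a regulated data set scores one impact level higher, capped at 5."""
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"{risk.name}: likelihood and impact must both be 1..5")
    return min(5, risk.impact + 1) if risk.regulated else risk.impact


def score(risk: Risk) -> int:
    """The matrix cell: likelihood x (weighted) impact, in the range 1..25."""
    return risk.likelihood * effective_impact(risk)


def band(value: int) -> str:
    """Map a 1..25 score onto the assumed Low/Medium/High/Critical bands."""
    for floor, label in BANDS:
        if value >= floor:
            return label
    raise ValueError(f"score {value} is outside 1..25")


def prioritize(register):
    """Highest score first. Ties go to the higher raw impact so a rare but catastrophic
    risk outranks a frequent but minor one with the same product; then by name."""
    return sorted(register, key=lambda r: (-score(r), -r.impact, r.name))


def triage_list(register, minimum="High"):
    """Risks at or above the given band: the set the tactical remediation program takes first."""
    order = [label for _, label in BANDS]
    accepted = order[: order.index(minimum) + 1]
    return [r for r in prioritize(register) if band(score(r)) in accepted]


# Constructed sample register for the example; not taken from the page.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", "Remote access gateway", 4, 4),
    Risk("Legacy HMI reachable from the corporate LAN", "Plant control network", 3, 5),
    Risk("Stale contractor accounts in Active Directory", "Identity directory", 5, 3),
    Risk("Payment portal without rate limiting", "Cardholder data environment", 3, 3, regulated=True),
    Risk("Unencrypted off-site backup tapes", "Customer PII archive", 2, 4, regulated=True),
    Risk("Phishing of finance staff", "Accounts payable workflow", 5, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        s = score(r)
        print(f"{s:2d}  {band(s):8s}  {r.name}  [{r.asset}]")
```

Running the script prints the register in triage order. Note that the two risks scoring 15 are separated by the impact tie-break, and that the regulated backup archive (likelihood 2, impact 4) lands in the same band as phishing of finance staff (likelihood 5, impact 2) only because of the uplift; whether that weighting is right is exactly the kind of "other consideration" the organization has to decide, and the rule should be written down next to the matrix so the ranking is reproducible at the next audit.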

Page 26: CYBER SECURITY & COMPLIANCE

A vital aspect of tactical remediation is developing an Incident Response Plan (IRP) once risks have been identified and prioritized. While an IRP is also integral to the larger security architecture, it is necessary to prepare for the potential consequences of known risks, unknown risks, and those that are too expensive or difficult to mitigate. Bridgepoint will help develop a practical incident response plan that focuses on a timely and measured response to potential security breaches.

The primary objective of such a plan is to manage a cybersecurity event or incident in a way that limits damage, preserves the confidence of customers and external stakeholders, and reduces recovery time and costs. The plan’s structure includes identification and classification of incidents, incident handling procedures, communication guidelines, and post-incident analysis and documentation. Aspects of an incident response plan will also have logical links to business continuity and disaster recovery plans. Bridgepoint will help the organization develop a seamless flow between these plans to ensure comprehensive procedures are in place to deal with all contingencies.

Page 27: CYBER SECURITY & COMPLIANCE

STRATEGIC ROADMAP & SECURITY ARCHITECTURE

DEVELOPMENT


Page 28: CYBER SECURITY & COMPLIANCE

Using the insights provided by assessing and prioritizing risks, a tactical and strategic plan will be developed to mitigate risks and move towards the ideal state. Tactical plans will comprise projects designed to address higher-priority risks that pose an immediate threat to security or compliance and can be implemented immediately. As with any project, objectives, scope, budgets, and resources will need to be defined, and formal project management will be required for success. Typically, the business case for security and compliance projects is risk-based rather than ROI-based. Bridgepoint can work with the organization to develop appropriate business cases for the initiatives.

Strategic architecture planning is much more complex and should be guided by the organization’s operating and strategic plans. Analysis of proposed regulatory actions will help guide strategic planning, as will trends in the evolution of general cybersecurity threats and of those relevant to the organization’s industry.

Page 29: CYBER SECURITY & COMPLIANCE

A sample roadmap to address this challenge typically includes:

• Multi-framework mapping and harmonization with clearly identified security/compliance requirements and goals

• Security architecture design that will achieve identified security/compliance requirements and goals

• Suggested security/compliance governance structures

• Cost-benefit analysis of multiple implementation strategies that include variations of in-house vs. outsourced scenarios

• Execution strategy to implement security architecture design and chosen implementation strategy

• Security and compliance policies that support objectives and goals and also meet compliance requirements

• Resource strategy that includes staff skills inventory and training objectives, as well as skills-based recruiting objectives required for supporting new architecture

• High-level project plans for implementing security architecture


Page 30: CYBER SECURITY & COMPLIANCE

Bridgepoint recommends creating an ongoing Security Initiatives Program (SIP) that recognizes that the security and compliance work is never complete and needs to adapt as the organization matures and the threat landscape changes.

Bridgepoint can assist with both the tactical and strategic facets of developing a comprehensive security architecture, as well as the creation of implementation timelines to help realize roadmap objectives. Bridgepoint can also help set up a Security Initiatives Program and a Security and Compliance governance structure that allows an organization to adapt effectively.


Page 31: CYBER SECURITY & COMPLIANCE

CONTINUOUS IMPROVEMENT & ADAPTABILITY


Page 32: CYBER SECURITY & COMPLIANCE

Working through a comprehensive framework as proposed by Bridgepoint requires an investment of time, effort, and dedication. To ensure a long-term return on this investment, commitment to ongoing review and improvement is critical. Fortunately, the CSC framework provides a solid foundation on which to build a continuous improvement program. Applying the Deming cycle (Plan-Do-Check-Act, PDCA) to managing cyber security risk over the long term operationalizes the framework and ensures it continues to evolve and adapt to protect the organization from cyber security risk.

Page 33: CYBER SECURITY & COMPLIANCE

PLAN

The roadmap provides the goals, objectives, and processes to deliver the desired organizational results. Since the plan was developed using specific inputs that are subject to change over time, it will change to address evolving conditions.


Page 34: CYBER SECURITY & COMPLIANCE

DO

Implementing the projects that were identified as part of the roadmap is critical. This requires project management methods and disciplines as well as a larger “program” perspective to ensure progress towards strategic goals is maintained. Diligence in collecting metrics and measuring the expected results of projects is critical for validating assumptions and providing input for the next step.


Page 35: CYBER SECURITY & COMPLIANCE

CHECK

Critical analysis of data that compares actual to expected results is the heart of this activity. This is where the quality of the tools and measurement criteria will help evaluate any deviation from the roadmap. Detours and adjustments are expected and necessary to maintain progress. Unforeseen circumstances may even require adjustment of strategic goals, but all actions must be deliberate and well planned.


Page 36: CYBER SECURITY & COMPLIANCE

ACT

Adjustments in the program depend on the results measured during roadmap implementation. Invariably adjustments will need to be made to accommodate unforeseen circumstances and new opportunities. Establishing a new baseline that reflects the changes implemented thus far is required for proper planning and evaluating future progress. This naturally leads back to the Plan phase, which illustrates the iterative nature of this method. The frequency at which an organization completes a process cycle varies. However, a common practice is to complete a cycle annually or on completion of a significant project to capture new data and reset baselines.


Page 37: CYBER SECURITY & COMPLIANCE

SUMMARY


Page 38: CYBER SECURITY & COMPLIANCE

In today’s technology-dependent world, cyber-attacks are no longer a matter of if but when. The above framework is designed to help you create an integrated security methodology that effectively mitigates continuously advancing security threats. By leveraging Bridgepoint Consulting’s best practices, your organization can help ensure comprehensive regulatory compliance and data privacy. Implementing the above framework does come with its complications. If you or your organization has questions about your specific situation, we encourage you to start the conversation with us and request a consultation. Take the proactive step to help safeguard your organization today.


Page 39: CYBER SECURITY & COMPLIANCE

ABOUT US

BRIDGEPOINT CONSULTING, AN ADDISON GROUP COMPANY, IS A LEADING MANAGEMENT CONSULTING FIRM THAT HELPS COMPANIES THROUGHOUT THEIR BUSINESS LIFECYCLE.

WWW.BRIDGEPOINTCONSULTING.COM

Page 40: CYBER SECURITY & COMPLIANCE

HOW WE’RE DIFFERENT

WE OFFER A BROAD RANGE OF FINANCE, TECHNOLOGY, AND RISK/COMPLIANCE SERVICES TO SUPPORT CLIENTS FROM THE STARTUP PHASE ALL THE WAY TO IPO READINESS AND BEYOND. SINCE 1999, WE’VE BEEN HELPING EXECUTIVES AND MANAGEMENT TEAMS REDUCE THEIR BUSINESS AND OPERATIONAL RISKS, BRIDGE RESOURCE GAPS, AND IMPROVE OVERALL PERFORMANCE. WHETHER AN ORGANIZATION NEEDS INTERIM EXPERTISE TO IMPROVE INFRASTRUCTURE AND PROCESSES, OR STRATEGIC MANAGEMENT OF A SIGNIFICANT TRANSITION OR TRANSACTION, OUR TEAM OF QUALIFIED PROFESSIONALS CAN HELP.