Shared Cybersecurity Responsibility Maps
Combining SIPOC + RACI Provides End‐to‐End Visualization of Roles, Responsibilities, Expectations, and Dependencies
Many Aspects of Cybersecurity are Beyond the Domain of IT Departments
Cybersecurity Responsibilities are Shared Among Multiple Departments, Stakeholders, and Business Partners
Finance and Risk Management (NIST CSF ID.RA)
• Ensures the organization understands the cybersecurity risk to mission, functions, reputation, organizational assets, individuals, and business partners
Human Resources (NIST CSF PR.AT)
• Responsible for training personnel to perform information security related duties and responsibilities consistent with policies, procedures, and agreements
Legal (NIST CSF ID.GV‐3)
• Ensures the organization understands and manages legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
Business Process Owners (NIST CSF PR.IP)
• Ensures security policies, processes, and procedures are maintained and used to manage protection of information systems and assets
Shared Responsibility Maps Provide End‐to‐End Visualization of These Roles, Responsibilities, Expectancies, and Dependencies
Responsibilities and Expectations External to Cybersecurity Processes and Activities
• All Cybersecurity Processes and Activities Receive Inputs
• All Cybersecurity Processes and Activities Create Outputs
• Someone or Something (Could be a Process, Department, or External Entity) Is Responsible for Providing the Inputs According to Predefined Specifications
• Someone or Something (Could be a Process, Department, or External Entity) Expects to Receive the Outputs According to Predefined Specifications
SIPOC: Defines Responsibilities and Expectancies External to Processes and Activities
Suppliers ‐ Receive the input specifications from the process team and provide the inputs to the process team according to specifications
Inputs ‐ The resources and their specifications defined by the process team
Processes ‐ The steps the process team will execute to create the outputs
Outputs ‐ The deliverables created by the process team that will be delivered to the customer/consumer within predefined specifications
Customers ‐ Expect to receive the outputs/deliverables developed by the process team according to predefined specifications
RACI: Responsible, Accountable, Consult, Inform
Team Responsibilities for Process Execution
Responsible (The Doers) ‐ Those who do the work to achieve the task. There is at least one role with a participation type of Responsible
Accountable (The Buck Stops Here) ‐ The one ultimately answerable for correctness and thoroughness of the completed task
Consult ‐ Those whose opinions are sought, typically subject matter experts. Two‐way communication
Inform ‐ Those kept up to date on progress, with whom there is one‐way communication
Shared Responsibility Mapping Combines SIPOC & RACI
• Defines and Visually Illustrates End‐to‐End Roles, Responsibilities, Expectations, and Dependencies of All Departments, Stakeholders, and Business Partners
• Serves to Penetrate Departmental Silos, Tool Conflicts, and Tribal Knowledge
• Improves Communications and Collaboration
Computer Security Incident Response Plan Process Resource (NIST 800‐61 R2 Base)
Shared Cybersecurity Responsibility Maps can be delivered as stand‐alone documents, integrated into existing plans, or integrated into web frameworks that illustrate cybersecurity processes, activities, and associated resources
Shared CSIRP Responsibility Map of Step 2.1 Monitor and Detection Process
High‐level and detailed views are available within a few clicks
Identifying Factors that Contribute to Unsatisfactory Outcomes
Variation Impacts the Predictability of Effectiveness and Efficiencies
Inputs and Process Activities are Sources of Variation in the Management of the Quality of Deliverables
Shared Responsibility Maps Illustrate Where and How Variation Impacts the Ability to Effectively Manage Cybersecurity
Example of a Factor Contributing to Less Than Desirable Cybersecurity Management
A User Not Properly Trained to Recognize and Report Anomalous Malware Behavior
• Extends the time from initial entry to detection
• Extends dwell time
• Increases the opportunity for the malware to spread laterally in the system
The Solution: Human Resources provides appropriate and continuous user cybersecurity training, testing, and proficiency tracking
Shared Responsibility Maps Illustrate Multistep Activity/Process Dependencies
Activity/Process Start
Activity/Process Step 1
Step 1 Outputs & Customer Become Step 2 Supplier and Inputs
Activity/Process Step 2
Step 2 Outputs & Customer Become Step 3 Supplier and Inputs
Activity/Process Step 3
Activity/Process End
Variation in Earlier Steps Influences Later Dependent Activity and Process Steps
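As an added example (not part of the original slides), a small Python model of a shared responsibility map that enforces the two rules the deck states: the RACI rules above (at least one Responsible, and a single Accountable who is ultimately answerable) and the multistep dependency rule that one step's outputs and customer become the next step's inputs and supplier. The two-step CSIRP sample, its role names and its input/output labels are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Step:
    """One row of a shared responsibility map: SIPOC fields plus a RACI assignment."""
    name: str
    suppliers: set[str]       # who provides the inputs to the process team
    inputs: set[str]          # input specifications defined by the process team
    outputs: set[str]         # deliverables produced to predefined specifications
    customers: set[str]       # who expects to receive the outputs
    raci: dict[str, str] = field(default_factory=dict)  # role -> "R", "A", "C" or "I"

def check_raci(step: Step) -> list[str]:
    """RACI integrity: at least one Responsible and exactly one Accountable per step."""
    issues = []
    codes = list(step.raci.values())
    if codes.count("R") < 1:
        issues.append(f"{step.name}: no Responsible role assigned")
    if codes.count("A") != 1:
        issues.append(f"{step.name}: expected exactly one Accountable, found {codes.count('A')}")
    return issues

def check_chain(steps: list[Step]) -> list[str]:
    """Dependency check: step N's outputs and process must be step N+1's inputs and supplier.
    An input nobody upstream produces is a source of variation the map cannot explain."""
    issues = []
    for prev, nxt in zip(steps, steps[1:]):
        missing = nxt.inputs - prev.outputs
        if missing:
            issues.append(f"{nxt.name}: inputs {sorted(missing)} not produced by {prev.name}")
        if prev.name not in nxt.suppliers:
            issues.append(f"{nxt.name}: {prev.name} is not listed as a supplier")
    return issues

def validate_map(steps: list[Step]) -> list[str]:
    """All findings for a map; an empty list means the map is internally consistent."""
    return check_chain(steps) + [i for s in steps for i in check_raci(s)]

# Constructed sample: two CSIRP steps; the second one is deliberately incomplete.
SAMPLE_STEPS = [
    Step("2.1 Monitor and Detection", {"Human Resources", "SOC tooling"},
         {"trained users", "alerts"}, {"triaged incident report"}, {"2.2 Analysis"},
         {"SOC analyst": "R", "CISO": "A", "Legal": "C", "Finance": "I"}),
    Step("2.2 Analysis", {"2.1 Monitor and Detection"},
         {"triaged incident report", "asset inventory"}, {"incident classification"},
         {"2.3 Containment"}, {"IR lead": "R", "Legal": "C"}),   # no Accountable role
]

if __name__ == "__main__":
    for finding in validate_map(SAMPLE_STEPS):
        print(finding)
```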
In Summary: Shared Cybersecurity Responsibility Maps
• Enable End‐to‐End Definition and Visualization of Responsibilities for All Involved with Cybersecurity
• Clarify Inputs and Outputs, Including Specifications
• Illustrate Where and How Variation Influences Deliverables
Contact
Henry Draughon
Process Delivery Systems
(972) 980‐[email protected]
https://www.processdeliverysystems.com/resources/shared_cybersecurity_responsibility_maps.html