Question

In: Computer Science


Set up an introduction to a three-level control framework (TLCF) for cybersecurity governance.
Of the nine TLCF building blocks, draft a summary of policies, strategy, organization, risk management, program management, and metrics.
Describe how the TLCF is used to assess the effectiveness of a security program.
Describe a sample process for building out the TLCF to prove a viable security program.

Solutions

Expert Solution

Set up an introduction to a three-level control framework (TLCF) for cybersecurity governance.

ANS:

To establish effective governance and management processes, managerial controls should be modeled or grouped into easily recognizable blocks. Governance-specific activities are often presented alongside operational practices in the standards, which makes them difficult for senior executives to read. This is why it would be very useful to have a simple model presenting the main areas of management involvement when setting up an information security (IS) management system (ISMS). Such a model could also be useful in facilitating business leaders’ involvement in the change management process, which impacts IS. Having such a model would make it easier to guide discussions with management, review practices in a structured manner, discuss new opportunities, and above all involve everyone, as well as security specialists, who has a role to play in setting up adequate security in an organization.

Three-Level Control Framework

Different terms designate the means that are deployed to protect information confidentiality, availability and integrity: measure, control, protection, countermeasure, and so on. We will use the term control, which, a priori, can be taken as a synonym for all the other terms commonly used. Controls can be classified into different categories; for example:

◾ By nature: regulatory, physical, technical, human

◾ By security domain: information, physical (safety), human

◾ By protected target: information systems, physical premises, human integrity

◾ By characteristics: preventive, corrective, detective

◾ And so on.

When we look at security standards’ recommendations, the immediate question that arises is: how can the various controls be broken down by level of responsibility? Board members cannot be expected to read the standards to identify the controls under their responsibility. So, we need a model that groups controls under different levels of responsibility, enabling the rapid identification of who is responsible for what in the governance process.

What is the main purpose of such a framework?

Such a framework should allow management and security practitioners to ask pertinent questions about governance for IS as a whole, a specific security domain, or during major IS changes. These questions are the following:

1. Do we have a strategy?

2. Have we established our policies?

3. Is our security organization adequate?

4. What are the risks and how are they managed?

5. How is our IS program managed?

6. Is the reporting and oversight system adequate?

7. Which assets (data, applications, etc.) are impacted, and who is responsible for them?

8. Are we in compliance with the legal and regulatory framework?

9. Do we have metrics or key performance indicators (KPIs) to track the adequacy of our protection system?

Of the nine TLCF building blocks, draft a summary of policies, strategy, organization, risk management, program management, and metrics.

ANS:

Breakdown of blocks into levels of control.

Strategic Level

The strategic level encompasses the three main building blocks of the model: Strategy, Policies, and Organization. These are the three areas where senior executives have the greatest responsibility. Changes at the strategic level directly affect processes and controls at the tactical and operational levels. The opposite is also true: significant operational changes cannot be made without referring to the strategic level.

Tactical Level

The tactical level encompasses all the main activities and responsibilities that can be attributed to IS management. Since the implementation of a strategy and policies requires the deployment of various controls within an ISMS, the term tactical seems more appropriate than managerial. The grouping of activities into building blocks at this level makes it possible to highlight the main axes of security executive officers’ activity, either for the entire IS or for a specific domain.

All activities or controls at this level depend on the orientations given at the previous level. Once the strategic orientations have been taken, the security program will be reviewed or adapted according to a systematic approach. We should therefore talk about the repeated or renewable process of establishing and managing a security program. The opposite is also true. If management or the board do not have insight into tactical-level activities (such as risk management, the effectiveness of measures, asset management, compliance, or metrics), they will not be able to make educated decisions about investments, new projects, or the adjustment of controls. Good governance therefore needs a high-performing and transparent tactical level.

Operational Level

The operational level includes all operational security measures, processes, or controls. We often talk about the instantiation or functional realization of a security system. Standards, such as those of the National Institute of Standards and Technology (NIST), present a comprehensive catalog of all controls that can be part of an operational system. Controls at this level have been put in place to protect the company’s assets in accordance with the strategy and internal regulatory framework and within a specific security organization (strategic level). Their main objective is to mitigate risks within the framework of an IS program; their effectiveness is measured; they are the subject of reporting and oversight; and they protect the assets in accordance with the legal and regulatory framework (tactical level). Operational controls should not be deployed in a disorganized manner by adding successive layers of highly innovative technical solutions. Company needs must be met at the best cost/performance ratio within the framework of an IS program and established plans. Any operational measure or control must meet the following requirements:

◾ It is justified by the presence of a risk to which it responds.

◾ It is the responsibility of a specific person or entity.

◾ It responds to the business strategy or to a need expressed by the business.

◾ It has been tested.

◾ Its effectiveness is measurable.

Strategy

The first block involves setting up a strategy for the entire security system. A specific security domain can also benefit from its own strategy aligned with the overall security strategy. Having a vision for IS makes it easier for a company to choose among the different options available for the IS program and specific operational controls. All the actors should be familiar with the vision and align their efforts with objectives acknowledged as important for the organization. There are no alternatives to this approach. In fact, a security system without a strategy will be built by piling up protective techniques against new threats or ad hoc processes to comply with audit recommendations. This will ultimately have a negative impact on costs, will not be understood by management, and will not be efficient. The security strategy includes the direction the company wants its IS program to take in the near future. It can also be established by major security domains (e.g., cybersecurity strategy, continuity, human resources, etc.). The strategies are entirely the responsibility of the company’s management or its board, but proposals might be given by the security manager or a committee authorized for this purpose. As with any strategy, a security strategy takes the form of a relatively short document that presents two essential elements: the vision or goal to be achieved in a period of a couple of years and initiatives that must be undertaken to achieve it.

The security strategy should explicitly include foreseeable changes in the conduct of business and new technologies, with defined roadmaps if possible. The following elements should be part of the security strategy:

1. The external environment and business context. Recall the context and explain why the security strategy and positioning should be adjusted.

2. Legal and regulatory framework and its impact. Recall the main areas of compliance required and mention adjustment required to new regulations.

3. Changes in threats, vulnerabilities, technologies, and risk appetite. It is important to adopt a posture concerning threats, especially due to the evolution of technologies, business models, and risk appetite. The company can take a position in its strategy in the form of choices such as “no outsourcing of confidential data” or “waiting for the technology to mature,” and so on.

4. Corporate culture. Recall the essential criteria that must drive IS decisions according to the company’s culture and its position vis-à-vis competitors.

5. Requirements for explicit alignment with certain business initiatives or strategies. When a company has to adapt quickly because of new directions in business strategies (such as new services, a new market, mergers or acquisitions, and so on), security must follow and adapt.

Policies

The block called Policies is primarily about the internal regulatory framework. Policies are high-level internal regulatory documents. They translate the strategy into more restrictive terms. This block also deals with documents of the lowest level of the internal regulatory framework, such as guidelines, standards, or procedures. The reasons why an internal regulatory framework is important are obvious. Let us recall some other arguments in favor of IS policies in the current context.

Governance and Management Component

The development of IS policy is a very effective way to put security on the agenda of decision-makers and other stakeholders in the organization. A policy that has been discussed, validated by line managers, and signed by the board of directors proves to be a very useful instrument for governance. All stakeholders are strongly interested in this, because it helps to anchor the IS program closer to their needs:

◾ The board may require periodic reports allowing it to make decisions regarding the evolution of the IS program and investments.

◾ Business unit managers can rely on the policies and guidelines to ensure that security meets their needs.

◾ Security officers will use the policies to strengthen controls and justify investments.

◾ Auditors will be able to rely on the policies to assess the compliance of operations.

◾ Teams responsible for implementing security controls need an internal regulatory framework to guide their activities.

◾ Finally, the policies and guidelines can be used to raise awareness and as a code of conduct for all the employees.

Organization

The term organization will be used to describe all the requirements related to responsibilities and functions in the context of an ISMS. This is not just about the governing body or executive management as specified in ISO 27014, but includes all the security functions, roles, and responsibilities aimed at ensuring the operations of an IS program. Organization requirements must be formulated in the security policy.

EXAMPLE

A formalized incident management process is recommended by all the standards and also by numerous sectoral regulations, in particular in banking, through financial sector control and regulatory bodies in many countries. Almost all these regulations require the board and senior management to ensure that there is an incident management process, that they are informed, and that they inform the regulators in the case of particularly important incidents.

A specific security organization should therefore be put in place to manage incidents, with the following functions:

◾ Central registration and incident dispatching service

◾ Incident owner or responsible for the resolution and follow-up of corrective measures

◾ Committee (if needed) to decide on the sever

Risk Management

Risk mitigation is the raison d’être of any security program. The activities grouped under this block will all be dedicated to the risk management process, including identification, analysis, treatment, and reporting as essential IS governance support. Risk analysis allows the security organization to set priorities based on risk appetite, strategy, and policies. One of the main concerns of security governance must be to ensure the effective management of security risks, in particular their identification, analysis, and treatment. Ignoring risk or its implicit acceptance is one of the main dangers of any IS program. The ultimate responsibility for security risks lies with the board of directors. Operational managers from different business units own the security risks in their operations. As the security operations manager, the CISO is also responsible for risks in their own department (e.g., the effectiveness of controls or failure of security operations). Their role is also to provide support for the identification and management of security risks in the business units. Security risks are part of a company’s operational risks, although they have some characteristics that must be taken into account. For example, quantitative evaluation methods are very often impossible to apply because of the difficulty of observing events within the organization. On the other hand, it is relatively easy for someone accustomed to observing security threat trends to qualify a risk on a simple scale such as small, medium, large. The chapter dedicated to IS risks will show a pragmatic way to analyze them. Security risk assessment and emerging trends are key indicators for steering the IS program. An increasing risk for which mitigation measures are no longer sufficient or are poorly adapted must clearly be addressed as a priority.

Program Management

Program management encompasses all the activities that ensure the effective deployment of security controls as part of an ISMS. Standards such as ISO 27001/2 or NIST (800-53) give a good summary of these controls. According to Control Objectives for Information and Related Technology (CobIT) 5, management activities also applicable to security are defined as “plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.” The main activities of the CISO and their teams consist of implementing and managing security controls. In addition to operational controls (“run” mode), a security program includes initiatives and projects that aim to improve the effectiveness of the controls in place or put in place new ones (“change” mode). To be able to govern well, it is essential to know the controls in place and their usefulness (protection objective) as well as their effectiveness. Management and the governing body must be able to visualize all the controls in the form of a catalog or inventory containing the notions of responsibility and the level of maturity. This catalog is used as one of the main tools in the security program and risk management process and as support for internal and external auditors. Operational measures or controls cannot be deployed without support from security strategy, policies, organization, and risk management and without a security program plan. The companies most successful in optimizing their security resources are those that implement operational controls based on their strategy and risk appetite and follow the policies and guidelines by first protecting data identified as critical or confidential in accordance with the legal and regulatory framework.

Security Metrics

IS governance needs reliable indicators as decision support. Metrics are used in reports; they quantify risks, evaluate trends and control effectiveness, calculate return on investment, and so on. They also make it possible to set thresholds to warn about trends and thus prevent incidents. Nevertheless, measuring security is not easy, due primarily to the absence of measurable events or incidents. We cannot, for example, know exactly how many attempts have been made to break into companies similar to ours, their type, and especially whether they were successful or not. It is also difficult to know whether an intrusion protection system has captured all the attempts or not. There are many other examples like these. On the other hand, purely technical and widely available metrics, such as the number of viruses or attacks prevented or the number of servers configured with the latest updates, do not provide governing bodies with relevant information about the overall performance of the protection system. Basic metrics must generally be compiled or aggregated to convey useful information for management, such as the evolution of the level of protection compared with the evolution of risks, the real return on recent investments in security solutions, the level of improved resilience against cyberattacks, and the effectiveness of the awareness program.

Describe how the TLCF is used to assess the effectiveness of a security program.

ANS:

