Question

In: Computer Science

The Executive Board approved your Security Program Charter.
Based on your research for Unit 2:
Draft the CISO’s threat and vulnerability control plan.
To set the stage for the document and provide the reader an understanding of its purpose, begin with an introduction that describes a recent major computer security incident.
Explain the various control strategies such as detection and prevention and explain how each will be used.
Provide insight into some of the methods and tools that will be used to address threats and reduce vulnerabilities to PCS information system assets.

Solutions

Expert Solution

In information security, a vulnerability is a weakness that allows an attacker to reduce a system's information assurance. It is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker can use various tools or techniques to reach the system weakness; the set of weaknesses an attacker can reach this way is also known as the attack surface. A threat is a communicated intent to inflict harm or loss on the information system, and it is considered an act of coercion.
Most recent attacks exploit known vulnerabilities for which a patch or mitigating control was available. This makes vulnerability management a strategic component of any advanced threat defense strategy, providing benefits at multiple layers of a defense-in-depth security architecture.
Attacks launched at the beginning of this year against organizations in North America involved a zero-day privilege escalation vulnerability affecting Windows. Researchers found the attackers first compromised the targeted system and achieved remote code execution via malicious documents attached to spear-phishing emails, and then used the CVE-2016-0167 exploit to run their code with SYSTEM privileges.
The Verizon Data Breach Q1 2016 report shows that threat actors exploited an easily identified vulnerability in a payment application, leading to the compromise of customer PII and payment information. Hackers are constantly looking for vulnerabilities they can exploit to gain access to corporate networks and systems, financial data and more.
Organizations acquire capital funds and purchase the latest and greatest threat and vulnerability mitigation technology, investing thousands of dollars; unfortunately, a strategic plan to move forward and maintain the new technology is often overlooked. This results in the new technology providing a false sense of security, as operating budgets do not take into account the time needed to support, maintain and operate it; it becomes ineffective and leaves the platform with open holes. Threat actors have the upper hand when technology is not maintained: they develop ways to circumvent how it works and exploit its weaknesses. Cloud, mobile and IoT require an innovative and different approach to assessing vulnerabilities than traditional Windows and Linux servers and workstations required.
Today, most IT managers try to answer the question "We have found 500 vulnerabilities and can fix 300 of them quickly. So how do we prioritize which to fix first, and which next?" Threat and vulnerability management, as most enterprises practice it, is a tedious and time-consuming manual process, and it requires business context in order to implement the remediation plan. Enterprises need to design a solution that supports vulnerability life cycle management by providing automated workflow, reporting and collaboration capabilities.
At the same time, coordination and planning with business owners is necessary in order to minimize the impact on service availability and downtime. Security engineering teams at times spend a lot of time planning, deploying and testing vulnerability patches in a non-production environment before applying them to production, because businesses do not want any service interruption that would impact revenue.
Threat and vulnerability management is the process of identifying and analyzing security threats and weaknesses, modeling and simulating their potential impact and risk, and thereby planning their remediation. The program could cover:

  • Asset inventory management
  • Vulnerability scanning
  • Vulnerability assessment and analysis
  • Vulnerability remediation and mitigation planning
  • Risk and threat modeling and impact analysis
  • Penetration testing

Threat and vulnerability management program managers need to deliver effective vulnerability management for traditional and emerging technologies in growing, perimeter-less IT environments including mobility, cloud and IoT. To ensure a successful vulnerability management program, security leaders need to verify the effectiveness of their threat and vulnerability management efforts and align these with business context and objectives. Assessing the impact of potential threats to evaluate their risk will become a primary tool in managing the large volume of vulnerabilities that enterprises need to detect and remediate on an ongoing basis in order to prevent cyber attacks and data breaches.
Vulnerability management is critical within any organization to identify, classify, remediate, and mitigate vulnerabilities. Organizations that set up effective vulnerability management programs take a proactive and preemptive approach to the safety of their applications, software and networks and are significantly safer from data breaches and theft.
Technical blind spots certainly present major information security challenges to CISOs and their teams, as the complexities of monitoring encrypted traffic and updating SAP software and other legacy applications can be daunting tasks. But there are other cybersecurity blind spots that involve more amorphous and less technical concepts such as enterprise risks. Several cybersecurity experts and CISOs offered insight into some of the hidden risks and vulnerabilities they've discovered, as well as some of the more persistent and growing threats to enterprise security.
For CISOs now wondering what they might be missing, experts suggest focusing on the fact that the CEO and board of directors will want to know where and how the company is positioned in comparison to leading standards, such as NIST or ISO, and what the company's level of security maturity is. They will also want to see that CISOs have developed a roadmap to address any security gaps uncovered.
In order for the above objectives to be met by the Vulnerability Management Program, a CISO needs to ensure that it meets the following Top 10 requirements:
1. Maintain an Updated IT Assets Inventory and Categorize it by Business Risks
Most companies lack sufficient insight into the number of information assets that are critical to running their business. It is imperative that an organization's IT assets are enrolled into the Vulnerability Management Program. IT assets can include in-house managed assets, third-party assets used for business processes, and assets on the private/public cloud used to conduct business. Business owners, along with their security team, should assign risk to these IT assets depending on the critical areas they support in the business value chain. The risk value can be determined on the basis of business value, sensitive information or the transactions that are supported or handled by the IT asset.
2. Prioritize Security Assessments on the Basis of Risk
Once IT assets have been enrolled and assigned risk values, it becomes easier to prioritize security assessments. Make effective use of automated and manual assessments on your IT assets depending on the risk value assigned to them. For example, for a high risk asset, a more detailed assessment with manual expert security testing can be designated, whereas for a low risk asset, a general vulnerability scan for compliance can be carried out. This type of approach towards security assessments can help while collaborating with business owners to schedule security assessments. Critical assets can undergo continuous assessments on a weekly or monthly basis, whereas others can follow a less periodic schedule of assessments.
3. Engage IT Teams in a Continuous Security Assessment Plan
IT teams need to be sensitized about the need for integrating security assessments into their build-deploy cycles. Once the schedule of assessments is decided, the engaged IT teams have to ensure that all of the necessary assets are ready and configured for assessments. This is a key requirement for the success of a vulnerability management program.
4. Maintain Updated Security Baselines
In order to improve the overall IT security posture, the vulnerability management program should be guided by secure baselines/standards against which assessments should be carried out. These baselines should be created for different asset types and can be further categorized into mandatory, important and optional standards.
5. Map Baselines with Compliance Requirements
Ensure that baselines map to compliance requirements of the business, for example, PCI for payment card data handling. This will help ensure that adhering to security baselines or standards automatically helps in compliance with global standards.
6. Empower IT Teams with Security Training
Once the vulnerabilities have been identified, the IT team needs to mitigate the risks on the IT assets. Training IT teams in secure baselines and secure-coding guidelines goes a long way in ensuring that vulnerabilities are mitigated faster.
7. Adopt a Risk-Based Mitigation Strategy
The derived risk values of the IT assets will help in determining the controls that have to be applied for mitigating the risks on the IT assets. Do you use advanced two-factor authentication systems or complex passwords? This will be determined by the type of asset that has to be protected.
8. Integrate Mitigation Tracking into the VM Program
Maintain a system, such as an MIS system, to track the mitigation of vulnerability classes and asset types. This system can help you determine the progress of mitigations, how classes of vulnerabilities are being mitigated and how soon. Assigning mitigation tasks to specific teams or IT owners and integrating them with bug-tracking systems is also something that proves beneficial to the success of a vulnerability management program.
9. Define, Measure and Review the Metrics for the VM Program
Determine whether the program is on track to assess all the enrolled IT assets. Determine whether your vulnerabilities are being addressed or risks are being mitigated with the progress of time. Measure the time taken to acquire new assets or asset components. Measure the time taken to go live for critical business applications. These metrics would give you better visibility of the security issues affecting your IT assets. Intelligence gained can be used to further fine-tune your vulnerability management program, drive specific trainings, and develop better IT security standards.
10. Centralized Visibility of the Entire Vulnerability Management Program
Finally, all stakeholders of the vulnerability management program should have a unified view of the current status of the vulnerability management program. A centralized dashboard can serve this purpose by providing views of the assessment schedule across all assets, the most critical vulnerabilities that need immediate attention, and the departments with the highest/lowest number of vulnerable assets.

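As an added illustrative example (not part of the original answer), the following Python script shows how requirements 1, 2, 7, 8 and 9 above, and the "500 found, 300 fixable" triage question, fit together in practice: a small asset inventory tagged with business-risk tiers, scan findings scored by CVSS plus asset and threat context, a per-tier remediation SLA, and the program metrics a CISO would review (open, overdue, mean time to remediate, SLA attainment). The asset names, finding labels, tier weights, multipliers, SLA values and dates are all constructed for the demonstration; they are not from the original text, from any real scanner, or real CVEs.

```python
"""Risk-based vulnerability prioritization and program metrics.

Added illustrative example; the inventory, findings, weights and SLAs
below are constructed for the demo and are not from a real scanner.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Requirement 1: asset inventory categorized by business risk (constructed).
ASSETS = {
    "pay-web-01":   {"tier": "critical", "owner": "payments",    "internet_facing": True},
    "erp-app-02":   {"tier": "high",     "owner": "finance",     "internet_facing": False},
    "dev-build-07": {"tier": "low",      "owner": "engineering", "internet_facing": False},
}

# Hypothetical policy values: tier weight for scoring and remediation SLA in days.
TIER_WEIGHT = {"critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    asset: str
    label: str            # constructed identifier, not a real CVE
    cvss: float           # base score as reported by the scanner
    exploit_public: bool  # a public exploit exists (threat context)
    discovered: date
    fixed: Optional[date] = None


def priority_score(f: Finding, assets=ASSETS) -> float:
    """Requirements 2 and 7: combine technical severity with business context.

    A CVSS 9.0 on a low-risk build box should rank below a CVSS 5.3 on an
    internet-facing payment host; the asset tier and exposure drive that.
    """
    a = assets[f.asset]
    score = f.cvss * TIER_WEIGHT[a["tier"]]
    if f.exploit_public:
        score *= 1.5      # weaponized findings jump the queue
    if a["internet_facing"]:
        score *= 1.25     # reachable without first breaching the perimeter
    return round(score, 2)


def due_date(f: Finding, assets=ASSETS) -> date:
    """Requirement 8: every finding gets an SLA-derived due date to track."""
    return f.discovered + timedelta(days=SLA_DAYS[assets[f.asset]["tier"]])


def prioritize(findings, assets=ASSETS):
    """Answer to "which of the 500 do we fix first": highest score first."""
    return sorted(findings, key=lambda f: priority_score(f, assets), reverse=True)


def program_metrics(findings, assets=ASSETS, today: Optional[date] = None) -> dict:
    """Requirement 9: metrics a CISO reviews, all derived from the same data."""
    today = today or date.today()
    open_ = [f for f in findings if f.fixed is None]
    overdue = [f for f in open_ if due_date(f, assets) < today]
    closed = [f for f in findings if f.fixed is not None]
    days_to_fix = [(f.fixed - f.discovered).days for f in closed]
    within_sla = [f for f in closed if f.fixed <= due_date(f, assets)]
    return {
        "open": len(open_),
        "overdue": len(overdue),
        "mttr_days": round(sum(days_to_fix) / len(closed), 1) if closed else 0.0,
        "sla_met_pct": round(100.0 * len(within_sla) / len(closed), 1) if closed else 0.0,
    }


# Constructed scan results as of a fixed "today" so the numbers are reproducible.
TODAY = date(2016, 6, 1)
FINDINGS = [
    Finding("pay-web-01",   "VULN-A", 9.8, True,  date(2016, 5, 20)),
    Finding("pay-web-01",   "VULN-B", 5.3, False, date(2016, 5, 30)),
    Finding("erp-app-02",   "VULN-C", 7.5, True,  date(2016, 4, 1), fixed=date(2016, 4, 20)),
    Finding("dev-build-07", "VULN-D", 9.0, False, date(2016, 2, 1), fixed=date(2016, 5, 20)),
    Finding("dev-build-07", "VULN-E", 4.0, False, date(2016, 5, 25)),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        status = "fixed" if f.fixed else ("OVERDUE" if due_date(f) < TODAY else "open")
        print(f"{priority_score(f):6.2f}  {f.asset:13} {f.label}  cvss={f.cvss}  "
              f"due={due_date(f)}  {status}")
    print(program_metrics(FINDINGS, today=TODAY))
```

The weights, multipliers and SLA days are policy decisions to agree with business owners, not constants to copy; the point of the example is that the ordering and the metrics come from one data set that joins the asset inventory (requirement 1) to the scanner output, so the dashboard in requirement 10 can be generated from it rather than assembled by hand.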

