This document discusses building and maintaining a structured cybersecurity program. It begins by outlining some of the challenges organizations face in describing their security programs. It then discusses different frameworks and standards organizations can adopt, noting the challenge of balancing multiple standards. The document advocates adopting a framework like NIST CSF, customizing controls to an organization's needs, defining how controls are implemented, testing controls, and maintaining the program over time. The goal is to have a flexible way to describe a security program to various standards and measure its coverage and effectiveness.
Audit Once, Comply Many, and other lies
1. Audit Once, Comply Many
and other lies in cybersecurity.
@tsudo
Keith S. Crawford | Little Rock Tech Fest 2022 | #LRTF2022
2. Are you a good driver?
I haven’t had any tickets in 5+ years.
I have auto insurance.
I attended driver education.
3. Do you have a good cyber program?
No breaches in 3yrs*
We perform an annual pen test.
I have a SOC report.
4. TABLE OF CONTENTS
How to build and maintain a structured cybersecurity program that inspires confidence
01 THE CHALLENGE
02 SUCCESS THROUGH CLARITY
03 DEATH BY ALPHABET
04 CONTROLS ARE TERRIBLE
05 HOW I LEARNED TO LOVE THE CONTROL
5. ABOUT ME
Cybersecurity GRC specialist, Supervisor of Assurance for
Arkansas Blue Cross and Blue Shield.
For the past decade I’ve helped organizations build sustainable
& practical security programs that auditors love.
I love helping organizations transform & thrive through
cybersecurity and compliance.
• vCISO – Finance & Healthcare
• SOC Specialist
• CISSP, CCSFP, CCSK
• 800-53 fanboy
7. Most orgs struggle to describe their
security program in a manner that
inspires confidence.
8. Disclaimer
The views in this presentation are my own and do not necessarily represent the views of Arkansas Blue Cross
9. Adopt the SU/CR FRAMEWORK
The security unicorns and compliance rainbows framework is fictional. I apologize.
63 International Standards mapped
2 days to deploy, because it is designed to work out-of-the-box
50K SU/CR clients worldwide.
10. The Real Answer.
You must adopt, customize, define, test, and
maintain security controls.
Yes, really.
12. FFIEC CAT
Federal Financial Institutions Examination
Council (FFIEC) developed the Cybersecurity
Assessment Tool (CAT) – Regulators FDIC,
NCUA.
CMMC*
Cybersecurity Maturity Model Certification,
DoD program that applies to Defense
Industrial Base (DIB) contractors. Required
for acquisitions/contracts.
13. CMMC
If it hadn’t been for those darn kids.
DFARS ➡ 800-171 ➡ 800-53
16. We are drowning in standards.
AICPA SOC
HITRUST
NIST CSF
CCM / CAIQ
CIS20
ISO 27001
HIPAA
BSIMM
PCI
PCI SSF
GDPR
CCPA
And whatever set of questions your latest client just sent over.
17. There are some good efforts…
Wasn’t SOC supposed to solve this?
19. A Security Control
The safeguard or countermeasure prescribed for
an organization and/or information system(s) to
protect the confidentiality, integrity, and availability
of information.
In other words, a documented expected outcome.
20. NIST CSF – DE.CM-4
Malicious code is detected.
21. FFIEC - D3.DC.Ev.B.2
Mechanisms (e.g., antivirus alerts, log event alerts) are in
place to alert management to potential attacks.
22. AICPA SOC CC 7.2.ii
Detection policies and procedures are defined and
implemented, and detection tools are implemented on
Infrastructure and software to identify anomalies in the
operation or unusual activity on systems. Procedures may
include (1) a defined governance process for security
event detection and management that includes provision
of resources; (2) use of intelligence sources to identify
newly discovered threats and vulnerabilities; and (3)
logging of unusual system activities.
23. REDACTED
The organization configures malicious code and spam
protection mechanisms to (i) perform periodic scans of the
information system according to organization guidelines;
(ii) perform real-time scans of files from external sources
at endpoints and network entry/exit points as the files are
downloaded, opened, or executed in accordance with
organizational security policy; and, (iii) block malicious
code, quarantine malicious code, or send an alert to the
administrator in response to malicious code detection.
24. 800-53 SI-3
Implement signature based or non-signature based
malicious code protection mechanisms at system entry
and exit points to detect and eradicate malicious code;
Automatically update malicious code protection
mechanisms as new releases are available in accordance
with organizational configuration management policy and
procedures;
25. 800-53 SI-3 continued…
Configure malicious code protection mechanisms to:
• Perform periodic scans of the system [frequency] and real-
time scans of files from external sources at endpoints;
firewalls, as the files are downloaded, opened, or executed
in accordance with organizational policy; and
• Block malicious code OR quarantine malicious code; and
send alert to TEAM in response to malicious code
detection; and
• Address the receipt of false positives during malicious code
detection and eradication and the resulting potential impact
on the availability of the system.
26. Pick your poison
There is NO single set of controls that fits your org or addresses all security/privacy concerns.
Mission must drive adequacy.
28. THE PLAN
ADOPT
CUSTOMIZE
DEFINE
TEST & MAINTAIN
29. Adopt
Start somewhere.
Try NIST CSF or CIS18
If you have more risk/complexity dive into 800-53.
30. Customize
Non-signature based malicious code detection will be deployed on all workstations & servers. It will be updated continuously. Full scans will be performed weekly. Threats will be quarantined and the appropriate parties alerted in a timely manner.
31. Define (1)
The organization has deployed XYZ EDR to all
Windows workstations and servers. The EDR is
centrally managed via a cloud management
console. Detection and version updates are
deployed automatically.
32. Define (2)
The following scans are configured for all workstations:
• Periodic scans – weekly
• Active file scans upon download or execution
33. Define (3)
The EDR is configured to alert the SOC via an API
integration with SIEM platform. The alert
thresholds are configured to Sev1 for threats that
fail quarantine and Sev2 for quarantined threats.
False positives are reviewed on a weekly basis via
the console/report.
34. TEST & MAINTAIN
Narrow each control statement down by ownership.
For each promise, how would you prove it?
35. Define (1)
The organization has deployed XYZ EDR to all
Windows workstations and servers. The EDR is
centrally managed via a cloud management
console. Detection and version updates are
deployed automatically.
36. Ownership
The organization has deployed EDR to all
Windows workstations and servers. – (Base
Image, GPO, Desktop Team)
The EDR is centrally managed via a cloud
management console. Detection and version
updates are deployed automatically. – (EDR,
MSP, SecEng)
37. Testing
The organization has deployed EDR to all
Windows workstations and servers. –
(Detective Control, population report)
The EDR is centrally managed via a cloud
management console. Detection and version
updates are deployed automatically. – (same)
38. MAINTAIN
Maintain Mapping
Bake controls into change management!!!!!!
Watch for guidance changes.
39. All this work gets you…
The flexibility to describe your program to a variety
of standards.
The ability to measure
• coverage (do we have the right controls)
• confidence (are the controls effective)
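The adopt/customize/define/test loop as a small working model, added here as an example and not part of the talk: the customized malicious-code control is split into the two promises from the Ownership and Testing slides, each with an owner and an evidence check, and mapped to the framework items quoted on the earlier slides so coverage and confidence can be computed. The host inventory, agent versions, and the control id ORG-MC-1 are constructed; the framework ids are used as labels as they appear on the slides, not as a verified crosswalk.

```python
from dataclasses import dataclass
from typing import Callable
# Constructed sample data (not from the deck): asset inventory, EDR agents.
INVENTORY = {"ws-001": "Windows", "ws-002": "Windows", "srv-01": "Windows",
             "srv-02": "Windows", "nix-01": "Linux"}
EDR_AGENTS = {"ws-001": "5.2", "ws-002": "5.2", "srv-01": "5.2"}  # host -> version
CURRENT_RELEASE = "5.2"

def prove_edr_population():
    """Promise 1: EDR is deployed to all Windows workstations and servers.
    Proven the auditor's way: reconcile the inventory population against
    what the console actually has enrolled (the 'population report')."""
    population = {h for h, os in INVENTORY.items() if os == "Windows"}
    missing = sorted(population - set(EDR_AGENTS))
    return {"population": len(population), "missing": missing, "passed": not missing}

def prove_edr_updates():
    """Promise 2: updates deploy automatically; evidence is every agent current."""
    stale = sorted(h for h, v in EDR_AGENTS.items() if v != CURRENT_RELEASE)
    return {"stale": stale, "passed": not stale}

@dataclass
class Promise:
    text: str
    owner: str                 # who answers for it (Ownership slide)
    prove: Callable[[], dict]  # how it is proven (Testing slide)

@dataclass
class Control:
    cid: str
    promises: list
    mappings: dict             # framework name -> its control ids

# The deck's customized control, split into promises and mapped to frameworks.
MAL_CODE = Control("ORG-MC-1", [
    Promise("EDR deployed to all Windows workstations and servers",
            "Desktop Team", prove_edr_population),
    Promise("Detection and version updates deployed automatically",
            "SecEng", prove_edr_updates)],
    {"NIST CSF": ["DE.CM-4"], "FFIEC CAT": ["D3.DC.Ev.B.2"],
     "AICPA SOC": ["CC7.2"], "NIST 800-53": ["SI-3"]})

def coverage(controls, framework, required):
    """Coverage: share of a framework's required items that some control maps to."""
    mapped = {m for c in controls for m in c.mappings.get(framework, [])}
    return len(mapped & set(required)) / len(required)

def confidence(control):
    """Confidence: share of the control's promises whose evidence check passed."""
    results = [p.prove()["passed"] for p in control.promises]
    return sum(results) / len(results)
```

With the constructed data, srv-02 is in the Windows population but not enrolled, so the first promise fails and confidence for the control is 0.5 even though every framework mapping is in place.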
To clients, prospects, the board, and themselves.
Supply chain risks have significantly increased the need to demonstrate cybersecurity posture via a variety of frameworks, standards, audits, questionnaires, and attestations.
Question: How can you manage a program that can withstand heightened scrutiny while providing you a basis of confidence?
Security Unicorns and Compliance Rainbows.
Cloud Security Alliance – Open standards, gaining traction with financial industry. First to market with portal.
HITRUST – comprehensive, maintain audit quality,