Business executives leverage cybersecurity programs to understand
residual risk. That helps them make informed decisions to mitigate
risk to an acceptable level. This session provides guidance to
improve program maturity in stages.



Maturity Level 1. Minimal Compliance

Development of an information security program should begin with a
reputable baseline such as the NIST Cybersecurity Framework.



A framework communicates the minimum controls required to protect
an organization. It is also necessary to include control
requirements from applicable laws, regulations and contractual
obligations. Compliance with external requirements alone is still a
minimalistic approach to designing a program.





Maturity Level 2. Common Controls

Control frameworks provide mid-level guidance and are not intended
to be prescriptive. That is by design. This level of maturity
addresses common security safeguards that are not specified in the
control framework. It is necessary to identify and implement them.
Gap analysis: deploy controls based on proven methodologies such as
the 20 CIS Controls.



- Patching

- Penetration testing

- Web application firewall



Establish a risk-based approach for implementing controls.



Maturity Level 3. Risk Management

It is necessary to tailor controls to the organization and to adapt
to changes in the threat landscape. We discuss 'Threat Landscape and
Controls Analysis' and a Risk Register process.



Maturity Level 4. Strong Risk Management

At this level the organization begins to demonstrate ownership of
the cybersecurity program from an operational risk perspective. When
management communicates low risk tolerance, that is synonymous with
a commitment to strong risk management.



- The cybersecurity program maintains controls specific to line of
business products, services and assets



- An operational risk management function maintains a risk
scenarios inventory and conducts quantitative risk analysis



- Incident response and business continuity exercises are conducted
annually to include senior executives, lines of business leaders,
information technology, legal, public relations and critical
suppliers



A multi-generational plan can be used to improve program maturity.
Strong risk management pays dividends over time with low occurrence
of harsh negative events. When incidents do occur, controls are in
place to limit business impact.