Maturity

Domain Description:

Establish a functional and effective program that enables the protection of the information technology environment

Capabilities:

Capability Description:

Knowledge management (KM) is the process of identifying, organizing, storing and disseminating information within an organization. When knowledge is not easily accessible within an organization, it can be incredibly costly to a business as valuable time is spent seeking out relevant information versus completing outcome-focused tasks. A knowledge management system (KMS) harnesses the collective knowledge of the organization, leading to better operational efficiencies. These systems are supported by the use of a knowledge base. They are usually critical to successful knowledge management, providing a centralized place to store information and access it readily. Companies with a knowledge management strategy achieve business outcomes more quickly as increased organizational learning and collaboration among team members facilitates faster decision-making across the business. It also streamlines more organizational processes, such as training and on-boarding, leading to reports of higher employee satisfaction and retention.

Selected Value: 1
Selected Value: 1

Capability Description:

Internal coordination is all about establishing a relationship between all the managers, executives, departments, divisions, branches, and employees or workers. These relationships are established with a view to coordinate the activities of the organization. Internal coordination has two groups: Vertical coordination – In vertical coordination, a superior authority coordinates his work with that of his subordinates and vice versa. For example, a sales manager will coordinate his tasks with his sales supervisors. On the other hand, all sales supervisors ensure that they work in sync with the sales manager. Horizontal coordination – In horizontal coordination, employees of the same status establish a relationship between them for better performance. For example, the coordination between department heads, or supervisors, or co-workers, etc. In other words, in internal coordination, an employee either reports vertically to the supervisor and/or the subordinates and horizontally to the colleagues and/or co-workers.

Selected Value: 1
Selected Value: 1

Capability Description:

Resource allocation is the process of assigning and managing assets in a manner that supports an organization’s strategic goals. Resource allocation includes managing tangible assets such as hardware to make the best use of softer assets such as human capital. Resource allocation involves balancing competing needs and priorities and determining the most effective course of action in order to maximize the effective use of limited resources and gain the best return on investment. In practicing resource allocation, organizations must first establish their desired end goal, such as increased revenue, improved productivity or better brand recognition.

Selected Value: 1
Selected Value: 1

Capability Description:

This capability comprises a comprehensive analysis and ongoing review of applicable federal and state laws and regulations, governmental agency policies, and third-party contracts to extract the mandates the organization is required to adhere to. Many of these mandates overlap and some conflict, so a process should be created to consolidate, organize, and deconflict them where possible. The end state is a strategy that guides the design and operation of the system.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Plan and design protections into existing and new projects related to information technology

Capabilities:

Capability Description:

The systems architecture process is where the concepts that will be the backbone of the actual system are developed. It is a conceptual model that describes the structure and behavior of the proposed system or of an existing system. The model could include the technical framework, end user requirements, and a list of system components (hardware and software). The key decisions that need to be made during the systems architecture process are: the attributes of the new system, the style of architecture, the type of software used (custom or off-the-shelf), the types of technologies used, and how the system will be deployed. Systems design is the process of defining the elements of a system (modules, architecture, components, their interfaces, and data) based on the specified requirements; it is the process of defining, developing, and designing systems that satisfy the specific needs and requirements of a business or organization.

Selected Value: 1
Selected Value: 1

Capability Description:

Roles refer to one’s position on a team. Responsibilities refer to the tasks and duties of their particular role or job description. Employees are held accountable for completing several tasks in the workplace. The clearer their supervisor outlines the tasks, the better employees can achieve their team’s goals and succeed in their individual roles at the company. For a supervisor or team leader to effectively delegate, however, they must understand that individual’s role at the company. Along with increasing team efficiency, creating functional roles and responsibilities provides several other benefits that could help your company as a whole. Understanding these benefits will motivate team leaders to implement them in the future if they haven’t already.

Selected Value: 1
Selected Value: 1

Capability Description:

The ongoing process of using service-level agreements (SLAs) to maintain high quality in the provision of services — and to ensure that service-level objectives (SLOs) and performance meet the changing needs of the recipient’s business — through continuous improvement of service activities, functions and processes.

Selected Value: 1
Selected Value: 1

Capability Description:

Security targets derive from security goals, which include different measures to secure data, such as confidentiality, integrity, and authentication; the overall goal is to protect data from security attacks. Since not everything needs protection at the same level, it is critical to classify assets into buckets with assigned controls that define Targets of Evaluation (TOEs). Different TOEs have different security targets, scoped to their unique context of operation.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Establish boundaries, best practices, and thresholds then monitor risks to the information technology environment.

Capabilities:

Capability Description:

Reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events to have an adverse impact on a company's reputation, thereby affecting its revenue. Reputational risk strikes without warning and shifts the corporate landscape; it also injects an unfavorable narrative into search results, which shapes customer opinion and revenue. Reputation risk is largely unpredictable and can even be tied to events that are not the company's fault. Still, the opinions of clients, investors, business partners, and the general public can have a profound impact on a firm's revenue, so it is critical to be aware of the hazards that result in reputational damage to a business.

Selected Value: 1
Selected Value: 1

Capability Description:

A threshold of risk an entity is willing to assume in order to achieve a potential desired result. Tolerance measures the organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives. Note that risk tolerance can be influenced by legal or regulatory requirements. Risk tolerance includes defining the specific implementation for these considerations for handling risk: avoidance, retention, transferal, sharing, and reduction.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

The planning and infrastructure in place to withstand and operate even when adverse events occur.

Capabilities:

Capability Description:

Forward thinking to enhance the availability of organizational systems during a disaster or catastrophic event. Business continuity planning (BCP) is the process of creating a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and able to function quickly in the event of a disaster or cyber-attack. BCPs should be exercised regularly so that weaknesses are identified and corrected before a real event.

Selected Value: 1
Selected Value: 1

Capability Description:

Resilience planning is the effort to document the business-critical processes, through Business Impact Analysis (BIA), necessary to support the organization during Business-As-Usual outages and/or cybersecurity incident outages that may only affect a portion of the business. The Disaster Recovery efforts required to support business resilience efforts will be identified and prioritized. Plans will be created to provide continuity of operations after systems have been restored or when standard office workspace is unusable. This effort will improve organizational resiliency and develop consistency in process execution.

Selected Value: 1
Selected Value: 1

Capability Description:

Infrastructure resilience is best understood through the built environment: vertical structures (buildings) create the need for horizontal structures (roads, utilities, and the like), and all of it exists to support community and commercial activity. An evaluation of infrastructure resilience should therefore consider: Buildings (safety focus), Telecommunications Network (Radio, TV, Telephone, etc.), Electricity Network (including generation & distribution), Water Network (including treatment, storage & distribution), Wastewater Network (including collection, treatment & disposal), Petroleum Fuel & Lubricant Network, Natural Gas Network, Stormwater / Land Drainage Network, Road Network, Rail Network, Ports (Airport, Shipping Port, Inland Freight Ports), Fast Moving Consumer Goods (Food, etc.), and Banking (Access to Cash). Items toward the bottom of the list are often overlooked but are critical to enhancing resilience and speeding recovery.

Selected Value: 1
Selected Value: 1

Capability Description:

A field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of electronic records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records. The term “records” is defined as information created, received and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business. Key concepts for consideration in this domain include: data privacy concerns, lifecycle management, de-identification, tokenization, metadata, provenance, lineage, and chain-of-custody.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Establish clear communication methods and processes between business tiers and external entities.

Capabilities:

Capability Description:

Stakeholders are individuals and organizations that have an interest in or are affected by your evaluation and/or its results. Stakeholders provide a reality check on the appropriateness and feasibility of your evaluation questions, offer insight on and suggest methods to access the target populations, provide ongoing feedback and recommendations, and help make evaluation results actionable. The reports generated for this audience are generally very high-level trend summaries of more detailed datasets and are often presented as charts and graphs rather than words.

Selected Value: 1
Selected Value: 1

Capability Description:

Strategic business leaders bring fresh insight and outlook to every problem. However, strategy involves more than mere ideas. It requires an understanding of organizational mission, knowledge of systems and careful thought. For a strategic leader, strategy and leadership should go hand-in-hand. They must be able to see the big picture and focus on results more than the methods. Strategic Management is focused on a specific area within the overall organization, therefore, reports to this level should be targeted summaries and trend data specific to the relevant security or maturity area of the recipient.

Selected Value: 1
Selected Value: 1

Capability Description:

Tactical leaders focus on the literal tactics, or maneuvers, that are needed to get what needs to be done—done. It’s a relentless daily focus on checking off tasks. They can manage and maneuver through critical incidents and they’re always trying to shift things around so that efficiency is maximized. They also focus on the short-term management of a business, with multiple skip level meetings to get a broad view of the different departments. Reporting to this level includes the detail left out of the strategic and stakeholder reports so that they can properly understand and direct response actions immediately.

Selected Value: 1
Selected Value: 1

Capability Description:

An internal contract is one that’s basically between you and you (i.e., between two entities in your business structure). When using template agreements for internal use in your structure, these agreements will often be simplified. Internal contracts don’t require all the legal protections that are needed when working with outside parties. Put simply: you won’t defraud you. You won’t sue you. So internal agreements and contracts don’t necessarily need to have those kinds of clauses.  This is quite different than external contracts, or contracts with third parties.  These are agreements between your entity and some outside party (a contractor, for instance), so you need to make sure that the contract protects you and your business from all sides. We are no longer in the days of handshake agreements. Although you may operate with that level of integrity, not everyone does.  All this being said, there are still two important things to note for business contracts regardless of whether they’re internal or external.  Your contracts and business dealings, whether internal or external, must be formalized and held at arm’s-length.  This ensures they’re both legally enforceable and hold up under scrutiny if you were sued, protecting your corporate veil.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Conduct periodic assessments of the programs, operational processes, and technical controls

Capabilities:

Capability Description:

A strategic assessment considers the program's risks and impacts over time. It is a progressive way to assess and approve a broad set of actions and developments under one process, suited to complex developments or programs that span many regulated or sensitive areas. There are two key aspects of the relationship between risk and strategy: (1) understanding the organization's strategic risks and the related risk management processes, and (2) understanding how risk is considered and embedded in the organization's strategy setting and performance measurement processes. These two areas not only deserve the attention of boards, but also fit closely with one of the primary responsibilities of the board, risk oversight. A program assessment typically takes the form of assessing maturity in an effort to identify ways to improve the program.

Selected Value: 1
Selected Value: 1

Capability Description:

An Operational Assessment (OA) is an evaluation of operational effectiveness and operational suitability typically made by an independent entity, with user support as required. The focus of an OA is on significant trends noted in development efforts, programmatic voids, risk areas, adequacy of requirements, and the ability of the program to support adequate operational testing. Such assessments target the tactical responses within organizational workflows to identify areas where there are bottlenecks, weaknesses, or areas worth improvement.

Selected Value: 1
Selected Value: 1

Capability Description:

Assess the technical elements within a defined system. Technical elements include: system configurations, patch level, software and firmware versions, system boundary, internal boundaries, access controls, etc. Technical assessments are an essential part of a comprehensive vulnerability management program. Assessments combine automated scans and manual techniques performed by a human, such as penetration testing. The purpose of these assessments is to identify misconfigurations, weaknesses, or other deficiencies that could potentially be exploited and introduce risk to the system, and by extension, expose the organization to a loss.
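The following is an added example, not code from the maturity model itself, showing the kind of automated check a technical assessment runs over collected configuration and patch-level data. The baseline, the two host records, and the package and setting names are constructed for illustration; the version parser assumes plain dotted numeric versions and would need the distribution's own package-version comparison for real inventories (for example, versions carrying distro backport suffixes).

```python
# Added example (not from the page): a minimal configuration and patch-level
# check of the kind an automated technical assessment performs. BASELINE and
# HOSTS are constructed; a real scanner would collect HOSTS from the systems.

def parse_version(s):
    """'1.2.10' -> (1, 2, 10), so '1.2.10' compares greater than '1.2.9'.
    Assumes plain dotted numeric versions; distro suffixes such as
    '3.0.13-1ubuntu2' need the distro's own comparison routine."""
    return tuple(int(p) for p in s.split("."))


# Constructed baseline: minimum acceptable versions and required settings.
BASELINE = {
    "packages": {"openssl": "3.0.13", "openssh-server": "9.6"},
    "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# Constructed host inventory, shaped like what a scanner would collect.
HOSTS = {
    "web-01": {
        "packages": {"openssl": "3.0.13", "openssh-server": "9.6"},
        "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    },
    "db-01": {
        "packages": {"openssl": "3.0.9", "openssh-server": "9.6"},
        "settings": {"PermitRootLogin": "yes"},   # PasswordAuthentication unset
    },
}


def assess_host(name, host, baseline=BASELINE):
    """Return a list of (host, finding_type, detail) tuples; empty means compliant."""
    findings = []
    for pkg, minimum in baseline["packages"].items():
        have = host["packages"].get(pkg)
        if have is None:
            findings.append((name, "missing-package", pkg))
        elif parse_version(have) < parse_version(minimum):
            findings.append((name, "outdated", f"{pkg} {have} < {minimum}"))
    for key, expected in baseline["settings"].items():
        actual = host["settings"].get(key)
        if actual is None:
            # An absent setting falls back to the software default, which is
            # unknown to the assessor, so it is reported rather than passed.
            findings.append((name, "unset", key))
        elif actual != expected:
            findings.append((name, "misconfigured", f"{key}={actual} (want {expected})"))
    return findings


def assess_all(hosts=HOSTS):
    return [f for n, h in hosts.items() for f in assess_host(n, h)]


if __name__ == "__main__":
    for finding in assess_all():
        print(*finding, sep="\t")
```

Automated output like this only identifies candidates; the manual part of the assessment (for instance, confirming an outdated library is actually reachable) is what turns a finding into a risk.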

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Screen, assign, and hold personnel accountable according to the responsibilities and access of their roles (Workforce Management).

Capabilities:

Capability Description:

Provide a method to vet and qualify people for advertised roles that handle sensitive information. Screening consists of tests given to people before they are allowed to work for a company, to make certain they can be trusted, have the right personality for the job, etc. Employee screening may include reference and credit checks, background checks, and physical/drug testing.

Selected Value: 1
Selected Value: 1

Capability Description:

Standardize and coordinate job responsibilities, job descriptions, and assigned access with desired skillsets and experience. This is a collaborative effort across multiple verticals within an organization and may involve automation to make the process efficient.

Selected Value: 1
Selected Value: 1

Capability Description:

Disciplinary procedures prevent and mitigate incidents resulting from employee misbehavior. Defining tolerance and actions to take are key components of constructing the process, as are labor laws and similar regulations that limit what organizations can do.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Provide awareness and training to all personnel, initially and periodically, on all subjects that pertain to an individual's role and responsibility within the organization.

Capabilities:

Capability Description:

Security awareness is a formal process for training and educating employees about IT protection. It involves: Programs to educate employees; Individual responsibility for company security policies; Measures to audit these efforts. Obviously, the first bullet point is the main component of a security awareness program, but it’s just as important that employees are held accountable and steps are taken to gauge the effectiveness of an organization’s security measures. Security awareness can be broken down into four stages: Determining the current status; Developing and crafting a security awareness program; Deploying said program to employees; Measuring the progress made by the program and revising as necessary.

Selected Value: 1
Selected Value: 1

Capability Description:

Ensures that personnel are aware of their job responsibilities and develop their professional skills. Role-based security awareness training is a specialized type of training that is specific to the role that this particular user has with this application or with this data. That’s because each user role is going to have unique security requirements when it comes to these assets. Organizations also want to apply this training when they are working with third parties. If you have contractors, your partners, or suppliers that are accessing these applications, you want to be sure they understand the security implications of doing that.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Reduction of risk and incidents through the operational management of the information technology environment throughout its projected life

Capabilities:

Capability Description:

Allocation of resources to all tactical and operational management capabilities. Resources should be optimally allocated when they are used to produce goods and services that match business needs and wants at the lowest possible cost. Efficiency of spend means fewer resources are expended in producing goods and services, which allows resources to be used for other economic activities, such as further production, savings, and investment. This basically boils down to managing available resources as cheaply and efficiently as possible.

Selected Value: 1
Selected Value: 1

Capability Description:

Methods and processes to validate third-party partners, vendors, products, and consultants against an appropriate standard of due diligence and due care with regard to defined organizational or contractual requirements. These include: a systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, the supplied product and its subcomponents, or the supply chain itself (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal); and the implementation of processes, tools, or techniques to minimize the adverse impact of attacks in which the adversary uses implants or other vulnerabilities inserted prior to installation to exfiltrate data or manipulate information technology hardware, software, operating systems, peripherals (information technology products), or services at any point during the life cycle.

Selected Value: 1
Selected Value: 1

Capability Description:

Structured processes and controls to ensure that each installed service and information system is compliant with security targets. SDLC is a process followed for a software project, within a software organization. It consists of a detailed plan describing how to develop, maintain, replace and alter or enhance specific software. The life cycle defines a methodology for improving the quality of software and the overall development process. Ensuring that the SDLC process includes secure methods is vital for preventing weaknesses from being inadvertently built into software products prior to entering the production environment.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Protections, controls, and processes that reduce the likelihood of an unwanted interruption to system operations from a physical threat or event.

Capabilities:

Capability Description:

This process covers control of access into secure areas containing important repositories or interfaces, and alternate facilities. An alternative to denying access is using a quarantined area with limited access. This capability manages the physical methods of entry to facilities, as well as the management of systems housing access control lists and systems that actually administer the physical access control devices. This capability operationalizes the methods described in the Workforce Management domain and is closely tied to the Environment Architecture and Design capability and the Access Control capability.

Selected Value: 1
Selected Value: 1

Capability Description:

This capability focuses on protection of critical infrastructure from fire, extreme temperatures, extreme humidity, flooding, electromagnetic anomalies, and other physical threats. This capability also incorporates elements of the larger organizational capability of facilities management. Facilities management can be defined as the tools and services that support the functionality, safety, and sustainability of buildings, grounds, infrastructure, and real estate.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Segregate users within the environment according to assigned responsibilities and the need to know.

Capabilities:

Capability Description:

Uniquely identify and provide credentials to all users, processes, and assets that are authorized. Identity management is the organizational and technical processes for first registering identities and credentials in the configuration phase, and then in the operation phase for identifying individuals or groups of people that require access to applications, systems or networks based on job function. Identity management is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user. It also includes the management of descriptive information about the user. In addition to users, managed entities typically include hardware and network resources and even applications.

Selected Value: 1
Selected Value: 1

Capability Description:

Apply the concepts of least privilege and separation of duties through access controls. Access management is the organizational and technical processes for authorizing access rights in the configuration phase, and then in the operation phase for authenticating and controlling individuals or groups of people to have access to applications, systems or networks based on previously authorized access rights. Access management relies on Identity Management to include information that authenticates the identity of a user, and supplies information that describes data and actions they are authorized to access and/or perform. It also includes the management of descriptive information about how and by whom information can be accessed and modified. In addition to users, managed entities typically include hardware and network resources and even applications.
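The two capabilities above, identity management (registering unique identities) and access management (authorizing against previously granted rights, with least privilege and separation of duties), are illustrated by the following added example. It is not code from the maturity model or any product it describes; the roles, permissions, separation-of-duties pairs, and user identifiers are all constructed.

```python
# Added example (not from the page): an identity registry with role-based
# access control, a separation-of-duties (SoD) rule and a least-privilege
# review. Roles, permissions, SoD pairs and user IDs are constructed.
from dataclasses import dataclass, field

# Role -> permissions. Each role carries only what that job function needs.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor":     {"invoice:read", "audit_log:read"},
    "iam_admin":   {"user:create", "user:assign_role"},
}

# Role pairs no single identity may hold at once (constructed SoD matrix):
# whoever enters an invoice must not also be able to approve it.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}


@dataclass
class Identity:
    uid: str                                  # unique identifier issued at registration
    roles: set = field(default_factory=set)
    enabled: bool = True                      # a disabled identity keeps no access at all


class IdentityStore:
    """Registration (identity management) and authorization (access management)."""

    def __init__(self):
        self._by_uid = {}

    def register(self, uid):
        if uid in self._by_uid:
            raise ValueError(f"duplicate identity {uid}")     # identities must be unique
        self._by_uid[uid] = Identity(uid)
        return self._by_uid[uid]

    def disable(self, uid):
        self._by_uid[uid].enabled = False

    def assign_role(self, uid, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        ident = self._by_uid[uid]
        proposed = ident.roles | {role}
        for conflict in SOD_CONFLICTS:
            if conflict <= proposed:              # both halves of a conflicting pair
                raise PermissionError(f"SoD violation: {sorted(conflict)}")
        ident.roles.add(role)

    def permissions(self, uid):
        ident = self._by_uid[uid]
        if not ident.enabled:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in ident.roles))

    def is_authorized(self, uid, permission):
        return permission in self.permissions(uid)

    def unused_permissions(self, uid, observed):
        """Least-privilege review: permissions granted but never exercised in
        the observed period are candidates for removal."""
        return self.permissions(uid) - set(observed)


def demo():
    store = IdentityStore()
    store.register("u100")
    store.assign_role("u100", "ap_clerk")
    store.register("u200")
    store.assign_role("u200", "ap_approver")
    results = {
        "clerk_can_create": store.is_authorized("u100", "invoice:create"),
        "clerk_can_approve": store.is_authorized("u100", "invoice:approve"),
    }
    try:
        store.assign_role("u100", "ap_approver")  # one person could create and approve
        results["sod_blocked"] = False
    except PermissionError:
        results["sod_blocked"] = True
    store.disable("u200")                         # deprovisioned: no residual access
    results["disabled_has_access"] = store.is_authorized("u200", "invoice:approve")
    return results


if __name__ == "__main__":
    print(demo())
```

The SoD check is enforced at assignment time rather than at access time so that a conflicting combination can never exist in the registry; the unused-permissions review is the periodic half of least privilege, since rights that were correct when granted tend to outlive the need for them.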

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Manage information created or held by the organization in accordance with its sensitivity and value.

Capabilities:

Capability Description:

Know what data you possess, where it is, and what is necessary for its protection. The basis for categorization is the idea that, if fewer people know the details of a mission or task, the risk or likelihood that such information will be compromised or fall into the hands of the opposition is decreased. Hence, varying levels of clearance within organizations exist. Yet, even if someone has the highest clearance, certain "classified" information, identified by codewords referring to particular types of secret information, may still be restricted to certain operators, even ones with a lower overall security clearance. Information marked this way is said to be codeword-classified. Data handling is an important concept that ensures the integrity of data, as it addresses important concerns such as security, confidentiality, and the preservation of data.

Selected Value: 1
Selected Value: 1

Capability Description:

Identify and enforce retention requirements based on regulatory and business needs. Limit the liability of, and reduce storage requirements for, stale data. Care needs to be taken to ensure that sensitive data is completely erased from all electronic storage media. For magnetic hard disks, data is removed by overwriting it; NIST SP 800-88 treats a single full overwrite pass as sufficient for modern drives, so additional passes add time without adding assurance. Overwriting is not reliable on flash-based media (SSDs, USB sticks) because wear levelling and spare blocks retain copies the host cannot address; those devices need the manufacturer's sanitize command or cryptographic erase, and media that cannot be sanitized should be physically destroyed. Match the method to the sensitivity of the data, since applying the highest standard to non-sensitive data wastes IT effort. Where back-up media is concerned, it will normally be necessary to destroy the media itself to ensure that it is unreadable. Although some back-up media can be reused, most IT departments do so only a few times, as the media's reliability may diminish with each use. Once it has reached the end of its useful life, back-up media should be destroyed in accordance with the usual policies.

Selected Value: 1
Selected Value: 1

Capability Description:

The administration of backup procedures to protect data against computer system failure or environmental disaster. Data protection management (DPM) makes sure that backups are performed correctly and on time and that adequate storage is available when needed. It also covers privacy, security, and compliance with applicable frameworks, and continuous assessment to ensure that off-site media retains the ability to be useful, including testing recovery capabilities. It further includes efforts to maximize the efficient and effective use of resources to maintain digitized data and achieve cost-saving benefits whenever possible. When digitized information is relocated to less expensive archival storage locations, the infrastructure used to retrieve the information must also be preserved. This is closely tied to the Knowledge Management capability.
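The "testing recovery capabilities" step above has a minimum technical form: record a hash manifest when the backup is taken and verify a test restore against it. The following is an added example, not code from the maturity model; the file names, contents, and the simulated restore (one file intact, one truncated, one lost) are constructed.

```python
# Added example (not from the page): build a SHA-256 manifest for a backup set
# and verify a test restore against it. Files, contents and the simulated
# restore outcome are constructed.
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return (missing, corrupted): paths absent after restore, and paths
    present but whose content no longer matches the manifest."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = os.path.join(restored_root, rel)
        if not os.path.exists(p):
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a three-file backup set restored with one file
    intact, one silently truncated and one never restored."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {
        "db/dump.sql": b"CREATE TABLE t (x INT);\n",
        "etc/app.conf": b"mode=prod\n",
        "keys/kek.bin": os.urandom(32),
    }
    for rel, data in files.items():
        _write(os.path.join(src, rel), data)
    manifest = build_manifest(src)                       # taken at backup time
    _write(os.path.join(dst, "db/dump.sql"), files["db/dump.sql"])   # intact
    _write(os.path.join(dst, "etc/app.conf"), b"mode=")              # truncated
    # keys/kek.bin is never restored
    return verify_restore(manifest, dst)


if __name__ == "__main__":
    missing, corrupted = demo()
    print("missing:", missing, "corrupted:", corrupted)
```

Store the manifest somewhere the backup job cannot write (or sign it), since anyone who can alter a backup can also rewrite a manifest kept beside it; and note that a clean hash comparison proves the bytes came back, not that the application can start from them, which is what a full restore exercise still has to show.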

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Manage information technology assets within the environment for their entire life cycle securely.

Capabilities:

Capability Description:

Ensure all purchases of specific products, providers, and outsourcing providers are the best fit for the needs of the organization and adhere to the information security objectives and metrics. Procurement management is also referred to as the source-to-settle process. It encompasses the evaluation, selection, and creation of formal contractual agreements as well as managing the company’s ongoing supplier relationships. Companies invest in procurement management solutions to streamline and automate the source-to-settle process. Procurement management software plays a major role in managing costs by increasing savings through negotiated buying agreements with suppliers. Expenses are managed by directing purchases to approved suppliers through applications that also enforce buying policies. Source-to-settle solutions also improve procurement efficiencies by streamlining internal processes and reducing risk through more effective supplier management and contracts.

Selected Value: 1
Selected Value: 1

Capability Description:

Assets in the context of information security refer to the physical or virtual hardware, software, and firmware, as well as the information, people, and facilities owned or possessed by the organization. Asset management is a systematic process of developing, operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner (taking into account all costs, risks and performance attributes). Enterprise asset management (EAM) systems are asset information systems that support the management of an organization’s assets. An EAM includes an asset registry (an inventory of assets and their attributes) combined with a computerized maintenance management system (CMMS) and other modules (such as inventory or materials management). Assets that are geographically distributed, interconnected or networked are often also represented through the use of geographic information systems (GIS).

Selected Value: 1
Selected Value: 1

Capability Description:

Change control is the process that management uses to identify, document and authorize changes to an IT environment. It minimizes the likelihood of disruptions, unauthorized alterations and errors. The change control procedures should be designed with the size and complexity of the environment in mind. For example, applications that are complex, maintained by large IT staffs or represent high risks require more formalized and more extensive processes than simple applications maintained by a single IT person. In all cases there should be clear identification of who is responsible for the change control process. The change control process should consider the following elements: change request initiation and control; impact assessment; control and documentation of changes; documentation and procedures; authorized maintenance; testing and user sign-off; testing environment; version control; emergency changes; distribution of software; hardware and system software changes.

Selected Value: 1
Selected Value: 1

Capability Description:

Protect assets from intentional malicious actions. Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface. By removing superfluous programs, accounts, functions, applications, ports, permissions, access, etc., attackers and malware have fewer opportunities to gain a foothold within your IT ecosystem. Systems hardening demands a methodical approach to audit, identify, close, and control potential security vulnerabilities throughout your organization.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Stay current and enhance protections against known exploits.

Capabilities:

Capability Description:

Contain and mitigate known malicious software. Cybercriminals develop malware to infiltrate a computer system discreetly to breach or destroy sensitive data and computer systems. Common types of malware include viruses, ransomware, keyloggers, trojans, worms, spyware, malvertising, scareware, backdoors, and mobile malware. Advanced malware protection uses a unique and integrated combination of methods to prevent and detect known malware, unknown malware, and fileless malware. These methods include machine learning, exploit blocking, behavioral analysis, and blacklisting. This capability manages the operation of these tools and methods.

Selected Value: 1
Selected Value: 1

Capability Description:

Patch management is the process of distributing and applying updates to software and firmware. These patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software. Common areas that need patches include operating systems, applications, and embedded systems (such as network equipment). When a vulnerability is found after the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that assets in your environment are not susceptible to exploitation.

Selected Value: 1
Selected Value: 1

Capability Description:

Gather information about the capabilities of potential and present attackers, while misinforming them about the strengths and weaknesses of the organization. This capability covers the management of threat operations to identify and mitigate any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. The active effort to mislead potential hackers requires the ethical use of a disinformation campaign that leverages the power of social media and the public in general.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Capabilities to record, detect, and alert on abnormalities within the environment.

Capabilities:

Capability Description:

Metrics, monitoring, and alerting are interrelated concepts that together form the basis of a monitoring system. They provide visibility into the health of your systems, help you understand trends in usage or behavior, and help you understand the impact of changes you make. If metrics fall outside of your expected ranges, these systems can send notifications to prompt an operator to take a look, and can then assist in surfacing information to help identify the possible causes.

Selected Value: 1
Selected Value: 1

Capability Description:

User behavior analytics (UBA), sometimes called user and entity behavior analytics (UEBA), is a category of software that helps security teams identify and respond to insider threats that might otherwise be overlooked. Using machine learning and analytics, UBA identifies and follows the behaviors of threat actors as they traverse enterprise environments, running data through a series of algorithms to detect actions that deviate from user norms. Because insider threats are the hardest to catch, and potentially the most damaging, UBA is a valuable tool for detecting suspicious patterns that may indicate credential theft, fraud and other malicious activity.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions

Domain Description:

Provide capabilities to respond and recover from unwanted or malicious events.

Capabilities:

Capability Description:

Incident response is the process of preparing for cybersecurity threats, detecting them as they arise, responding to quell or mitigate them, and planning for the next one. Organizations manage their threat intelligence and mitigation through incident response planning; for large companies that handle sensitive data it is particularly important, but any organization stands to lose money, data, and reputation from cybersecurity threats. Incident response requires assembling a team of people from different departments within an organization, including some in leadership, some in IT, and some in data control/compliance. The response effort must include considerations for privacy and breach notification, as well as testing of the response capability.

Selected Value: 1
Selected Value: 1

Capability Description:

Analyze root causes of incidents and improve the system when necessary. A root cause analysis determines all factors contributing to the incident, allowing an organization to discover the underlying or systemic causes of an incident rather than the generalized or immediate ones. Correcting only an immediate cause may eliminate a symptom of a problem, but not the problem itself.

Selected Value: 1
Selected Value: 1

Capability Description:

Resolution and recovery involve eliminating threats or the root causes of issues and restoring systems to full functioning. Depending on incident type or severity, this may require multiple stages to ensure that incidents don’t recur. For example, if the incident involves a malware infection, you often cannot simply delete the malicious files and continue operations. Instead, you need to build a clean copy of the infected systems, isolate the infected components, and fully replace those systems to ensure that the infection doesn’t spread.

Selected Value: 1
Selected Value: 1

Capability Description:

This capability is often outsourced to a third party, typically at the direction of an organization’s insurance carrier. A forensics team has a different focus during an incident than the response and recovery effort conducted by organizational IT and security personnel. This team works at the direction of legal counsel and has the skills and expertise to handle the information in accordance with the methods necessary to establish a legal case should it become necessary. Disciplines in this capability include chain of custody and evidence gathering.

Selected Value: 1
Selected Value: 1

Maturity Indicator Level 1 Questions

Maturity Indicator Level 2 Questions

Maturity Indicator Level 3 Questions

Maturity Indicator Level 4 Questions

Maturity Indicator Level 5 Questions