Cyber Security Defense-in-Depth Control Pyramid part 1 explanation

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Management Layers

Operational Layers

For more information contact

Skype; Mark_E_S_Bernard

Twitter; @MESB_TechSecure

LinkedIn; http://ca.linkedin.com/in/markesbernard

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Governance - The top officials , executives held accountable for the outcomes. The direct reports responsible for executing the vision and direction for Cyber Security. Accountability cannot be delegated down the chain of command, however responsibilities and roles for consultation and communications can change. (see slide 3) Security Program – The business plan, strategy, vision, mission, strategic and tactical goals and objectives, the program framework and workflow, the supporting policies, procedures and standards, security operations, monitoring security events, incidents, implementation, maintenance of security program assets, security of supply chains, partners, vendors and suppliers. (see slide 4) Human Resources – the recruitment and selection, induction, orientation, responsibility for employee behaviour, internal investigations, assignment of assets, initialization of request for physical & logical access control, termination. Incident Management – security event monitoring and response to physical and logical security incidents, exists outside Information Technology to maintain an objective – independent opinion during investigations, coordination with general counsel and external parties including law enforcement as required. The incident response team can call upon anyone within the organization to assist. Access Control – Identity and Access Management, responsible for granting and revoking physical and logical security access, one stop shopping for effective resolution of security access requirements. Physical & Environmental – responsibility for maintaining the security parameter and enforcing security policy, security of visitors, escorting visitors, security of vendors & suppliers, security of mechanical engineering maintenance and installation. Information Systems Acquisition, Development and Maintenance – responsible of security within software procurement and decommissioning activities, security within the maintenance of existing systems and new systems, Communications & Operations Management – responsible for security of telecommunications within the enterprise and externally, operations within the operations group, key roles include managers, supervisors, contractors and regular employees administering business systems, hardware, software, servers, desktops, smart phones, laptops, cloud services, etc… Business Continuity & Disaster Recovery - This is the last fall back point, if all else has failed its time to pull up stakes and relocate of rebuilds an existing instance this layer.

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 1 – Governance” inputs and outputs forming the integration of governance ownership, custodianship, accountability, responsibility who needs to be consulted and who needs to be informed with various lines of business and the information security program. This layer of governance requires participation of all stakeholders.

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 1 – Governance” inputs and outputs with Risk Management are crucial to establishing the culture of risk management and to keep threats and vulnerabilities in check. In some cases such as vendor, supplier management and Cloud Computing many risks are ongoing and shared between two or more parties. In these circumstances a Risk Registry is required to empower management by monitoring these risks with the external party on a monthly basis.

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 1 – Governance “and Risk Management – Risk Registry is essential to proactively managing risks and maintain alignment with Enterprise Risk Management program. The key areas to monitor are strategic risk, financial risk operational risk and compliance risk.

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 2 – Security Program” inputs and outputs forming integration with various lines of business with the information security program. i.e. governance, risk management, quality management, compliance management, communications strategy, awareness training, identity and access management, knowledge management, document control and records management, active

monitoring and internal /externals audit.

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 2 – Security Program” with risk management requires the assessment of threats and vulnerabilities followed by quality management activities like corrective action planning for immediate risks and preventive design either to stop the reoccurrence of risks or prevent risks from being realized, essentially eliminating risk trigger points. Control Design is a technique that was based on quality management techniques that we use to identify key control areas, assets and validate control effectiveness, efficiency further leading to assessing the organizations investments in security

safeguards .

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Within “Layer 2 – Security Program” and Risk Management through Control Design allows the manager to initiate corrective actions and/or preventive actions to mitigate or eliminate risk. These CAPA action plans are recorded in the risk treatment plans against the key control asset groups and monitored until successfully completed and the completion needs to be independently validated. Management s decisions are also recorded along with the risk rating and value of the control in addition to residual risk estimating the level of risk following the successful completing of the risk

treatment plan.