Scott E. Donaldson (1), Stanley G. Siegel (2), Chris K. Williams (3) and Abdul Aslam (3)
(1) Falls Church, Virginia, USA
(2) Potomac, Maryland, USA
(3) San Diego, California, USA
Overview
This chapter examines the enterprise cybersecurity operational processes.
The graphic depicts the 17 major operational processes and 14 major information systems that support cybersecurity operations in the 11 functional areas.
This chapter explains how they all work together to operate an effective cybersecurity program.
Organizationally, security
does not have to be in charge of all cybersecurity operational processes; and
does need to have a role in ensuring processes are present, operating properly, and satisfying enterprise security objectives.
Enterprise security without security operations is unlikely to hold up long against a deliberate attacker, so security operations are critical to achieving successful enterprise cybersecurity.
Topics
Operational Responsibilities
Business (CIO, Customers)
Security (Cybersecurity)
(IT) Strategy/Architecture
(IT) Engineering
(IT) Operations
High-Level IT and Cybersecurity Processes
IT Operational Process
Risk Management Process
Vulnerability Management and Incident Response Process
Auditing and Deficiency Tracking Process
Operational Processes and Information Systems
Cybersecurity Operational Processes
Supporting Information Systems
Functional Area Operational Objectives
Systems Administration
Network Security
Application Security
Endpoint, Server, and Device Security
Identity, Authentication, and Access Management
Data Protection and Cryptography
Monitoring, Vulnerability, and Patch Management
High Availability, Disaster Recovery, and Physical Protection
Incident Response
Asset Management and Supply Chain
Policy, Audit, E-Discovery, and Training
Operational Responsibilities
The graphic shows the various organizations that have security responsibilities and how those responsibilities are allocated across the seven-stage IT life cycle.
Generally, cybersecurity operations involve leveraging processes and technology across departments to maintain the enterprise’s security posture over time.
For example, (IT) operations primarily supports stages 4, 5, and 6; however, it also provides support to and coordinates with the other departments and their corresponding responsibilities.
Business (CIO, Customers)
Provides business oversight in regard to cybersecurity operations
Adjudicates risk decisions and security vs. operational trade-offs that involve tough calls on what level of risk is acceptable—that is, what is best for the business
Security (Cybersecurity)
Generally under the Chief Information Security Officer (CISO)
Provides guidance across all departments
Responsible for ensuring security processes are in place and operating
May either perform cybersecurity processes itself or hold other teams responsible for them
The cybersecurity department often consists of teams such as the following:
Risk Management performs risk analysis and management.
Security Operations Center (SOC) provides for security monitoring and incident identification.
CyberIntrusion Response Team (CIRT) provides for incident response.
CIRT may also stand for “Cybersecurity Incident Response Team.”
Compliance performs reporting for external compliance requirements.
Cybersecurity capabilities or functions frequently reside in the IT teams and are “dotted-line” accountable to the CISO office.
(IT) Strategy/Architecture
Is involved in a number of security operational processes
Ensures system architectures are consistent with the enterprise strategy and overall architecture, including vendor and technology selection
From strategy and architecture perspectives, is responsible for risk management and policy review
(IT) Engineering
Has significant role in security operational processes to design security capabilities and controls that are effective and cost-effective
(IT) Operations
Is responsible for enterprise IT operations and has significant responsibility for security operational processes
However, the cybersecurity department maintains oversight of security operations and ensures security is not compromised for operational expediency
This separation of responsibilities ensures that when there is a conflict between cybersecurity operations and IT operations, the conflict gets escalated to the CIO level so it can be resolved as a business decision
High-Level IT and Cybersecurity Processes
Context
The CISO maintains a number of enterprise operational processes to maintain an effective cybersecurity posture.
The following four high-level IT and cybersecurity processes set the context for this process discussion:
IT Operational Process
Risk Management Process
Vulnerability Management and Incident Response Process
Auditing and Deficiency Tracking Process
IT Operational Process
The graphic depicts the fundamental IT operational process.
Change drivers influence the IT environment via business need, security, strategy, and architecture.
Business needs drive the execution of two “loops” that operate and change the IT environment, namely, the operations and engineering loops.
The IT operational process is at the core of many IT functions, including many of the security functions supporting IT operations and engineering.
Services
Involves delivering IT services, both on a continuous basis and on an as-requested basis
Is most often associated with operations
Optimization
Involves performing relatively minor tasks and “tweaks” to improve the efficiency and effectiveness of IT operations
Can be a fine line between optimization and engineering changes
Usually involves changes that improve efficiency or performance without changing (1) service delivered, (2) software installation, or (3) addition or removal of servers or computers
Incident Resolution
Involves solving problems with IT environment where a deficiency occurs that must be resolved to restore normal operations
May affect a single user or it may affect an entire system or service
IT operations captures incidents and tracks them through resolution
Problem Resolution
Responds to IT infrastructure problems
Addresses software bugs that impact operations and require vendor support
IT operations identifies IT environment problems such as (1) system does not perform as designed or (2) flaws are identified in design that require redesign or re-engineering to correct them
Enhancements
Are relatively minor changes to IT environment to improve service quality, reduce cost, or enable new services
Are different from projects because they are generally performed within operations and maintenance budgets vs. a dedicated budget or formal schedule
Are low-cost efforts not requiring significant management oversight
Projects
Are major changes to IT environment to deliver new services, retire legacy services, deploy new technologies, or make major upgrades to existing capabilities or services
Are distinct from enhancements because they have dedicated budgets, schedules, and management oversight to ensure they are successful
Risk Management Process
Is one of the most fundamental processes of the cybersecurity effort
Requires collaboration among cybersecurity and other departments
Identifies risks to the business, the consequences of those risks, and appropriate risk mitigations
Starts with the business analyzing the potential risks to the IT environment assets in terms of confidentiality, integrity, and availability—What are potential business impacts?
Evaluates identified risks with regard to their likelihood and level of impact
Determines overall risk level for a specific threat (likelihood + impact)
Cybersecurity determines
containment (security scopes) for subsequent protection; and
mitigation (security controls) to reduce risk likelihood and impact.
Vulnerability Management and Incident Response Process
Process is really two processes side-by-side:
Vulnerability Management (left-side track of graphic)
Incident Response (right-side track of graphic)
Vulnerability Management
Security Operations usually initiates process.
Security team ensures
vulnerability management process is performed; and
its quality and quantity are not compromised in the interest of other IT priorities.
Includes the following high-level steps:
Vulnerability Scans
Patching and Correction
Remediation
Vulnerability Scans
Performed by IT security against enterprise IT systems to identify vulnerabilities (missing patches, configuration failures)
Performed on as many IT systems as possible by using automated tools
Scanning priority given to production and public-facing systems connected to the Internet
Produce a list of vulnerabilities and remediation recommendations
Patching/Correction
Performed by IT operations
Involves following guidance from the vulnerability scans to remediate as many vulnerabilities as possible
Timely fixes are occasionally hindered by compatibility issues, service level agreements, or other business priorities
Can involve non-trivial system changes that are passed to engineering
Remediation
Performed by IT engineering when remediation requires redesign, re-engineering, or other engineering capabilities
IT security tracks vulnerabilities that require engineering actions until
they are successfully mitigated;
compensating controls are put in place; and
risk is handled by business leadership.
Incident Response
The right-side track of the graphic represents the incident response process, which is initiated by IT security.
Incident response is passed to IT operations and engineering until the situation can be resolved and remediated.
Remediation includes patching and sometimes re-engineering.
Incident response includes the following high-level steps:
Forensic Controls
Detective Controls and Indicators of Compromise (IOC)
Investigation
Containment
Remediation
Forensic Controls
Logs enterprise events and makes them available for automated processing and review
Is the starting point for the incident process since it is primarily from these events that incidents are identified
Detective Controls and Indicators of Compromise (IOCs)
Applied to forensic controls and logs to identify incidents from the events
Pattern matches
Event cross-correlation
Multivariable analysis
Artificial intelligence
Will have some measure of false positives (control triggers that are false alarms) and false negatives (controls fail to trigger)
Designed to minimize both false positives and false negatives
Produce a list of incidents to be investigated
Investigation
Performed by CIRT
Determines extent of incident
Identifies computers, accounts, and networks
Generates IOCs to feed back into the detective controls to identify more computers, accounts, and networks
Provides output that is an assessment of compromise and its impact on enterprise
Containment
Performed by IT operations team to contain the incident and restrict it from spreading further
Involves denying the adversary the use of compromised machines, accounts, and networks so they can no longer operate in the enterprise and the actual cleanup can begin
Produces a list of vulnerabilities that were exploited by the attackers and need to be remediated to prevent the same attack from occurring again
Remediation
Performed by IT engineering to harden the enterprise against future attacks
Can be quite significant
Strengthening preventive controls
Improving forensic, detective, and audit controls to improve detection, response, and future remediation
May result in cybersecurity projects lasting months or years after the initial incident is resolved
Auditing and Deficiency Tracking Process
Involves two tracks that run somewhat in parallel and are subsets of the overall IT operations loop
Security operations loop (left-hand side track of graphic)
Engineering loop (right-hand side track of graphic)
Security Operations Loop
Security Operations Loop includes periodic audits of the IT environment to ensure security controls are present and operating as designed.
Security audits may be internally driven or externally driven.
Likely there may be multiple security audits over the course of a year to satisfy different audit requirements.
Security audits may also be part of general security maintenance, independent of regulatory compliance.
Security audits include the following high-level steps:
External Compliance Standards
Security Audit
Audit Deficiencies
Deficiency Remediation
External Compliance Audit
External Compliance Standards
These standards are inputs to audit for external compliance.
“Internal-use-only” audits use external standards, frameworks, or internal cybersecurity control documentation.
Security Audit
Initiated by security operations to examine the operation of controls
Triggered by schedule (monthly, quarterly, annual), an event, or external requirement
Examines cybersecurity controls to determine their effectiveness
For preventive controls, audit involves testing to ensure behavior that is supposed to be blocked is actually blocked.
For detective and forensic controls, audit involves creating incidents to ensure incidents are detected or sampling logs to search for expected incident detections.
Audit Deficiencies
Deficiencies are identified via audit process and formally tracked through resolution.
When identified by external auditors, deficiencies often require explanation or follow-up testing.
Sometimes deficiencies are not really defects or are the result of control operating as designed, but not doing what auditors expect.
Deficiency Remediation
Remediation corrects deficiencies so that controls function as designed.
Sometimes audits reveal design deficiencies requiring engineering involvement or non-trivial investment to correct.
External Compliance Audit
Results are obtained from the audit process as required.
With a well-designed control framework, it is possible to conduct a single internal cybersecurity audit that generates results satisfying multiple external compliance requirements, even when external audits use different control frameworks.
Operational Processes and Information Systems
Context
The previous section described four high-level IT and cybersecurity processes:
IT Operational Process
Risk Management Process
Vulnerability Management and Incident Response Process
Auditing and Deficiency Tracking Process
The above four high-level processes can be further decomposed into 17 cybersecurity operational processes, as shown in the graphic.
This section introduces these 17 cybersecurity operational processes that are essential to the proper operation of enterprise cybersecurity.
Appendix B contains a detailed description of the processes.
Operational Processes
Privileged Account Activity Audit
Audit involves manually auditing system administration activities for the most sensitive accounts.
Not all administrative accounts need to be subject to this level of scrutiny.
Accounts that have enterprisewide access and the ability to turn off or bypass security logging should be subject to audit and other controls to detect any attempt at misuse.
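As an added example (not from the book), the following Python script applies the criteria above to a constructed administrator audit trail: it escalates only actions by enterprise-wide accounts that change or clear security logging, alter a privileged group, or log on outside business hours, while ordinary administrator activity stays in the trail unescalated. The log line format, account and host names, group names and the business-hours window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed administrator audit trail. The line format, host and account
# names are assumptions for this example, not a real product's log format:
#   <timestamp> <account> <host> <action> [<target ...>]
AUDIT_TRAIL = """\
2024-03-04T08:12:10Z ent-admin-01 dc01 account_create svc-backup
2024-03-04T08:13:44Z ent-admin-01 dc01 group_add svc-backup Domain_Admins
2024-03-04T08:15:02Z ent-admin-01 dc01 audit_policy_change logon_events=off
2024-03-04T08:15:30Z ent-admin-01 dc01 log_clear security
2024-03-04T09:02:11Z app-admin-07 web03 service_restart httpd
2024-03-04T09:05:00Z app-admin-07 web03 config_change /etc/httpd/httpd.conf
2024-03-04T23:41:19Z ent-admin-02 fs02 logon_interactive
2024-03-04T23:42:05Z ent-admin-02 fs02 log_forwarding_stop
"""

# Accounts with enterprise-wide access: the book's criterion for accounts that
# must be audited. Membership of this set is an assumption for the sample.
ENTERPRISE_WIDE = {"ent-admin-01", "ent-admin-02"}
# Actions that turn off, clear or bypass security logging.
LOGGING_BYPASS = {"audit_policy_change", "log_clear", "log_forwarding_stop"}
# Privileged groups whose membership changes are reviewed.
PRIVILEGED_GROUPS = {"Domain_Admins"}
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
Finding = Tuple[str, str, str]  # (timestamp, host, category)


def parse_trail(trail: str) -> List[dict]:
    """Parse audit-trail lines; malformed lines are skipped, not fatal."""
    events = []
    for line in trail.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, host, action, target = m.groups()
            events.append({"ts": ts, "account": account, "host": host,
                           "action": action, "target": target or ""})
    return events


def classify(event: dict) -> List[str]:
    """Categories an event falls into; an empty list means routine activity."""
    cats = []
    if event["action"] in LOGGING_BYPASS:
        cats.append("logging_bypass")
    if event["action"] == "group_add" and set(event["target"].split()) & PRIVILEGED_GROUPS:
        cats.append("privileged_group_change")
    # Hour is taken from the ISO timestamp (characters 11-12).
    if event["action"] == "logon_interactive" and int(event["ts"][11:13]) not in BUSINESS_HOURS:
        cats.append("after_hours_logon")
    return cats


def audit_findings(trail: str) -> Dict[str, List[Finding]]:
    """Findings per enterprise-wide account for the manual review. Activity
    by other administrators stays in the trail but is not escalated, matching
    the book's point that not every admin account needs this scrutiny."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for ev in parse_trail(trail):
        if ev["account"] not in ENTERPRISE_WIDE:
            continue
        for cat in classify(ev):
            findings[ev["account"]].append((ev["ts"], ev["host"], cat))
    return dict(findings)


if __name__ == "__main__":
    for account, items in audit_findings(AUDIT_TRAIL).items():
        print(account)
        for ts, host, cat in items:
            print(f"  {ts} {host}: {cat}")
```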
Account and Access Periodic Recertification
This process involves managing accounts and accesses throughout their life cycles, from creation through assignment and removal of permissions, periodic recertification, and retirement.
It is important that recertification or a similar method be used to ensure accounts and access that are no longer needed are removed in a timely fashion.
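An added example, not from the book, of how a periodic recertification review can be driven from account records: each account is classed as orphaned (owner gone), dormant, overdue for recertification, or in good standing, so that accounts and access no longer needed surface for removal. The record layout, the recertification intervals, the dormancy threshold and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Recertification intervals and dormancy threshold (assumed values, not from
# the book): privileged access is re-attested more often than user access.
RECERT_INTERVAL = {
    "user": timedelta(days=365),
    "privileged": timedelta(days=90),
    "service": timedelta(days=180),
}
DORMANT_AFTER = timedelta(days=90)
TODAY = date(2024, 6, 30)  # constructed "current date" for the sample run


@dataclass
class AccountRecord:
    name: str
    kind: str                           # "user", "privileged" or "service"
    owner: str                          # person accountable for the account
    owner_active: bool                  # False once the owner has left
    last_recertified: Optional[date]    # None if never recertified
    last_used: Optional[date]           # None if never authenticated


def assess(acct: AccountRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one account: 'deprovision', 'recertify'
    or 'ok'. Orphaned and dormant accounts are removal candidates before any
    recertification question arises."""
    if not acct.owner_active:
        return "deprovision", f"owner {acct.owner} no longer active (orphaned)"
    if acct.last_used is None:
        return "deprovision", "never used"
    idle = today - acct.last_used
    if idle > DORMANT_AFTER:
        return "deprovision", f"dormant for {idle.days} days"
    if acct.last_recertified is None:
        return "recertify", "never recertified"
    limit = RECERT_INTERVAL[acct.kind]
    age = today - acct.last_recertified
    if age > limit:
        return "recertify", f"last recertified {age.days} days ago (limit {limit.days})"
    return "ok", ""


def recertification_queue(records: List[AccountRecord], today: date) -> Dict[str, List[str]]:
    """Group account names by the action the review should take."""
    queue: Dict[str, List[str]] = {"deprovision": [], "recertify": [], "ok": []}
    for acct in records:
        action, _ = assess(acct, today)
        queue[action].append(acct.name)
    return queue


# Constructed sample records (names and dates are made up for this example).
SAMPLE = [
    AccountRecord("alice", "user", "alice", True, date(2023, 9, 1), date(2024, 6, 28)),
    AccountRecord("bob", "privileged", "bob", True, date(2024, 2, 1), date(2024, 6, 29)),
    AccountRecord("carol", "user", "carol", False, date(2024, 5, 1), date(2024, 6, 20)),
    AccountRecord("svc-legacy", "service", "dave", True, None, date(2024, 1, 15)),
    AccountRecord("erin", "user", "erin", True, date(2024, 5, 1), None),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        action, reason = assess(acct, TODAY)
        print(f"{acct.name:12} {action:12} {reason}")
```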
Password and Key Management
This process involves managing enterprise keys throughout their life cycle, from creation through storage, rotation, recertification, and retirement.
Organizational passwords (those used for service accounts and external accounts) should be treated as keys and stored securely throughout their life cycle.
Vulnerability Scanning, Tracking, and Management
This process involves periodically scanning enterprise IT systems for vulnerabilities.
Identified vulnerabilities are tracked until they are patched or otherwise remediated.
Vulnerabilities that cannot be easily mitigated may result in enterprise risks that are tracked long-term.
Patch Management and Deployment
This process involves patching enterprise systems to resolve security vulnerabilities, resolve operational problems, or stay current on vendor product patches.
This process has two main tracks: (1) routine patch deployments and (2) emergency patching to resolve urgent problems.
Emergency patching requires management oversight to adjudicate the risk of patching without adequate testing vs. the security or operational risk of waiting for the normal process.
Security Monitoring
Security Monitoring involves monitoring security systems for alerts related to potential security incidents.
Alerts feed into the incident response process when incidents are identified and confirmed.
There is an important feedback loop where false alerts are identified and alerts are constantly tuned to reduce false alerts.
All-Hazards Emergency Preparedness Exercises
This process involves testing emergency preparedness processes in context of potential hazards, including natural disasters, man-made situations, accidents, and cyberintrusions.
The goal is to establish a robust set of emergency procedures that can be used to handle a variety of situations affecting enterprise information systems, facilities, or people.
Cyberintrusion Response
Involves responding to cyberintrusions when they occur and tracking them through to containment and ultimate remediation.
Asset Inventory and Audit
This process involves inventorying enterprise IT assets to ensure IT properly accounts for all assets.
Assets that are not tracked cannot be secured.
Change Control
Ensures enterprise changes are properly authorized and reviewed prior to implementation
Includes formal approvals to operate new IT systems and tracking enterprise risks associated with vulnerabilities that are not remediated prior to deployment of operational system
May also be able to detect unauthorized changes so they can be investigated
Involves periodically reviewing configuration documentation to identify discrepancies between enterprise system configuration records and actual configurations deployed and operating
Ensures identified discrepancies are properly reviewed and remediated
Supplier Reviews and Risk Assessments
Involve reviewing the IT supply chain to assess cybersecurity risk from a supplier perspective
Ensure mitigations are in place to protect against potentially compromised service providers or products
Policies and Policy Exception Management
Involves maintaining the enterprise cybersecurity policies and standards
Involves tracking and managing exceptions to those policies and standards when they are required
Project and Change Security Reviews
These reviews involve modifying the IT project and change processes to include security reviews and approvals prior to going live.
Process is tricky to get right so security is involved but does not become an obstacle to progress.
Risk Management
Involves identifying risks to the enterprise IT environment and its assets, and then identifying controls to mitigate those risks
Control Management
Involves maintaining the enterprise security controls to ensure they stay relevant over time and effectively utilize available security technologies and capabilities
Auditing and Deficiency Tracking
Involves auditing the IT environment to find cybersecurity controls’ deficiencies and tracking those deficiencies until they can be resolved or remediated
Supporting Information Systems
Context
The graphic lists supporting information systems enabling the cybersecurity operational processes.
Depending upon enterprise needs and its level of complexity and maturity, systems may be simple (spreadsheets, word processing documents, or paper files) or sophisticated (major enterprise applications with supporting databases).
The cybersecurity department is responsible for ensuring these information systems are present and operating within the IT environment.
The remainder of this section provides a brief explanation of each system and its significance to enterprise security.
Administrator Audit Trail
Involves tracking privileged administrator activities so such activities can be audited
Accounts and Permissions
Will most likely be obtained from supporting information systems, such as enterprise directories and identity/access management systems
Password and Key Vault
This information system tracks organizational accounts and passwords.
It is ideal for this information to be maintained using highly secure vault technology that provides access controls and audit trails; less than ideal is using a spreadsheet to track this information.
These organizational accounts/passwords are the “keys to the kingdom” and should be correspondingly well-protected.
Vulnerability Database
Tracks vulnerabilities identified through vulnerability scans and other automated methods
Tracks vulnerabilities against the associated IT assets
Tracks business decisions associated with what is done for each vulnerability
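An added example (not the book's own material) of a vulnerability database that enforces the hand-offs described in the Vulnerability Management process and the Vulnerability Scanning, Tracking, and Management process above: each finding is tracked against its asset, moves from scan result to IT operations to IT engineering, can close only as patched, compensating control in place, or risk accepted by business leadership, and unresolved findings past their deadline are listed with public-facing systems first. Identifiers, SLA days, actor names and the sample findings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The three ways a tracked vulnerability is closed, as the book lists them:
# mitigated (patched), compensating control in place, or risk accepted.
TERMINAL = {"patched", "compensating_control", "risk_accepted"}
# Allowed hand-offs: scan result -> IT operations -> (IT engineering) -> closure.
TRANSITIONS = {
    "open": {"patching"},
    "patching": {"patched", "engineering"},
    "engineering": {"patched", "compensating_control", "risk_accepted"},
}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed
TODAY = date(2024, 6, 30)  # constructed "current date" for the sample run


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str
    severity: str
    discovered: date
    public_facing: bool  # Internet-connected production systems get priority
    state: str = "open"
    decision_by: Optional[str] = None  # who closed it, for the audit trail

    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def advance(self, new_state: str, actor: str) -> None:
        """Move to new_state, enforcing the hand-off order and the rule that
        only business leadership (actor prefixed 'business:') accepts risk."""
        if self.state in TERMINAL:
            raise ValueError(f"{self.vuln_id} already closed as {self.state}")
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.vuln_id}: {self.state} -> {new_state} not allowed")
        if new_state == "risk_accepted" and not actor.startswith("business:"):
            raise ValueError(f"{self.vuln_id}: risk acceptance requires business leadership")
        self.state = new_state
        if new_state in TERMINAL:
            self.decision_by = actor


def attempt(v: Vulnerability, new_state: str, actor: str) -> Optional[str]:
    """Try a transition; return the rejection reason, or None if it succeeded."""
    try:
        v.advance(new_state, actor)
        return None
    except ValueError as exc:
        return str(exc)


class VulnerabilityDatabase:
    """Tracks findings against assets and the decision taken for each one."""

    def __init__(self) -> None:
        self._items: Dict[str, Vulnerability] = {}

    def add(self, v: Vulnerability) -> None:
        self._items[v.vuln_id] = v

    def get(self, vuln_id: str) -> Vulnerability:
        return self._items[vuln_id]

    def overdue(self, today: date) -> List[str]:
        """Unresolved findings past their SLA, public-facing systems first,
        then by how many days overdue."""
        late = [v for v in self._items.values()
                if v.state not in TERMINAL and today > v.due()]
        late.sort(key=lambda v: (not v.public_facing, -(today - v.due()).days))
        return [v.vuln_id for v in late]


def build_sample_db() -> VulnerabilityDatabase:
    """Constructed sample: six scan findings at different points in the process."""
    db = VulnerabilityDatabase()
    for vid, asset, sev, found, public in [
        ("V-1", "web01", "critical", date(2024, 6, 1), True),
        ("V-2", "db02", "high", date(2024, 5, 1), False),
        ("V-3", "legacy03", "medium", date(2024, 2, 1), False),
        ("V-4", "web02", "high", date(2024, 5, 15), True),
        ("V-5", "fs01", "medium", date(2024, 3, 1), False),
        ("V-6", "web03", "low", date(2024, 6, 20), True),
    ]:
        db.add(Vulnerability(vid, asset, sev, found, public))
    db.get("V-1").advance("patching", "itops:ann")          # routine patch
    db.get("V-1").advance("patched", "itops:ann")
    db.get("V-2").advance("patching", "itops:ann")          # needed a redesign
    db.get("V-2").advance("engineering", "itops:ann")
    db.get("V-2").advance("compensating_control", "engineering:raj")
    db.get("V-3").advance("patching", "itops:ann")          # could not be fixed
    db.get("V-3").advance("engineering", "itops:ann")
    db.get("V-3").advance("risk_accepted", "business:cio")  # leadership decision
    db.get("V-4").advance("patching", "itops:ann")          # still in progress
    return db
```

Calling build_sample_db().overdue(TODAY) returns ['V-4', 'V-5'], the public-facing web02 finding ahead of the older fs01 one, and attempt() on a finding in the engineering state with an engineering actor is refused until a 'business:' actor accepts the risk.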
Disaster Recovery Plans
Plans include contingency plans for a wide range of disaster scenarios, including natural disasters and severe cybersecurity events.
IT staff members need to know where the plans are and when/how to use them.
Incident Records
Track enterprise cybersecurity incidents
Identify the assets involved in the incidents, threats that caused the incidents, vulnerabilities exploited, and containment and mitigation performed to resolve the incidents
Track the risks associated with attack, and help with understanding patterns of threats and vulnerabilities affecting the enterprise
Configuration Management (CM) Database
This information system ties into the asset database to keep track of high-level configuration attributes of systems.
CM database and the asset database are essential for identifying IT assets and understanding the business impact of cybersecurity events involving IT assets.
Asset Database
Is most likely to be automated
Keeps track of the IT assets in the enterprise
Tracks vendors, servers, computers, networking equipment, software, and so on
Security Policies
These policies represent enterprise security policies and standards, which are the foundation of risk management.
Policy Exceptions
This information system addresses the fact that “for every rule there is an exception.”
Exceptions to policies and standards need to be tracked so they can be periodically re-evaluated and eventually mitigated.
Otherwise, the enterprise runs the risk of exceptions becoming the rule and policies becoming meaningless.
Approval to Operate (ATO) Records
When new IT systems are placed online, it is important to document their risks.
This information system records the business decision to operate the system.
System owners document and retain the performance, cost, and risk of system operation.
The records should be periodically revisited as standards and threats evolve.
Enterprise Risks
Tracks risks in terms of threats and consequences to confidentiality, integrity, and availability (CIA)
For example, a risk might state, “An attacker steals credit card data and causes financial damages and a regulatory violation.”
Mitigations then center on deploying security controls to reduce the probability or impact of the risk.
Security Controls
This information system tracks the enterprise’s active security controls and is essential to being able to validate security so it can be audited for compliance.
A challenge is that security control lists cannot be so large that no one can comprehend them.
The goal is to strike a balance: a controls list that is sufficiently high level while containing sufficient detail to be auditable.
Security Deficiencies
Tracks security deficiencies identified in the course of security audits through to remediation
Tracks risks associated with deficiencies
Tracks deficiencies against the affected assets and security controls
Functional Area Operational Objectives
Context
This section describes the operational objectives of enterprise cybersecurity, grouped by functional area.
The graphic illustrates how the functional areas, operational processes, and supporting information systems can be unified to achieve successful enterprise cybersecurity operations.
Each functional area’s primary operational objective is to maintain its capabilities to deliver the enterprise’s preventive, detective, forensic, and audit controls.
Most functional areas host one or more operational processes that are supported by one or more supporting information systems.
The rest of this section describes the functional area operational objectives.
Systems Administration
Has the primary operational objective of ensuring that secure systems administration capabilities are operating to protect systems administration channels from exploitation by attackers who gain access to enterprise networks
Uses a combination of preventive, detective, forensic, and audit controls—all working together through automated and manual processes
Hosts the following operational process: Privileged Account Activity Audit
Accesses the following information systems: (1) Administrator Audit Trail and (2) Incident Records
Network Security
Has primary operational objective of preventing, detecting, and documenting illicit activity targeting the enterprise
Achieves objective by using a large number of capabilities to provide preventive, detective, forensic, and audit controls affecting communications among enterprise computers and the Internet
Needs to provide the following high-level capabilities to accomplish primary objective:
A perimeter that connects the enterprise to the Internet while also protecting vulnerable systems inside the enterprise from external exploitation
Segmentation within the enterprise to protect business functions with different security needs from each other and to contain incidents
Inspection of external access to internal systems to identify unauthorized access or malicious network traffic
Support for incident investigation and response so incidents can be quickly analyzed, contained, and remediated when they occur
Application Security
Has primary operational objective of preventing, detecting, and documenting illicit activity in enterprise applications
Focuses on the capabilities, limitations, vulnerabilities, and security controls specific to particular enterprise applications, including e-mail, web servers, databases, and custom-built software
Endpoint, Server, and Device Security
Has primary operational objective of preventing, detecting, and documenting attacks and compromises of enterprise computers and computing devices
Focuses on the operating systems and software installed on these systems
Hardens above systems so they are difficult to compromise, detects compromises when they occur, and documents compromises and security control activities so they can be investigated after the fact
Involves keeping the capabilities supporting it operational and maintaining those capabilities according to vendor specifications and best practices
Identity, Authentication, and Access Management
Has primary operational objective of managing identities and accesses within the enterprise throughout their life cycle—from instantiation through retirement
Involves regular re-certification so unused identities and accesses can be de-provisioned in a timely fashion
Frequently uses automation (such as identity management technology and enterprise directories), although automation is not required, especially in smaller organizations
Is successful if it results in effective role-based access control and “least-privilege” provisioning, with a minimum of unnecessary accounts and accesses lingering and posing a cybersecurity threat
Hosts the following operational process: Account and Access Periodic Recertification
Accesses the following information systems: Accounts and Permissions
Data Protection and Cryptography
Has primary objective of protecting, detecting, and documenting activities surrounding enterprise data and keys
Is data-focused and includes technologies such as digital rights management, digital watermarking, and pattern recognition
Tracks data flows within the enterprise
What data is going where
How data is protected
Includes cryptographic capabilities: encryption, signature, authentication, key management, password management (since passwords are also keys)
Is successful if it results in effective use of data protection and cryptographic capabilities to protect the enterprise data, detect misuse of that data, and document data and cryptographic activities for investigation and audit as required
Hosts the following operational process: Password and Key Management
Accesses the following information systems: Password and Key Vault
Monitoring, Vulnerability, and Patch Management
Primary operational objective is to operate the enterprise security detective controls on an ongoing basis.
Many of the major functions required to maintain and operate the security systems fall under this functional area.
Major functions include the following:
Patch management—maintaining enterprise information systems in a secure state
Vulnerability management—detecting and remediating vulnerabilities when they occur
Security monitoring—monitoring the environment on an ongoing basis to detect intrusions when they occur
Is successful if operation results in effective monitoring and security maintenance on an ongoing basis.
Functional area can include scans for rogue computers and network connections, penetration tests if they are regularly scheduled, and advanced detection capabilities such as honeypots and honeynets.
If an enterprise has a security operations center (SOC), its operation falls under this functional area.
Functional area hosts the following operational processes: (1) Vulnerability Scanning, Tracking, and Management, (2) Patch Management and Deployment, and (3) Security Monitoring.
Functional area accesses the following information systems: (1) Vulnerability Database, (2) Incident Records, (3) Configuration Management Database, and (4) Enterprise Risks.
High Availability, Disaster Recovery, and Physical Protection
Has primary operational objective to be able to recover rapidly from operational disruption through redundancy, backups, and physical protection of data, equipment, personnel, and facilities.
Functional area includes not only the IT technologies required to meet service level agreements, but also more dramatic capabilities required to recover from natural and man-made disasters.
Resiliency is the operative term for this functional area:
Makes business resistant to all types of adversity
Gives enterprise tools and options when things go wrong and failures occur
Capabilities are designed and combined in an integrated fashion so they can be leveraged to support each other through
shared procedures;
shared technologies; and
common training.
This functional area provides disaster recovery capabilities that are critical to robust incident response against advanced threats.
This functional area provides physical protection and access to information systems to prevent physical destruction and compromise of information systems.
Successful operation results in the enterprise meeting its service-level agreements on an ongoing basis and having robust capabilities to protect and recover from losses of data, systems, personnel, or facilities.
Functional area hosts the following operational process: All-Hazards Emergency Preparedness Exercises.
Functional area accesses the following information systems: Disaster Recovery Plans.
Incident Response
Has primary operational objective of preparing for and responding to security incidents when they occur
Includes threat analysis to gain intelligence on what types of incidents should be detected and prepared for
Is important for this functional area to have methods for obtaining external assistance and “surge support” when required, since a fixed staff can quickly be overwhelmed
Is successful if it results in security incidents being quickly identified, investigated, contained, and remediated within the enterprise environment
Hosts the following operational process: Cyberintrusion Response
Accesses the following information systems: (1) Vulnerability Database and (2) Incident Records
Asset Management and Supply Chain
Has primary operational objective of tracking the assets, configurations, technologies, and vendors used in the enterprise IT environment throughout the asset life cycle
Includes maintaining information to (1) ensure the secure procurement of IT assets, (2) track the assets throughout their life cycle, and (3) ensure their secure destruction at the end of that life cycle
Is responsible for a number of IT operational databases critical not only to enterprise security, but also to successful enterprise IT operations in general
Is successful if it results in the enterprise being able to track its vendors, technologies, assets, their configuration, and changes through their life cycle
Hosts the following operational processes: (1) Asset Inventory and Audit, (2) Change Control, (3) Configuration Management Database Recertification, and (4) Supplier Reviews and Risk Assessments
Accesses the following information systems: (1) Configuration Management Database, (2) Asset Database, (3) Enterprise Risks, and (4) Security Controls
Policy, Audit, E-Discovery, and Training
Has primary operational objective of operating the office of the CISO or director of cybersecurity and ensuring the performance of the scheduled and unscheduled cybersecurity activities within the enterprise
Includes
Risk management functions
Development of security policy and architecture
Performance of security screening and training for employees and contractors
Reporting on security status and posture
Audit of security functions
Answering e-discovery requests
External coordination and reporting on cybersecurity status, posture, and compliance
Operates many of the administrative cybersecurity information systems that do not logically fit within one of the other functional areas (such as security awareness)
Is successful if it results in a coherent cybersecurity policy, posture, training, good coordination across other functional areas, and the cybersecurity program representing itself effectively to external auditors, evaluators, and regulatory bodies
Hosts the following operational processes: (1) Policies and Policy Exception Management, (2) Project and Change Security Reviews, (3) Risk Management, and (4) Audit and Deficiency Tracking
Accesses the following information systems: (1) Incident Records, (2) Security Policies, (3) Policy Exceptions, (4) Approval to Operate (ATO) Records, (5) Enterprise Risks, (6) Security Controls, and (7) Security Deficiencies