IT Operational Process

Risk Management Process

Vulnerability Management and Incident Response Process

Auditing and Deficiency Tracking Process

Involves delivering IT services, both on a continuous basis and on an as-requested bases

Is most often associated with operations

Involves performing relatively minor tasks and “tweaks” to improve the efficiency and effectiveness of IT operations

Can be a fine line between optimization and engineering changes

Usually involves changes that improve efficiency or performance without changing (1) service delivered, (2) software installation, or (3) addition or removal of servers or computers

Involves solving problems with IT environment where a deficiency occurs that must be resolved to restore normal operations

May affect a single user or it may affect an entire system or service

IT operations captures incidents and tracks them through resolution

Responds to IT infrastructure problems

Addresses software bugs that impact operations and requires vendor support

IT operations identifies IT environment problems such as (1) system does not perform as designed or (2) flaws are identified in design that require redesign or re-engineering to correct them

Are relatively minor changes to IT environment to improve service quality, reduce cost, or enable new services

Are different from projects because they are generally performed within operations and maintenance budgets vs. a dedicated budget or formal schedule

Are low-cost efforts not requiring significant management oversight

Are major changes to IT environment to deliver new services, retire legacy services, deploy new technologies, or make major upgrades to existing capabilities or services

Are distinct from enhancements because they have dedicated budgets, schedules, and management oversight to ensure they are successful

containment (security scopes) for subsequent protection; and

mitigation (security controls) to reduce risk likelihood and impact.

Vulnerability Management (left-side track of graphic)

Incident Response (right-side track of graphic)

Security Operations usually initiates process.

Security team ensures

Includes the following high-level steps:

Performed by IT security against enterprise IT systems to identify vulnerabilities (missing patches, configuration failures)

Performed on as many IT systems as possible by using automated tools

Scanning priority given to production and public-facing systems connected to the Internet

Produce a list of vulnerabilities and remediation recommendations

Performed by IT operations

Involves following guidance from the vulnerability scans to remediate as much vulnerability as possible

Timely fixes occasionally hindered by compatibility issues, service level agreements, or other business

Can involve non-trivial system changes that are passed to engineering

Performed by IT engineering when remediation requires redesign, re-engineering, or other engineering capabilities

IT security tracks vulnerabilities that require engineering actions until

The right-side track of the graphic represents the incident response process, which is initiated by IT security.

Incident response is passed to IT operations and engineering until the situation can be resolved and remediated.

Remediation includes patching and sometimes re-engineering.

Incident response includes the following high-level steps:

Logs enterprise events and makes them available for automated processing and review

Is starting point for the incident process since it is primarily from these events that incidents are identified

Applied to forensic controls and logs to identify incidents from the events

Will have some measure of false positives (control triggers that are false alarms) and false negatives (controls fail to trigger)

Designed to minimize both sets of negatives

Produce a list of incidents to be investigated

Performed by CIRT

Generates IOCs to feed back into the detective controls to identify more computers, accounts, and networks

Provides output that is an assessment of compromise and its impact on enterprise

Performed by IT operations team to contain the incident and restrict it from spreading further

Involves denying the adversary the use of compromised machines, accounts, and networks so they can no longer operate in the enterprise and the actual cleanup can begin

Produces a list of vulnerabilities that were exploited by the attackers and need to be remediated to prevent the same attack from occurring again

Performed by IT engineering to harden the enterprise against future attacks

Can be quite significant

May result in cybersecurity projects lasting months or years after the initial incident is resolved

Security operations loop (left-hand side track of graphic)

Engineering loop (right-hand side track of graphic)

Security Operations Loop includes periodic audits of the IT environment to ensure security controls are present and operating as designed.

Security audits may be internally driven or externally driven.

Likely there may be multiple security audits over the course of a year to satisfy different audit requirements.

Security audits also may also be a part of general security maintenance, independent of regulatory compliance.

Security audits include the following high-level steps:

These standards are inputs to audit for external compliance.

“Internal-use-only” audits use external standards, frameworks, or internal cybersecurity control documentation.

Initiated by security operations to examine the operation of controls

Triggered by schedule (monthly, quarterly, annual), an event, or external requirement

Examines cybersecurity controls to determine their effectiveness

For preventive controls, audit involves testing to ensure behavior that is supposed to be blocked is actually blocked.

For detective and forensic controls, audit involves creating incidents to ensure incidents are detected or sampling logs to search for expected incident detections.

Deficiencies are identified via audit process and formally tracked through resolution.

When identified by external auditors, deficiencies often require explanation or follow-up testing.

Sometimes deficiencies are not really defects or are the result of control operating as designed, but not doing what auditors expect.

Remediation corrects deficiencies so that controls function as designed.

Sometimes audits reveal design deficiencies requiring engineering involvement or non-trivial investment to correct.

Results are obtained from the audit process as required.

With a well-designed control framework, it is possible to conduct a single internal cybersecurity audit that generates results satisfying multiple external compliance requirements, even when external audits use different control frameworks.

IT Operational Process

Risk Management Process

Vulnerability Management and Incident Response Process

Audit and Deficiency Tracking process

Involves tracking privileged administrator activities so such activities can be audited

Will most likely be obtained from supporting information systems, such as enterprise directories and identity/access management systems

This information system tracks organizational accounts and passwords.

It is ideal for this information to be maintained using highly secure vault technology that provides access controls and audit trails; less than ideal is using a spreadsheet to track this information.

These organizational accounts/passwords are the “keys to the kingdom” and should be correspondingly well-protected.

Tracks vulnerabilities identified through vulnerability scans and other automated methods

Tracks vulnerabilities against the associated IT assets

Tracks business decisions associated with what is done for each vulnerability

Plans include contingency plan for a wide range of disaster scenarios to include natural disasters and severe cybersecurity events.

IT staff members need to now where the plans are and when/how to use them.

Track enterprise cybersecurity incidents

Identify the assets involved in the incidents, threats that caused the incidents, vulnerabilities exploited, and containment and mitigation performed to resolve the incidents

Track the risks associated with attack, and help with understanding patterns of threats and vulnerabilities affecting the enterprise

This information system ties into the asset database to keep track of high-level configuration attributes of systems.

CM database and the asset database are essential for identifying IT assets and understanding the business impact of cybersecurity events involving IT assets.

Is most likely to be automated

Keeps track of the IT assets in the enterprise

Tracks vendors, servers, computers, networking equipment, software, and so on

These policies represent enterprise security policies and standards, which are the foundation of risk management.

This information system addresses the fact that “for every rule there is an exception.”

Exceptions to policies and standards need to be tracked so they can be periodically re-evaluated and eventually mitigated.

Otherwise, the enterprise runs the risk of exceptions becoming the rule and policies becoming meaningless.

When new IT systems are placed online, it is important to document their risks.

This information system records the business decision to operate the system.

System owners document and retain the performance, cost, and risk of system operation.

The records should be periodically revisited as standards and threats evolve.

Tracks risks in terms of threats and consequences to confidentiality, integrity, and availability (CIA)

This information system tracks the enterprise’s active security controls and is essential to being able to validate security so it can be audited for compliance.

A challenge is that security control lists cannot be so large that no one can comprehend them.

The goal is to a strike the balance of having a controls list that is sufficiently high level while containing sufficient detail to be auditable.

Tracks security deficiencies identified in the course of security audits through to remediation

Tracks risks associated with deficiencies

Tracks deficiencies against the affected assets and security controls

Has primary operational of ensuring that secure systems administration capabilities are operating to protect systems administration channels from exploitation by attackers who gain access to enterprise networks

Uses a combination of preventive, detective, forensic, and audit controls—all working together through automated and manual processes

Accesses the following information systems: (1) Administrator Audit Trail and (2) Incident Records

Has primary operational objective of preventing, detecting, and documenting illicit activity targeting the enterprise

Achieves objective by using a large number of capabilities to provide preventive, detective, forensic, and audit controls affecting communications among enterprise computers and the Internet

Needs to provide the following high-level capabilities to accomplish primary objective:

Has primary operational objective of preventing, detecting, and documenting illicit activity in enterprise applications

Focuses on the capabilities, limitations, vulnerabilities, and security controls specific to particular enterprise applications, including e-mail, web servers, databases, and custom-built software

Has primary operational objective of preventing, detecting, and documenting attacks and compromises of enterprise computers and computing devices

Focuses on the operating systems and software installed on these systems

Hardens above systems so they are difficult to compromise, detects compromises when they occur, and documents compromises and security control activities so they can be investigated after the fact

Involves keeping the capabilities supporting it operational and maintaining those capabilities according to vendor specifications and best practices

Has primary operational objective of managing identities and accesses within the enterprise throughout their life cycle—from instantiation through retirement

Involves regular re-certification so unused identities and accesses can be de-provisioned in a timely fashion

Frequently uses automation (such as identity management technology and enterprise directories), but not required, especially in smaller organizations

Is successful if it results in an effective role-based access control and “least-privilege” provisioning with minimum amount of unnecessary accounts and accesses lingering and posing a cybersecurity threat

Has primary objective of protecting, detecting, and documenting activities surrounding enterprise data and keys

Is data-focused and includes technologies such as digital rights management, digital watermarking, and pattern recognition

Tracks data flows within the enterprise

Includes cryptographic capabilities: encryption, signature, authentication, key management, password management (since passwords are also keys)

Is successful if it results in effective use of data protection and cryptographic capabilities to protect the enterprise data, detect misuse of that data, and document data and cryptographic activities for investigation and audit as required

Accesses the following information systems: Password and Key Vault

Primary operational objective is to operate the enterprise security detective controls on an ongoing basis.

Many of the major functions required to maintain and operate the security systems fall under this functional area.

Major functions include the following:

Is successful if operation results in effective monitoring and security maintenance on an ongoing basis.

Functional area can include scans for rogue computers and network connections, penetration tests if they are regularly scheduled, and advanced detection capabilities such as honeypots and honeynets.

If an enterprise has a security operations center (SOC), its operation falls under this functional area.

Functional area hosts the following operational processes: (1) Vulnerability Scanning, Tracking, and Management, (2) Patch Management and Deployment, and (3) Security Monitoring.

Functional area accesses the following information systems: (1) Vulnerability Database, (2) Incident Records, (3) Configuration Management Database, and (4) Enterprise Risks.

Has primary operational objective to be able to recover rapidly from operational disruption through redundancy, backups, and physical protection of data, equipment, personnel, and facilities.

Functional area includes not only the IT technologies required to meet service level agreements, but also more dramatic capabilities required to recover from natural and man-made disasters.

Resiliency is the operative term for this functional area:

Capabilities are designed and combined in an integrated fashion so they can be leveraged to support each other through

This functional area provides disaster recovery capabilities that are critical to robust incident response against advanced threats.

This functional area provides physical protection and access to information systems to prevent physical destruction and compromise of information systems.

Successful operation results in the enterprise meeting its service-level agreements on an ongoing basis and having robust capabilities to protect and recover from losses of data, systems, personnel, or facilities.

Functional area hosts the following operational process: All-Hazards Emergency Preparedness Exercises.

Functional area accesses the following information systems: Disaster Recovery Plans.

Has primary operational objective of preparing for and responding to security incidents when they occur

Includes threat analysis to gain intelligence on what types of incidents should be detected and prepared for

Is important for this functional area to have methods for obtaining external assistance and “surge support” when it is required as a fixed staff can quickly be overwhelmed

Is successful if it results in security incidents being quickly identified, investigated, contained, and remediated within the enterprise environment

Accesses the following information systems: (1) Vulnerability Database and (2) Incident Records

Has primary operational objective of tracking the assets, configurations, technologies, and vendors used in the enterprise IT environment throughout the asset life cycle

Includes maintaining information to (1) ensure the secure procurement of IT assets, (2) track the assets throughout their life cycle, and (3) ensure their secure destruction at the end of that life cycle

Is responsible for a number of IT operational databases critical not only to enterprise security, but also to successful enterprise IT operations in general

Is successful if it results in the enterprise being able to track its vendors, technologies, assets, their configuration, and changes through their life cycle

Hosts the following operational process: (1) Asset Inventory and Audit, (2) Change Control, (3) Configuration Management Database Recertification, and (4) Supplier Reviews and Risk Assessments

Accesses the following information systems: (1) Configuration Management Database, (2) Asset Database, (3) Enterprise Risks, and (4) Security Controls

Has primary operational objective of operating the office of the CISO or director of cybersecurity and ensuring the performance of the scheduled and unscheduled cybersecurity activities within the enterprise

Includes

Operates many of the administrative cybersecurity information systems that do not logically fit within one of the other functional areas (such as security awareness)

Is successful if it results in a coherent cybersecurity policy, posture, training, good coordination across other functional areas, and the cybersecurity program representing itself effectively to external auditors, evaluators, and regulatory bodies

Hosts the following operational process: (1) Policies and Policy Exception Management, (2) Project and Change Security Reviews, (3) Risk Management, and (4) Audit and Deficiency Tracking

Accesses the following information systems: (1) Incident Records, (2) Security Policies, (3) Policy Exceptions, (4) Approval to Operate (ATO) Records, (5) Enterprise Risks, (6) Security Controls, and (7) Security Deficiencies