Scott E. Donaldson1 , Stanley G. Siegel2, Chris K. Williams3 and Abdul Aslam3
(1)
Falls Church, Virginia, USA
(2)
Potomac, Maryland, USA
(3)
San Diego, California, USA
Overview
This chapter describes
how an enterprise successfully defends itself against cyberattacks;
the challenges in building an effective cyberdefense;
some of the current major approaches to address these challenges;
some of the difficulties with these approaches; and
a different technique for dealing with these challenges.
What makes up an effective enterpris
e cybersecurity program?
Not just about technology
Not just about defenses
Not just about compliance frameworks, checklists, or simply a passing grade on an audit
The graphic depicts a combination of factors required to protect an enterprise.
An effective enterprise cybersecurity program protects the enterprise in a cost-effective manner that balances technology, processes, people, organization, budgets and external compliance requirements, all while supporting the business mission as much as possible.
People, organization, and budgets are the foundation of a successful cybersecurity program.
Everything begins with people because they make the program succeed or fail.
CISO organizes cybersecurity people so individuals and teams clearly understand their responsibilities.
Control Objectives for Information and Related Technology (COBIT)
Information Technology Infrastructure Library (ITIL)
Responsible, Accountable, Consulted, and Informed (RACI)
CISO makes the business case for the cybersecurity budget; if an enterprise does not fund cybersecurity, then it is not important.
Processes and technologies work together, but they can also be opposed to each other.
Deployed processes should account for how technology is going to be (re-)configured.
Processes deployed without technology seldom endure.
Deployed technology should account for how people are going to operate it.
Technology deployed without processes seldom stays working for long.
Compliance requirements are a double-edged sword.
Requirement: There is external validation that security measures are in place and working.
Reality: There is only a loose connection between compliance and security.
Compliance is good, but must not be the only cyberdefense objective.
Topics
Cybersecurity Frameworks
The Cybersecurity Process
Cybersecurity Challenges
The Risk Management Process
Cybersecurity Controls
Cybersecurity Capabilities
Cybersecurity and Enterprise IT
An Enterprise Cybersecurity Architecture
Cybersecurity Frameworks
Representative Frameworks
There are a number of excellent cybersecurity frameworks that
provide a methodology for talking about cybersecurity; and
help ensure important elements of protection and defense are considered for incorporation into an enterprise’s cybersecurity efforts.
Commonalities of Cybersecurity Frameworks
Functional Areas
Frameworks divide the enterprise and its protection into a number of functional areas (also known as domains, families, control areas, and control objectives).
Generally, there are between 10 and 20 functional areas.
Risk Management
Allows enterprise
to identify what protections are needed.
Based on an objective evaluation of its assets, threat
s against those assets, vulnerabilities in the protection of those assets, and risks resulting from the threats being analyzed against vulnerabilities.
Considers risk mitigations, either reducing risk probability or risk severity.
Security Controls
Purpose is to reduce the probability or the severity of a risk.
Some security controls can also serve to detect the exploitation of the risk or to collect forensic data to support later investigations.
Mechanism for Audits, Evaluations, and Validations
Mechanism helps to determine the presence or absence of controls described in the framework.
Sometimes mechanism
is done through documented standards for evaluation.
Sometimes mechanism is done through checklists for auditing.
Many frameworks contain evaluation guidance.
The Cybersecurity Process
Major frameworks contain some method of a cybersecurity process that practitioners can use to implement their organization’s cybersecurity program.
The graphic depicts the National Institute of Standards and Technology (NIST) process
.1
It is one of the more comprehensive documented processes for implementing an enterprise cybersecurity program
.
It is freely available.
Each process step lists corresponding references that provide additional detail and guidance.
Step 1—Categorizes the information systems according to the “potential impact of loss”
Step 2—Selects the security controls for each information system
Step 3—Implements the security controls
and security configurations for enterprise systems
Step 4—Assesses the security controls to ensure controls
Were implemented correctly
Operate as intended
Meet the security objectives and requirements
Step 5—Authorizes the information systems for operation based on
Validation of the security controls
An overall risk assessment
considering the benefits of the system against its potential risks
Step 6—Monitors the security controls to ensure they remain effective over time
CNNS Instruction 1253: Security Categorization and Control Selection for National Security Systems
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
FIPS 200: Minimum Security Requirement for Federal Information Systems
SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
SP 800-160: Systems Security Engineering
SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations
SP 800-37: Guide for the Security Certification and Accreditation of Federal Information
SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
The six-step process is fine for a single computer, but what happens when a single IT system has a hundred computers in it?
How is a single systems administrator, who is trying to get everything set up, going to get all the paperwork done, especially when that person is already over budget and behind schedule on the deployment project?
Often, the security process languishes until management ends up exempting the security process simply to get things operational in time.
The cybersecurity industry needs a streamlined security process that
actually gets implemented, especially for modern, complex IT environments; and
abstracts the security process above the level of single computers and single servers to “systems” and “systems of systems.”
2ndChallenge—Judgment Calls
How does an enterpriseselectwhich controls are appropriate?
How does an enterprise determine what isgood enough?
Many people may agree to
protect IT systems against unknown, but anticipated, attacks; and
anticipate how attackers are going to operate.
However, frameworks give the industry little or no guidance on what to do to achieve protection.
Frameworks provide a “kitchen sink” approach where the smallest and least critical system is required to have the most onerous of security controls applied to it … don’t want to skimp on security.
Often, these controls
are arbitrarily applied and then incompletely implemented.
Produces crucial control protection gaps
Hard to identify, prioritize, and remediate gaps
3rdChallenge—Detective Controls
There is significant
effort describing control measures to prevent attacks from being successful.
There is relatively little effort talking about detecting and responding to attacks when they occur.
Preventive controls
are good, but they will not actually stop a determined attack.
It is like having a good lock on your doors.
A determined attacker will spend about five minutes playing with the lock, and then simply go and break a window.
Greater attention needs
to be paid to what happens after the window has been broken, instead of simply installing all of the different types of locks that can be put on the door.
4thChallenge—Security Operations
Controlmonitoring addresses some security operations aspects.
The primary process focuses on maintaining preventive controls, not monitoring detective controls to catch attacks in real time.
At the time of writing, a few mainstream frameworks focus on security operations to
monitor security controls;
capture events;
detect incidents;
investigate those incidents; and
respond to incidents and repel the attackers.
Recognizing the importance of monitoring and detective controls is a transition that is still “in progress” for major frameworks.
5thChallenge—Unfulfillable Requirements
Security control frameworks
frequently place requirements on products and technologies that simply “cannot be fulfilled.”
Meetings with product vendors often result with hemming and hawing about how the product “can” be placed into a secure configuration, which may result in useful features being disabled.
Cybersecurity personnel then conduct investigations of third-party products to address the gap by enhancing the original product with additional protections, logging, or monitoring features.
Investigation may find third-party products, but solutions may be overkill for the need, excessively complex to maintain, and unaffordable.
Finally, there will be an effort to negotiate the security requirement in order to do the paperwork to pass an audit.
Reality is the control
is not effective as it needs to be.
General Comments
Mainstream security architectures represent an excellent body of work.
The five cybersecurity challenges presented leave room for some new ideas and a more pragmatic approach.
The Risk Management Process
The graphic depicts
a simplified risk management process that can be adapted for specific enterprise needs.
The process involves a systematic analysis to determine
where an enterprise may have compromises;
consequences of those compromises; and
ways to reduce the probability or severity of those compromises.
Assets
Personnel are people in the organization who bring their own knowledge and abilities.
Facilities are the locations where people work, along with their the tools and equipment.
Processes are the procedures whereby the organization operates and the systems it uses to accomplish its goals
.
Information is the proprietary, customer, or business data held by the enterprise.
Allassets
must be protected.
Vulnerabilities
Vulnerabilities
are ways the assets can be compromised.
For example, a facility vulnerability may be where one side of the facility is adjacent to an abandoned building.
For example, a vulnerability for a business process may be that it relies on an extremely unreliable IT system.
IT systems vulnerabilities
can be further characterized in terms of CIA:
Confidentiality protects the secrecy of data.
Integrity protects data from unauthorized changes.
Availability makes IT systems and the data the systems host available to those who need the data when it is needed.
Threats
Threats
are ways in which vulnerabilities can be exploited to cause damage to the asset.
They
can be natural or man-made, accidental or deliberate, random or deterministic.
Considering threats is one of the most creative steps in the process.
Involves a lot of Murphy’s Law thinking (What can possibly go wrong?)
Helpful to think about threats in terms of how they would affect the CIA of the enterprise’s information and information systems
Risks
By combining vulnerabilities with threats, risks can be identified.
Threats against well
-protected areas generally produce a low level of risk.
Threats against not-well-protected areas generally produce a risk that must be considered.
Identifying and evaluating risks is fundamentally a judgment call with challenges.
Underestimating a risk because vulnerability is underestimated
Missing a risk because a particular threat scenario is not considered
As will be discussed, identifying and evaluating risk challenges can be simplified by using security scopes to group risks and handle them in aggregate.
Risk Treatments
Avoid risk by eliminating the vulnerability or the threat.
Mitigate risk by reducing the probability that it will occur or the impact when it does occur.
Share the risk by
introducing a third party—such as an insurance company—that will compensate the enterprise in the event the risk occurs.
Retain risk where the enterprise simply accepts the possibility the risk may occur and deals with consequences when they happen; self-insurance is a good example.
Controls
Can reduce theprobability the risk will occur or make it more difficult for attackers to execute on the risk
Can reduce the impact when the risk does occur, perhaps limiting the amount of damage that occurs
Can detect theoccurrence of the risk happening
Allows for active responses to contain the damage
Helps reduce the potential exposure
Can collect evidence
Shows the operation of security controls
Detects failures of the controls
Supports investigations after an incident has occurred
Vulnerabilities, Threats, and Risks
The graphic depicts the next level of detail of the risk management process.
Note that the CIA factors span vulnerabilities, threats, and risks.
For information assets, the enterprise should consider vulnerabilities, threats, and risks in terms of the CIA factors, rather than considering each one separately.
Confidentiality is the protection of data that should be access-controlled and not widely disseminated.
What vulnerabilities are there?
How can confidentiality be breached?
What would be the resulting data loss?
What threats (accidental or deliberate) could cause data loss?
When combining vulnerabilities and threats, what are the risks regarding confidentiality?
Integrity involves data being consistent from the time it is entered into a system to the time it is later retrieved.
Does not sound very interesting, except when the data being modified is about money or a transaction involving money
Risk analysis surrounding integrity identifies
where integrity is important;
consequences of an integrity violation; and
threats that could result in those consequences
Availability involves information and information systems
being available when needed.
Threats to availability include the following:
Systems being temporarily unavailable, but otherwise unimpaired
Systems being completely destroyed or corrupted beyond recovery
Generally, availability concerns
are driven by business considerations of negative financial impacts vs. availability maintenance and recovery costs
Risk Analysis and Mitigation
Reducing the Probability and/or Impact of an Incident
Once the CIA risks have been identified, risk mitigation can be considered and often gets the most attention of the risk treatments.
Risk analysis is needed before risk mitigation can be implemented.
Risk is characterized in terms of magnitude— high, medium, or low.
Can be broken out into more gradations
Can be broken into a numeric scale
Can be thought of in terms of probability of occurring and the impact if the risk occurs
The simplified risk matrix above shows how the probability and impact of an incident combine to generate an overall risk level.
If probability and impact are both high, then the overall risk level is probably also high.
If the probability and impact are both low, then the overall risk level is probably also low.
If the probability of risk is low, but the impact is high, the overall risk level is most likely medium.
If the probability of risk is high, but the impact is low, the overall risk is most likely medium.
Cybersecurity Controls
Context
Controls help mitigate enterprise confidentiality, integrity, or availability risks.
Reduce risk probability and risk impact
Detect occurrences of incidents involving the risk
Collect evidence to support evaluations and incident investigations related to the risk
This study guide defines a security control as “consisting of security capabilities or audit activities that are applied to an IT system or business process to prevent, detect, or investigate specific activities that are undesirable, and respond to those activities when they occur.”
The graphic shows types of cybersecurity controls.
Preventive Controls: Block the threat and prevent incidents from occurring altogether
Detective Controls: Detect
when the risk has transpired and generate alerts that can then be acted upon
Forensic Controls: Collect records of activities related to the risk; can be used to produce artifacts to support the operation of detective controls, investigations of incidents, and audits of controls to verify their operation and effectiveness
Audit Controls: Investigate for the presence of the risk, incidents associated with the risk, and the operation of controls that mitigate the risk
Traditionally, enterprises have given disproportional consideration to preventive controls—for example, firewalls that block unwanted protocols—at the expense of other controls.
However, modern threats such as Advanced Persistent Threats (APTs) are designed to get around preventive controls and turn the enterprise against itself.
Responding to threats of APT attacks by enacting more and more preventive controls can bring about its own set of problems.
The graphic compares the security control types by showing how each type of control represents a trade-off among multiple factors including cost of deployment, operation, and impact on continuing operations.
Preventive Cybersecurity Controls
Get lots of attention because they block attacks and incidents—preventing successful attacks
Unless configured in conjunction with corresponding detective controls, not generally good at detecting attacks
Can have a high operational impact (costs) because they may also prevent legitimate users from doing their jobs
While generally inexpensive to operate once they are operational, can be expensive to implement because of their complexity
Can be difficult to modify in response to rapidly changing situations
Detective Cybersecurity Controls
Generally get shortchanged, but their importance is trending upward
Unlike preventive controls, cheap to implement and have little operational impact on the enterprise
Can be expensive to operate as alerts have to be investigated
Can be significantly less expensive overall than the lost productivity from aggressive preventive controls
Essentially is cheaper overall to allow people do whatever they want, alert them when they do wrong, and then deal with it
A real-world analogy is law enforcement trying to prevent crimes.
Only a small range of potential crimes are actively prevented.
Law enforcement is aggressive in pursuing and punishing crimes after they actually occur.
Forensic Cybersecurity Controls
Not very good at actively detecting or blocking attacks
Absolutely critical to investigating attacks successfully after they have occurred
Relatively cheap to operate once they are in place
Provide economical way to implement parts of the security equation without significant investments
Audit Cybersecurity Controls
Almost the exact opposite of preventive controls
Preventive controls are effective at stopping attacks, albeit with considerable operational impact.
Audit controls have almost no operational impact, but they also don’t stop much in the way of attacks.
Low-cost, unobtrusive, and agile
Frequently the only way to find attacks that have defeated the preventive controls
Not “exotic” but deserve respect and consideration in an enterprise’s security architecture
A simple audit can often find problems that have been lurking for months or years, despite all the other controls
General Comments
The graphic provides a partial list of evaluation factors to consider.
When looking at security technologies, it is useful to evaluate them
in terms of what types of control functionality they primarily provide; and
to understand how the different control objectives are going to be achieved.
Ideally, all four control types are designed and operated in parallel, thus supporting each other.
Cybersecurity Capabilities
NIST describes the idea of security capability
as an abstraction.3
“Security capabilities can address a variety of areas that can include, for example, technical means, physical means, procedural means, or any combination thereof …”
“It is important for organizations to have the ability to describe key security capabilities needed to protect core organizational missions/business functions …”
“This [security capability construct] simplifies how the protection problem is viewed conceptually …”
“In essence, using the construct of security capability provides a shorthand method of grouping security controls that are employed for a common purpose or to achieve a common objective …”
“This [security capability construct] becomes an important consideration, for example, when assessing security controls for effectiveness …”
This study guide defines, in part, a security capability as “a process or technology
that enables the organization to perform a specific security control.”
For example, a firewall capability makes it possible to implement
preventive
controls for network access control;
detective controls for network traffic alerting;
forensic controls for network traffic logging; and
audit controls for validating network security and looking for intrusions.
An enterprise’s security capabilities
, both procedural and technological, form the foundation for its cybersecurity program.
SecurityCapability
Is as simple as
a person following a procedure on a set schedule or in response to a predefined event
Is as complex as a sophisticated technology component that spans the enterprise and provides many features in support of many different controls
Can be further defined, in part, as “providing for the auditing, logging, detection, or prevention of a particular type of malicious behavior”
Can be either procedural or technological
Procedural Security Capabilities
Are capabilities that are delivered by having a person follow a procedure on a set schedule or in response to an action
Are most likely an enterprise’s most powerful capabilities
Don’t scale like a piece of technology due to the limits of human skills and abilities
Actual security against a professional attacker is almost entirely dependent on people, not technology
Technological Security Capabilities
Are provided by technologies that are installed into the enterprise’s infrastructure
May be provided by a single technology (“block” an attack and “alert” on attack)
May provide
security capabilities across multiple functional areas
Are powerful because once they are deployed, they tend to “just work” (until they break or stop)
Involve “buying stuff” and deploy “neat technology”
Need to be engineered, deployed, managed, and monitored carefully to live up to their potential
Cybersecurity and Enterprise IT
Context
Regardless of the specific technologies, enterprise IT provides services to deliver information to support the business whether
the business is large or small;
services are delivered using mainframes, microcomputers, servers, or cloud services; or
information delivery is from a single room, over a private network, over dial-up terminals, or over the Internet.
General IT architecture involves the Internet, which complicates cybersecurity protection.
Every host on the Internet is only one hop away from every other host, including malicious hosts operated by potential attackers.
From architectural and strategic perspectives, the graphic illustrates the various enterprise IT components
and how they are generally connected to the Internet.
Endpoint devices consist of customer, Internet organization, and internal organization devices.
Enterprise infrastructure consists of application servers, database servers, and systems administration and monitoring.
Endpoints
Customer Devices
If a business involves interacting with customers over a network, then their devices are an important part of the overall IT architecture.
Why worry about customer devices?
What if every single customer device is malicious and can attack the enterprise?
From a cybersecurity perspective, how would an enterprise interact with their customers?
If a customer’s computer is actively using the enterprise’s data to attack the enterprise, would the enterprise trust the customer?
Many people say, “It depends.”
Customer devices need to be considered when an enterprise implements its cybersecurity controls and capabilities.
Organization Devices
Devices that connect to the enterprise over a public network—for example, the Internet
Depending upon enterprise policies, these devices may be company-owned computers, personal computers, mobile devices, or Bring Your Own Device (BYOD)
.
The reality is the majority of organizations are going to allow some of their employees to connect to enterprise resources over an open network.
Devices that connect to the enterprise over an internal network—for instance, enterprise intranet
Good news—the enterprise likely has more control over these devices than the myriad of customer and organizational devices connecting over an open network.
Bad news—unless the enterprise tolerates a lot of operational headaches, control is likely spotty due to personal, customer, vendor, and other devices occasionally connecting to the enterprise network.
These potential connections jeopardize the enterprise’s efforts to control and protect the integrity of what is internal.
IT Infrastructure
Enterprise IT infrastructure consists of three components that should all work together as a coherent and coordinated system:
Application servers deliver business applications enabling the generation of business value.
Database servers contain the business’s data.
Systems administration and monitoring channels manage and monitor the infrastructure.
In some cases, the data and the applications may actually be hosted on a single component, but most often the two are separate.
Systems administration and monitoring provides IT personnel with the ability to monitor and manage the enterprise; without this capability the enterprise may be unmanageable.
It is helpful to consider these IT functionalities when considering the various ways that attackers seek to penetrate the infrastructure and accomplish their goals.
Protections can be applied around the networks, endpoints, applications, databases, and systems administration functionalities.
Emplacing Cyberdefenses
Enterprise cybersecurity
involves hardening the various components and connections so each component is more difficult to compromise.
It sounds simple, but it isn’t.
The more complex the enterprise is, the more complex the security is.
Complexity begets complexity.
The graphic illustrates a notional enterprise and shows how security hardening can be applied to each enterprise IT component, including accounts, hosts, inter-host communications, and the organization network perimeter.
Internet organization devices should be protected from compromise even while they are connected to the Internet and other trusted networks.
The line connecting the Internet to the organization network is another security boundary where cybersecurity protections should be applied.
Inside the organization network, the internal organization devices, which are already inside the network, can be powerful attack vectors if they are compromised by an attacker.
Systems administration and monitoring is probably the most important element to be protected
as its compromise can be used to disable or bypass most of the other cybersecurity defenses.
Database servers are where the enterprise data resides and they must be protected.
Confidentiality protects the secrecy of data.
Integrity protects data from unauthorized changes.
Availability makes IT systems and the data they host available when and where they are needed.
Application servers provide enterprise services and they must be protected.
Servers must be externally facing while also providing access to enterprise data for legitimate and authorized users.
Customer devices that access enterprise resources are almost impossible to protect.
Security status must always be considered in an enterprise’s security architecture.
General Comments
The graphic
illustrates a basic architecture— applications, databases, servers, clients—used by an enterprise’s security infrastructure.
An actual architecture will end up containing more components than this basic architecture example.
How Cyberdefenses Interconnect
The graphic illustrates an enterprise attack graph that shows
how different cybersecurity components interact with each other; and
how individual cybersecurity component defenses depend on each other.
An enterprise can use the attack graph methodology to envision conceptually what these interdependencies look like.
Following is an example attack scenario statement:
To compromise organizational data, an attacker can compromise the (1) network and steal the data, (2) cryptography and steal the data in transit, (3) systems administration and take control of the servers hosting the data, or (4) applications hosting the data and use them to obtain the data.
Attack scenario statements cause the enterprise to step back and examine the big picture of how an enterprise really works.
The example attack graph represents an attack scenario statement for an entire enterprise.
Although the graph looks somewhat like “spaghetti ball,” it shows that all the enterprise security components connect with and depend on each other.
Every aspect of the enterprise’s security ultimately depends on every other aspect.
Consequently, a breach anywhere in the enterprise can eventually be exploited to compromise the entire enterprise
Due to the interdependency of enterprise IT and cybersecurity components,
attackers can start with an exploit almost anywhere; and
eventually attackers expand the initial exploit to get compete control.
While disconcerting, this connectivity and dependency should not be dismaying.
An enterprise
needs to appreciate the complexity of enterprise security as a system; and
understand how enterprise defenses actually stop attacks.
Enterprise cybersecurity defenses
slow the attack down;
add steps to the attack;
increase the enterprise’s chances of catching the attack before it is completely successful;
make the attack process more difficult, expensive, and time-consuming; and
give defenders time to detect and respond to the intrusion.
An Enterprise Cybersecurity Architecture
Context
To be effective, a cybersecurity architecture should achieve the following objectives:
Cover the full breadth of cybersecurity so nothing is left out
Align people, processes, budgets, and controls into a single framework so they are well-coordinated
Organize cybersecurity capabilities and controls into functional areas so they can be managed more easily
Account for the interdependence of controls and capabilities on each other across functional areas
Be simple enough so it can be managed and briefed at a high level
The graphic represents a new enterprise cybersecurity architecture.
Defined by cybersecurity functional areas covering the technical and operational breadth of enterprise cybersecurity
CybersecurityFunctional Areas
Relatively independent from each other
Align well with how staff, expertise, and responsibilities are distributed in an organization utilizing the IT management frameworks such as the following:
ITIL (IT Infrastructure Library)
COBIT (Control Objectives for Information and Related Technology)
Enable IT leadership to unify technologies, staff, and corresponding budget into a coherent cybersecurity program
Overall cybersecurity posture depends equally on the performance of all the functional areas.
This new enterprise cybersecurityarchitecture
manages the capabilities that deliver preventive, detective, audit, and forensic controls to the enterprise;
provides for consistent management of security capabilities;
assists in prioritizing security capability deployment, maintenance, and upgrades over time;
provides strong accountability and good alignment of strategy, staffing, budget, and technology to meet the organizational security needs;
is designed to be flexible and scalable from a small enterprise up to a large enterprise; and
provides an extensible mechanism for adjusting cyberdefenses over time in response to changing cyberthreats.
Cybersecurity Functional Areas
Systems Administration provides for secure administration of enterprise infrastructure and security systems, and protects systems administration channels from compromise.
Network Security provides for security of enterprise networks, their services, and access to them from the Internet and internally connected devices.
Cybersecurity Functional Areas (continued)
ApplicationSecurity provides for the security of enterprise applications using security technologies that are appropriate to and tailored for the protection of those applications and their communications.
Endpoint, Server, and DeviceSecurity provides for the protection of endpoints, servers, and devices that access enterprise data, and protects them from compromise.
Identity, Authentication, and AccessManagement provides for identification, authentication, and access control throughout the identity life cycle including provisioning, re-certification, and de-provisioning.
Data Protection and Cryptographyprovides
for the protection of data stored in the enterprise and the use of cryptographic technologies to perform that protection. It also supports other operations such as authentication, non-repudiation, and data integrity.
Monitoring, Vulnerability, and PatchManagement provides for the regular monitoring of security infrastructure, scanning, and analysis of vulnerabilities in that infrastructure, and management of patches and workarounds to address those vulnerabilities.
Cybersecurity Functional Areas (continued)
High Availability, Disaster Recovery,and PhysicalProtection provides for the protection of availability in the enterprise, including making systems highly available, recovering from disasters, and physically protecting facilities, people, systems, and data.
Incident Response provides for the investigation, response, and recovery of incidents that are identified through monitoring of the enterprise.
Asset Management and Supply Chain provides for the accounting of enterprise assets, procurement information associated with them, their life cycles, changes, and ensuring orderly and secure disposal without compromise of enterprise data or security.
Policy, Audit, E-Discovery, andTraining provides for policy oversight of controls and audit of their effectiveness, support for legal e-discovery activities, and training of staff in proper security policies and practices
