Cyber Reference Architecture (CRA) Framework
Version 2.1
DXC Security
November 14, 2018
© 2018 DXC Technology Company. The underlying methodologies and information are confidential and proprietary information of DXC Technology Company.
For further information, please contact [email protected]
Taxonomy and legend
The framework is based on a hierarchy of domains.
Each domain breaks down into a list of subdomains.
Each subdomain is supported by a list of capabilities.
Key (legend figure): Drivers for the Strategy, Leadership & Governance (SLG) domain; Subdomains; Capabilities.
CRA framework: Three levels
Figure: the twelve domains, Physical Security (PS), Security Resilient Architecture (SRA), Cyber Defense (CD), Identity & Access Management (IAM), Infrastructure & Endpoint Security (IES), Applications Security (AS), Data Protection & Privacy (DPP), Converged Security (CS), Risk & Compliance Management (RCM), Resilient Workforce (RW), Security Orchestration (SO) and Strategy, Leadership & Governance (SLG), grouped into Technical Security (TS), Cyber Defense & Orchestration (CDO) and Security Strategy & Risks Management (SSRM).
Strategic level: defining strategy, managing risks and compliance, defining enterprise security architecture to address prioritized risks and enable the business.
Tactical and operational level: security monitoring and breach response; orchestrate intelligent security operations.
Technical level: design, size, implement and run technical security solutions.
CRA framework: Structured in domains
Strategy, Leadership & Governance (SLG): Define a security strategic direction aligned with business objectives, outline a plan to achieve that direction, and ensure proper execution of that plan, including decision making based on risk management.
Security Resilient Architecture (SRA): Translation of business strategies into effective security solutions through principles, models, capabilities and patterns.
Cyber Defense (CD): Security monitoring, incident management and breach response.
Converged Security (CS): Integration of IT and operational technology (OT) security.
Identity & Access Management (IAM): Management of identities and access controls to meet compliance, operational and security requirements.
Risk & Compliance Management (RCM): Processes to define, evaluate, mitigate, accept or transfer risk and ensure compliance with regulatory and industry requirements while meeting business objectives.
Resilient Workforce (RW): Capabilities necessary to create a security-conscious culture and manage internal security knowledge.
Data Protection & Privacy (DPP): Data classification, data security modeling and protection to prevent loss, modification or misuse.
Security Orchestration (SO): Operational security processes, including management and measurement.
Applications Security (AS): Development and maintenance of software to meet security requirements.
Physical Security (PS): Protection of assets from environmental, accidental or deliberate physical threats.
Infrastructure & Endpoint Security (IES): Automated rule enforcement, threat detection and prevention at infrastructure and endpoint.
CRA V2.0: 12 domains and 55 subdomains
Domains: Strategy, Leadership & Governance (SLG); Security Resilient Architecture (SRA); Risk & Compliance Management (RCM); Security Orchestration (SO); Cyber Defense (CD); Resilient Workforce (RW); Infrastructure & Endpoint Security (IES); Physical Security (PS); Applications Security (AS); Converged Security (CS); Identity & Access Management (IAM); Data Protection & Privacy (DPP).
Subdomains (including the SLG drivers), in the order shown in the figure:
Asset Management
Information Security Management System
Risk Management Framework
Security Metrics
Third Party Management Framework
Legal, Regulatory & Privacy Compliance
Standard & Industry Compliance
Audit Management & Certification
Enterprise Security Architecture
Security Architecture Single Domain Blueprints
Business Continuity
Security Architecture Multi Domain Blueprints
Security Architecture Assurance
Technical Architecture Standards & Process Design
Solution Architecture
Security Culture
Empowered Workforce
Security Training & Education
Knowledge Management
Security Monitoring
Security Incident Response & Remediation Mngt.
Security Analytics
Threat Intelligence & Profiling
Digital Investigation & Forensics
Vulnerability Management
Security Process Measurement
Security Operations Management
Identity & Account Management
Authentication Management
Access Management
Privileged Account Management
Security Enforcement By Design
Rule-based Security Policy Enforcement
Known Threat Detection & Prevention
Unknown Threat Detection & Prevention
Forensic Analysis & Response
Software Lifecycle
Secured Application Development
Application Quality Assurance
Release, Deployment & Maintenance
Data Assurance & Governance
Data Protection
Data Security Lifecycle Management
Certificate & Key Management
Industrial Controls Systems Security
Internet of Things Security
Industrial Safety
Business Objectives
Critical Business Processes & Assets
Security Policy
Key Business Risks
Security Strategy
Security Governance & Organization
Datacenter Security
Office Security
Strategy, Leadership & Governance (1/2)
Objective: Business-aligned cyber security. Provide and support security strategic direction and security transformation plan aligned with corporate business objectives, and ensure that objectives are achieved by understanding the criticality of information to the organization, understanding emerging threats, ensuring proper execution of security programs and ensuring proper decision making to address and minimize business risk.
Subdomains: Security Strategy; Security Policy; Security Governance & Organization.
Drivers: Business Objectives; Critical Business Processes & Assets; Key Business Risks.
Strategy, Leadership & Governance (2/2)
Drivers and subdomains with their capabilities:
Business Objectives: Understand the Industry; Corporate Business Strategy; Value & Revenue Creation.
Critical Business Processes & Assets: Critical Business Processes; Critical Business Assets.
Key Business Risks: Understand Threat Landscape; Strategic Cyber Security Risks.
Security Strategy: Security Strategy Charter; Security Strategy Alignment; Transformation Roadmap; Information Security Framework; Security Budgeting & Investment; Maturity Assessment & Gap Analysis.
Security Governance & Organization: Leadership; Organization, Structure & Governance; Program Management Office; Board Security Steering Committees; External Communications.
Security Policy: Security Policy; Policy & Strategy Alignment & Review.
SLG: Drivers and subdomains
Business Objectives: Understand the two to five years’ business plan, vision, goals and objectives to be achieved to deliver long-term benefits to the organization and its key stakeholders. Understand the organization’s financial performance, market approach, R&D spending, value chain, main partners and suppliers, key industry trends, etc.
Critical Business Processes & Assets: Identify the core business processes and information assets supporting business objectives.
Key Business Risks: Understand the threat landscape in the industry, the main threat actors and the known breaches in the industry or previous breaches/security incidents the organization suffered from in the past. Define the key strategic cyber security risks that could impact the organization and that should be addressed and mitigated.
Security Strategy: A long-term strategic security plan to support business objectives, outlining how to preserve the confidentiality, integrity and availability of information assets and how to manage technical, organizational and process-oriented security risks and threats.
Security Governance & Organization: Organizational and governance setup for the management of security to provide strategic direction and ensure that objectives are achieved by understanding the criticality of information to the organization, understanding emerging threats, ensuring proper execution of security programs and ensuring proper decision making to address and minimize business risk.
Security Policy: Security Policy specifies the information security objectives of the organization, defines roles and responsibilities, and establishes high-level requirements for protecting the organization’s information assets and resources. The policy may be derived from internal requirements (e.g., audit, board direction, information security) or external sources (e.g., statutory and regulatory requirements).
SLG: Drivers (1/3)
Business Objectives
Understand the Industry: Understand the key industry trends and market trends, what is happening in the industry from a business perspective, the technological developments, level of competition, market convergence, etc. Which IT megatrends do we see in the industry? What would be the consequences for security? What’s the landscape in terms of regulatory developments?
Corporate Business Strategy: Describe the future and what the organization wants its business to look like in two to five years’ time in terms of vision, goals and objectives to be achieved to deliver benefits to the organization (growth and finance, market positioning, brand reputation, etc.). Describe the need for change: what needs to be performed to deploy the strategy?
Value & Revenue Creation: Understand financial performance: Which products and services generate the majority of the organization’s revenue? Which information assets are key for this? Understand the organization’s market approach: Which brands do they operate under? What is their client portfolio? What is the operating model? Understand how critical R&D is for future revenue, associated patents and intellectual property. How much is the company investing in this? Understand the value chain and the main partners and suppliers in this. Understand the political aspects, if relevant for the organization.
SLG: Drivers (2/3)
Critical Business Processes & Assets
Critical Business Processes: What are the core business processes supporting business objectives?
Critical Business Assets: What are the core application and information assets supporting the core business processes? The tangible and intangible assets (or fixed assets) making the organization valuable, such as items used in the operation of the business (buildings and factories, equipment, etc.) and, more importantly, patents and intellectual property?
SLG: Drivers (3/3)
Key Business Risks
Understand Threat Landscape: Understand the threat landscape in the industry, the main threat actors and the known breaches in the industry or previous breaches/security incidents the organization suffered from in the past.
Strategic Cyber Security Risks: Define the key strategic cyber security risks that could impact the organization and that should be addressed and mitigated.
SLG: Capabilities (1/4)
Security Strategy
Security Strategy Charter: Describes the future (To-Be) state and what the organization wants its security posture to look like in two to five years’ time in terms of vision, mission statements and goals and objectives to be achieved to support the corporate business strategy. Describes the need for change, what needs to be performed to deploy the security strategy. “Security” should be understood on a large spectrum and encompasses “Compliance,” “Privacy,” “Resilience” and “Safety.” NB: An embedded or dedicated privacy vision and mission statement objective can be described, providing a description of what the organization does to ensure privacy.
Security Strategy Alignment: Ensure that Security Strategy and IT Security Strategy content and objectives are aligned to corporate Business Strategy and overarching IT Strategy objectives.
Information Security Framework: A comprehensive, structured foundation of security domains, subdomains and capabilities used to support the effective execution of security strategy and associated improvement programs (or subprograms such as Compliance and Privacy programs) aligned to business objectives and drivers.
Security Budgeting & Investment: Decide and review investment in information security to ensure alignment with the organization strategy and meet security and compliance strategy objectives. Analyze return on investments in terms of objective achievement and adjust budget decisions accordingly. Ensure proper investment in case of crisis or major security breaches.
Maturity Assessment & Gap Analysis: Analyze the gap between the To-Be state and the current (As-Is) state by performing a Cyber Maturity Review covering the core domains and subdomains of the corporate Information Security Framework.
SLG: Capabilities (2/4)
Security Strategy
Transformation Roadmap: List of prioritized and planned initiatives and projects to be executed to achieve the goals and objectives of the Security Strategy.
SLG: Capabilities (3/4)
Security Governance & Organization
Leadership: Boards of directors and senior executives are fully involved and supportive at the governance level to provide strategic direction and ensure that objectives are achieved by understanding the criticality of information to the organization; understanding emerging threats; ensuring proper execution of security programs and other programs, such as compliance and privacy programs; and ensuring proper decision making to address and minimize business risk. The board defines and quantifies business risk tolerance relative to cyber resilience and ensures that this is consistent with corporate strategy and risk appetite.
Organization, Structure & Governance: Development of an organization and associated governance for the company for effective and efficient decision making and reporting, management, execution and adaptation of the security strategy, programs, roadmaps and their components. This includes required committees and boards, as well as role descriptions and required capabilities/skills at management and leadership level, such as but not limited to the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and the Data Privacy Officer (DPO).
Program Management Office: Cyber security transformation needs program, project and budgetary management to ensure that it produces agreed-on deliverables on time and to budget. This will demonstrate to senior management that business principles are being followed, the business strategy is being adhered to and technical requirements are being met. The program office should use capability maturity modeling to measure the success of the transformation program. Ensure security is addressed in any project regardless of the type of the project.
Board Security Steering Committees: Communications at the board level of risk posture to the business should be done regularly. Use a balanced Security Scorecard to support further decision making by regularly communicating and analyzing reports about the adequacy and efficiency of security improvement programs to support business objectives. Identify tactical and strategic initiatives and risk to the business using estimates based on operational security metrics. “Security” encompasses “Compliance,” “Privacy,” “Resilience” and “Safety” and should be understood in a wide sense. (Could be addressed in an overall board committee, risk committee, cyber resilience committee, etc.)
External Communications: Official communication with regional and national security agencies and bodies, supervisory authorities, media, press, etc. Communicating and explaining the corporate position in case of security breaches that have become publicly known (loss of customer data, loss of private information, etc.). Communicating around law and regulation obligations.
SLG: Capabilities (4/4)
Security Policy
Security Policy: Security Policy specifies the information security objectives of the organization, defines the roles and responsibilities and establishes high-level requirements for protecting the organization’s information assets and resources. NB: This includes but is not limited to compliance, privacy, safety, resilience objectives, information security, IT security, physical security and IoT/OT security policy.
Policy & Strategy Alignment & Review: Regularly assess alignment between security strategy objectives (or another strategy, such as the privacy strategy) and the associated policy to address both new business objectives and the emerging threat landscape. This includes independent review of the organization’s security strategy and policy, ideally carried out annually.
Risk & Compliance Management (1/2)
Objective: Manage risk and compliance. Processes by which risks are evaluated in light of business activities, value and criticality for the business and legal/regulatory requirements. Risk mitigation activities are then defined to determine an appropriate level of risk balanced with cost/budget and the residual risk to reputation, business activities and other market factors. Processes by which an assessment to policy is measured, remediation efforts are detailed and gaps are identified. This function is performed by various individuals and teams, including internal audit, risk assessment teams, external regulatory agencies and third-party organizations.
Subdomains: Asset Management; Information Security Management System; Security Metrics; Risk Management Framework; Standard & Industry Compliance; Legal, Regulatory & Privacy Compliance; Audit Management & Certification; Third-Party Management Framework.
Risk & Compliance Management (2/2)
Subdomains with their capabilities:
Asset Management: IT Asset Inventory; Software Asset Inventory; Configuration Management Repository; Information Asset Inventory; IP Address Management; Information Categories Definition; Information Asset Valuation; License Management; Asset Lifecycle Management; Asset Classification Schema; Asset Classification Enforcement; Asset Ownership Enforcement.
Information Security Management System: ISMS Standard Selection; Planning & Scoping; Implementation & Operation; Monitoring Effectiveness; Continual Improvement.
Security Metrics: Security Metrics Definition & Review; Security Metrics Analysis; Security Metrics Benchmarks; Board Dashboarding; Management Security & Compliance Dashboard.
Risk Management Framework: Risk Management Standard Selection; Threat Modeling; Risk Communication; Risk Profiles; Risk Monitoring; Risk Identification & Assessment; Risk Treatment.
Standard & Industry Compliance: Information Security Mngt. System Compliance; Risk Management Framework Compliance; Corporate Security Standard Compliance; Industry Specific Compliance.
Legal, Regulatory & Privacy Compliance: Regional & Country Requirements Monitoring; Compliance & Privacy Standard Selection; Information Transfer Management & Sovereignty; Universal Control Framework; Private Information Processing Management; Legal, Regulatory & Privacy Controls & Asset Mapping; Corporate Legal Interface; Information Breach Disclosure Management.
Audit Management & Certification: Audit Organization Structure; Record & Evidence Management & QMS; Self-Assessment; Audit Findings Review & Approval; Audit Findings Remediation Plan & Monitoring.
Third Party Management Framework: Third Party Governance; Third Party Profiling; Third Party Selection; Contract Management; SLA & Performance Management.
RCM: Subdomains (1/2)
Asset Management: Repositories of identified information assets with classifications reflecting the value and criticality for the business, legal requirements and sensitivity of the information asset, as well as ownership and security requirements in terms of confidentiality, integrity, availability and traceability.
Information Security Management System: Definition, design, implementation, monitoring and continual improvement of an Information Security Management System to manage the protection of corporate business processes and supporting assets that contribute to business objectives.
Security Metrics: Definition, collection, analysis and communication of security metrics to measure the effectiveness of the security improvement program and security operations against targets, assess the risk posture of the business, take action and define priorities.
Legal, Regulatory & Privacy Compliance: Processes for understanding and managing the legal, regulatory and privacy requirements applicable to the organization, and for mapping them to controls and assets, to protect corporate, confidential, employee, customer and partner information, including personally identifiable information (PII).
Standard & Industry Compliance: Compliance with standards and regulations is measurable, allowing deviations to be identified, quantified and managed at the various organizational levels within the organization.
Risk Management Framework: Methods, processes and tools to perform risk assessments and evaluate business risk, business impacts and operational security risks, and to define and manage associated risk mitigation strategies and risk acceptance.
RCM: Subdomains (2/2)
Third-Party Management Framework: Processes and methods for procuring, onboarding, assessing and managing services and products from suppliers and third parties.
Audit Management & Certification: Robust audit management to ensure handling of internal, external and regulatory audits, including audits to get certified against a standard or a regulation. Management of the remediation of audit findings in a timely manner.
RCM: Capabilities (1/12)
Asset Management
IT Asset InventoryInventory of any physical asset (systems, servers, end user devices, virtualized systems, gateways and communication equipment, industrial machines, robots, utilities, etc.) with justification and purpose description, location, associated classification, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes.
Software Asset Inventory
Inventory of any software asset (any type of OS for servers and end user devices, as well as infrastructure and industrial components, middleware, applications, utilities, development tools, shareware, open source and freeware), with justification and purpose description, location, associated classification, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes. This includes license information (expiration date, type of license, etc.).
Information Asset Inventory
Repositories of identified information assets with their associated security classifications (databases, files, contracts and agreements, intellectual property, research information, private information such as customer or employee/contractor personal data, financial information, medical information, legal information, operational or support processes and procedures, etc.), purpose of the asset, location, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes.
Information Categories Definition
Define data categories such as business, legal, private (customer personal data, employee/contractor personal data), financial, medical, etc. The security requirements associated with each data category are clearly defined. Some categories can be subcategorized; for example, private data can be subcategorized as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.
Information Asset Valuation
Documenting either the value of the information asset or data, or which data is most important. This facilitates deciding how much to spend protecting it and/or prioritizing budget spending.
RCM: Capabilities (2/12)
Asset Management
Configuration Management Repository
Repository of the configuration and settings (configuration items, CIs) of any IT and OT system, middleware or application, as well as the relationships between them.
IP Address Management
Inventory, planning and management of the IP address space (IP subnets, start address, end address, classification).
License Management
Request, approve, purchase, deploy, maintain, upgrade and update licenses, and remove licenses from the corporate environment. (Certificates could be managed as software licenses.)
Asset Life-cycle Management
Manage asset requests, approval, purchase, deployment, maintenance, upgrade, return and removal of assets from the corporate environment.
Asset Classification Schema
Definition of the classification schema to reflect value and criticality for the business, legal requirements and sensitivity of an asset/information as well as security requirements in terms of confidentiality, integrity, availability and traceability attributes to ensure that assets receive an appropriate level of protection.
RCM: Capabilities (3/12)
Asset Management
Asset Classification Enforcement
Method and process to ensure that the asset classification schema is communicated to and understood by the business, and applied to system, application and information assets by their assigned owners.
Asset Ownership Enforcement
Ensuring that an accountable owner is assigned to each system, application and information asset, with ultimate responsibility for the classification, access management, processing, transfer, storage and removal of classified information, for creating an official inventory record of the asset, and for defining, documenting and implementing the acceptable use of the asset during its life cycle.
RCM: Capabilities (4/12)
Information Security Management System
ISMS Standard Selection
Select the appropriate standard to be used for the ISMS (e.g., ISO 2700x, COBIT, ITIL, NIST, SANS, ISMS of Japan, Information Security Check Service [ISCS] of Korea, German IT baseline protection, UK Cyber Essentials Scheme).
Planning & Scoping
Define the ISMS policy, objectives and scope of applicability (Statement of Applicability) to manage and improve information security in support of corporate business objectives.
Implementation & Operation
Methods, processes and procedures to implement and operate the ISMS. Elaboration of the catalog of controls, measures and solutions to be used, following risk assessment, to treat risks.
Monitoring Effectiveness
Assess and monitor the effectiveness of security performance against ISMS objectives using the Security Metrics Framework approach.
Continual Improvement
Based on the “Monitoring Effectiveness” outcomes and other upcoming new requirements (e.g., new business, new regulations, new technologies), define corrective and improvement actions to ensure continual improvement.
RCM: Capabilities (5/12)
Security Metrics
Security Metrics Definition & Review
Define the security and risk metrics and indicators to be generated to assess and communicate the information security posture, enabling timely, effective and efficient management of risk to the business and improving reporting across the group: business metrics, risk posture metrics, compliance metrics, privacy metrics, process and technical metrics. Ensure metrics are periodically reviewed for improvement. Two types of indicators have to be defined: leading indicators, which map to business objectives, and lagging indicators, which are used at an operational level to measure the efficiency of security processes.
Security Metrics Analysis
Metrics analysis (and benchmarks) to measure the effectiveness of the security improvement program or other programs, such as compliance and privacy programs, and of operations against targets; decide remediation actions; and maintain a historical record for trend analysis and prediction. Provide insight into operational and strategic status and activities, thus enabling action plans to be defined and implemented. Support all security program/process owners, managers and users with their reporting needs.
Security Metrics Benchmarks
Comparing a company’s metrics and performance against peers within or outside the industry to provide comparative data that helps in setting objectives.
Board Dashboarding
Board Dashboarding presents leading indicators mapped to business objectives to communicate to stakeholders, obtained by measuring the risk posture from the consolidation of metrics and measurements. Measurements (key performance indicators [KPIs]) provide a single point of view of raw data collected from security processes at one point in time. Metrics compare several KPIs over time against a predefined baseline for an objective. Provide financial data for project tracking and operations as well as investment.
Management Security & Compliance Dashboard
Reporting focusing on security objectives (policy, ISMS, security processes, third-party management, security incident management) and compliance objectives (regulation, privacy, industry compliance) to track compliance and policy violations, security incident management and the associated remediation and improvement activities.
RCM: Capabilities (6/12)
Legal, Regulatory & Privacy Compliance
Regional & Country Requirements Monitoring
Assess emerging compliance requirements and legislation that will impact the organization at the regional and country levels in the near future and define a plan for their integration into the compliance program. External regulatory feeds can be used to be automatically informed of new upcoming regulations.
Compliance & Privacy Standard Selection
Selecting the appropriate standard(s) to be used as the reference for Legal, Regulatory & Privacy Compliance related controls, to support compliance and privacy programs and to guide managers and projects in making decisions that comply with legal or policy requirements. Existing standards may be adapted to include organization-specific requirements, future emerging compliance requirements and changing business requirements. This capability may include the selection of the Compliance and Privacy Assessment Model used to conduct corporate assessments.
Universal Control Framework
Consolidated and rationalized control framework for compliance, to optimize compliance program activities when the organization has to comply with several compliance standards.
Legal, Regulatory & Privacy Controls & Asset Mapping
Converting and mapping regulatory, legal and privacy requirements such as EU data law, SOX, the Gramm–Leach–Bliley Act, GDPR, EU standard clauses and regional privacy laws (e.g., Switzerland, Luxembourg, India) to controls/standards and assets. Updating the asset inventory with regulatory, legal and privacy requirements in respect of security capabilities, and recording the associated evidence to prove compliance.
Corporate Legal Interface
Processes and procedures to involve the legal department in case of major security-related noncompliance issues.
RCM: Capabilities (7/12)
Legal, Regulatory & Privacy Compliance
Information Transfer Management & Sovereignty
Processes to manage the transfer of information within the organization and with any external entity (information transfer procedures, transfer agreements, etc.), including Information Sovereignty to enforce compliance requirements depending on where the information is stored and who can access it.
Private Information Processing Management
Communication and notification to the information owner of the purpose for processing their personal data. Obtaining and recording individual consent to legitimize the processing purpose of personal information (Consent Management).
Information Breach Disclosure Management
Policy on the disclosure of personal information, communication of the policy, and communication of a disclosure to the information/data subject when it happens.
RCM: Capabilities (8/12)
Standard & Industry Compliance
Information Security Management System Compliance
Ensure compliance with commonly used standards such as ISO 27001/2, NIST, COBIT and NERC. Compliance must be measurable, allowing risks to be identified, quantified and managed at the various levels of the organization.
Risk Management Framework Compliance
Ensure compliance with commonly used standards such as ISO 27005, ISO 31000, EBIOS, CRAMM, MEHARI and RiskAoA.
Corporate Security Standard Compliance
Ensure compliance with the corporate security standards that are part of corporate policy.
Industry Specific Compliance
Ensure compliance with industry-specific standards such as PCI DSS, HIPAA, SOX and ISAE 3420.
RCM: Capabilities (9/12)
Risk Management Framework
Risk Management Standard Selection
Selection of the standard used for Risk Management (e.g., ISO 27005, ISO 31000, EBIOS, CRAMM, MEHARI or RiskAoA).
Threat Modeling
Identification and classification of top-level threats, which can be categorized along three dimensions: motivation, localization and agent. The threat agent is the actor that poses the threat to the business of the organization or to a specific business process and its supporting assets. For the classification of the threat agent, four categories are to be considered: human, processes, technological and force majeure. Threat motivation categorizes threats by the motivation behind them, distinguishing between intentional and unintentional threats. Threat localization classifies the origin of the threat as either internal or external to the organizational perimeter. The threat modeling also has to take into account the capability of the threat agent (financial, expertise, resources, etc.), the catalyst (an event or change in circumstances that triggers the threat agent to act) and the inhibitor (a factor that may deter the threat agent from executing a threat).
Risk Profiles
Documentation and calculation of risk profiles and the associated criteria for acceptable and unacceptable risks. Risk profiles are defined by key stakeholders, including business leaders; application, data and business process owners; the CISO; risk, compliance and privacy officers; and the legal department.
Risk Identification & Assessment
Methods, procedures and tools employed to identify, estimate and evaluate business and operational risks and their associated impact, and to produce the prioritized risks (according to risk profiles/appetite and risk evaluation criteria).
Risk Treatment
Selection of measures, controls or solutions to reduce, avoid, transfer or retain/accept identified risks, and definition of the corresponding treatment plan.
RCM: Capabilities (10/12)
Risk Management Framework
Risk Communication
Communication and reporting of identified risks to stakeholders and decision makers.
Risk Monitoring
Monitoring and reevaluation of risks, their context (value of assets, business impacts, vulnerabilities, likelihood of occurrence) and the effectiveness of the deployed measures and controls that mitigate identified risks, in order to update priorities and the risk treatment plan. Maintain traceability of risks, action plans and status (heat map, risk register).
RCM: Capabilities (11/12)
Third-Party Management Framework
Third-Party Governance
Implement the proper structure on both sides to ensure appropriate governance around security of third-party service delivery. It could be a focal point to handle contract issues, procurement, delivery issues and problems, noncompliance issues, audit findings management, security incidents, plans for remediation, tracking, reporting review, etc.
Third-Party Profiling
Define the different categories of “third party” that the organization may have to deal with, and define the associated security and privacy requirements to be met by third parties that process, store or transmit confidential data or provide critical services. A third party may also be known as a vendor, supplier, customer, joint venture or fourth party. Different categories of third party can be a third-party service provider (to perform/deliver IT services or business services), third-party administrator, third-party developer, third-party insurance, third-party verification or auditor, etc.
Third-Party Selection
Activities to select and assess (due diligence), prior to contract signoff, the security of third-party services, validating the scope of the service, its appropriateness to the organization’s requirements and its adequacy against what the third party claims to deliver or assure. This includes reviews of the third party’s background, reputation, financial performance and stability.
Contract Management
Establish, renegotiate and terminate a contract with a third party, with a clear definition of the objective, SLA, and roles and responsibilities around security services, including service reversibility and a nondisclosure agreement.
SLA & Performance Management
Reporting (as defined in the contract) on third-party security services to demonstrate delivery according to the contract's SLA and SLO definitions. Reports should contain metrics and KPIs according to the organization's Security Metrics Framework.
RCM: Capabilities (12/12)
Audit Management & Certification
Audit Organization Structure
Manage audits (internal and external), regulatory requests and compliance checks by involving respective parties (including third parties), including an audit to get certified against a standard or a regulation.
Record & Evidence Management & QMS
Manage the record of documents, evidence and compliance attestations, including gathering, secure storage, and validation of records and evidence. Map collected documents/evidence to controls and risks. This includes management of the record of official Legal & Regulatory documents.
Self-Assessment
Perform a self-assessment to prepare for and identify compliance issues, and to define a remediation plan in readiness for corporate (internal or external) audit and certification.
Audit Findings Review & Approval
Run the audit findings review and approval process, including with third parties.
Audit Findings Remediation Plan & Monitoring
Manage audit findings by defining a remediation plan and closely monitoring its execution.
Security Resilient Architecture (1/2)
Objective
Defining how
The translation of businesses’ visions and strategies into effective enterprise security solutions, by developing and communicating a consistent set of security principles, models, capabilities and patterns that provides direction for development, operations and governance, describing the enterprise’s target security posture and ensuring its alignment with business needs and changes.
Subdomains
Security Architecture Assurance
Technical Architecture Standards & Process Design
Business Continuity
Solution Architecture
Enterprise Security Architecture
Security Architecture Multidomain Blueprints
Security Architecture Single-Domain Blueprints
Security Resilient Architecture (2/2)
Subdomains: Enterprise Security Architecture; Security Architecture Multidomain Blueprints; Security Architecture Single-Domain Blueprints; Business Continuity; Solution Architecture; Technical Architecture Standards & Process Design; Security Architecture Assurance
Capabilities shown in the figure:
Risk & Compliance Management Blueprint
Resilient Workforce Blueprint
Applications Security Blueprint
Cyber Defense Blueprint
Data Protection & Privacy Blueprint
Identity & Access Management Blueprint
Infrastructure & Endpoint Security Blueprint
Cloud Security Blueprint (consumption)
Cloud Security Blueprint (provider)
Industrial Control Systems Security Blueprint
Mobility Security Blueprint
GDPR Blueprint
Internet of Things Security Blueprint
Vehicle Security Design Blueprint
Next Generation (NG) Endpoint Protection Security Blueprint
Security Technical Standards
Security Guidelines
Security Process Catalog
Product Security Assurance
Solution Selection, Evaluation & Development
Solution Architecture Overview
High Level Design
Low Level Design
Service Definition
Business Impact Analysis
Asset Prioritization
Data Replication
Recovery Objectives
Invocation & Escalation
Recovery Strategy
Redundancy
Virtual Team Mobilization & Collaboration
Communication & Reporting
Testing
Architecture Review Board
Enterprise Architecture Framework
Security Architecture Framework
Models
Strategies Alignment
Zoning Model
Principles
Capabilities & Requirements
Development, Quality & Production Environment Model
Third Party External Connections Model
Reusable Objects
Security Profiles
SRA: Subdomains (1/2)
Enterprise Security Architecture
Principles, models, capabilities and reusable objects describing the enterprise security architecture.
Security Architecture Single-Domain Blueprints
Reusable generic templates for one specific core domain of the framework, describing dependencies and workflows between capabilities of the core domain and highlighting, if needed, dependencies with any other capabilities outside the core domain.
Security Architecture Multidomain Blueprints
Reusable generic templates for specific scenarios or business contexts, involving several core domains of the framework, composing and mapping security capabilities and functions in the enterprise security architecture framework.
Technical Architecture Standards & Process Design
Standards defining the mandatory settings, controls and requirements that must be implemented to achieve policy objectives.
Solution Architecture
A combination of architecture artifacts (including but not limited to overview architecture, high-level description, low-level description and service management description) describing a solution with clear objectives and expected benefits for the organization, ready to be deployed, that complies with the applicable reference security blueprints and enterprise security architecture components.
Business Continuity
Processes and plans for resilient capabilities in the event of environmental, man-made or technical failures in business-supporting IT services, ICT infrastructure and applications.
SRA: Subdomains (2/2)
Security Architecture Assurance
Authoritative review and approval or rejection of change initiatives with regard to architectural security aspects.
SRA: Capabilities (1/12)
Enterprise Security Architecture
Enterprise Architecture Framework
Define or select the reference architecture framework used for enterprise architecture (i.e., Zachman, TOGAF, FEAF, DoDAF, Gartner, IBM, DXC ITSA). An Enterprise Architecture Framework defines how to create and use an enterprise architecture and provides guidance for building solution architecture. It helps capture and translate business requirements into security capabilities using a Business Attributes model; these are later transformed through use cases (reusable objects) and profiles into security controls.
Security Architecture Framework
A comprehensive, structured foundation of security domains, security subdomains and security capabilities used to create security solution architecture. Define or select the reference security framework used for the enterprise security architecture (i.e., Sabsa, O-ESA, OSA, DXC CRA) aligned with the Enterprise Architecture Framework.
Strategies Alignment
The security strategy supports business and IT strategies, focusing on long-term road maps for the protection and preservation of confidentiality, integrity and availability of essential business information. Enterprise Security Architecture (ESA) must be aligned to business and IT strategies so ESA objectives describe clear mapping with business drivers and goals by defining which business principles are supported by the ESA.
PrinciplesBusiness strategy and business objectives expressed in business principles are translated into foundational, functional, technical and implementation principles, directing theenterprise security architecture and guiding how security solutions should be designed, built and operated to efficiently and consistently safeguard the information assets andsupport the business principles.
Capabilities & Requirements
The architectural security building blocks, structured in a multilayered taxonomy and expressed in generic terms, each requiring process-, organizational- and technical-oriented, business-driven abilities to accomplish.
SRA: Capabilities (2/12)
Models
Conceptual models, abstract views, outlining the requirements necessary to implement and enforce security policies (e.g., domain model, data-centric model or information protection model, component or layering model, zero-trust model, threat model, location model, operational model).
Zoning Model
Reference architecture for effective, standardized design and operation of security zones, segmenting and isolating groups of information assets with consistent security requirements and policies, divided in uncontrolled, controlled, restricted, sensitive and management zones, supporting a multitiered architecture with different levels of trust and information flows. Definition of security zones and associated security requirements in terms of integrity, confidentiality, availability and traceability.
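As an added example (not part of the DXC framework), the flow-authorization logic a zoning model implies: the five zone names are taken from the text above, while the trust ordering, the per-crossing control requirements and the sample flow inventory are constructed assumptions.

```python
"""Zoning-model flow check. Added example, not DXC's code: the five zone
names come from the framework text; the trust ordering, the flow rules and
the sample flows below are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed trust tiers, lowest to highest. Management is treated as an
# out-of-band zone rather than a tier in this ordering.
TRUST: Dict[str, int] = {"uncontrolled": 0, "controlled": 1, "restricted": 2, "sensitive": 3}
MANAGEMENT = "management"
ZONES: Set[str] = set(TRUST) | {MANAGEMENT}
CONTROLS = ("authenticated", "encrypted", "logged")


@dataclass(frozen=True)
class Flow:
    """One documented information flow between zones and the controls it carries."""
    src: str
    dst: str
    service: str
    authenticated: bool = False   # caller identity verified at the boundary
    encrypted: bool = False       # confidentiality and integrity in transit
    logged: bool = False          # traceability of the crossing


def required_controls(src: str, dst: str) -> Optional[Set[str]]:
    """Controls a src->dst flow must carry; None means never permitted directly."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src}->{dst}")
    if src == dst:
        return set()  # no zone boundary crossed
    if MANAGEMENT in (src, dst):
        # Management-plane traffic gets the strictest profile in every direction.
        return set(CONTROLS)
    delta = TRUST[dst] - TRUST[src]
    if abs(delta) > 1:
        return None  # tier skipping must terminate in an intermediate zone
    needed = {"logged"}  # every boundary crossing must be traceable
    if delta > 0:
        needed.add("authenticated")  # entering a more trusted zone
    if max(TRUST[src], TRUST[dst]) >= TRUST["restricted"]:
        needed.add("encrypted")  # restricted or sensitive data in transit
    return needed


def evaluate(flow: Flow) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons) for a single flow."""
    needed = required_controls(flow.src, flow.dst)
    if needed is None:
        return False, [f"direct {flow.src}->{flow.dst} flow skips a trust tier"]
    present = {c for c in CONTROLS if getattr(flow, c)}
    missing = sorted(needed - present)
    return not missing, [f"missing control: {m}" for m in missing]


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each denied flow (as 'src->dst:service') to the reasons it was denied."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        ok, reasons = evaluate(f)
        if not ok:
            findings[f"{f.src}->{f.dst}:{f.service}"] = reasons
    return findings


# Constructed sample flow inventory for a data-flow authorization review.
SAMPLE_FLOWS = [
    Flow("uncontrolled", "controlled", "https", authenticated=True, logged=True),
    Flow("controlled", "restricted", "sql", authenticated=True, logged=True),
    Flow("uncontrolled", "sensitive", "https", authenticated=True, encrypted=True, logged=True),
    Flow("management", "sensitive", "ssh", authenticated=True, encrypted=True, logged=True),
    Flow("sensitive", "restricted", "backup", encrypted=True),
    Flow("restricted", "restricted", "rpc"),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(reasons))
```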
Development, Quality & Production Environment Model
Reference architecture for effective, standardized design and operation of development, quality and production environments for the different phases of the development life cycle and release management: the development environment, the test and qualification environment (where new features are developed, changes are made and tested) and the production environment (used by corporate users). These environments are separated, and security requirements are described to secure and control intra-environment flows.
Third-Party External Connections Model
Reference architecture for effective, standardized design and operation of third-party external connections (depending on third-party profiling) covering and documenting: security requirements and policies for third-party technical interconnections; identification of critical business processes that are dependent on external connectivity; comprehensive infrastructure and systems data flow diagrams to support data flow authorization, risk assessment and audit; mandatory and optional security capabilities and controls to be deployed depending on third-party profiles to detect and prevent intrusions from third-party connections.
Reusable Objects
Composites of security constructs and usage architecture patterns, including but not limited to security profiles, use cases and business attributes, to be used in security architecture designs and security blueprints, with the objective to industrialize and standardize reoccurring security solutions to a commonly occurring problem or to achieve a security goal.
SRA: Capabilities (3/12)
Security Profiles
Defined mandatory, additional and optional lists of security controls and security capabilities to be applied on each class of information assets in a predefined architecture use case.
SRA: Capabilities (4/12)
Risk & Compliance Management Blueprint
Reference security architecture for managing security, supporting a process-centric information security approach and continuous improvement of effectiveness and efficiency, including integrated and automated enforcement, measurement and analysis of corporate reference security processes, policy and controls enforcement, risk management, compliance management, third-party management, audit management and automated remediation.
Resilient Workforce Blueprint
Reference security architecture to promote and establish a security-aware company culture and empower your workforce by getting appropriate, accurate and targeted security awareness training and education to support your business and enforce protection of your critical and sensitive information.
Cyber Defense Blueprint
Reference security architecture for a secure, resilient, standardized design and operation of cyber defense capabilities, including governance, situational awareness, security intelligence and analytics, threat intelligence, digital investigations, security operations center, tooling, event management, incident response and remediation management.
Identity & Access Management Blueprint
Reference security architecture for effective, standardized and reusable design and operations of identity and access capabilities, including identity life-cycle management, provisioning, authentication and access control, privileged user management, and key and directory management.
Infrastructure & Endpoint Security Blueprint
Reference security architecture for effective, standardized and reusable design and operations of endpoints and infrastructures, including rule-based security capabilities, known and unknown threat detection and prevention capabilities.
SRA: Capabilities (5/12)
Applications Security Blueprint
Reference security architecture for secure development of application software and security APIs, including but not limited to use case modeling, threat modeling, security requirements, design, documentation, secure coding practices, testing (static and dynamic code analysis), source code handling, change and release management, security readiness and research, maintenance, incident response and security assurance.
Data Protection & Privacy Blueprint
Reference security architecture for effective, standardized and reusable design and operations of data protection and privacy, including data discovery and classification, data assurance, data security life-cycle management, and certificate and key management.
SRA: Capabilities (6/12)
Cloud Security Blueprint (Consumption)
Reference security architecture for effective, standardized design and operations of security solutions in XaaS cloud environments, leveraging use cases and capabilities relevant for cloud consumers.
Cloud Security Blueprint (Provider)
Reference security architecture for effective, standardized design and operations of security solutions in XaaS cloud environments, leveraging use cases and capabilities relevant for cloud providers and cloud brokers.
Mobility Security Blueprint
Reference security architecture for effective, standardized and reusable design and operation of trusted and untrusted mobility endpoints from a security perspective, including but not limited to mobile security, BYOD/AYOD (Bring/Allow Your Own Device), policies and requirements, remote access and network access controls, security compliance checking, malware protection, forensics, event collection, authentication and authorization, etc.
IoT Security Blueprint
Reference security architecture for secure, effective and standardized design and operation for IoT, leveraging relevant security capabilities from subdomains of the framework.
Vehicle Security Design Blueprint
Reference security architecture for secure, effective and standardized design and operation for vehicles, leveraging relevant security capabilities from subdomains of the framework.
SRA: Capabilities (7/12)
Industrial Control Systems Security Blueprint
Reference security architecture for secure, effective and standardized design and operation for Industrial Control Systems (ICSs) leveraging relevant security capabilities from subdomains of the framework, including security for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCSs) and programmable logic controllers (PLCs).
GDPR Blueprint
Reference security architecture for effective, standardized and reusable design and operations to address privacy compliance requirements and objectives. Privacy requirements include but are not limited to openness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability and rights of the individual.
NG Endpoint Protection Security Blueprint
Reference security architecture for effective, standardized and reusable design and operation for end user device protection, allowing (1) digital enablement with nonintrusive security, friendly 2FA and full SSO that is easy to manage; (2) threat resistance with security foundations, cyber hygiene, secure by design, a maintained trust chain (HW to apps), isolation of critical kernel components, trust no one (app reputation) and micro-segmentation (micro-virtualization, containers or sandboxing), nonintrusive AV, FW, etc.; (3) threat resiliency by assuming a state of compromise, with a flight recorder providing detailed E2E telemetry, health attestation and forensics readiness, allowing agile and detailed hunting, etc.
SRA: Capabilities (8/12)
Security Technical Standards
The mandatory configuration settings and controls that must be implemented to achieve policy objectives with the goal of providing fit-for-purpose security level(s). These configurations, linked to the organization’s security policies, would be based on both internal knowledge and industry standards and best practices.
Security Guidelines
Recommended (nonmandatory) configuration guidelines and best practices helping to support standards or serve as a reference when no applicable security standard is in place.
Security Process Catalog
Definition of global processes ensuring that security policies and standards are applied in a consistent and repeatable manner. A process is a set of steps, tasks or activities to be executed to deploy a policy or standard describing inputs and outputs of processes. Global processes are then instantiated into operational processes (SO domain) to be deployed across the organization (we may have different ways to deploy processes, assuming the objectives defined in the global processes are met); e.g., component build process and health checking process.
Product Security Assurance
Assurance that an application, product or system (acquired or developed by the organization) is certified against security criteria for the evaluation of IT security, developed by the organization or taken from a known and recognized standard; e.g., Common Criteria (ISO 15408) EALs, Information Technology Security Evaluation Criteria (ITSEC), Trusted Computer System Evaluation Criteria (TCSEC), the U.S. Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) or OWASP for web applications. Evaluations can be insourced or performed by an independent external company.
Solution Selection, Evaluation & Development
Testing (against security criteria), benchmarking and referencing of security tools, products and services to be implemented, deployed and used to support security policies, standards, guidelines and reference architectures. Development of security tools, software and products to support security policies, standards and reference architectures. This activity can include research.
SRA: Capabilities (9/12)
Solution Architecture Overview
Overview of a security solution (applications, products, processes and people) linked to the strategy (business, IT and security strategies) describing business drivers and organizational context, objectives, stakeholders, planning, resourcing, budget and benefits of the solution.
High-Level Design
Description of a security solution in terms of its security requirements, including compliance, privacy, safety and resilience requirements, to meet the objectives, assumptions and hypotheses while leveraging and demonstrating compliance with the applicable corporate enterprise security architecture components. These may include principles, capabilities, models, reusable objects (architecture use cases), segregation and segmentation, and security profiles, as well as compliance with corporate security blueprints (Security Architecture Single-Domain Blueprints) and other relevant blueprints (Security Architecture Multidomain Blueprints).
Low-Level Design
Detailed description of a security solution (products, processes and people) to effectively implement the solution, including the operational model (elements, nodes, locations, zones, boundaries, borders, connections, nonfunctional requirements, etc.), sizing, product selection, configuration settings and necessary operational processes to be either leveraged or developed to support the solution.
Service Definition
Detailed description of how to measure the efficiency and maturity of the solution as well as the roles and responsibilities of teams, business units, suppliers, third parties and other resources involved in steady state operations.
SRA: Capabilities (10/12)
Business Impact Analysis
Business impact analysis and risk assessments to identify the most important assets, process and technology dependencies, impact on business, and risks.
Asset Prioritization
Selecting prioritized business-critical information assets to recover as a minimum in case of a major disruption.
Recovery Objectives
Business owners defining and refining recovery time objectives and recovery point objectives for critical applications.
Recovery Strategy
Selecting recovery strategies for systems in scope for disaster recovery solutions, with high availability, system duplication on twin sites and active/standby solutions.
Redundancy
Selecting redundancy solutions, with dual sites or dual buildings, and technical and organizational duplications.
SRA: Capabilities (11/12)
Data Replication
Selecting synchronous or asynchronous data replication between dual sites, and whether to replicate data blocks at the storage level or replicate database logs or files.
Invocation & Escalation
Procedures and routines for invocation and escalation to the crisis team in case of major disruptions of IT services.
Virtual Team Mobilization & Collaboration
Procedures and routines for mobilization of virtual cross-organizational teams for crisis management and for collaboration across teams during an invoked major IT service disruption.
Communication & Reporting
Procedures and routines for how to communicate and report to employees, the board, partners, customers and the public during a major IT service interruption.
Testing
Periodic tests of disaster recovery plans through desktop, walkthrough, simulated, partial or full tests.
SRA: Capabilities (12/12)
Architecture Review Board
The authoritative entity for reviewing and approving or rejecting new enterprise security solutions or change initiatives with regard to security architecture aspects defined in the enterprise security architecture, including standards, and determining if there is any security impact. This includes an exception process providing inputs, approvals and necessary risk acceptance for the introduction of a nonstandard technology or solution.
Resilient Workforce (1/2)
Objective
People contributing to digital resilience
Promote and establish a security-aware company culture and empower your workforce by getting appropriate, accurate and targeted security awareness training and education to support your business and enforce protection of your critical and sensitive information.
Subdomains
Security Culture
Security Training & Education
Empowered Workforce
Knowledge Management
Resilient Workforce (2/2)
Security Culture
• Organization Security Culture Profiling
• Corporate Communication
• Security Culture Leadership Approach
Empowered Workforce
• Job Role Management
• Segregation of Duties
• HR Processes Integration
• Talent Recruitment, Identity Proofing & Vetting
• Identity Enrollment & Profile Record Management
• Talent Retention Program
• Mentoring Program
• Workforce Satisfaction
Security Training & Education
• IT/Security Organization Training
• Developer Security Training
• Board & Management Security Awareness Training
• Employee Security Awareness Training
• Targeted Security Awareness Training
• Third Party Security Awareness Training
• Employee Internal Certification
• Employee External Certification
Knowledge Management
• Knowledge Management Systems
• Knowledge Creation, Collection & Validation
• Knowledge Sharing
RW: Subdomains
Security Culture
Security Culture describes the way security in the workplace is organized and thus reflects the attitudes, convictions, perceptions and values of the employees and of the organization with regard to security. Therefore, organizations need to build and structure elements of their organizations, such as resources and guidelines, to reflect their security objectives. Security culture also means management of the change process that makes employees’ attitudes and behavior more security related.
Empowered Workforce
Empowered Workforce describes activities to ensure talent and competency development for both attracting and retaining talent for operational security people and managers: recruiting, career development, mentoring program, etc.
Security Training & Education
Security Training & Education objectives are to define and maintain content adequate for different target groups, considering national and intercultural aspects reflective of the present-day working environment and the current threat landscape, and to define appropriate training packages targeting security teams, IT staff and managers to provide specific knowledge and skills to achieve their job objectives and responsibilities, including employee certifications when needed.
Knowledge Management
Knowledge Management groups activities around the creation, contribution, collection, referencing, sharing and use of knowledge and information developed by the organization, with the objective of ensuring the best use of knowledge, identifying and promoting knowledge and experience, and facilitating employee skill development and collaboration.
RW: Capabilities (1/6)
Security Culture
Organization Security Culture Profiling
Definition of requirements in regard to the desired state of information security awareness for different target groups (CxO, employees, power users, third parties, etc.). The profile contains information about location, languages, national and intercultural aspects, number of employees and industry, with consideration of mission, strategy and values of the organization and opportunities, risks and threats the organization is facing, as well as compliance obligations. The profile includes influencing and company-relevant factors to be measured in security culture.
Corporate Communication
Internal communications to ensure the positive image of security as an enabler:
• The corporate policy and any ongoing changes, including regulatory, compliance and privacy obligations
• Employee roles and responsibilities
• Internal communications to announce and raise awareness for security topics
• Communication from the security leadership team through conferences, newsletters, wiki, etc. to communicate the security vision, objectives and initiatives as a security provider both internal (providing and enhancing security within the organization) and external (security embedded in IT products and services sold to partners, external customers and other third parties)
• The corporate position in case of a publicly known security breach (loss of customer data, loss of private/sensitive information, etc.)
RW: Capabilities (2/6)
Job Role Management
Description of business roles and job descriptions allowing mapping to the applications and systems people use to achieve their job objectives and responsibilities. Role Management includes job role modeling, job role discovery, job role assignment (assigning a role to an identity) and job role change.
Segregation of Duties Definition of Segregation of Duties rules to address business risks associated with a user-role conflict of interest.
HR Processes Integration
Security anchored in HR processes: security responsibilities are incorporated into job profiles and terms and conditions of employment in the contract, including responsibilities and duties that remain valid after termination or change of employment (e.g., a nondisclosure statement/clause for employees dealing with sensitive information). The security aspect is included in annual goals and performance reviews. This also includes a disciplinary process to take action against employees who have committed a security breach.
Talent Recruitment, Identity Proofing & Vetting
Processes and tools used to perform identity proofing, i.e., validating an identity using authoritative data sources and identity profile data with sufficient information and evidence. Background checks and screening uniquely identify persons as having the identity they claim and match people to positions by analyzing the required skills against the available qualifications of employees. Recruiting supports the organization in finding the people who fit its needs and culture.
Identity Enrollment & Profile Record Management
Process when a candidate for employment has passed verification and an identity record is created, with the complete identity record, including name, address, birth date and other unique identifiers linked to a person. This includes processes for deactivating, archiving and deleting an identity record after the person has resigned, retired or permanently left.
RW: Capabilities (3/6)
Talent Retention Program
Define and apply a retention program to identify critical people for the organization. Provide activities to ensure talent and competency development to both attract and retain talent for operational security people and managers (e.g., recruiting, career development, training program, mentoring program).
Mentoring Program
Build and execute a mentoring program to:
• Allow an effective way to transfer experience, lessons learned, skills and knowledge from one person to another
• Achieve specific objectives for skill growth and development
• Create effective relationships, guide mentees and encourage an environment for success
Workforce Satisfaction
To have attentive and aware employees, you need to motivate your workforce by creating a healthy and engaging environment. Motivational factors can include recognition, work-life balance, stress reduction programs and "burnout" prevention. By associating security with these factors, you will have a more engaged and open-minded workforce with a positive attitude toward secure behavior.
Security Culture Leadership Approach
Develop security culture processes to ensure clarity on the corporate policy and rules to ensure that employees understand their role and what is expected of them in terms of security. Ensure management is setting the right example by showing exemplary behavior (Leading by Example) by embedding security in the tasks and actions of (middle) management. Ensure people have sufficient time, competency and the capacity to abide by the rules and protocols for dealing with sensitive information (Culture of Prevention). Encourage transparency of employees’ behavior and ensure that the effects thereof are visible in the way of working. Encourage openness on security incidents and concerns so employees feel safe to discuss incidents, concerns and dilemmas openly in the organization (Culture of Detection). Ensure employees feel safe engaging with other employees when they see incorrect treatment of sensitive information (Culture of Responsiveness). Have management enforce the rules with board support, and reward and/or sanction people (Culture of Responsiveness). Enforce the principle that you can learn from mistakes—the basic requirement to establish a stable security culture. To be practiced in training but also in daily work without having to reckon with strict consequences (Culture of Failure Acceptance).
RW: Capabilities (4/6)
IT/Security Organization Training
Understand and define IT staff security training requirements and scope; develop or select supporting education and training materials; and deliver security training for the security team, IT staff, sales and managers to provide the specific knowledge and skills they need to achieve their job objectives and responsibilities, including the "train the trainer" concept. Prepare for certifications or knowledge development.
Developer Security Training
Educate application architects and developers around secure system development life cycle (SDLC), including how to architect and design security in an application; how to develop secure code, including mobile applications; and how to avoid pitfalls that result in vulnerabilities/insecurities. Educate software testers on how to test for security issues.
Employee External Certification
Understand and define IT staff security external certification requirements. Ensure External Certification of employees to demonstrate knowledge acquisition and to comply with organization certification requirements.
Employee Internal Certification
Define corporate Internal Certification program (certification and recertification criteria, training content, schedule, certification package template, review board, etc.). Ensure Internal Certification of employees to demonstrate knowledge acquisition and to comply with organization certification requirements.
RW: Capabilities (5/6)
Employee Security Awareness Training
Production and implementation of security awareness training targeting different employee groups and covering the following aspects (not an exhaustive list):
• Regular User Security Awareness program
• Privileged User Security Awareness program
• Mandatory and regular Code of Conduct training
• Ensuring clarity on the corporate policy and rules to ensure that employees understand their role and what is expected of them in terms of security
Board & Management Security Awareness Training
Security awareness training for board members about the current threat landscape, covering:
• Advanced threats, threat actors and cyber security
• Business impact and legal consequences if such threats are realized, including the worst-case scenario
• Regulatory, Compliance and Privacy obligations
Third-Party Security Awareness Training
Security awareness training for third parties and contractors (in particular, users with privileged access) to ensure they comply with corporate security policy.
Targeted Security Awareness Training
Security awareness training for targeted communities of people, depending on the organization's objective and special needs (e.g., salespeople).
RW: Capabilities (6/6)
Knowledge Management Systems
Systems supporting storage, organizing, access and sharing of knowledge.
Knowledge Creation, Collection & Validation
Processes to support creation, identification, collection, referencing and validation of knowledge, skills, expertise, experiences, ideas, collateral, information assets and lessons learned. This includes methodologies and templates to maximize understanding and reusability of knowledge.
Knowledge Sharing
Processes to support exchange of knowledge between people (employees, communities, third parties, etc.) and access, sharing and collaboration around knowledge between employees.
Cyber Defense (1/2)
Objective
Intelligence to detect breaches and respond
Provide real-time alerting, tooling and intelligence to more effectively identify, understand, respond to and contain security incidents by providing:
• overall visibility of cyber security situational risk
• understanding of threat techniques, tools, procedures and potential impact to business
Subdomains
• Security Monitoring
• Security Incident Response & Remediation Management
• Threat Intelligence & Profiling
• Digital Investigation & Forensics
• Vulnerability Management
• Security Analytics
Cyber Defense (2/2)
Security Monitoring
• Log Policy Definition
• Log Management
• Monitoring & Alerting Processes
• Log Correlation
• Event Query
• Log Integrity
• Use Case Management
• Log Reporting
• Shift-Handover Process
• Daily Operations Meeting Procedure
Security Incident Response & Remediation Management
• Incident & Defect Notification
• CERT & Authority Information Request
• Incident Analysis
• Incident Triage
• Root Cause Analysis
• Incident Validation
• Incident Classification
• Incident Mitigation & Remediation
• Incident Recovery
• Crisis Communication
• Incident Reporting
• Crisis Leadership & Organization
• Escalation Procedure
Threat Intelligence & Profiling
• Threat Intelligence Platform
• Cyber Threat Intelligence Sources
• Threat Actor Profiling
• Cyber Threat Intelligence Sharing
• Malware Analysis
• Security Trends
• Technical Threat Modeling
• Threat Intelligence Knowledge Management
Digital Investigation & Forensics
• Digital Investigations
• Digital Forensics
• E-Discovery
• Active Threat Hunting
Vulnerability Management
• Static Code Analysis
• Dynamic Code Analysis
• Social Engineering
• Penetration Testing
• Vulnerability Remediation
• Attack Simulation
• Vulnerability Scanning
• Patch Management
• Vulnerability Notification
• Vulnerability Monitoring
• Vulnerability Validation & Criticality
• Vulnerability Research
Security Analytics
• Big Data Security Analytics
• Baselining
• Social Media Analysis
• Data Anomaly Detection
• Network Anomaly Detection
• User Behavior Analysis
• Privileged Threat Analytics
• DNS Analytics
• Technical Attack Reconstruction & Visualization
CD: Subdomains
Security Monitoring
Manage logs and correlate security event logs to automatically generate security alerts based on known attack scenarios/use cases. Monitor security alerts and incidents as they occur in the environment. Provide evidence in case of investigations and to support Incident Response management.
Security Incident Response & Remediation Management
Validate, classify and analyze security incidents (understand what happened, how and why) to ensure adequate and prompt remediation or recovery activities (Incident Response Level 1 and 2).
Threat Intelligence & Profiling
Change the security model from reactive to proactive by understanding your adversaries and thereby developing tactics to combat current attacks and to plan for future threats. Accurate, complete and actionable information allows threat modeling, planning and remediation activities to occur. Such information may come from inside sources or from external providers. The key is to create "actionable" steps to further protect the enterprise. Processes and plans for establishing, maintaining and testing resilient IT service capabilities in the event of environmental, man-made or technical failures in ICT infrastructure and applications.
Digital Investigation & Forensics
Identify, process and analyze digital states and events to find evidence as to how, why and by whom a computing resource was compromised, and collect, process and review data in the event of legal action (Incident Response Level 3).
Vulnerability Management
The cyclical practice of policy definition, baselining, assessing, prioritizing, shielding, remediating and monitoring of exploitable security vulnerabilities in software and firmware in endpoints, infrastructure and other IP addressable assets, including root cause analysis and elimination.
Security Analytics
Analytics to allow real-time processing of a large volume of unstructured and structured data to efficiently identify, detect and alert on anomalies or transactions that do not conform to expected patterns.
CD: Capabilities (1/13)
Security Monitoring
Log Policy Definition
The definition of a corporate policy related to log generation, with the necessary level of requested logs per component. Each component’s security standard should include a technical log setting, which may include logs containing user activities, security violations and other security event information to provide evidence in case of incidents, digital investigations and for access control monitoring, as well as rules around log storage, retention period, log integrity, etc.
Log Management
Activities to ensure proper log setting configuration on each hardware and software component according to the corresponding component security standard; collecting and aggregating logs to a central repository through collectors or agents from any device, source or format; Log Consolidation by unifying logs into a single standard format through normalization and categorization; ensuring sufficient storage capacity to store logs during the agreed retention period (then deleted after the retention period) and provide ability to retrieve logs when requested (e.g., for postmortem incident analysis, audit requests, etc.).
Log Correlation
The ability to discover and apply logical associations among disparate log events and within a large volume of events from different log sources to highlight important events and identify suspicious activities.
Log Integrity
Ensuring logs cannot be modified so that integrity is maintained throughout and evidence of integrity can be provided.
Use Case Management
Use case definition: the modeling of attack scenarios or a sequence of events and associated rule definition, which, if occurring within a certain period of time, represent a suspicious activity that needs to be analyzed.
Use case to log source mapping: the identification of which logs are necessary to implement the use case.
Use case implementation: ensure alerting when a defined and implemented use case occurs.
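As an added illustration of the three use case steps above (example code, not DXC's own tooling), the following Python sketch defines a use case as an ordered sequence of event types that must occur within a time window, checks its log source mapping against the sources actually collected, and raises an alert when the sequence completes for one source IP. The log lines, source names and event types are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UseCase:
    name: str
    required_sources: frozenset   # use case to log source mapping: sources the rule needs
    sequence: tuple               # use case definition: ordered event types of the scenario
    window: timedelta             # the whole sequence must occur inside this period
    key: str = "src_ip"           # field that ties the events of one scenario together


@dataclass
class Event:
    ts: datetime
    source: str
    etype: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-time> <source> <event_type> k=v k=v ...'."""
    ts, source, etype, *kv = line.split()
    return Event(datetime.fromisoformat(ts), source, etype,
                 dict(p.split("=", 1) for p in kv))


def missing_sources(uc: UseCase, collected_sources) -> list:
    """Use case to log source mapping: required sources that are not collected."""
    return sorted(uc.required_sources - set(collected_sources))


def evaluate(uc: UseCase, events) -> list:
    """Use case implementation: one alert per key value whose events complete
    uc.sequence, in order, within uc.window. Partial matches that outlive the
    window are discarded, so the same events cannot match across windows."""
    alerts = []
    partial = {}   # key value -> [next index in sequence, start time, matched events]
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source not in uc.required_sources:
            continue                      # not a log source this use case is mapped to
        k = ev.fields.get(uc.key)
        if k is None:
            continue
        state = partial.get(k)
        if state is not None and ev.ts - state[1] > uc.window:
            del partial[k]                # window expired: forget the partial match
            state = None
        if state is None:
            if ev.etype != uc.sequence[0]:
                continue
            state = partial[k] = [0, ev.ts, []]
        elif ev.etype != uc.sequence[state[0]]:
            continue                      # not the next expected step; keep waiting
        state[0] += 1
        state[2].append(ev)
        if state[0] == len(uc.sequence):
            alerts.append({"use_case": uc.name, uc.key: k,
                           "first": state[1], "last": ev.ts, "events": list(state[2])})
            del partial[k]
    return alerts


# Constructed use case: three VPN authentication failures followed by a success
# from the same source address within ten minutes.
BRUTE_FORCE_THEN_SUCCESS = UseCase(
    name="Three VPN authentication failures followed by a success",
    required_sources=frozenset({"vpn"}),
    sequence=("auth_failure", "auth_failure", "auth_failure", "auth_success"),
    window=timedelta(minutes=10),
)

# Constructed sample log. Only 203.0.113.7 completes the sequence inside the window;
# 198.51.100.9 succeeds 35 minutes later and 192.0.2.44 fails only once.
SAMPLE_LOG = """\
2018-11-14T10:00:01 vpn auth_failure src_ip=203.0.113.7 user=alice
2018-11-14T10:00:05 vpn auth_failure src_ip=203.0.113.7 user=alice
2018-11-14T10:00:09 vpn auth_failure src_ip=203.0.113.7 user=alice
2018-11-14T10:00:30 proxy http_get src_ip=203.0.113.7 url=/
2018-11-14T10:01:02 vpn auth_success src_ip=203.0.113.7 user=alice
2018-11-14T10:05:00 vpn auth_failure src_ip=198.51.100.9 user=bob
2018-11-14T10:05:10 vpn auth_failure src_ip=198.51.100.9 user=bob
2018-11-14T10:05:20 vpn auth_failure src_ip=198.51.100.9 user=bob
2018-11-14T10:40:00 vpn auth_success src_ip=198.51.100.9 user=bob
2018-11-14T10:50:00 vpn auth_failure src_ip=192.0.2.44 user=carol
2018-11-14T10:50:03 vpn auth_success src_ip=192.0.2.44 user=carol
"""


def run_sample() -> list:
    """Parse the constructed log and evaluate the use case against it."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    return evaluate(BRUTE_FORCE_THEN_SUCCESS, events)


if __name__ == "__main__":
    print("missing sources:", missing_sources(BRUTE_FORCE_THEN_SUCCESS, ["vpn", "proxy"]))
    for alert in run_sample():
        print(alert["use_case"], alert["src_ip"], alert["first"], "->", alert["last"])
```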
CD: Capabilities (2/13)
Security Monitoring
Monitoring & Alerting Processes
The process of observing, checking and tracing (recording) generated alerts defined in use case implementations to initiate incident triage and response when needed.
Event Query
The ability to query for a particular event or a sequence of events that occurred in the past.
Log Reporting
Logs and events management report: events and logs collected and recorded, use case management, alerting and monitoring activities (numbers of alerts, actions undertaken, etc.).
Shift-Handover Process
The process to manage SOC analysts' and operators' Shift-Handover.
Daily Operations Meeting Procedure
The process to manage SOC daily operations (console monitoring, ticket management, etc.).
CD: Capabilities (3/13)
Security Incident Response & Remediation Management
Incident & Defect Notification
Ability to receive an incident notification from a Security information and event management (SIEM) or Help Desk or a notification from end users reporting security or privacy defects (for instance, complaints regarding employees’ behavior impacting privacy obligations).
CERT & Authority Information Request
Ability to receive a request from an authoritative national agency, national police force, a legal department, customers or third parties.
Incident Triage
Triaging of suspicious events/alerts by the SOC Analyst to ascertain their potential impact and effect on the organization. This includes automated triaging when possible.
Incident Validation
Confirmation of whether the event/alert requires an investigation, meaning this is a real incident and not a false positive or an event belonging to an existing ongoing security incident.
Incident Classification
Definition of the severity and/or priority of the security incident, as well as the type of incident, usually according to the predefined security incident categories (DDoS, unauthorized access, information leakage, compliance, privacy, etc.) and the security priority matrix (critical, major, medium or minor).
CD: Capabilities (4/13)
Security Incident Response & Remediation Management
Incident Analysis
Analysis of events to understand dependencies between events, whether some events can be explained by others and so on in order to understand how an incident occurred and what the impact was on the business (usually Level 1 or 2 for incident analysis).
Root Cause Analysis
Analysis of an incident explaining what happened, why and how it happened, and what is recommended to be implemented moving forward to avoid the same incident happening again.
Incident Mitigation & Remediation
Activities to address or avoid incidents impacting information assets and the business, ensuring compliance with legal requirements upon a breach, with the primary focus on preventing or minimizing harm. These could take the shape of:
• A predefined list of tasks to be executed depending on the category, the priority and the severity of the incident
• A complex remediation plan, depending on the magnitude of the attack, the type of attack, the stage of the attack and the current impact
• A legal aspect can be part of activities to be undertaken, for example, in the case of a privacy incident or customer data leakage
Incident Recovery
Activities to be undertaken to recover from an incident that has already taken place and had an impact. These could include:
• Service and data restoration
• System reimage
• A basic cleanup or eradication of malware
• An external communication to a third party or government agency in case of a security breach affecting a customer, a third party or confidential private information
Incident Reporting
Reports regarding security incidents: the number of incidents and their priority, status and ongoing activities to remediate or recover from a security incident.
CD: Capabilities (5/13)
Security Incident Response & Remediation Management
Crisis Leadership & Organization
In the event of a crisis, a clear definition of the roles and responsibilities of everyone who should be involved in responding to a serious incident, how they should be involved, and who owns the incident and acts as the focal point for all communication.
Escalation Procedure
Definition of escalation procedure to deal with potential problems and unexpected situations and to raise attention about some issues to avoid escalating a crisis from a disruption to an emergency situation.
Crisis Communication
Activities taken by an organization to communicate with the public, employees, third parties, partners and stakeholders when a security incident occurs that could have a negative impact on the organization’s reputation or other external organizations.
CD: Capabilities (6/13)
Threat Intelligence & Profiling
Threat Intelligence Platform
Support collection, validation and storage of threat intelligence; allow custom scripting flexibility and programming language options; allow automated enrichment via community feeds and sources, automated triage and automated application of IOCs; provide analysis support tools such as decoders, unpackers, hashers, connection graphs and automated VirusTotal lookup; allow mature curation of signatures, use cases and scripting to be deployed on endpoint IR tooling.
Cyber Threat Intelligence Sources
Provide internal and/or external feeds about emerging threats to support the intelligence-led approach: (1) proactively develop tactics to respond to threats that may target your organization in the medium-term, (2) identify if those threats have already targeted your organization and (3) support threat actor profiling and hunting activities. Provide a broader view of the threat landscape leveraging Global Security Center feeds, industry feeds and security community feeds. For example, a feed from a national CSIRT, CERT or other Threat Intelligence service used to establish proactive indicators of compromise (IOCs) would help to promptly respond to high-severity incidents.
Cyber Threat Intelligence Sharing
Collaborate and share knowledge with an authoritative national agency, national police force, national CSIRT, CERT or other Threat Intelligence third-party service.
Security Trends
Better understand the threat landscape by knowing security trends and which industries are targeted by what type of threat or attacks.
Technical Threat Modeling
Optimize network or application/software security by identifying attack objectives, attack surfaces and vulnerabilities, and then defining protections or countermeasures to prevent or mitigate the effects of threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and which can compromise the assets of an enterprise.
CD: Capabilities (7/13)
Threat Intelligence & Profiling
Threat Actor Profiling
Activities to understand an organization's cyber adversaries and the current activities (observed during investigation) of the threat actor within the organization: attack patterns and indicators, the technical scenario used to infiltrate the customer environment, and the tools and methods of access used to search for, capture and exfiltrate data (malware, backdoors, RATs, command and control (C2), rogue connections, webshells, etc.). Understand what they target within the environment (intellectual property, customer and personal data, business processes, trade secrets, etc.) and identify IP addresses, URLs, DNS domain names, SMTP domain names, beaconing devices and beaconing frequency related to attacker activities.
Malware Analysis
Malware triage engine (in a sandbox) for malware/file analysis and behavior.
Threat Intelligence Knowledge Management
Record of any SOC activity around incident management and threat intelligence: monitoring activities, use case modeling, records of incident response activities, incident analysis and RCA (what happened, how, why and how it was remediated and recovered), lessons learned (logs, volatile and nonvolatile data, artifacts, PCAP, protocol logging, etc.) and any other relevant information that must be shared across the Cyber Security team to optimize further activities related to the same alerts/events/incidents. This includes updating processes and procedures, if needed (list of actions to be executed to recover).
Record of IOCs, watch lists, use cases, custom signatures and scripts developed.
Record of technical intelligence, tactical intelligence and strategic intelligence.
CD: Capabilities (8/13)
Digital Investigation & Forensics
Digital Investigations
Identify, process and analyze digital states and events to find evidence as to how, why and by whom a computing resource was compromised as input for subsequent digital forensics (usually level 3 for incident analysis).
Digital Forensics
Used as part of an internal investigation into security incidents covering identification, preservation, collecting, processing and reviewing data in the event of legal processes.
E-Discovery
Used to support an external investigation resulting from security incidents that have resulted in legal or regulatory action (e.g., concerning data protection) being taken in relation to the customer.
Active Threat Hunting
Activities to proactively discover active threats and malware present within the environment.
CD: Capabilities (9/13)
Security Monitoring
Static Code Analysis: Security testing of the application from the inside out, by examining the source code, byte code or application binaries for conditions indicative of a security vulnerability.
Dynamic Code Analysis: Security testing of the application from the outside in, by examining the application in a runtime environment with various attack techniques to discover security vulnerabilities.
Penetration Testing: Ethical hacking of internal and/or external systems, web applications, mobile applications, end user devices, servers, networks, wireless devices, etc. Identifying, assessing and testing vulnerabilities in software and applications, configuration errors or other operational deployment weaknesses or deficiencies by using various attack techniques to gain access to network, system, application and information assets. This may include specialized penetration testing:
• Network exposure: assessing the exposure of systems and networks — and the vulnerabilities they may contain — to other networks (e.g., a corporate network to the internet, or ICS systems to a corporate network).
• IoT testing: specialized testing of devices and applications that have been traditionally “unconnected,” such as connected vehicle security.
• SCADA/ICS: specialized penetration testing of SCADA/ICS systems that takes into account the safety-critical nature of these networks and devices as well as the proprietary hardware and software associated with them.
• Intelligence-led penetration testing: using threat intelligence data and information on active threat actors to provide a real-world simulated attack on customer systems to show how well they would stand up to an advanced persistent threat (APT)-style attack.
CD: Capabilities (10/13)
Attack Simulation: Activities to test and validate the ability to withstand a targeted cyberattack; measure detect-and-respond capabilities against industry-specific attack simulation; and demonstrate due diligence in securing the organization by simulating a real-world targeted cyberattack, emulating existing threat actor tools, techniques and procedures.
Note: The red team conducts the attack and the blue team performs a parallel exercise to defend against and respond to the attack.
Vulnerability Scanning: Identify, categorize, classify, prioritize, assess, track and report known vulnerabilities in software and firmware.
Social Engineering: Impactful identification of vulnerabilities among people and processes. For instance:
• Test user email security awareness through the use of phishing and spear-phishing methods.
• Test user security awareness through the use of voice-based ethical hacking methods.
• Test site security (physical security) defenses using ethical hacking methods.
Vulnerability Remediation: A list of activities to be undertaken to fix identified vulnerabilities.
Patch Management: Identify, test, approve and deploy security patches and hotfixes provided by software vendors to mitigate identified vulnerabilities according to established patch management procedures.
CD: Capabilities (11/13)
Vulnerability Notification: Receive vulnerability notification feeds from hardware, software and application vendors or security communities (e.g., Microsoft, SAP, Linux, Oracle, VMware) to be notified about new known vulnerabilities in firmware, operating systems, middleware or applications.
Vulnerability Monitoring: Receive vulnerability feeds from customers/partners using software developed by the organization; customers/partners could discover security vulnerabilities while using that software.
Vulnerability Validation & Criticality: Activities to evaluate the applicability of notified vulnerabilities to an environment and to evaluate or re-evaluate the criticality of vulnerabilities (Critical, Major, Medium, Minor) to the organization.
Vulnerability Research: Research activities to discover new (unknown up to the point of discovery) vulnerabilities in firmware, operating systems, middleware or applications by trying to make them fail.
CD: Capabilities (12/13)
Big Data Security Analytics: Big data infrastructure to allow processing of a large volume of unstructured and structured data to support contextual analysis and predictive security, and to allow real-time monitoring and alerting.
Baselining: Baseline of normal user, system or application behavior (network, system, application), used as a reference when abnormal behavior is identified.
Data Anomaly Detection: Real-time identification, detection and alerting of fraudulent activities around data transactions and handling, or other abnormal events that do not conform to expected patterns.
User Behavior Analysis: Real-time identification, detection and alerting of fraudulent user activities or other abnormal events that do not conform to expected user behavior patterns.
Privileged Threat Analytics: Identification of malicious privileged user activity and actionable intelligence, allowing incident responders to disrupt and respond to attacks.
CD: Capabilities (13/13)
Social Media Analysis: Real-time identification, detection and alerting of social media communication anomalies or other abnormal events that do not conform to expected user behavior when using social media networks. This can also be used to anticipate new attack campaigns by analyzing external exchanges made on social media networks from multiple sources.
Network Anomaly Detection: Real-time identification, detection and alerting of network anomalies or other abnormal events or transactions that do not conform to expected network communication patterns.
DNS Analytics: Real-time identification, detection and alerting of DNS anomalies that do not conform to expected DNS communication patterns. For instance, this is used to identify "bad" DNS domain names used by attackers to infiltrate a customer environment or to exfiltrate information from it.
Technical Attack Reconstruction & Visualization: Ability to visually represent flows, actions, behavior, patterns, etc. with the intention of identifying outliers. Also, the ability to automatically show exactly what happened: all processes, files, commands and scripts involved in an attack, giving a sequenced, end-to-end view of the attack (which process starts another process, loads a file or launches a command, etc.).
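As an added illustration of the Baselining and DNS Analytics capabilities (example code written for this page, not DXC's or any product's implementation), the following Python builds a baseline of domains from a known-good period of resolver logs, then flags queries to domains that never appeared in it, raising severity when a hostname label looks like encoded data or when one client queries many distinct subdomains of the same new domain. The log format, the thresholds and every log line are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic), one query per line:
# "<timestamp> <client_ip> <query_name> <qtype>"
BASELINE_LOG = """\
2018-11-14T08:00:01 10.1.2.3 www.example.com A
2018-11-14T08:00:05 10.1.2.3 mail.example.com A
2018-11-14T08:01:10 10.1.2.7 updates.example.org A
2018-11-14T08:02:30 10.1.2.7 www.example.com A
2018-11-14T08:03:00 10.1.2.9 cdn.example.net A
"""

MONITOR_LOG = """\
2018-11-14T09:00:01 10.1.2.3 www.example.com A
2018-11-14T09:00:02 10.1.2.5 q3w8e1r5t9y0u2i4.attacker-example.test TXT
2018-11-14T09:00:03 10.1.2.5 a7s2d9f4g1h6j3k8.attacker-example.test TXT
2018-11-14T09:00:04 10.1.2.5 z5x1c8v3b6n2m9l4.attacker-example.test TXT
2018-11-14T09:00:05 10.1.2.8 docs.example.edu A
2018-11-14T09:00:06 10.1.2.9 cdn.example.net A
"""


def parse_dns_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public suffix list is used, so 'host.example.co.uk' would
    reduce to 'co.uk'; a production detector should consult the suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label: dictionary-word labels
    score low, random-looking labels that carry encoded data score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_baseline(records):
    """Baselining: the set of registrable domains queried during a period
    that is known to be normal."""
    return {registered_domain(r["qname"]) for r in records}


def detect_dns_anomalies(records, baseline, entropy_threshold=3.5,
                         subdomain_threshold=3):
    """DNS analytics: report each (client, domain) pair whose domain is absent
    from the baseline. Severity is 'high' when a hostname label looks like
    encoded data or when one client queries many distinct subdomains of the
    same new domain, which is what a resolver sees during DNS-based exfiltration."""
    stats = {}
    for r in records:
        domain = registered_domain(r["qname"])
        if domain in baseline:
            continue
        entry = stats.setdefault((r["client"], domain),
                                 {"subdomains": set(), "max_entropy": 0.0})
        prefix = r["qname"][:-len(domain)].rstrip(".")
        if prefix:
            entry["subdomains"].add(prefix)
            leftmost = prefix.split(".")[0]
            entry["max_entropy"] = max(entry["max_entropy"],
                                       shannon_entropy(leftmost))
    alerts = []
    for (client, domain), e in sorted(stats.items()):
        reasons = ["domain not in baseline"]
        if e["max_entropy"] >= entropy_threshold:
            reasons.append("high-entropy label (%.2f bits)" % e["max_entropy"])
        if len(e["subdomains"]) >= subdomain_threshold:
            reasons.append("%d distinct subdomains" % len(e["subdomains"]))
        alerts.append({"client": client, "domain": domain,
                       "severity": "high" if len(reasons) > 1 else "low",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_dns_log(BASELINE_LOG))
    for alert in detect_dns_anomalies(parse_dns_log(MONITOR_LOG), baseline):
        print(alert["severity"], alert["client"], alert["domain"],
              "; ".join(alert["reasons"]))
```

A merely new domain (docs.example.edu in the sample) is reported at low severity so analysts can triage it, while the three high-entropy TXT queries from one client to one new domain are raised as high.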
Security Orchestration (1/2)
Objective
Operate and demonstrate security posture
Operational security processes for the management, measurement and improvement of security capabilities integrated with service management processes and business processes.
Subdomains
Security Process Measurement
Security Operations Management
Security Orchestration (2/2)
Security Process Measurement
• Security Process Standard Adoption
• Security Operational Process Measurement
• Operational Measurement Generation & Collection
• Operational Security Reporting
• Operational Compliance Reporting
Security Operations Management
• Security Management Processes
• Resourcing
• Equipment Lifecycle
• Hardening
• Technical Health-Checking
• Operational Security Steering Committee
• Incident & Change Management Integration
• Change Advisory Board
• Security Change Impact Analysis
• Exception Management
SO: Subdomains
Security Process Measurement: Collection, consolidation and reporting of operational security KPIs for the measurement, communication and improvement of security performance, and the maturity and efficiency of security processes.
Security Operations Management: Operational processes for managing security capabilities integrated with service management processes and business processes.
SO: Capabilities (1/3)
Security Process Standard Adoption: Selecting the standard used for process definition (e.g., ISO/IEC 27001, ITIL, COBIT).
Security Operational Process Measurement: Measurement with outputs and/or KPIs associated with any security process and supporting solutions to produce appropriate security reporting. This allows measurement of the maturity and efficiency of security processes, thus also supporting operational decision making and operational improvement plans.
Operational Measurement Generation & Collection: Each solution supporting a security process should generate relevant and actionable output and/or KPIs according to the security process description and objective. KPIs should be collected into a central repository for consolidation and analysis.
Operational Security Reporting: Reporting of operational security metrics/KPIs, allowing measurement of the maturity and efficiency of the corresponding security processes. Communication to relevant service managers for operational decision making and action planning to continuously improve process efficiency.
Operational Compliance Reporting: Reporting of operational security metrics/KPIs to support the compliance and audit program. Communication to compliance managers and service managers for decision making and action planning to improve and ensure compliance posture.
SO: Capabilities (2/3)
Security Management Processes: Definition, ownership, deployment and execution of security delivery processes and procedures, including but not limited to antivirus management, IPS management, firewall management, health-checking management, security solution maintenance and operational monitoring.
Resourcing: Activities to ensure proper resources with adequate skills are assigned to support and maintain operational security processes.
Equipment Life Cycle:
• Equipment acceptance testing: new equipment, systems and upgrades are tested against predefined acceptance criteria before moving to production.
• Equipment monitoring and capacity management: consistently monitor all equipment to detect and manage operational incidents and to anticipate future capacity needs, ensuring system performance.
• Equipment maintenance: consistently maintain and upgrade all equipment to ensure availability and integrity.
Hardening: Set of configuration settings, parameters and values applied to a component (e.g., firmware, operating system, middleware or application) to limit the attack surface by securing its settings according to security best practices and corporate technical security standards.
Technical Health-Checking: Process to periodically check the technical compliance of component (e.g., firmware, operating system, middleware or application) settings and configuration against defined and agreed-upon corporate technical security standards, and to identify technical noncompliance.
SO: Capabilities (3/3)
Operational Security Steering Committee: Review of security process outputs and KPIs, and definition of prioritized actions and the corresponding plan to address process issues, noncompliance, SLAs and incidents.
Incident & Change Management Integration: Integration between security processes and the incident and change management processes and ticketing system, to request changes (maintenance, settings, policies, etc.) and to support investigation (evidence collection, etc.) or remediation activities (clean-up, end user device re-imaging, etc.).
Change Advisory Board: Ensure any security change is approved and that a security impact analysis has been conducted for the change. For major architecture changes, Architecture Review Board approval is required. The advisory board is also responsible for reviewing, rejecting or approving exceptions (risk acceptance) to global security processes or technical security standards.
Security Change Impact Analysis: Provide change impact analysis regarding a security change, or the security aspects of a change, to the Change Advisory Board. Determine what areas could be affected by the proposed changes and identify associated risks and potential mitigations. These areas may involve functional and nonfunctional testing.
Exception Management: Provide input, approvals and the necessary risk acceptance for the introduction of a nonstandard technology or configuration into the environment. Suggest standard technologies to manage the risk in the most cost-effective manner.
Identity & Access Management (1/2)
Objective
Securing the information assets
The management of identities, accounts, entitlements and access across multiple systems to ensure the right individual is granted the right access to resources in a fully auditable manner, to meet compliance, operational and security requirements.
Subdomains
Identity & Account Management
Authentication Management
Access Management
Privileged Account Management
Identity & Access Management (2/2)
Identity & Account Management
• Identity Feed
• Identity Directories
• Account Provisioning & De-provisioning
• Account Reconciliation & Consolidation
• Account Revalidation
• Account Removal
• Federated Identity Management
• Account Monitoring & Auditing
• Account Reporting
Authentication Management
• Claims-based Authentication
• Credential-based Authentication
• Credential Provisioning
• Credential Reset & Renewal
• Strong Authentication
• Multi-Factor Authentication
• Single Sign-On
• Authentication Policy Enforcement
Access Management
• Object Access Control List
• Group-based Access Control
• Role-based Access Control
• Attribute-based Access Control
• Adaptive Access Control
• Access Approval
• Access Provisioning & De-provisioning
• Access Reconciliation
• Access Certification
• Access Removal
• Web and API Access Management
• Delegation
• Access Policy Enforcement
• Access Monitoring & Auditing
• Access Reporting
Privileged Account Management
• Non-Personal Account Lifecycle Management
• Privileged Session Management
• Password Vaulting
• Traceability & Accountability
• Privileged Account Reporting
• Privileged Account Reconciliation
• Privileged Account Revalidation
IAM: Subdomains
Identity & Account Management: Managing user entities during the identity life cycle, and provisioning and deprovisioning of account IDs, including nonpersonal IDs.
Authentication Management: Enforcing centralized authentication policies, including credentials and strong authentication.
Access Management: Enforcing access authorizations and entitlements to applications and information.
Privileged Account Management: Provisioning and enforcement of privileged access authorizations and entitlements to systems and applications.
IAM: Capabilities (1/9)
Identity Feed: The automated process of transferring one or more identities from common sources of identity data.
Identity Directories: Shared repository for storing, structuring, organizing and managing data within an LDAP structure or other proprietary directory structure. Could include synchronization of directories for external distributed authentication and authorization to ensure consistency, availability and performance.
Account Provisioning & Deprovisioning: Generating a unique user account for an identity profile for use in IT systems or applications. These are provisioned automatically for accounts on systems/applications and provided to the user directly or via his or her manager.
Account Reconciliation & Consolidation: Automated reconciliation of accounts by validating that accounts present on systems and applications belong to active identities. The account reconciliation includes inactive or dormant accounts as well as shared, default, system or service accounts, for which responsible account owners are assigned. This includes account consolidation: merging multiple user accounts into a single unique account ID, where the old account IDs are migrated to attributes of the new account ID.
Account Revalidation: Periodic manual revalidation of reconciled accounts performed by the line manager by confirming or denying that reconciled accounts belong to active identities, and reprovisioning or deprovisioning according to the account provisioning process. This account revalidation includes inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.
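To make the Account Reconciliation & Consolidation and Account Revalidation capabilities concrete, here is an added Python example (written for this page, not DXC's code) that reconciles a constructed account inventory against a constructed HR identity feed, merges duplicate user accounts of one identity into the most recently used one with the old IDs kept as an aliases attribute, and builds the per-line-manager worklist that the revalidation step would send out. The record layout, field names, account types and the 90-day dormancy window are assumptions.

```python
from datetime import date

# Constructed sample data (not a real identity feed or system export).
AS_OF = date(2018, 11, 14)

IDENTITIES = {  # HR identity feed: identity ID -> status and line manager
    "I1001": {"name": "A. Example", "status": "active", "manager": "I1000"},
    "I1002": {"name": "B. Example", "status": "terminated", "manager": "I1000"},
    "I1003": {"name": "C. Example", "status": "active", "manager": "I1000"},
}

ACCOUNTS = [  # accounts exported from two systems; owner is an identity ID or None
    {"system": "erp", "account": "aexample", "owner": "I1001", "type": "user", "last_logon": "2018-11-10"},
    {"system": "erp", "account": "a.example2", "owner": "I1001", "type": "user", "last_logon": "2018-11-01"},
    {"system": "erp", "account": "bexample", "owner": "I1002", "type": "user", "last_logon": "2018-10-30"},
    {"system": "crm", "account": "cexample", "owner": "I1003", "type": "user", "last_logon": "2018-06-01"},
    {"system": "crm", "account": "svc_backup", "owner": None, "type": "service", "last_logon": "2018-11-13"},
    {"system": "crm", "account": "admin", "owner": "I1003", "type": "default", "last_logon": "2018-11-12"},
]

NON_PERSONAL_TYPES = ("shared", "default", "system", "service")


def classify_account(acct, identities, as_of, dormant_days=90):
    """Return one reconciliation finding for an account."""
    owner = identities.get(acct["owner"]) if acct["owner"] else None
    if acct["type"] in NON_PERSONAL_TYPES and owner is None:
        return "unowned_shared"   # non-personal account with no responsible owner
    if owner is None or owner["status"] != "active":
        return "orphaned"         # no active identity behind the account
    idle = (as_of - date.fromisoformat(acct["last_logon"])).days
    if idle > dormant_days:
        return "dormant"          # not used within the dormancy window
    return "ok"


def reconcile(accounts, identities, as_of, dormant_days=90):
    """Account reconciliation: annotate every account with its finding."""
    return [dict(a, finding=classify_account(a, identities, as_of, dormant_days))
            for a in accounts]


def consolidate(accounts):
    """Account consolidation: merge several user accounts of one identity on one
    system into the most recently used one; old account IDs become 'aliases'."""
    groups = {}
    for a in accounts:
        if a["type"] == "user" and a["owner"]:
            groups.setdefault((a["system"], a["owner"]), []).append(a)
    merged, consumed = [], set()
    for group in groups.values():
        if len(group) < 2:
            continue
        group.sort(key=lambda a: a["last_logon"], reverse=True)  # ISO dates sort as text
        merged.append(dict(group[0], aliases=[a["account"] for a in group[1:]]))
        consumed.update((a["system"], a["account"]) for a in group)
    return [a for a in accounts if (a["system"], a["account"]) not in consumed] + merged


def revalidation_worklist(reconciled, identities):
    """Account revalidation: route every non-ok finding to the owner's line
    manager to confirm or deny; accounts with no identifiable owner go to an
    UNASSIGNED queue so that a responsible owner gets assigned."""
    worklist = {}
    for a in reconciled:
        if a["finding"] == "ok":
            continue
        ident = identities.get(a["owner"]) if a["owner"] else None
        manager = ident["manager"] if ident else "UNASSIGNED"
        worklist.setdefault(manager, []).append((a["system"], a["account"], a["finding"]))
    return worklist


if __name__ == "__main__":
    findings = reconcile(ACCOUNTS, IDENTITIES, AS_OF)
    for manager, items in revalidation_worklist(findings, IDENTITIES).items():
        print(manager, items)
    for a in consolidate(ACCOUNTS):
        print(a["system"], a["account"], a.get("aliases", []))
```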
IAM: Capabilities (2/9)
Account Removal: Manual or automated deactivation, archiving and removal of active accounts after account reconciliation and revalidation, or after an employee leaves the company.
Federated Identity Management: Allows linkage of an electronic identity and its associated attributes stored in several different identity management systems, sometimes owned by different organizations (different “domains of control”), to enforce a common set of policies and rules around accounts linked to the identity across different systems, domains and organizations. This allows technical interoperability, enables the portability of identity information, or allows delegated authentication or authentication outsourcing to a service provider (SAML, OAuth, OpenID, security tokens, web services, etc.).
Account Monitoring & Auditing: Real-time monitoring of account usage, including logon and logoff attempts. Querying and ad hoc reporting for evidence on active accounts for compliance control purposes.
Account Reporting: Predefined, auto-generated reports, including active accounts, dormant accounts, suspended accounts, approvals and rejections, and related account activities.
IAM: Capabilities (3/9)
Claims-Based Authentication: Authentication based on known attributes of an identity, without the need for credentials, provisioned to the service provider in a secure token.
Credential-Based Authentication: Basic authentication where hashes generated from password credentials are compared with hashes stored in a corporate user directory or external user directories.
Credential Provisioning: Providing account password credentials to users with distribution methods that do not reveal the credential while in transit.
Credential Reset & Renewal: Reset of passwords or periodic renewal of password credentials by self-service applications or by the help desk over two separate channels.
Strong Authentication: The use of methods of authentication that are likely to withstand attacks and only allow the intended individual access to a system or systems. Two-factor or multifactor authentication can be considered strong authentication, but strong authentication doesn’t necessarily mean two-factor or multifactor authentication. For instance, biometric or digital certificate-based authentication, or one-factor authentication based on a nonreusable element which cannot easily be reproduced or stolen, can be considered strong authentication.
IAM: Capabilities (4/9)
Multifactor Authentication: The use of several separate and distinct methods of authentication together; can be 2FA or multifactor authentication (MFA): something you know (e.g., password, PIN, pattern), something you have (e.g., mobile phone, credit card, key), something you are (e.g., fingerprint, facial recognition) and/or somewhere you are (localization). An example would be the use of a digital certificate, a one-time password or facial recognition along with a pattern.
Single Sign-On: An identity, authentication and authorization system where the user logs in once with a single set of credentials and gets a security token (Kerberos ticket, SAML assertion) that can be reused in multiple SSO-aware applications without the need to authenticate again. Allows single authentication across different IT systems or even organizations.
Authentication Policy Enforcement: The process of enforcing centralized authentication policies according to predefined password policies (e.g., password length, complexity and expiration) and authentication methods (credential-based, claims-based, strong authentication, etc.).
IAM: Capabilities (5/9)
Object Access Control List: A list of permissions attached to an object (file system, computer, etc.) to permit or deny access to subjects (users or user groups); often used for network access control.
Group-Based Access Control: Access permissions based on the group memberships of a user entity, either directly assigned or inherited through other group memberships.
Role-Based Access Control: Assigning one or many access privileges to a user based on predefined job role(s) within an organization, linked to the identity profile (i.e., a role is assigned to an account/identity).
Attribute-Based Access Control: Assigning access privileges based on user attributes, resource attributes, environment attributes, etc. by enforcing authorization policies using the XACML standard. Attribute-based access control can be used to enforce mandatory access control (MAC).
Adaptive Access Control: Access control enforced based on dynamically changing levels of risk and trust, measured using user contextual information (e.g., behavior, localization, endpoint technical compliance or other attributes or criteria). The level of trust measured in real time may trigger additional controls, beyond the adaptive authentication and access control, to minimize the risk associated with that level of trust.
IAM: Capabilities (6/9)
Access Approval System or application access requests from end users based on business needs, reviewed and approved or rejected by one or more responsible managers or information owners.
Access Provisioning & Deprovisioning
Provision (automatically/self-service) user’s access to resources on systems, applications and services based on roles and business rules. User access provisioning automates and optimizes user administration to reduce risks and the cost of performing the task manually.
Access Reconciliation
Periodic automated reconciliation of the need for account access privileges based on business job roles or functions. The access reconciliation could include inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.
Access Certification
Periodic revalidation of the need for account access privileges based on account reconciliation, performed by the line manager, account owner or compliance departments by approving or denying reconciled account privileges and reprovisioning or deprovisioning according to the provisioning process. This access revalidation could include inactive or dormant account access privileges as well as shared, default, system or service account access privileges to which responsibleaccount owners are assigned.
Access Removal
Manual or automated deactivation and archiving of access privileges for user accounts or groups after reconciliation, when access is no longer needed because the requirements for the protected access have changed.
IAM: Capabilities (7/9)
Web and API Access Management
Web and API access management allowing authentication with third parties, business partners, suppliers, service providers, etc. (web or mobile, private or public cloud, internal or external applications). It may leverage SAML, OAuth, OpenID, etc. Web access management usually focuses on giving people access to resources; API access management may give people, machines and other APIs access to APIs.
Delegation
Process to assign some responsibilities or authorities to another person for a determined period of time, so that this person can perform some activities and make some decisions.
Access Policy Enforcement
Process of enforcing centralized authorization policies (access control list (ACL)-based, group-based, role-based or attribute-based).
Access Monitoring & Auditing
Monitoring of granted access privileges and of the use of those privileges to detect unauthorized or fraudulent access according to policies, for compliance control and investigation purposes.
Access Reporting
Predefined, auto-generated reports of the access privileges granted to user accounts or groups. Reports should give a cross-system and cross-application view and provide evidence of granted, revoked or suspended access privileges for compliance control purposes.
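As an added illustration of the Access Policy Enforcement capability above, combined with the adaptive (risk-based) control described at the start of this section, the following Python block is example code written for this page, not DXC's or any product's code. It evaluates one request against the four policy styles the framework lists (ACL-, group-, role- and attribute-based) with a default deny, then scores the session context to decide between allow, step-up authentication and deny. The resources, policies, session attributes and risk thresholds in it are constructed assumptions.

```python
"""Access policy enforcement with an adaptive trust check.

Added example, not DXC's code. A small policy decision point that evaluates a
request against the four policy styles the framework lists (ACL-, group-,
role- and attribute-based) and then applies a real-time risk score to the
session context. Resources, policies, context attributes and thresholds are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Subject:
    user: str
    groups: set
    roles: set
    attrs: dict      # identity attributes, e.g. clearance
    context: dict    # session context, e.g. device_compliant, location


@dataclass
class Request:
    subject: Subject
    resource: str
    action: str


# Constructed policies. A trailing "*" in a resource pattern is a prefix match.
ACL = {"finance/ledger.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}
GROUP_RULES = {"hr/*": {"hr-staff": {"read"}}}
ROLE_RULES = {"erp/*": {"accountant": {"read", "post"}}}
ATTR_RULES = [("secret/*", {"clearance": "high"}, {"read"})]


def _match(pattern, resource):
    return resource == pattern or (pattern.endswith("*") and resource.startswith(pattern[:-1]))


def base_decision(req):
    """Static authorization: the first policy that grants the action wins;
    nothing matching means default deny."""
    s = req.subject
    if req.action in ACL.get(req.resource, {}).get(s.user, set()):
        return True, "acl"
    for pattern, rules in GROUP_RULES.items():
        if _match(pattern, req.resource):
            for g in sorted(s.groups):
                if req.action in rules.get(g, set()):
                    return True, f"group:{g}"
    for pattern, rules in ROLE_RULES.items():
        if _match(pattern, req.resource):
            for r in sorted(s.roles):
                if req.action in rules.get(r, set()):
                    return True, f"role:{r}"
    for pattern, required, actions in ATTR_RULES:
        if (_match(pattern, req.resource) and req.action in actions
                and all(s.attrs.get(k) == v for k, v in required.items())):
            return True, "attribute"
    return False, "default-deny"


def risk_score(ctx):
    """Adaptive control: a higher score means a lower measured level of trust."""
    score = 0
    if not ctx.get("device_compliant", False):
        score += 40   # endpoint not compliant with technical standards
    if ctx.get("location") == "unknown":
        score += 30   # request from an unrecognised location
    if ctx.get("new_device", False):
        score += 20   # first time this device is seen for the user
    return score


def decide(req, step_up_at=50, deny_at=80):
    """Combine the static decision with the real-time trust level: allow,
    require additional (step-up) authentication, or deny."""
    allowed, reason = base_decision(req)
    if not allowed:
        return "deny", reason
    score = risk_score(req.subject.context)
    if score >= deny_at:
        return "deny", f"{reason};risk={score}"
    if score >= step_up_at:
        return "step-up-auth", f"{reason};risk={score}"
    return "allow", f"{reason};risk={score}"


if __name__ == "__main__":
    alice = Subject("alice", {"hr-staff"}, {"accountant"}, {"clearance": "low"},
                    {"device_compliant": False, "location": "unknown"})
    print(decide(Request(alice, "erp/journal", "post")))   # step-up-auth
```

The static decision and the trust score are kept separate on purpose: the policy answers "may this identity do this at all", and the adaptive layer only ever tightens that answer, never widens it, which is the property the framework's description of adaptive controls relies on.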
IAM: Capabilities (8/9)
Nonpersonal Account Life-Cycle Management
The management of system or service accounts used by nonpersonal entities, as well as of shared privileged accounts such as root and default accounts. An account owner is assigned who is responsible for nonpersonal account creation, access granting, revalidation and removal, and for the ability to check accounts out and in.
Privileged Session Management
Recording and replaying privileged user session activities on sensitive or confidential information assets.
Traceability & Accountability
Tracing privileged access back to an individual user, ensuring accountability for actions in case of investigations or for compliance purposes.
Privileged Account Reconciliation
Automated reconciliation of the need for privileged accounts based on business job roles or functions. The account reconciliation includes inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.
Privileged Account Revalidation
Periodic manual revalidation of reconciled privileged accounts performed by the line manager, who approves or denies reconciled accounts and reprovisions or deprovisions according to the provisioning process. This account revalidation includes inactive or dormant account access privileges as well as shared, default, system or service accounts for which responsible account owners are assigned.
IAM: Capabilities (9/9)
Password Vaulting
Preventing malicious access to and use of privileged user passwords by managing privileged credentials in an encrypted storage area.
Privileged Account Reporting
Predefined, auto-generated reports including active, dormant or suspended privileged accounts, account approvals and rejections, and other account activities.
Infrastructure & Endpoint Security (1/2)
Objective
Securing the information assets
Rule-based, automated techniques and tools for monitoring, detecting, scanning, blocking, analyzing, detonating, logging and alerting against known and unknown malware, exploits and threats at endpoints and in networks.
Subdomains
Unknown Threat Detection & Prevention
Security Enforcement by Design
Known Threat Detection & Prevention
Rule-Based Security Policy Enforcement
Forensic Analysis & Response
Infrastructure & Endpoint Security (2/2)
Identity & Account Management
Identity Feed
Identity Directories
Account Removal
Account Provisioning & De-provisioning
Federated Identity Management
Account Reconciliation & Consolidation
Account Revalidation
Account Monitoring & Auditing
Account Reporting
Access Management
Object Access Control List
Group-based Access Control
Access Approval
Role-based Access Control
Access Provisioning & De-provisioning
Attribute-based Access Control
Adaptive Access Control
Access Reconciliation
Access Certification
Access Policy Enforcement
Access Removal
Access Monitoring & Auditing
Web and API Access Management
Delegation
Access Reporting
Authentication Management
Claims-based Authentication
Credential-based Authentication
Multi-Factor Authentication
Credential Provisioning
Single Sign-On
Credential Reset & Renewal
Strong Authentication
Authentication Policy Enforcement
Privileged Account Management
Non-Personal Account Lifecycle Management
Privileged Session Management
Password Vaulting
Traceability & Accountability
Privileged Account Reporting
Privileged Account Reconciliation
Privileged Account Revalidation
IES: Subdomains
Security Enforcement By Design
Automated enforcement techniques for zoning, encrypting, virtualizing, intercepting, intermediating and session-controlling remote access, wireless access and network access.
Rule-Based Security Policy Enforcement
Rule-based and automated enforcement techniques and tools for monitoring, scanning, inspecting, blocking, blacklisting and whitelisting unauthorized, illegal and noncompliant access to internal and external resources at endpoints and network infrastructure, preventing malware infections and C2 connections.
Known Threat Detection & Prevention
Monitoring, detecting, scanning, blocking, remediating, logging and alerting for malware and exploits with signature-, reputational- and behavior-based software at endpoints and in networks, including DDoS attack protection.
Unknown Threat Detection & Prevention
The detection, analysis, blocking and detonation of web and email content as well as files shared over the network in isolated sandbox environments or in real time by simulating/replaying end-to-end communication or sessions.
Forensic Analysis & Response
Endpoint and network incident response and forensics tooling with collection, recording, detection, investigation, containment, remediation and threat disruption capabilities.
IES: Capabilities (1/9)
Zoning
Segmenting and isolating information assets and networks logically into separate zones of subnets or VLANs with consistent security policies and requirements, based on information classification, vulnerabilities and threats; restricting access and information flows to authorized components and users only, according to security policies; and minimizing object visibility to unauthorized entities.
Network Encryption
Point-to-point transport-layer encryption of communications to secure data transmission over unmanaged or insecure networks.
Session Encryption
Session-level or endpoint-to-system transport-layer encryption of communications to secure data transmission between endpoints over unmanaged or insecure networks.
Remote Access Control
Security control mechanisms dedicated to inbound access for employees working remotely, from the internet or from public or uncontrolled environments, to internal network resources, with capabilities for strong authentication, access control, session logging and host compliance checking.
Wireless Access Control
Security control mechanisms with mutual authentication of client and server to ensure only authorized users are allowed access, enabling secure connections to internal networks.
IES: Capabilities (2/9)
Network Access Control
Policy-based access authorization and device connectivity to networks and resources, including pre-admission policy compliance checks.
SSL Interception
Intercepting and decrypting encrypted traffic, and forwarding the decrypted traffic for malware or content analysis.
Jump Hosting
A terminal server providing virtual desktop or virtual host sessions to internal network resources, restricted to graphical presentation without resource sharing, with authentication, access control, session logging and host compliance checking capabilities.
Microvirtualization & Containerization
An alternative to full virtualization, encapsulating an application (containerization) or a task/transaction (microvirtualization) in an isolated container with its own operating environment, enabling the application to securely run on any suitable physical machine without any dependencies or constraints; or in an isolated micro virtual machine to enable isolation of user tasks from one another, including system and network resources.
Proxy
A network component acting as a session intermediary for its associated clients and servers, providing anonymity and enabling session logging, session control, content analysis, etc.
IES: Capabilities (3/9)
Clock Synchronization
A reliable external time source used to synchronize the clocks of all systems and components, to facilitate tracing, reconstitution of activity timelines and analysis.
Master Copy & Reimage
Ability to create images and clones to distribute corporate endpoint images (for laptops, servers or virtual machines) aligned with security technical standards, supporting incident remediation and recovery: a large number of systems can be created very fast, so that compromised or wrecked systems can be sufficiently and effectively re-created, even under run conditions with the threat actor still present. The image is created in a secure environment using verified (hashed) software, is patched with the latest updates and is configured to comply with corporate security technical standards.
IES: Capabilities (4/9)
Network Layer Firewall
Rule-based controls to authorize or deny unauthorized access at the network level or endpoints, based on IP address, subnets, ports, protocols and connection types, with stateful or packet-filtering firewalls or access control lists.
Application Firewall
Rule-based control enforcement to authorize or deny unauthorized application types, application traffic flows, application requests, application commands or features at the user session level, at the application or database layer.
Web Content Filtering
Rule-based URL filtering and blocking, preventing illegal, inappropriate or forbidden-by-corporate-policy access to websites or web content, or to known malware websites on the internet.
Application Control
Preventing malware from executing by whitelisting or blacklisting applications, tools or process execution, blocking configuration changes and preventing storage in directories.
Software Installation Control
Ensuring that any deployed software has been authorized.
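The Network Layer Firewall capability above describes rule-based authorization on addresses, subnets, ports, protocols and connection types, with either stateful or packet-filtering behaviour. The following Python block is an added example written for this page (not DXC's or any firewall vendor's code) showing the two things a practitioner most often has to reason about when reviewing such a rule base: first-match evaluation with a default deny, and a connection state table that admits return traffic only for connections the rules already allowed. The zones, addresses and rules are constructed.

```python
"""Network-layer firewall rule evaluation with connection state.

Added example, not DXC's code. First-match rule base with a default deny,
plus a stateful connection table so that only replies to connections the
rule base admitted are let back in. Addresses, zones and rules are
constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: str        # "tcp", "udp", "icmp" or "any"
    dport: object     # int, (low, high) range, or None for any port
    action: str       # "allow" or "deny"

    def matches(self, pkt):
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is None:
            return True
        port = pkt.get("dport")
        if isinstance(self.dport, tuple):
            return port is not None and self.dport[0] <= port <= self.dport[1]
        return port == self.dport


# Constructed zones: 10.10/24 workstations, 10.20/24 web servers,
# 10.30.0.53 resolver, 10.40/24 database servers, 10.50/24 admin jump hosts.
RULES = [
    Rule("workstations-to-web", "10.10.0.0/24", "10.20.0.0/24", "tcp", 443, "allow"),
    Rule("workstations-dns", "10.10.0.0/24", "10.30.0.53/32", "udp", 53, "allow"),
    Rule("no-workstation-to-db", "10.10.0.0/24", "10.40.0.0/24", "any", None, "deny"),
    Rule("admin-ssh", "10.50.0.0/24", "0.0.0.0/0", "tcp", 22, "allow"),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # 5-tuples of connections admitted by a rule

    def evaluate(self, pkt):
        """Return (verdict, reason). Replies to admitted flows are allowed by
        state; new flows consult the rule base in order; anything the rules do
        not mention is denied."""
        key = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        if reverse in self.state:
            return "allow", "established"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add(key)
                return rule.action, rule.name
        return "deny", "default-deny"


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    syn = {"proto": "tcp", "src": "10.10.0.5", "sport": 51000, "dst": "10.20.0.8", "dport": 443}
    print(fw.evaluate(syn))                                        # allow by rule
    reply = {"proto": "tcp", "src": "10.20.0.8", "sport": 443, "dst": "10.10.0.5", "dport": 51000}
    print(fw.evaluate(reply))                                      # allow, established
```

Note that the reply from the web server is admitted only because the workstation's outbound connection was seen first; an identical packet aimed at a workstation that never opened a connection falls through to the default deny, which is the behaviour that distinguishes a stateful firewall from a plain packet filter.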
IES: Capabilities (5/9)
DNS Sinkholing
Control channel prevention by rerouting, faking and blocking name-to-IP address DNS lookups, preventing malware-infected endpoints from connecting to command-and-control (C2) hosts.
Device Control
Monitoring and blocking software from reading, writing and executing on end-user devices and ports and on removable media.
Flow Access Control List
Rule-based blocking of unauthorized and noncompliant access by host checking, MAC ACLs, IP ACLs, etc.
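To make the DNS Sinkholing capability concrete, the Python block below is an added example written for this page (not DXC's code): it decodes the question name from a DNS query in wire format (RFC 1035), checks the name and its parent domains against a block list, and answers with a sinkhole address while logging the client, so the infected endpoint never receives the real address and the resolver log becomes the detection record. The block-list names, sinkhole address and client IP are constructed placeholders, not real indicators.

```python
"""DNS sinkholing at the resolver.

Added example, not DXC's code. Decode the question name from a DNS query in
wire format (RFC 1035); if the name or a parent domain is on the block list,
answer with a sinkhole address and log the event instead of forwarding the
query. The block-list entries, sinkhole address and client IP are constructed."""
import struct

SINKHOLE_IP = "10.255.255.1"                      # assumed internal sinkhole host
BLOCKLIST = {"bad-c2.example", "evil.example"}    # constructed names, not real IoCs


def build_query(name, txid=0x1234):
    """Encode a standard A query for `name` (used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def parse_question(packet):
    """Return (txid, name, qtype, end_offset) for the single question in a DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12                      # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, pos + 4


def is_blocked(name):
    """True if the name or any parent domain (excluding the bare TLD) is listed."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts) - 1))


def sinkhole_response(query):
    """Answer a query for a blocked name with a single A record for the sinkhole."""
    txid, _name, _qtype, qend = parse_question(query)
    question = query[12:qend]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    # Name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, then the address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answer


def handle(query, client_ip, log):
    """Resolver policy: sinkhole blocked names and log them, otherwise forward."""
    txid, name, _qtype, _end = parse_question(query)
    if is_blocked(name):
        log.append(f"sinkhole client={client_ip} qname={name} txid={txid:#06x}")
        return "sinkholed", sinkhole_response(query)
    return "forward", None


if __name__ == "__main__":
    events = []
    verdict, reply = handle(build_query("cdn.bad-c2.example"), "10.1.2.3", events)
    print(verdict, reply.hex(), events)
```

Each log line carries the querying client, which is what the SOC needs: a sinkhole hit identifies the endpoint that is infected, not just the name that was blocked.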
IES: Capabilities (6/9)
Known Malware Protection
Detecting, scanning, analyzing, blocking, logging, alerting and remediating known malware on endpoints, mail, collaboration and messaging servers, networks, virtualized systems, etc., with signature-based software triggered by process execution (e.g., opening a file, web browsing, downloading a file, opening email attachments), often called anti-malware, anti-virus and anti-spyware.
Known Exploit Protection
Detecting, scanning, analyzing, blocking, logging, alerting and remediating malicious activities on endpoints and in networks with heuristics-based software that recognizes command sequences or malformed packets exploiting a known vulnerability, often called host IPS or network IPS.
Known Behavior-Based Attack Prevention
Monitoring, analyzing, logging, alerting and remediating endpoints and networks with pattern-based software detecting deviations from normal user, system or application behavior, protocol/Remote Function Call (RFC) conformity, etc., used in DDoS protection, IPS and C2 channel prevention.
Known Reputational-Based Attack Prevention
Detecting, scanning, logging, alerting and remediating on endpoints and in networks with reputation-based software and URL filtering, blocking illegal or unethical content and harmful malware (e.g., pedophilia, spam, phishing email, web content, C2 channel blacklisting based on known IP addresses or DNS domain names, or DNS sinkholing).
DDoS Attack Protection
Real-time protection for deflecting and blocking DDoS attacks (volumetric, protocol-based or application-layer-based) from the internet before they reach the corporate perimeter, where the attack objective may be to make business-critical websites unavailable, or to serve as a diversion masking more malicious attacks through other attack vectors.
IES: Capabilities (7/9)
Unknown Malware Detection & Analysis
Analyzing, blocking, detonating and alerting on unknown malware in web or email traffic, in isolated virtual sandbox environments or in real time, preventing the infection of other resources.
Unknown Exploit Detection & Analysis
Techniques for zero-day threat detection and prevention, session sandboxing, session deconstruction or replay.
Unknown Behavior-Based Attack Detection & Analysis
Anomaly detection and analysis based on user and system behavior (e.g., NetFlow baselining).
IES: Capabilities (8/9)
Full Packet Capture & Protocol Decoding
Flight recorder for capturing and recording network packets, including payload, for security analytics, investigation and forensics. Includes protocol decoding.
Endpoint Forensic Tooling
Ability to dump and collect digital evidence from endpoints, both volatile (in memory) and nonvolatile (on disk): list of processes, list of TCP sessions, registry, part of the disk space, full disk dump, memory content used by a process, entire memory dump, etc., to support triage and investigation activities.
Endpoint Containment
Isolation of an endpoint when it is compromised.
Endpoint Remediation
Ability to support remediation when an endpoint is compromised: kill session, kill process, shut down the workstation, etc.
Network Forensic Tooling
Ability to collect network artifacts such as TCP sessions, packet statistics, ARP information, ICMP information, NetFlow information, etc., and to search for indicators of compromise within the network by analyzing this information or applying detection rules.
IES: Capabilities (9/9)
IOC Detection, Real-Time Query & Alerting
Ability to alert in real time based on published rules, IOCs or on-demand queries (searches for known indicators of compromise) on endpoints and in the network.
Honeypots & Threat Deception
Simulation of network, system, application and data layers to learn about unknown attack techniques and malware and to delay and disrupt the attacker's activities, acting as bait to identify attackers by generating deceitful responses, lies, misdirection, diversions, etc.
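As an added example of the IOC Detection, Real-Time Query & Alerting capability (written for this page, not DXC's code), the Python block below matches a published indicator set (file hashes, domains, IP addresses and CIDR ranges) against endpoint and network telemetry in the two ways the capability names: as events arrive, producing an alert per hit, and as an on-demand query over retained events, answering which hosts have touched a given indicator. The indicators, hostnames and events are constructed; the hash and addresses are placeholders (documentation address ranges), not real IoCs.

```python
"""IOC detection, real-time query and alerting over telemetry.

Added example, not DXC's code. Matches a published indicator set against
endpoint and network telemetry, both as events arrive (real-time alerting)
and as an on-demand query over retained events. Indicators, hostnames and
events are constructed placeholders, not real IoCs."""
import ipaddress

IOCS = {
    "sha256": {"0" * 63 + "1"},                             # constructed hash
    "domain": {"bad-c2.example"},
    "ipv4": {"192.0.2.10"},                                 # RFC 5737 documentation range
    "cidr": {ipaddress.ip_network("198.51.100.0/24")},      # RFC 5737 documentation range
}

# Constructed telemetry, one record per event, as an endpoint agent or a
# flow collector might emit them.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "sha256": "0" * 63 + "1", "image": "C:\\tmp\\a.exe"},
    {"ts": 2, "host": "ws01", "type": "dns", "qname": "cdn.bad-c2.example"},
    {"ts": 3, "host": "ws02", "type": "conn", "dst": "198.51.100.77", "dport": 443},
    {"ts": 4, "host": "ws03", "type": "conn", "dst": "203.0.113.5", "dport": 80},
    {"ts": 5, "host": "ws03", "type": "process", "sha256": "ab" * 32, "image": "notepad.exe"},
]


def domain_hits(qname):
    """Match the queried name and every parent domain against the domain IOCs."""
    parts = qname.lower().split(".")
    return {".".join(parts[i:]) for i in range(len(parts))} & IOCS["domain"]


def ip_hits(addr):
    """Match an address against exact-IP and CIDR IOCs."""
    ip = ipaddress.ip_address(addr)
    hits = set()
    if addr in IOCS["ipv4"]:
        hits.add(addr)
    hits.update(str(net) for net in IOCS["cidr"] if ip in net)
    return hits


def match(event):
    """Return a list of (ioc_type, indicator) matches for one event."""
    hits = []
    if "sha256" in event and event["sha256"].lower() in IOCS["sha256"]:
        hits.append(("sha256", event["sha256"]))
    if "qname" in event:
        hits.extend(("domain", d) for d in sorted(domain_hits(event["qname"])))
    if "dst" in event:
        hits.extend(("ip", i) for i in sorted(ip_hits(event["dst"])))
    return hits


def alert_stream(events):
    """Real-time path: yield one alert per matching event as it arrives."""
    for ev in events:
        hits = match(ev)
        if hits:
            yield {"ts": ev["ts"], "host": ev["host"], "type": ev["type"], "iocs": hits}


def query(events, indicator):
    """On-demand path: which hosts have ever matched a given indicator?"""
    return sorted({ev["host"] for ev in events if any(i == indicator for _, i in match(ev))})


if __name__ == "__main__":
    for alert in alert_stream(EVENTS):
        print(alert)
    print(query(EVENTS, "bad-c2.example"))   # hosts that resolved the C2 domain
```

The same `match` function drives both paths, so a newly published indicator can be checked against the retained history with `query` immediately, without waiting for the endpoint to generate fresh telemetry.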
Applications Security (1/2)
Objective
Securing the information assets
Methodology, process, expertise and tools to increase and provide assurance that applications and software meet the relevant security requirements and implement the required security controls, while reducing the number and severity of vulnerabilities, in order to protect the data and control entrusted to the applications or other software. Industry-standard software development practices can result in applications riddled with vulnerabilities, so improvement is required.
Subdomains
Release, Deployment & Maintenance
Software Life Cycle
Application Quality Assurance
Secured Application Development
Applications Security (2/2)
Software Lifecycle
Secure SDLC Process
Software Assurance Maturity Model
Secured Application Development
Development Standards & Tools
Security Requirements Qualification
Development, Quality & Production Environment Mngt.
Secure Coding
Application Monitoring & Auditing
Application Quality Assurance
Functional Testing
Non-Functional Testing
Release, Deployment & Maintenance
Release Process
Deployment & Rollback Process
Patch Development Management
AS: Subdomains
Software Life Cycle
Definition of the secure SDLC process, describing the set of activities to be performed during the development, delivery and maintenance of secure software, including maturity models and assessments that gauge the strengths and weaknesses of an organization's security coverage throughout the SDLC.
Secured Application Development
Process of securely developing and coding applications or software through phases and across different development environments, taking into account application security principles and requirements; leveraging selected and defined development security standards and tools for the SDLC specific to application families and development methods; and leveraging secure coding best practices.
Application Quality Assurance
Quality assurance process to test functional (end user functionalities) and nonfunctional (performance, security and operations) application requirements according to software specifications, including user acceptance testing (UAT) and operational acceptance testing (OAT).
Release, Deployment & Maintenance
Processes to manage, plan, schedule, deploy and maintain software build, revision and versioning following different phases and leveraging different environments, including processes to update developed software to address vulnerabilities.
AS: Capabilities (1/4)
Secure SDLC Process
Defines the secure SDLC process, describing the set of activities to be performed during the development, delivery and maintenance of secure software. This may include leveraging common frameworks and standards to evaluate the process and allow its improvement.
Software Assurance Maturity Model
Maturity models that define levels of software assurance maturity relevant to an enterprise, organization or application. Examples are the Open Software Assurance Maturity Model (OpenSAMM) and the Build Security In Maturity Model (BSIMM). Some models, such as BSIMM, are only descriptive (a reference against what other organizations do, with no implication of what is better or worse), in contrast to prescriptive models. Similar to Capability Maturity Model Integration (CMMI), but specifically focused on software assurance.
AS: Capabilities (2/4)
Development Standards & Tools
Selection and definition of development security standards and tools for the SDLC specific to application families (e.g., Web, Mobile, SAP, ICS) and specific to development methods (e.g., Agile, Waterfall). Includes standards for development tools and frameworks to be used for application families, integration of tools and developer guidelines.
Security Requirements Qualification
The process of identifying and validating security requirements — including compliance, privacy, safety and resilience requirements — relevant to an application or software.
Development, Quality & Production Environment Mgmt.
Manage separate environments for the phases of the development and release life cycle: a development environment and a test/qualification environment (where new features are developed and changes are made and tested), and a production environment (used by corporate users). These environments are kept separated, and production data and credentials are not copied into the lower environments.
Secure Coding Developing/writing source code, taking into account security principles, best practices, secure coding guidelines, etc.
Application Monitoring & Auditing
Monitoring of application events and logs, application access and the use of application privileges to detect unauthorized or fraudulent access, activities or transactions according to policies and compliance rules, including separation-of-duty rules. Also covers monitoring of application response and performance.
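The separation-of-duty and privilege-use checks described above, as an added example that is not part of the DXC framework document: the audit-event format, its field names, the conflicting-action pairs, the role mapping and the business-hours window are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Separation-of-duties and privilege-use checks over application audit events.

Added example (not part of the original framework): the log format, field names
and the policy below are assumptions chosen for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit events (not real data). One JSON object per line.
SAMPLE_LOG = """\
{"ts":"2018-11-14T09:02:11Z","user":"alice","role":"clerk","action":"payment.create","object":"PAY-1001"}
{"ts":"2018-11-14T09:05:40Z","user":"bob","role":"approver","action":"payment.approve","object":"PAY-1001"}
{"ts":"2018-11-14T10:12:03Z","user":"carol","role":"clerk","action":"payment.create","object":"PAY-1002"}
{"ts":"2018-11-14T10:12:45Z","user":"carol","role":"clerk","action":"payment.approve","object":"PAY-1002"}
{"ts":"2018-11-14T11:30:00Z","user":"dave","role":"clerk","action":"user.grant_role","object":"dave"}
{"ts":"2018-11-14T23:55:19Z","user":"bob","role":"approver","action":"payment.approve","object":"PAY-1003"}
"""

# Assumed policy: pairs of actions one identity must not perform on the same object,
# actions reserved for specific roles, and the window in which privileged actions are expected.
SOD_CONFLICTS = {("payment.create", "payment.approve")}
PRIVILEGED_ACTIONS = {"user.grant_role": {"admin"}, "payment.approve": {"approver"}}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC


def parse_events(text):
    """Parse newline-delimited JSON events, skipping malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
        except (ValueError, KeyError):
            continue  # in production a malformed audit line is itself worth an alert
    return events


def find_sod_violations(events):
    """Return (user, object, action_a, action_b) where one user did both conflicting actions."""
    actions_by_user_object = defaultdict(set)
    for ev in events:
        actions_by_user_object[(ev["user"], ev["object"])].add(ev["action"])
    violations = []
    for (user, obj), actions in actions_by_user_object.items():
        for a, b in SOD_CONFLICTS:
            if a in actions and b in actions:
                violations.append((user, obj, a, b))
    return violations


def find_privilege_misuse(events):
    """Return events whose action is reserved for a role the actor does not hold."""
    return [ev for ev in events
            if ev["action"] in PRIVILEGED_ACTIONS and ev["role"] not in PRIVILEGED_ACTIONS[ev["action"]]]


def find_out_of_hours(events):
    """Return privileged actions performed outside business hours (a fraud indicator, not proof)."""
    return [ev for ev in events
            if ev["action"] in PRIVILEGED_ACTIONS and ev["ts"].hour not in BUSINESS_HOURS]


def audit(text):
    """Run all three checks and return the findings as plain tuples."""
    events = parse_events(text)
    return {
        "sod": find_sod_violations(events),
        "privilege": [(e["user"], e["action"]) for e in find_privilege_misuse(events)],
        "out_of_hours": [(e["user"], e["action"], e["object"]) for e in find_out_of_hours(events)],
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LOG).items():
        print(kind, findings)
```

On the constructed log this flags carol for both creating and approving PAY-1002, carol and dave for using actions their role does not grant, and bob's approval at 23:55 as out of hours. The checks are deliberately stateless over a batch; a real deployment would run them as streaming detections fed by the application's audit trail and would treat unparseable lines as a finding.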
AS: Capabilities (3/4)
Functional Testing Quality assurance process to test (including user acceptance testing, UAT) what the software is supposed to do from the end-user perspective and to validate the functional specifications of the software: the functions provided to end users. Functionality is exercised with test cases that supply inputs and analyze the software's outputs against the specification. This includes functional regression testing.
Nonfunctional Testing
Testing (and acceptance) of application and system nonfunctional requirements: how the system operates and should behave, rather than the end-user functions it provides. Nonfunctional testing can include performance testing (load, stress, reliability, scalability, resilience, etc.), compliance and security testing, and operational testing (backup, restore, recovery, etc.), also known as operational acceptance testing (OAT).
AS: Capabilities (4/4)
Release Process Develop a release process to manage, plan and schedule software build, revision and versioning.
Deployment & Rollback Process
Develop a deployment process to manage, plan and schedule software deployment in production through different environments. This includes the development of a rollback process to ensure the return to a previous state or version or revision of the application in case of an issue when deploying a new release.
Patch Development Management
Develop application/software patches and updates to address security vulnerabilities discovered in software that has already been released. As it is highly unlikely for complex software to be completely vulnerability-free, it is important to have a means to issue timely security patches and updates for vulnerabilities in software you are responsible for. Development covers writing the fixes as well as building the patch. Security patches require timely testing before release, both for (likely limited) regression (functionality and security) and for assurance that the specific vulnerability prompting the patch is actually fixed. Application security patch notification alerts all (at least supported) affected users of the application/software in a way that maximizes protection and minimizes exposure/harm.
Data Protection & Privacy (1/2)
Objective
Securing the information assets
Methods, tools and techniques to identify and classify information, define data security modeling and associated security requirements, and protect data by preventing unauthorized loss, modification and use of data.
Subdomains
Certificate & Key Management
Data Assurance & Governance
Data Security Life-Cycle Management
Data Protection
Data Protection & Privacy (2/2)

Data Assurance & Governance: Data Security Modeling, Data Tagging, Data Standardization, Data Discovery, Data Accuracy, Data Flow, Data Processing, Data Origin, Data Adequacy

Data Security Lifecycle Management: Data Recovery, Data Backup, Data Destruction, Data Archiving, Data Migration, Data Retention

Data Protection: Digital Rights Management, Data Tokenization, Disk Encryption, Data Masking, Data Integrity, Data Loss Prevention, Data Encryption, Data Monitoring

Certificate & Key Management: Certificate & Key Lifecycle Management, Certificate Authority, Registration Authority, Cryptography
DPP: Subdomains
Data Assurance & Governance Activities to ensure accountability of data security modeling, data tagging, data discovery, data management, data processing and usage.
Data Protection Methods, tools and techniques to protect data by preventing unauthorized loss, modification and use of sensitive or confidential information.
Data Security Life-Cycle Management The process of creating, storing, using, sharing, archiving and destroying data during its life cycle.
Certificate & Key Management
The process of registration, key and certificate generation, distribution, storage, backup, usage, renewal, expiration, revocation, recovery, notification, archiving and auditing of keys and digital certificates.
DPP: Capabilities (1/7)
Subdomain: Data Assurance & Governance
Data Security Modeling
Activities to define a data model and semantics for security to support technical experts’ and security officers’ understanding of the data security requirements to be taken into account in application design or system development (e.g., database design). This includes business-oriented data constraints and relationships among data defined by the organization, industry standards or some regulations to allow interoperability between organizations and applications (e.g., bank routing codes to allow interbank transactions).
Data Tagging Identifying, classifying and tagging data elements such as content (legal, private, financial, medical or types of business data) as well as geolocation, file type or other attributes-based information asset classification schema, data category and data security modeling.
Data Discovery A process, based on information asset classification schema and data patterns, to automatically discover and identify data repositories in the organization, how data is used and by whom or which processes, then improving data inventory and classification by analyzing data patterns and values.
Data Flow Documenting approved transfers of data (regulated data, critical business data or other) from one system to another. For instance, data flow is a prerequisite to map data privacy requirements to assets.
Data Processing Documenting legitimate reasons for processing data (regulated data, critical business data or other) and approved data access. For instance, data access is a prerequisite to map data privacy requirements to assets.
DPP: Capabilities (2/7)
Subdomain: Data Assurance & Governance
Data Standardization Activities to ensure that data is cleansed and standardized to a defined model before it is used.
Data Accuracy Management of accuracy and update of data before it is used.
Data Origin Identification and record of data origin for audit and compliance purposes.
Data Adequacy Activities to ensure that data is adequate and relevant, and to verify that it is not excessive in relation to the purposes for which it is processed.
DPP: Capabilities (3/7)
Subdomain: Data Protection
Digital Rights Management Methods and tools to prevent copying, modification or distribution of intellectual property, copyrighted material or other digital media by copy-, write-, forward- or print-protecting the information.
Data Tokenization Protecting PII, personal health information, cardholder data or other confidential and sensitive records by substituting field values with tokens that carry no exploitable value on their own. Vault-based tokens are random values whose mapping to the original is held in a protected look-up table (the vault); vaultless tokens are derived cryptographically from the original value, with no stored mapping. Only authorized systems with access to the vault or to the tokenization key can detokenize to the original values.
Data Masking Protecting PII, personal health information, cardholder data or other confidential and sensitive records by replacing data with fictitious or scrambled values using techniques such as substitution, encryption or shuffling, typically for non-production use (test, development, analytics). Commonly used for data anonymization; where a mapping back to the original is retained (e.g., reversible encryption), the result is pseudonymized rather than anonymized.
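The distinction between the two capabilities above, vault-based and vaultless tokenization beside irreversible masking, as an added example that is not part of the DXC framework document. The sample card number is the well-known test PAN, and the HMAC key, the vault interface and the digit-mapping are illustrative assumptions: a production vault is a hardened service with access control and audit logging, not an in-memory table, and a reversible vaultless scheme would use format-preserving encryption rather than an HMAC.

```python
"""Vault-based and vaultless tokenization beside irreversible masking.

Added example, not from the original framework. The card number, the HMAC key and
the in-memory vault are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import string

DIGITS = string.digits


class VaultTokenizer:
    """Random, format-preserving tokens; the only link to the original is the vault table."""

    def __init__(self):
        self._vault = {}    # token -> original: the sensitive side, protect accordingly
        self._reverse = {}  # original -> token, so a repeated value tokenizes consistently

    def tokenize(self, value):
        if value in self._reverse:
            return self._reverse[value]
        while True:
            # keep the last four digits (common for cardholder data), randomize the rest
            token = "".join(secrets.choice(DIGITS) for _ in value[:-4]) + value[-4:]
            if token not in self._vault and token != value:
                break
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def detokenize(self, token):
        return self._vault[token]  # KeyError for unknown tokens; callers must be authorized


class VaultlessTokenizer:
    """Tokens derived with a keyed function: no table to protect, but the key must never leave here.

    With an HMAC there is no detokenize(): a caller can only re-tokenize a candidate value and
    compare. Reversible vaultless tokenization uses format-preserving encryption (omitted here).
    """

    def __init__(self, key):
        self._key = key

    def tokenize(self, value):
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).digest()
        # map digest bytes to digits so the token keeps the field's format
        # (the modulo bias is acceptable for illustration, not for a real scheme)
        body = "".join(DIGITS[b % 10] for b in digest[: len(value) - 4])
        return body + value[-4:]

    def matches(self, token, candidate):
        return hmac.compare_digest(token, self.tokenize(candidate))


def mask(value, keep_last=4, fill="X"):
    """Irreversible masking for non-production use: nothing is kept that links back to value."""
    return fill * (len(value) - keep_last) + value[-keep_last:]


def demo(pan="4111111111111111"):
    """Exercise all three on one value and report what each one can and cannot undo."""
    vault = VaultTokenizer()
    vaultless = VaultlessTokenizer(key=b"illustrative-key-replace-in-production")
    t1 = vault.tokenize(pan)
    t2 = vaultless.tokenize(pan)
    return {
        "vault_token": t1,
        "vault_roundtrip": vault.detokenize(t1) == pan,
        "vault_consistent": vault.tokenize(pan) == t1,
        "vaultless_token": t2,
        "vaultless_deterministic": vaultless.tokenize(pan) == t2,
        "vaultless_matches": vaultless.matches(t2, pan),
        "masked": mask(pan),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The vault token is reversible only through the vault, the vaultless token only through the key, and the masked value through nothing at all, which is why masked data can be handed to a test team while tokenized data still needs the same access control as the vault or key.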
Data Loss Prevention Preventing unauthorized and unintentional loss and use of sensitive or confidential information by protecting data in use, in transit and at rest based on information classification labels, tags or other identifiers.
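How pattern-based Data Discovery and Data Tagging (DPP capabilities 1/7) feed a DLP decision, as an added example that is not part of the DXC framework document: a scanner tags records from a small classification schema and an egress policy allows or blocks each record by destination based on those tags. The schema, the detectors, the destinations and the policy are assumptions for illustration; the records are constructed (the card number is the standard test PAN).

```python
"""Pattern-based data discovery that tags records, and a DLP decision driven by those tags.

Added example, not part of the original framework. The classification schema,
the detectors and the egress policy are assumptions for illustration.
"""
import re

# Constructed sample records (not real people or cards; the PAN is the Visa test number).
SAMPLE_RECORDS = [
    {"id": 1, "dest": "internal-share",
     "text": "Invoice 4471 paid by card 4111 1111 1111 1111, contact a.nguyen@example.com"},
    {"id": 2, "dest": "public-web",
     "text": "Patient MRN 00817-442, diagnosis code E11.9, dob 1971-03-08"},
    {"id": 3, "dest": "public-web",
     "text": "Q3 roadmap: nothing sensitive here, ticket 1234567890123"},
    {"id": 4, "dest": "partner-sftp",
     "text": "SSN 078-05-1120 on file for payroll"},
]


def luhn_ok(digits):
    """Luhn check so that arbitrary 13-19 digit numbers (ticket IDs) are not tagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Assumed classification schema: tag -> detector. A match produces the tag.
PATTERNS = {
    "PCI.PAN":   re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "PII.EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PII.SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHI.MRN":   re.compile(r"\bMRN\s+[\d-]+\b", re.I),
}


def discover_tags(text):
    """Return the set of classification tags whose detector fires on the text."""
    tags = set()
    for tag, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if tag == "PCI.PAN" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue  # digit run that is not a valid card number
            tags.add(tag)
    return tags


# Assumed egress policy: which tags may leave to which destination.
ALLOWED = {
    "internal-share": {"PCI.PAN", "PII.EMAIL", "PII.SSN", "PHI.MRN"},
    "partner-sftp":   {"PII.EMAIL"},
    "public-web":     set(),
}


def dlp_decision(record):
    """Tag the record, then block it if any tag is not permitted for its destination."""
    tags = discover_tags(record["text"])
    blocked = tags - ALLOWED.get(record["dest"], set())  # unknown destination: nothing allowed
    return {"id": record["id"], "tags": sorted(tags),
            "action": "block" if blocked else "allow", "blocked_on": sorted(blocked)}


def scan(records=SAMPLE_RECORDS):
    return [dlp_decision(r) for r in records]


if __name__ == "__main__":
    for decision in scan():
        print(decision)
```

Record 3 shows why a validation step belongs next to every pattern: a 13-digit ticket number matches the card regex but fails the Luhn check, so it is not tagged and the publication is allowed, while the unlisted-destination default (nothing allowed) fails closed.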
Data Encryption Preventing unauthorized access to sensitive or confidential information by administrators or third parties by encrypting data at rest in databases or file systems.
DPP: Capabilities (4/7)
Subdomain: Data Protection
Disk Encryption Preventing unauthorized use and loss of sensitive or confidential information in case of theft or loss of endpoint device by encrypting internal or removable storage.
Data Integrity Preventing data from being modified, tampered with or altered by unauthorized users, and detecting it when it happens (e.g., through hashes, message authentication codes, digital signatures and integrity monitoring).
Data Monitoring Real-time monitoring of data usage according to policy.
DPP: Capabilities (5/7)
Subdomain: Data Security Life-Cycle Management
Data Recovery Solutions for data restoration in the event of hardware or software failures or disasters.
Data Backup Solutions for backup generation which can subsequently be used in the event of hardware or software failures or disasters.
Data Archiving The process of moving older data that is no longer actively used to a separate storage device for long-term retention, needed future reference and regulatory compliance.
Data Migration The process of recovering and converting data from complex, outdated or decommissioned systems.
Data Retention Management of retention period of data being stored and archived.
DPP: Capabilities (6/7)
Subdomain: Data Security Life-Cycle Management
Data Destruction Irrevocably destroying data prior to disposal of internal or removable storage or when terminating third-party ICT services. Can be achieved by cryptographic erasure, i.e., destroying the encryption key, provided that every copy of the data was encrypted under that key and every copy of the key (including key backups and escrow) is destroyed.
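Cryptographic erasure as described above, as an added example that is not part of the DXC framework document: each record is encrypted under its own data-encryption key, a backup keeps the ciphertext, and destroying the key is the erasure operation. The key store and record identifiers are assumptions, and the cipher is an illustrative HMAC-SHA256 keystream in counter mode chosen only so that the example runs on the standard library; it provides no integrity protection and is not a substitute for AES-GCM from a vetted library.

```python
"""Cryptographic erasure: ciphertext stays on disk and in backups; destroying the key makes it unrecoverable.

Added example, not part of the original framework. The keystream construction
(HMAC-SHA256 in counter mode) is illustrative; use AES-GCM or similar in practice.
Key store and record identifiers are assumptions.
"""
import hashlib
import hmac
import secrets


class KeyStore:
    """Per-record data-encryption keys (DEKs). Destroying a DEK is the erasure operation."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return self._keys[key_id]

    def get(self, key_id):
        return self._keys[key_id]  # KeyError once destroyed

    def destroy(self, key_id):
        # In a real KMS/HSM this must also cover key backups and escrow copies.
        self._keys[key_id] = b"\x00" * 32
        del self._keys[key_id]

    def exists(self, key_id):
        return key_id in self._keys


def _keystream(key, nonce, length):
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per message; reuse would leak the XOR of plaintexts
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Storage:
    """Ciphertext-only storage; the 'backup' copy persists after erasure, as real backups do."""

    def __init__(self, keystore):
        self.ks = keystore
        self.primary = {}
        self.backup = {}

    def write(self, record_id, data):
        key = self.ks.create(record_id)
        blob = encrypt(key, data)
        self.primary[record_id] = blob
        self.backup[record_id] = blob  # backups copy ciphertext, never the DEK

    def read(self, record_id, source="primary"):
        blob = getattr(self, source)[record_id]
        if not self.ks.exists(record_id):
            raise LookupError("record %s has been cryptographically erased" % record_id)
        return decrypt(self.ks.get(record_id), blob)

    def crypto_erase(self, record_id):
        self.ks.destroy(record_id)


def demo():
    """Write two records, erase one, and show what is still readable from primary and backup."""
    st = Storage(KeyStore())
    st.write("rec-1", b"cardholder: 4111111111111111")
    st.write("rec-2", b"unrelated record")
    before = st.read("rec-1") == b"cardholder: 4111111111111111"
    st.crypto_erase("rec-1")
    try:
        st.read("rec-1", source="backup")
        erased = False
    except LookupError:
        erased = True
    return {"readable_before": before,
            "erased_from_backup": erased,
            "ciphertext_still_present": "rec-1" in st.backup,
            "other_record_unaffected": st.read("rec-2") == b"unrelated record"}


if __name__ == "__main__":
    print(demo())
```

The ciphertext for rec-1 is still physically present in the backup after erasure, which is the point: the erasure is complete only because no copy of the DEK survives and no copy of the record was ever stored in the clear. Any plaintext copy (a log line, an export, an unencrypted snapshot) or any surviving copy of the key defeats the technique.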
DPP: Capabilities (7/7)
Subdomain: Certificate & Key Management
Certificate & Key Life-Cycle Management
The defined business practices and procedures surrounding the entire use of keys: the complete process of registration, issuance, distribution, storage, backup, usage, renewal, expiration, revocation, recovery, notification, archiving and auditing of keys and certificates. This covers keys and certificates in PKI environments (asymmetric private/public key pairs) as well as symmetric and shared keys, including but not limited to those used by Secure Shell (SSH) and IP security (IPsec).
Certificate Authority The trusted entity that issues certificates and vouches that certificates belong to an individual or organization, compliant with the Certificate Policy (CP) and Certificate Practice Statement (CPS).
Registration Authority The organizational entity responsible for assuring the identity and authenticity of entities requesting certificates.
Cryptography The science and mathematics of protecting data: encrypting and decrypting it with block ciphers or stream ciphers using symmetric or asymmetric algorithms, and protecting its integrity and authenticity with hash functions, message authentication codes and digital signatures, at appropriate key strengths and within standard protocols, so that unauthorized users can neither decrypt the data nor alter it undetected.
Converged Security (1/2)
Objective
Securing the information assets
IT and OT integration generates new security risks and challenges. Assessing and managing these security risks is more necessary than ever before to ensure the continuity of production processes and even to prevent life-threatening incidents from occurring. IT is the use of any computers, mobiles, communication protocols, storage and other infrastructure devices and processes to create, process, exchange and store any type of electronic data. OT is the use of hardware and software to detect, monitor and control physical devices, processes and events.
Subdomains
Industrial Controls Systems Security
Industrial Safety
IoT Security
Converged Security (2/2)

Industrial Controls Systems Security: IT/OT Alignment, IT/OT Integration, IT/OT Middleware, IT/OT Network Convergence, OT Applications Security

Industrial Safety: Safety Standard Selection, Safety Controls & Asset Mapping, Safety & Security Program Alignment, Safety Management

Internet of Things Security: Machine to People Interaction, Machine to Machine Communication, Command & Control Communication, Telemetry & Geo Tracking System
CS: Subdomains
Industrial Controls Systems Security
Security blueprint to address cyber security risks resulting from IT/OT (ICS) integration. An ICS is an automation system specially designed for controlling industrial processes such as production processes in a factory, or supporting services such as water management, lighting, escalators, elevators, storage control and transportation. It can also include the distribution of chemical products, oil, gas, water and/or electricity supply.
IoT Security IoT is a network of smart devices (“things”) containing embedded technologies to capture, monitor or interact with their internal states or the surrounding external environment. Communication with those smart devices is achieved over the internet to control them or to exchange or create data which has to be protected.
Industrial Safety Manage safety risks arising from IT and OT digital convergence within industrial or IoT environments.
CS: Capabilities (1/3)
Subdomain: Industrial Controls Systems Security
IT/OT Alignment Security requirements to be taken into account in activities to synchronize architecture and standards to ensure IT and OT systems compatibility.
IT/OT Integration Integrated shared security teams and organization to support and manage aligned or shared security capabilities, technologies and architectures.
IT/OT Middleware Secure communication between OT components (SCADA, DCS, PLCs) and IT components (enterprise resource planning, asset management, etc.), mainly through messaging interfaces providing program-to-program communication.
IT/OT Network Convergence Secure network infrastructure shared by IT and OT components, specifically in cases where the ICS communication is built on proprietary network protocols and uses the IP network infrastructure to exchange information with IT systems and applications.
OT Applications Security Methodology, processes and tools to increase and provide assurance that OT applications/software meet relevant security requirements; implement the needed security controls with a reduced number and severity of vulnerabilities to protect the integrity of OT functioning; and avoid unavailability of services.
CS: Capabilities (2/3)
Subdomain: IoT Security
Machine-to-People Interaction Secure communication and interaction between smart devices (IoT endpoints) and people.
Machine-to-Machine Communication Secure direct communication between IoT endpoints.
Command and Control Communication Secure communication between IoT endpoints and operational infrastructures or back-end data processing and analytics systems for command-and-control (C2) purposes.
Telemetry and Geotracking System Collect and record telemetry information, including motion tracking and observation of objects or persons: remote measurements and other data collected from environments, people, industrial systems, control devices, etc. Data is then transmitted to be analyzed for operational decisions (commands, instructions, etc.) or for business applications and back-end information processing.
CS: Capabilities (3/3)
Subdomain: Industrial Safety
Safety Standard Selection Selecting the appropriate standard(s) to use as reference for safety-related controls applicable to your industry (e.g., IEC 61508, IEC 62443, U.S. Occupational Safety and Health Administration [OSHA] regulations). Existing standards may be adapted to include organization-specific requirements, emerging safety requirements or changing business requirements.
Safety Controls and Asset Mapping Converting and mapping safety requirements to controls/standards and assets. Update the asset inventory with safety requirements for any assets identified as safety-critical for people or environments.
Safety and Security Program Alignment Ensuring alignment between safety and security programs (including physical security) for program rationalization and optimization. Digital transformation and associated technologies introduce new risks to people's safety, so the cyber security program should encompass safety requirements.
Safety Management Safety practices and processes to meet requirements for safety-critical systems and to manage safety risks and safety countermeasures, aligned with security governance, security strategy, policy and planning.
Physical Security (1/2)
Objective
Securing the information assets
Security measures to protect information assets in data centers and offices against environmental, technical or man-made accidental and deliberate threats that may threaten the availability of information and may cause the loss of information.
Subdomains
Data Center Security
Office Security
Physical Security (2/2)

Data Center Security: Site Location, Physical Perimeter, Access Control, Facilities Restricting Physical Access, Removable Media Management, Utility Infrastructure, Computer Room

Office Security: Zoning Restrictions, Clean Desk, Lockable Cabinets, Intruder Alarms
PS: Subdomains
Data Center Security Protection of information assets against physical and environmental damage in data centers and data rooms.
Office Security Protection of information assets against physical and environmental damage at business offices.
PS: Capabilities (1/3)
Subdomain: Data Center Security
Site Location Protection of data centers against extreme weather or environmental hazards.
Physical Perimeter Protection of data centers against unauthorized physical access at the outer perimeter by using fences, locks, alarms and closed-circuit television (CCTV) equipment.
Facilities Restricting Physical Access Protection of data centers against unauthorized physical access at facilities by using burglar-resistant entrance rooms, third-party demarcation points, secured emergency exits, locked computer rooms and secure area separations.
Utility Infrastructure Protection of data centers against loss of utilities like air conditioning and power. Develop a concept for uninterruptible and redundant cooling and power supplies, and for diverse routing of power grid feeds and data communication links.
Computer Room Protection of computer rooms and data centers by using fire, smoke, dust and water detectors, implementing fire suppression, securing HVAC, cabling and flooring, disposing of and banning flammables and unused equipment, and protecting backup media.
PS: Capabilities (2/3): Data Center Security

Access Control: Protection of data centers using mantraps, visitor restrictions, proximity cards, CCTV, lock and key handling, mandatory ID badges, biometric authentication and regular review of access logs.

Removable Media Management: Management of removable media according to the classification scheme, covering transport, physical storage, disposal and physical transfer.
PS: Capabilities (3/3): Office Security

Zoning Restrictions: Protection of sensitive office zones against unauthorized access by enforcing zoning restrictions, with physical access granted on the basis of business need.

Clean Desk: Clean desk directive to be followed by employees when leaving their office, usually clearing the desk of all papers at the end of the business day.

Lockable Cabinets: Provide employees with lockable cabinets so that sensitive papers and documents and employee laptops can be stored securely outside office hours.

Intruder Alarms: Install intrusion alarm systems, both siren-based and silent, that alert patrol guards, the police and/or monitoring centers when unauthorized access is detected.
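The Access Control capability under Data Center Security calls for regular review of access logs, and Zoning Restrictions calls for physical access granted only on business need. The Python below is an added example of what such a review can look like; it is not part of the DXC CRA framework or any DXC tooling. It parses a constructed badge-reader log and checks each granted entry against an assumed role-to-zone authorization matrix and assumed attended hours, and it flags re-entry without a recorded exit (a badge that left without badging out, i.e. through a tailgated or propped door) and badges still recorded inside a sensitive zone at the end of the review window. The log format, zone names, roles, hours and badge IDs are all assumptions made for illustration.

```python
"""Review badge-access logs against need-based zone authorizations.

Added example, not DXC's code. Log format, zones, roles, hours and badge IDs
below are assumptions constructed for illustration only.
"""
from datetime import datetime, time

# Assumed authorization matrix: roles with a business need for each zone.
# Any zone missing from this table is treated as closed to everyone (fail closed).
ZONE_AUTHORIZATIONS = {
    "lobby": {"employee", "dc-ops", "visitor"},
    "office-floor": {"employee", "dc-ops"},
    "computer-room": {"dc-ops"},
}

# Assumed attended hours and the zones where unattended entry must be reviewed.
ATTENDED_HOURS = (time(7, 0), time(19, 0))
SENSITIVE_ZONES = {"computer-room"}

# Constructed sample log: "<ISO timestamp> <badge> <role> <zone> <entry|exit|denied>"
SAMPLE_LOG = """\
2018-11-14T08:02:11 B1001 employee lobby entry
2018-11-14T08:02:40 B1001 employee office-floor entry
2018-11-14T08:05:03 B2002 dc-ops lobby entry
2018-11-14T08:06:15 B2002 dc-ops computer-room entry
2018-11-14T08:31:09 B1001 employee computer-room entry
2018-11-14T09:15:42 B2002 dc-ops computer-room entry
2018-11-14T12:10:00 B2002 dc-ops computer-room exit
2018-11-14T17:45:22 B1001 employee office-floor exit
2018-11-14T22:14:37 B2002 dc-ops computer-room entry
2018-11-14T22:59:58 B3003 visitor office-floor denied
"""


def parse_log(text):
    """Parse the assumed log format into events sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, badge, role, zone, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "role": role, "zone": zone, "action": action})
    events.sort(key=lambda e: e["ts"])
    return events


def _finding(kind, event):
    return {"type": kind, "badge": event["badge"], "zone": event["zone"], "ts": event["ts"]}


def review(text):
    """Return review findings, in chronological order, for the given log text."""
    findings = []
    inside = {}  # (badge, zone) -> timestamp of the still-open entry
    for e in parse_log(text):
        if e["action"] == "denied":
            continue  # the controller already refused; not a granted access
        key = (e["badge"], e["zone"])
        if e["action"] == "entry":
            # A granted entry that the matrix does not allow points at a
            # misconfigured reader, a stale authorization or a cloned badge.
            if e["role"] not in ZONE_AUTHORIZATIONS.get(e["zone"], set()):
                findings.append(_finding("unauthorized-zone", e))
            # Entry into a sensitive zone outside attended hours.
            t = e["ts"].time()
            if e["zone"] in SENSITIVE_ZONES and not (ATTENDED_HOURS[0] <= t < ATTENDED_HOURS[1]):
                findings.append(_finding("after-hours", e))
            # Entry while already recorded inside: the badge left without badging out.
            if key in inside:
                findings.append(_finding("reentry-without-exit", e))
            inside[key] = e["ts"]
        elif e["action"] == "exit":
            # Exit without a recorded entry: the badge got in without badging.
            if key not in inside:
                findings.append(_finding("exit-without-entry", e))
            inside.pop(key, None)
    # Badges still recorded inside a sensitive zone when the window closes.
    for (badge, zone), ts in sorted(inside.items(), key=lambda kv: kv[1]):
        if zone in SENSITIVE_ZONES:
            findings.append({"type": "still-inside", "badge": badge, "zone": zone, "ts": ts})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['type']:22} {f['badge']} {f['zone']}")
```

Run on the constructed log this reports the employee badge granted entry to the computer room, the dc-ops badge re-entering the computer room without an exit, the same badge entering after hours, and both badges still inside the computer room at the end of the window. The authorization check deliberately fails closed for zones absent from the matrix, so adding a reader without updating the matrix shows up in the next review rather than silently widening access.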