Cyber Reference Architecture (CRA) Framework
Version 2.1
DXC Security

November 14, 2018
© 2018 DXC Technology Company
The underlying methodologies and information are confidential and proprietary information of DXC Technology Company

For further information, please contact [email protected]

Cyber Reference Architecture (CRA) Framework · 2018-11-20 · defining enterprise security architecture to address prioritized risks and enable the business. Tactical and operational



Taxonomy and legend

The framework is based on a hierarchy of domains.
Each domain breaks down into a list of subdomains.
Each subdomain is supported by a list of capabilities.

Key (illustrated with the Strategy, Leadership & Governance (SLG) domain): Drivers, Subdomains, Capabilities.


CRA framework: Three levels

The framework is organized in three levels:

Strategic level: Security Strategy & Risks Management (SSRM). Defining strategy, managing risks and compliance, defining enterprise security architecture to address prioritized risks and enable the business.

Tactical and operational level: Cyber Defense & Orchestration (CDO). Security monitoring and breach response; orchestrate intelligent security operations.

Technical level: Technical Security (TS). Design, size, implement and run technical security solutions.

The twelve domains: Physical Security (PS), Security Resilient Architecture (SRA), Cyber Defense (CD), Identity & Access Management (IAM), Infrastructure & Endpoint Security (IES), Applications Security (AS), Data Protection & Privacy (DPP), Converged Security (CS), Risk & Compliance Management (RCM), Resilient Workforce (RW), Security Orchestration (SO), Strategy, Leadership & Governance (SLG).


CRA framework: Structured in domains

Strategy, Leadership & Governance (SLG)
Define a security strategic direction aligned with business objectives, outline a plan to achieve that direction, and ensure proper execution of that plan, including decision making based on risk management.

Security Resilient Architecture (SRA)
Translation of business strategies into effective security solutions through principles, models, capabilities and patterns.

Cyber Defense (CD)
Security monitoring, incident management and breach response.

Converged Security (CS)
Integration of IT and operational technology (OT) security.

Identity & Access Management (IAM)
Management of identities and access controls to meet compliance, operational and security requirements.

Risk & Compliance Management (RCM)
Processes to define, evaluate, mitigate, accept or transfer risk and ensure compliance with regulatory and industry requirements while meeting business objectives.

Resilient Workforce (RW)
Capabilities necessary to create a security-conscious culture and manage internal security knowledge.

Data Protection & Privacy (DPP)
Data classification, data security modeling and protection to prevent loss, modification or misuse.

Security Orchestration (SO)
Operational security processes, including management and measurement.

Applications Security (AS)
Development and maintenance of software to meet security requirements.

Physical Security (PS)
Protection of assets from environmental, accidental or deliberate physical threats.

Infrastructure & Endpoint Security (IES)
Automated rule enforcement, threat detection and prevention at infrastructure and endpoint.


CRA V2.0: 12 domains and 55 subdomains

Strategy, Leadership & Governance (SLG): Business Objectives; Critical Business Processes & Assets; Security Policy; Key Business Risks; Security Strategy; Security Governance & Organization

Security Resilient Architecture (SRA): Enterprise Security Architecture; Security Architecture Single Domain Blueprints; Business Continuity; Security Architecture Multi Domain Blueprints; Security Architecture Assurance; Technical Architecture Standards & Process Design; Solution Architecture

Risk & Compliance Management (RCM): Asset Management; Information Security Management System; Risk Management Framework; Security Metrics; Third Party Management Framework; Legal, Regulatory & Privacy Compliance; Standard & Industry Compliance; Audit Management & Certification

Cyber Defense (CD) and Security Orchestration (SO): Security Monitoring; Security Incident Response & Remediation Mngt.; Security Analytics; Threat Intelligence & Profiling; Digital Investigation & Forensics; Vulnerability Management; Security Process Measurement; Security Operations Management

Resilient Workforce (RW): Security Culture; Empowered Workforce; Security Training & Education; Knowledge Management

Identity & Access Management (IAM): Identity & Account Management; Authentication Management; Access Management; Privileged Account Management

Infrastructure & Endpoint Security (IES): Security Enforcement By Design; Rule-based Security Policy Enforcement; Known Threat Detection & Prevention; Unknown Threat Detection & Prevention; Forensic Analysis & Response

Applications Security (AS): Software Lifecycle; Secured Application Development; Application Quality Assurance; Release, Deployment & Maintenance

Data Protection & Privacy (DPP): Data Assurance & Governance; Data Protection; Data Security Lifecycle Management; Certificate & Key Management

Converged Security (CS): Industrial Controls Systems Security; Internet of Things Security; Industrial Safety

Physical Security (PS): Datacenter Security; Office Security


Strategy, Leadership & Governance (1/2)

Objective: Business-aligned cyber security

Provide and support security strategic direction and security transformation plan aligned with corporate business objectives and ensure that objectives are achieved by understanding the criticality of information to the organization, understanding emerging threats, ensuring proper execution of security programs and ensuring proper decision making to address and minimize business risk.

Subdomains: Security Strategy; Security Policy; Security Governance & Organization

Drivers: Business Objectives; Critical Business Processes & Assets; Key Business Risks


Strategy, Leadership & Governance (2/2)

Drivers and subdomains with their capabilities:

Business Objectives: Understand the Industry; Corporate Business Strategy; Value & Revenue Creation

Critical Business Processes & Assets: Critical Business Processes; Critical Business Assets

Key Business Risks: Understand Threat Landscape; Strategic Cyber Security Risks

Security Strategy: Security Strategy Charter; Security Strategy Alignment; Transformation Roadmap; Information Security Framework; Security Budgeting & Investment; Maturity Assessment & Gap Analysis

Security Governance & Organization: Leadership; Organization, Structure & Governance; Program Management Office; Board Security Steering Committees; External Communications

Security Policy: Security Policy; Policy & Strategy Alignment & Review


SLG: Drivers and subdomains

Business Objectives
Understand the two to five years’ business plan, vision, goals and objectives to be achieved to deliver long-term benefits to the organization and its key stakeholders. Understand the organization’s financial performance, market approach, R&D spending, value chain, main partners and suppliers, key industry trends, etc.

Critical Business Processes & Assets
Identify the core business processes and information assets supporting business objectives.

Key Business Risks
Understand the threat landscape in the industry, the main threat actors and the known breaches in the industry or previous breaches/security incidents the organization suffered from in the past. Define the key strategic cyber security risks that could impact the organization that should be addressed and mitigated.

Security Strategy
A long-term strategic security plan to support business objectives, outlining how to preserve the confidentiality, integrity and availability of information assets and how to manage technical, organizational and process-oriented security risks and threats.

Security Governance & Organization
Organizational and governance setup for the management of security to provide strategic direction and ensure that objectives are achieved by understanding the criticality of information to the organization, understanding emerging threats, ensuring proper execution of security programs and ensuring proper decision making to address and minimize business risk.

Security Policy
Security Policy specifies the information security objectives of the organization, defines roles and responsibilities, and establishes high-level requirements for protecting the organization’s information assets and resources. The policy may be derived from internal requirements (e.g., audit, board direction, information security) or external sources (e.g., statutory and regulatory requirements).


SLG: Drivers (1/3)

Business Objectives

Understand the Industry
Understand the key industry trends and market trends, what is happening in the industry from a business perspective, the technological developments, level of competition, market convergence, etc. Which IT megatrends do we see in the industry? What would be the consequences for security? What’s the landscape in terms of regulatory developments?

Corporate Business Strategy
Describe the future and what the organization wants its business to look like in two to five years’ time in terms of vision, goals and objectives to be achieved to deliver benefits to the organization (growth and finance, market positioning, brand reputation, etc.). Describe the need for change; what needs to be performed to deploy the strategy?

Value & Revenue Creation
Understand financial performance: Which products and services generate the majority of the organization’s revenue? Which information assets are key for this? Understand the organization’s market approach: Which brands do they operate under? What is their client portfolio? What is the operating model? Understand how critical R&D is for future revenue, associated patents and intellectual property. How much is the company investing in this? Understand the value chain and the main partners and suppliers in this. Understand the political aspects, if relevant for the organization.


SLG: Drivers (2/3)

Critical Business Processes & Assets

Critical Business Processes
What are the core business processes supporting business objectives?

Critical Business Assets
What are the core application and information assets supporting the core business processes? The tangible and intangible assets (or fixed assets) making the organization valuable, such as items used in the operation of the business (buildings and factories, equipment, etc.) and, more importantly, patents and intellectual property?


SLG: Drivers (3/3)

Key Business Risks

Understand Threat Landscape
Understand the threat landscape in the industry, the main threat actors and the known breaches in the industry or previous breaches/security incidents the organization suffered from in the past.

Strategic Cyber Security Risks
Define the key strategic cyber security risks that could impact the organization that should be addressed and mitigated.


SLG: Capabilities (1/4)

Security Strategy

Security Strategy Charter
Describes the future (To-Be) state and what the organization wants its security posture to look like in two to five years’ time in terms of vision, mission statements and goals and objectives to be achieved to support the corporate business strategy. Describes the need for change, what needs to be performed to deploy the security strategy. “Security” should be understood on a large spectrum and encompasses “Compliance,” “Privacy,” “Resilience” and “Safety.”
NB: An embedded or dedicated privacy vision and mission statement objective can be described, providing a description of what the organization does to ensure privacy.

Security Strategy Alignment
Ensure that Security Strategy and IT Security Strategy content and objectives are aligned to corporate Business Strategy and overarching IT Strategy objectives.

Information Security Framework
A comprehensive, structured foundation of security domains, subdomains and capabilities used to support the effective execution of security strategy and associated improvement programs (or subprograms such as Compliance and Privacy programs) aligned to business objectives and drivers.

Security Budgeting & Investment
Decide and review investment in information security to ensure alignment with the organization strategy and meet security and compliance strategy objectives. Analyze return of investments in terms of objective achievement and adjust budget decisions accordingly. Ensure proper investment in case of crisis or major security breaches.

Maturity Assessment & Gap Analysis
Analyze the gap between the To-Be state and the current (As-Is) state by performing a Cyber Maturity Review covering any core domains and subdomains of the corporate Information Security Framework.


SLG: Capabilities (2/4)

Security Strategy

Transformation Roadmap
List of prioritized and planned initiatives and projects to be executed to achieve goals and objectives of the Security Strategy.


SLG: Capabilities (3/4)

Security Governance & Organization

Leadership
Boards of directors and senior executives are fully involved and supportive at the governance level to provide strategic direction and ensure that objectives are achieved by understanding the criticality of information to the organization; understanding emerging threats; ensuring proper execution of security programs and other programs, such as compliance and privacy programs; and ensuring proper decision making to address and minimize business risk. The board defines and quantifies business risk tolerance relative to cyber resilience and ensures that this is consistent with corporate strategy and risk appetite.

Organization, Structure & Governance
Development of an organization and associated governance for the company for effective and efficient decision making and reporting, management, execution and adaptation of the security strategy, programs, roadmaps and its components. This includes required committees and boards, as well as role descriptions and required capabilities/skills at management and leadership level, such as but not limited to the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and the Data Privacy Officer (DPO).

Program Management Office
Cyber security transformation needs program, project and budgetary management to ensure that it produces agreed-on deliverables on time and to budget. This will demonstrate to senior management that business principles are being followed, the business strategy is being adhered to and technical requirements are being met. The program office should use capability maturity modeling to measure the success of the transformation program. Ensure security is addressed in any project regardless of the type of the project.

Board Security Steering Committees
Communications at the board level of risk posture to the business should be done regularly. Use a balanced Security Scorecard to support further decision making by regularly communicating and analyzing reports about the adequacy and efficiency of security improvement programs to support business objectives. Identify tactical and strategic initiatives and risk to the business using estimates based on operational security metrics. “Security” encompasses “Compliance,” “Privacy,” “Resilience” and “Safety” and should be understood in a wide sense. (Could be addressed in overall board committee, risk committee, cyber resilience committee, etc.)

External Communications
Official communication with regional and national security agencies and bodies, supervisory authorities, media, press, etc. Communicating and explaining the corporate position in case of security breaches that have become publicly known (loss of customer data, loss of private information, etc.). Communicating around law and regulation obligations.


SLG: Capabilities (4/4)

Security Policy

Security Policy
Security Policy specifies the information security objectives of the organization, defines the roles and responsibilities and establishes high-level requirements for protecting the organization’s information assets and resources.
NB: This includes but is not limited to compliance, privacy, safety, resilience objectives, information security, IT security, physical security and IoT/OT security policy.

Policy & Strategy Alignment & Review
Regularly assess alignment between security strategy objectives (or another strategy, such as the privacy strategy) and the associated policy to address both new business objectives and the emerging threat landscape. This includes independent review of the organization’s security strategy and policy, ideally carried out annually.


Risk & Compliance Management (1/2)

Objective: Manage risk and compliance

Processes by which risks are evaluated in light of business activities, value and criticality for the business and legal/regulatory requirements. Risk mitigation activities are then defined to determine an appropriate level of risk balanced with cost/budget and the residual risk to reputation, business activities and other market factors. Processes by which an assessment to policy is measured, remediation efforts are detailed and gaps are identified. This function is performed by various individuals and teams, including internal audit, risk assessment teams, external regulatory agencies and third-party organizations.

Subdomains: Third-Party Management Framework; Audit Management & Certification; Legal, Regulatory & Privacy Compliance; Risk Management Framework; Standard & Industry Compliance; Asset Management; Security Metrics; Information Security Management System


Risk & Compliance Management (2/2)

Subdomains with their capabilities:

Information Security Management System: ISMS Standard Selection; Planning & Scoping; Implementation & Operation; Monitoring Effectiveness; Continual Improvement

Security Metrics: Security Metrics Definition & Review; Security Metrics Analysis; Security Metrics Benchmarks; Board Dashboarding; Management Security & Compliance Dashboard

Legal, Regulatory & Privacy Compliance: Regional & Country Requirements Monitoring; Compliance & Privacy Standard Selection; Information Transfer Management & Sovereignty; Universal Control Framework; Private Information Processing Management; Legal, Regulatory & Privacy Controls & Asset Mapping; Corporate Legal Interface; Information Breach Disclosure Management

Standard & Industry Compliance: Information Security Mngt. System Compliance; Risk Management Framework Compliance; Corporate Security Standard Compliance; Industry Specific Compliance

Risk Management Framework: Risk Management Standard Selection; Threat Modeling; Risk Communication; Risk Profiles; Risk Monitoring; Risk Identification & Assessment; Risk Treatment

Third Party Management Framework: Third Party Governance; Third Party Profiling; Third Party Selection; Contract Management; SLA & Performance Management

Audit Management & Certification: Audit Organization Structure; Record & Evidence Management & QMS; Self-Assessment; Audit Findings Review & Approval; Audit Findings Remediation Plan & Monitoring

Asset Management: IT Asset Inventory; Software Asset Inventory; Configuration Management Repository; Information Asset Inventory; IP Address Management; Information Categories Definition; Information Asset Valuation; License Management; Asset Lifecycle Management; Asset Classification Schema; Asset Classification Enforcement; Asset Ownership Enforcement


RCM: Subdomains (1/2)

Asset Management

Repositories of identified information assets with classifications reflecting the value and criticality for the business, legal requirements and sensitivity of the information asset as well as ownership and security requirements in terms of confidentiality, integrity, availability and traceability.

Information Security Management System

Definition, design, implementation, monitoring and continual improvement of an Information Security Management System to manage the protection of corporate business processes and supporting assets that contribute to business objectives.

Security Metrics

Definition, collection, analysis and communication of security metrics to measure the effectiveness of the security improvement program and security operations against targets, assess the risk posture of the business and take action and define priorities.

Legal, Regulatory & Privacy Compliance

Processes for understanding and managing of legal, regulatory and privacy requirements applicable to the organization, mapping to controls, and assets to protect corporate, confidential, employee, customer and partner information, including personally identifiable information (PII).

Standard & Industry Compliance

Compliance with standards and regulations is measurable, allowing deviations to be identified, quantified and managed at various organizational levels within the organization.

Risk Management Framework

Methods, processes and tools to perform risk assessments and evaluate business risk, business impacts and operational security risks, to define and manage associated risk mitigation strategies and risk acceptance.


RCM: Subdomains (2/2)

Third-Party Management Framework

Processes and methods for procuring, onboarding, assessing and managing services and products from suppliers and third parties.

Audit Management & Certification

Robust audit management to ensure handling of internal, external and regulatory audits, including audits to get certified against a standard or a regulation. Managing of the remediation of audit findings in a timely manner.


RCM: Capabilities (1/12): Asset Management

IT Asset Inventory

Inventory of any physical asset (systems, servers, end user devices, virtualized systems, gateways and communication equipment, industrial machines, robots, utilities, etc.) with justification and purpose description, location, associated classification, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes.

Software Asset Inventory

Inventory of any software asset (any type of OS for servers and end user devices, as well as infrastructure and industrial components, middleware, applications, utilities, development tools, shareware, open source and freeware), with justification and purpose description, location, associated classification, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes. This includes license information (expiration date, type of license, etc.).

Information Asset Inventory

Repositories of identified information assets with their associated security classifications (databases, files, contracts and agreements, intellectual property, research information, private information such as customer or employee/contractor personal data, financial information, medical information, legal information, operational or support processes and procedures, etc.), purpose of the asset, location, ownership and security requirements in terms of confidentiality, integrity, availability and traceability attributes.

Information Categories Definition

Define data categories such as business, legal, private (customer personal data, employee/contractor personal data), financial, medical, etc. The security requirements associated with each data category are clearly defined. Some categories can be subcategorized; for example, private data can be subcategorized into data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.

Information Asset Valuation

Documenting either the value of the information asset or data, or which data is most important. This facilitates reconciling how much to spend protecting it and/or budget spending prioritization.


RCM: Capabilities (2/12): Asset Management

Configuration Management Repository

Repository of configuration and setting (configuration item: CI) of any IT and OT system, middleware or application, as well as the relationships between them.

IP Address Management

Inventory, planning and management of IP address space (IP subnets, start address, end address, classification).

License Management

Request, approve, purchase, deploy, maintain, upgrade and update license, and remove license from corporate environment. (Certificates could be managed as software license.)

Asset Life-cycle Management

Manage asset requests, approval, purchase, deployment, maintenance, upgrade, return and removal of assets from the corporate environment.

Asset Classification Schema

Definition of the classification schema to reflect value and criticality for the business, legal requirements and sensitivity of an asset/information as well as security requirements in terms of confidentiality, integrity, availability and traceability attributes to ensure that assets receive an appropriate level of protection.


RCM: Capabilities (3/12): Asset Management

Asset Classification Enforcement

Method and process to ensure that the asset classification schema is communicated and understood by business and applied on system, application and information assets by the assigned owners.

Asset Ownership Enforcement

Ensuring that an accountable owner is assigned to a system, application and information asset, with the ultimate responsibility for the classification, access management, processing, transfer, storage and removal of classified information, for creating an official inventory record of the asset and for defining, documenting and implementing acceptable use of the application asset during its life cycle.
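The Asset Management capabilities above describe inventory records that carry a classification (confidentiality, integrity, availability and traceability attributes), an information category and an accountable owner, and two enforcement capabilities that check those records. The following is an added example (not DXC's code or tooling) of how such an enforcement check can be run over an inventory. The ordinal levels `low`/`medium`/`high`, the rule that the highest attribute rating sets the protection level, and the sample inventory records are constructed assumptions.

```python
"""Inventory record checks for the Asset Classification / Ownership Enforcement capabilities.

Added example, not part of the CRA framework. Schema levels, the protection-level
rule and the sample inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed classification schema: each security attribute gets an ordinal rating.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ATTRIBUTES = ("confidentiality", "integrity", "availability", "traceability")
# Information categories as listed in the Information Categories Definition capability.
CATEGORIES = {"business", "legal", "private", "financial", "medical"}


@dataclass
class Asset:
    asset_id: str
    kind: str                        # "it", "software" or "information"
    purpose: str
    location: str
    owner: Optional[str] = None      # accountable owner (person or role)
    category: Optional[str] = None   # only meaningful for information assets
    classification: Dict[str, str] = field(default_factory=dict)


def check_asset(asset: Asset) -> List[str]:
    """Return enforcement findings for one record; an empty list means compliant."""
    findings: List[str] = []
    if not asset.owner:
        findings.append("no accountable owner assigned")
    missing = [a for a in ATTRIBUTES if a not in asset.classification]
    if missing:
        findings.append("unclassified attributes: " + ", ".join(missing))
    for attr, level in asset.classification.items():
        if attr not in ATTRIBUTES:
            findings.append(f"unknown attribute '{attr}'")
        elif level not in LEVELS:
            findings.append(f"invalid level '{level}' for {attr}")
    if asset.kind == "information" and asset.category not in CATEGORIES:
        findings.append("information asset without a defined category")
    return findings


def protection_level(asset: Asset) -> int:
    """Constructed rule: the highest valid attribute rating sets the protection level."""
    ratings = [LEVELS[v] for v in asset.classification.values() if v in LEVELS]
    return max(ratings, default=0)


def audit_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map asset_id -> findings for every record that fails enforcement."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report[asset.asset_id] = findings
    return report


# Constructed sample inventory (three records, two of them non-compliant).
SAMPLE_INVENTORY = [
    Asset("srv-001", "it", "HR database server", "DC-East", owner="hr-it-lead",
          classification={"confidentiality": "high", "integrity": "high",
                          "availability": "medium", "traceability": "high"}),
    Asset("app-017", "software", "Expense reporting app", "cloud-eu",
          classification={"confidentiality": "medium", "integrity": "medium",
                          "availability": "low"}),                  # no owner, no traceability
    Asset("inf-042", "information", "Customer contact list", "crm-tenant",
          owner="sales-ops",
          classification={"confidentiality": "secret", "integrity": "high",
                          "availability": "low", "traceability": "medium"}),  # bad level, no category
]

if __name__ == "__main__":
    for asset_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset_id, "->", "; ".join(findings))
```

Running the check against the sample records flags `app-017` (missing owner and traceability rating) and `inf-042` (a level outside the schema and no information category), while `srv-001` passes and resolves to the highest protection level. In practice the same check would run against an export from the CMDB or asset register rather than inline records.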


RCM: Capabilities (4/12): Information Security Management System

ISMS Standard Selection

Select the appropriate standard to be used for the ISMS (i.e., ISO2700x, Cobit, ITIL, NIST, SANS, ISMS of Japan, Information Security Check Service [ISCS] of Korea, German IT baseline protection, UK Cyber Essentials Scheme).

Planning & Scoping

Define ISMS policy, objectives and the scope of applicability (Statement of Applicability) to manage and improve information security to support corporate business objectives.

Implementation & Operation

Methods, processes and procedures to implement and operate the ISMS. Elaboration of controls, measures and solutions catalog to be used following risk assessment to treat risks.

Monitoring Effectiveness

Assess and monitor effectiveness of security performance against ISMS objectives using the Security Metrics Framework approach.

Continual Improvement

Based on “Monitoring Effectiveness” outcomes and other upcoming new requirements (e.g., new business, new regulatory, new technologies), define corrective and improvement actions to ensure continual improvement.


RCM: Capabilities (5/12): Security Metrics

Security Metrics Definition & Review

Define security and risk metrics and indicators to be generated to assess and communicate information security posture to enable timely, effective and efficient management of risk to the business and improve reporting across the group: business metrics, risk posture metrics, compliance metrics, privacy metrics, process and technical metrics. Ensure metrics are periodically reviewed for improvement. Two types of indicators have to be defined: leading indicators map to business objectives and lagging indicators used at an operational level to measure security processes efficiency.

Security Metrics Analysis

Metrics analysis (and benchmarks) to measure effectiveness of security improvement program or other programs, such as compliance and privacy programs, and operations against targets; decide remediation action; and maintain a historical record for trend analysis and prediction. Provide insight into operational and strategic status and activities, thus enabling action plans to be defined and implemented. Support all security program/process owners/managers/users with reporting needs.

Security Metrics Benchmarks

Comparing a company’s metrics and performance against peers within or outside the industry to provide comparative data to help in setting objectives.

Board Dashboarding

Board Dashboarding presents leading indicators mapped to business objectives to communicate to stakeholders, obtained by measuring risk posture from metrics and measurement consolidation. Measurements (key performance indicators [KPIs]) provide a single point of view of raw data at one time collected from security processes. Metrics compare several KPIs over time with a predefined baseline for the objective. Provide financial data for project tracking and operations as well as investment.

Management Security & Compliance Dashboard

Reporting focusing on security objectives (policy, ISMS, security processes, third-party management, security incident management) and compliance objectives (regulation, privacy, industry compliance) to track compliance and policy violations, security incident management and associated remediation and improvement activities.


RCM: Capabilities (6/12): Legal, Regulatory & Privacy Compliance

Regional & Country Requirements Monitoring

Assess emerging compliance requirements and legislation that will impact the organization at the regional and country levels in the near future and define a plan for integration into the compliance program. External source regulatory feeds can be used to automatically be informed of new upcoming regulations.

Compliance & Privacy Standard Selection

Selecting the appropriate standard(s) to be used as reference for Legal, Regulatory & Privacy Compliance related controls to support compliance and privacy programs and guide managers and projects in making decisions to be in compliance with legal or policy requirements. Existing standards may be adapted to include organization-specific requirements or future emerging compliance requirements and changing business requirements. This capability may include the Compliance and Privacy Assessment Model selection to be used to conduct corporate assessments.

Universal Control Framework

Consolidated and rationalized control framework for compliance to optimize compliance program activities when the organization has to comply with several compliance standards.

Legal, Regulatory & Privacy Controls & Asset Mapping

Converting and mapping of regulatory, legal and privacy requirements such as EU data law, SOX, Gramm–Leach–Bliley Act, GDPR, EU standard clauses and regional privacy laws (e.g., Switzerland, Luxembourg, India) to controls/standards and assets. Updating the asset inventory with regulatory, legal and privacy requirements in respect of security capabilities, and recording the associated evidence to prove compliance.

Corporate Legal Interface

Processes and procedures to involve the legal department in case of major security-related noncompliance issues.


RCM: Capabilities (7/12): Legal, Regulatory & Privacy Compliance

Information Transfer Management & Sovereignty

Processes to manage the transfer of information within the organization and with any external entity (information transfer procedures, transfer agreements, etc.), including Information Sovereignty to enforce compliance requirements, depending on where the information is stored and who can access it.

Private Information Processing Management

Communication and notification to the information owner of the purpose for processing their personal data. Getting and recording individual consent for legitimizing the processing purpose of personal information (Consent Management).

Information Breach Disclosure

Information Breach Disclosure Management

Policy on disclosure of personal information, communication of the policy, and communication of a disclosure to the information/data subject when it happens.


RCM: Capabilities (8/12): Standard & Industry Compliance

Information Security Mngt. System Compliance

Ensure compliance with commonly used standards such as ISO 27001/2, NIST, CoBit and NERC. Compliance must be measurable, allowing risks to be identified, quantified and managed at various organizational levels within the organization.

Risk Management Framework Compliance

Ensure compliance with commonly used standards such as ISO 27005, ISO 31000, EBIOS, CRAMM, MEHARI and RiskAoA.

Corporate Security Standard Compliance

Ensure compliance with the corporate security standards that are part of corporate policy.

Industry Specific Compliance

Ensure compliance with industry-specific standards such as PCI/DSS, HIPAA, SOX and ISAE 3420.


RCM: Capabilities (9/12): Risk Management Framework

Risk Management Standard Selection

Selection of the standard used for Risk Management (i.e., ISO27005, ISO31000, EBIOS, CRAMM, MEHARI or RiskAoA).

Threat Modeling

Identification and classification of top-level threats, which can be categorized in three dimensions: motivation, localization and agent. The threat agent is the actor that poses the threat to the business of the organization or to a specific business process and its supporting assets. For the classification of the threat agent, four categories are to be considered: human, processes, technological and force majeure. Threat motivation categorizes threats by the motivation behind them, distinguishing between intentional and unintentional threats. Threat localization classifies the origin of the threat as either internal or external to the organizational perimeter. The threat modeling also has to take into account the capability of the threat agent (financial, expertise, resources, etc.), the catalyst (an event or change in circumstances that triggers the threat agent to act) and the inhibitor (a factor that may deter the threat agent from executing a threat).

Risk Profiles

Documentation and calculation of risk profiles and associated criteria for acceptable and unacceptable risks. Risk profiles are defined by key stakeholders, including business leaders, application data and business process owners; CISO; risk, compliance and privacy officers; and the legal department.

Risk Identification & Assessment

Methods, procedures and tools employed to identify, estimate and evaluate business and operational risk and the associated impact, and to produce the prioritized risks (according to risk profiles/appetite and risk evaluation criteria).

Risk Treatment

Selection of measures, controls or solutions to reduce, avoid, transfer or retain/accept identified risks, and definition of the corresponding treatment plan.
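The five capabilities above (standard selection, threat modeling, risk profiles, identification and assessment, treatment) form one chain: threats are classified along the agent, motivation and localization dimensions, the risk profile fixes what is acceptable, each risk is estimated and ranked, and a treatment option is chosen. The following is an added example (not DXC's method or any of the listed standards) that carries that chain through to a prioritized risk register. The 1-to-5 likelihood and impact scales, the `likelihood × impact` score, the two appetite thresholds in `RiskProfile`, the reduce/avoid/transfer/retain decision rule and the sample risks are all constructed assumptions; catalyst and inhibitor factors are left out for brevity.

```python
"""Threat taxonomy -> risk profile -> assessment -> treatment -> risk register.

Added example, not part of the CRA framework. Scales, thresholds, the decision rule
and the sample risks are constructed; the three threat dimensions and four agent
categories follow the Threat Modeling capability description.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Agent(Enum):
    HUMAN = "human"
    PROCESS = "process"
    TECHNOLOGICAL = "technological"
    FORCE_MAJEURE = "force majeure"


class Motivation(Enum):
    INTENTIONAL = "intentional"
    UNINTENTIONAL = "unintentional"


class Localization(Enum):
    INTERNAL = "internal"
    EXTERNAL = "external"


@dataclass(frozen=True)
class Threat:
    name: str
    agent: Agent
    motivation: Motivation
    localization: Localization
    capability: int        # 1 (low) .. 5 (high); constructed scale for agent capability


@dataclass(frozen=True)
class RiskProfile:
    """Acceptable / unacceptable criteria agreed by the stakeholders (constructed values)."""
    accept_below: int = 6         # score below this is retained (accepted)
    unacceptable_from: int = 15   # score at or above this must be reduced or avoided


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: Threat
    likelihood: int   # 1..5
    impact: int       # 1..5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # constructed evaluation criterion


def priority(risk: Risk, profile: RiskProfile) -> str:
    """Rank a risk against the profile's appetite thresholds."""
    if risk.score >= profile.unacceptable_from:
        return "unacceptable"
    if risk.score >= profile.accept_below:
        return "tolerable"
    return "acceptable"


def treatment(risk: Risk, profile: RiskProfile) -> str:
    """Constructed decision rule over the four treatment options."""
    level = priority(risk, profile)
    if level == "acceptable":
        return "retain"
    if level == "unacceptable" and risk.impact == 5 and risk.threat.capability >= 4:
        return "avoid"      # capable agent, maximal impact: remove the exposure
    if level == "tolerable" and risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"   # rare but severe: insure or contract it out
    return "reduce"


def build_register(risks: List[Risk], profile: RiskProfile) -> List[Dict]:
    """Prioritized register: highest score first, each entry with treatment and status."""
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return [{"risk_id": r.risk_id, "asset": r.asset, "threat": r.threat.name,
             "agent": r.threat.agent.value, "score": r.score,
             "priority": priority(r, profile), "treatment": treatment(r, profile),
             "status": "open"} for r in ordered]


# Constructed sample risks covering all four agent categories.
PROFILE = RiskProfile()
SAMPLE_RISKS = [
    Risk("R1", "customer database", Threat("credential theft", Agent.HUMAN,
         Motivation.INTENTIONAL, Localization.EXTERNAL, 4), likelihood=4, impact=5),
    Risk("R2", "payroll process", Threat("mis-keyed payroll run", Agent.PROCESS,
         Motivation.UNINTENTIONAL, Localization.INTERNAL, 1), likelihood=3, impact=2),
    Risk("R3", "primary data center", Threat("regional flood", Agent.FORCE_MAJEURE,
         Motivation.UNINTENTIONAL, Localization.EXTERNAL, 5), likelihood=2, impact=5),
    Risk("R4", "build pipeline", Threat("unpatched CI agent", Agent.TECHNOLOGICAL,
         Motivation.UNINTENTIONAL, Localization.INTERNAL, 2), likelihood=2, impact=2),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_RISKS, PROFILE):
        print(entry)
```

With the constructed profile, the register orders R1 (score 20, unacceptable, avoid), R3 (10, tolerable, transfer), R2 (6, tolerable, reduce) and R4 (4, acceptable, retain). The `status` field is what the Risk Monitoring capability later updates as treatment plans progress; the register itself is the traceability record that capability calls for.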


RCM: Capabilities (10/12): Risk Management Framework

Risk Communication

Communication and reporting of identified risks with stakeholders and decision makers.

Risk Monitoring

Monitoring and reevaluation of risks, their context (value of assets, business impacts, vulnerabilities, likelihood of occurrence) and the effectiveness of deployed measures and controls to mitigate identified risks, in order to update priorities and the risk treatment plan. Maintain traceability of risks, action plans and status (heat map, risk register).


RCM: Capabilities (11/12): Third-Party Management Framework

Third-Party Governance

Implement the proper structure on both sides to ensure appropriate governance around security of third-party service delivery. It could be a focal point to handle contract issues, procurement, delivery issues and problems, noncompliance issues, audit findings management, security incidents, plans for remediation, tracking, reporting review, etc.

Third-Party Profiling

Define the different categories of “third party” that the organization may have to deal with and define associated security and privacy requirements to be met by third parties that process, store or transmit confidential data or provide critical services. A third party may also be known as a vendor, supplier, customer, joint venture or fourth party. Different categories of third party can be a third-party service provider (to perform/deliver IT services or business services), third-party administrator, third-party developer, third-party insurance, third-party verification or auditor, etc.

Third-Party Selection

Activities to select and assess (due diligence), prior to contract signoff, security of third-party services to validate the scope of service, its appropriateness with the organization’s requirements and the adequacy with what the third-party claims to deliver or assure. This includes reviews of third-party background, reputation, financial performance and stability.

Contract Management

Establish, renegotiate and terminate a contract with a third party, with a clear definition of the objective, SLA, and role and responsibility around security services, including service reversibility and nondisclosure agreement.

SLA & Performance Management

Report (according to the contract) around third-party security services to demonstrate delivery according to contract SLA and SLO definition. Reports should contain metrics and KPIs according to the organization's Security Metrics Framework.


RCM: Capabilities (12/12): Audit Management & Certification

Audit Organization Structure

Manage audits (internal and external), regulatory requests and compliance checks by involving respective parties (including third parties), including an audit to get certified against a standard or a regulation.

Record & Evidence Management & QMS

Manage the record of documents, evidence and compliance attestations, including gathering, secure storage, records and evidence validation. Map between collected document/evidence and controls and risks. This includes management of the record of official Legal & Regulatory documents.

Self-Assessment

Perform a self-assessment to prepare for and identify compliance issues and to define a remediation plan in readiness for corporate (internal or external) audit and certification.

Audit Findings Review & Approval

Run the audit findings review and approval process, including third parties.

Audit Findings Remediation Plan & Monitoring

Manage audit findings by defining a remediation plan and closely monitoring its execution.


Security Resilient Architecture (1/2)

Objective

Defining how: the translation of businesses’ visions and strategies into effective enterprise security solutions by developing and communicating a consistent set of security principles, models, capabilities and patterns that provides the direction of the development, operations and governance, describing the enterprise’s target security posture and ensuring its alignment to the business needs and changes.

Subdomains

Enterprise Security Architecture

Security Architecture Multidomain Blueprints

Security Architecture Single-Domain Blueprints

Business Continuity

Solution Architecture

Technical Architecture Standards & Process Design

Security Architecture Assurance


Security Resilient Architecture (2/2)

Subdomains and their capabilities:

Enterprise Security Architecture: Enterprise Architecture Framework; Security Architecture Framework; Models; Strategies Alignment; Zoning Model; Principles; Capabilities & Requirements; Development, Quality & Production Environment Model; Third Party External Connections Model; Reusable Objects; Security Profiles

Security Architecture Single-Domain Blueprints: Risk & Compliance Management Blueprint; Resilient Workforce Blueprint; Applications Security Blueprint; Cyber Defense Blueprint; Data Protection & Privacy Blueprint; Identity & Access Management Blueprint; Infrastructure & Endpoint Security Blueprint

Security Architecture Multidomain Blueprints: Cloud Security Blueprint (consumption); Cloud Security Blueprint (provider); Industrial Control Systems Security Blueprint; Mobility Security Blueprint; GDPR Blueprint; Internet of Things Security Blueprint; Vehicle Security Design Blueprint; Next Generation (NG) Endpoint Protection Security Blueprint

Technical Architecture Standards & Process Design: Security Technical Standards; Security Guidelines; Security Process Catalog; Product Security Assurance; Solution Selection, Evaluation & Development

Solution Architecture: Solution Architecture Overview; High Level Design; Low Level Design; Service Definition

Business Continuity: Business Impact Analysis; Asset Prioritization; Data Replication; Recovery Objectives; Invocation & Escalation; Recovery Strategy; Redundancy; Virtual Team Mobilization & Collaboration; Communication & Reporting; Testing

Security Architecture Assurance: Architecture Review Board


SRA: Subdomains (1/2)

Enterprise Security Architecture: Principles, models, capabilities and reusable objects describing the enterprise security architecture.

Security Architecture Single-Domain Blueprints: Reusable generic templates for one specific core domain of the framework, describing dependencies and workflows between the capabilities of that core domain and highlighting, where needed, dependencies on capabilities outside it.

Security Architecture Multidomain Blueprints: Reusable generic templates for specific scenarios or business contexts involving several core domains of the framework, composing and mapping security capabilities and functions within the enterprise security architecture framework.

Technical Architecture Standards & Process Design: Standards defining the mandatory settings, controls and requirements that must be implemented to achieve policy objectives.

Solution Architecture: A combination of architecture artifacts (including but not limited to an overview architecture, a high-level design, a low-level design and a service management description) describing a solution with clear objectives and expected benefits for the organization, ready to be deployed, that complies with the applicable reference security blueprints and enterprise security architecture components.

Business Continuity: Processes and plans for resilient capabilities in the event of environmental, man-made or technical failures in business-supporting IT services, ICT infrastructure and applications.


SRA: Subdomains (2/2)

Security Architecture Assurance: Authoritative review and approval or rejection of change initiatives with regard to their architectural security aspects.


SRA: Capabilities (1/12): Enterprise Security Architecture

Enterprise Architecture Framework: Define or select the reference architecture framework used for enterprise architecture (e.g., Zachman, TOGAF, FEAF, DoDAF, Gartner, IBM, DXC ITSA). An enterprise architecture framework defines how to create and use an enterprise architecture and provides guidance for building solution architectures. It helps capture and translate business requirements into security capabilities using a business attributes model; these are later transformed through use cases (reusable objects) and security profiles into security controls.

Security Architecture Framework: A comprehensive, structured foundation of security domains, subdomains and capabilities used to create security solution architectures. Define or select the reference security framework used for the enterprise security architecture (e.g., SABSA, O-ESA, OSA, DXC CRA), aligned with the enterprise architecture framework.

Strategies Alignment: The security strategy supports the business and IT strategies, focusing on long-term road maps for protecting and preserving the confidentiality, integrity and availability of essential business information. The Enterprise Security Architecture (ESA) must be aligned with the business and IT strategies, so that ESA objectives map clearly to business drivers and goals by stating which business principles the ESA supports.

Principles: Business strategy and business objectives, expressed as business principles, are translated into foundational, functional, technical and implementation principles that direct the enterprise security architecture and guide how security solutions should be designed, built and operated to safeguard information assets efficiently and consistently and to support the business principles.

Capabilities & Requirements: The architectural security building blocks, structured in a multilayered taxonomy and expressed in generic terms, requiring process-, organization- and technology-oriented, business-driven abilities to accomplish them.


SRA: Capabilities (2/12): Enterprise Security Architecture

Models: Conceptual models and abstract views outlining the requirements necessary to implement and enforce security policies (e.g., domain model, data-centric or information protection model, component or layering model, zero-trust model, threat model, location model, operational model).

Zoning Model: Reference architecture for the effective, standardized design and operation of security zones, segmenting and isolating groups of information assets with consistent security requirements and policies. Zones are divided into uncontrolled, controlled, restricted, sensitive and management zones, supporting a multitiered architecture with different levels of trust and defined information flows between them. Includes the definition of each security zone and its associated security requirements in terms of integrity, confidentiality, availability and traceability.

Development, Quality & Production Environment Model: Reference architecture for the effective, standardized design and operation of the environments used in the phases of the development life cycle and release management: a development environment, a test and qualification environment (where new features are developed, changes are made and tested) and a production environment (used by corporate users). These environments are separated, and security requirements are defined to secure and control the flows between them.

Third-Party External Connections Model: Reference architecture for the effective, standardized design and operation of third-party external connections (depending on third-party profiling), covering and documenting: security requirements and policies for third-party technical interconnections; identification of the critical business processes that depend on external connectivity; comprehensive data-flow diagrams of infrastructure and systems to support data-flow authorization, risk assessment and audit; and the mandatory and optional security capabilities and controls to be deployed, depending on the third-party profile, to detect and prevent intrusions over third-party connections.

Reusable Objects: Composites of security constructs and architecture usage patterns, including but not limited to security profiles, use cases and business attributes, to be used in security architecture designs and security blueprints, with the objective of industrializing and standardizing recurring security solutions to a commonly occurring problem or to achieve a security goal.
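As an added illustration (not part of the DXC CRA material and not DXC code), the Python below turns the Zoning Model and the Third-Party External Connections Model into something that can be checked mechanically: a deny-by-default authorization of each entry in a data-flow inventory, which is the kind of check the third-party model says should back data-flow authorization and audit. The five zone names come from the page; everything else is an assumption made for the example: the trust ordering of the zones, the rule that a flow may cross only one trust boundary per hop, the rule that the management zone is reachable only from the controlled zone, the control names attached to each boundary (playing the role of per-boundary security profiles) and the two third-party profiles. The flow inventory at the bottom is constructed sample data.

```python
"""Deny-by-default zone flow check for a zoning model with third-party profiles.
Added illustration; zone names are from the page, all rules and control names
are assumptions chosen for this example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Optional, Set


class Zone(IntEnum):
    """Trust ladder (assumption): higher value = more trusted. MANAGEMENT is out-of-band."""
    UNCONTROLLED = 0
    CONTROLLED = 1
    RESTRICTED = 2
    SENSITIVE = 3
    MANAGEMENT = 99


# Controls that must exist on a flow crossing one boundary upward (hypothetical values).
INBOUND_CONTROLS: Dict[tuple, Set[str]] = {
    (Zone.UNCONTROLLED, Zone.CONTROLLED): {"firewall", "ids"},
    (Zone.CONTROLLED, Zone.RESTRICTED): {"firewall", "authn"},
    (Zone.RESTRICTED, Zone.SENSITIVE): {"firewall", "authn", "encryption", "logging"},
}
OUTBOUND_CONTROLS: Set[str] = {"firewall", "egress-filter"}   # one boundary downward
MANAGEMENT_CONTROLS: Set[str] = {"authn", "mfa", "logging"}    # to/from the management zone
# Extra controls per third-party profile for traffic entering from outside (hypothetical).
THIRD_PARTY_CONTROLS: Dict[str, Set[str]] = {
    "trusted-partner": {"mutual-tls"},
    "unknown": {"mutual-tls", "ids", "dlp"},
}


@dataclass(frozen=True)
class Flow:
    name: str
    src: Zone
    dst: Zone
    controls: FrozenSet[str]             # controls actually deployed on the path
    third_party: Optional[str] = None    # profile name when the source is an external party


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    missing: FrozenSet[str] = frozenset()


def required_controls(src: Zone, dst: Zone) -> Optional[Set[str]]:
    """Controls a src->dst flow must carry, or None if the transition is never permitted."""
    if src == dst:
        return set()                     # intra-zone traffic crosses no boundary
    if Zone.MANAGEMENT in (src, dst):
        other = dst if src == Zone.MANAGEMENT else src
        # Assumption: administrative access only via a jump host in the controlled zone.
        return set(MANAGEMENT_CONTROLS) if other == Zone.CONTROLLED else None
    if abs(int(dst) - int(src)) != 1:
        return None                      # skipping a zone is never allowed
    if dst > src:
        return set(INBOUND_CONTROLS[(src, dst)])
    return set(OUTBOUND_CONTROLS)


def evaluate(flow: Flow) -> Decision:
    """Authorize one inventory entry; anything not explicitly permitted is denied."""
    if flow.third_party is not None and flow.src != Zone.UNCONTROLLED:
        return Decision(False, "third-party traffic must enter through the uncontrolled zone")
    required = required_controls(flow.src, flow.dst)
    if required is None:
        return Decision(False, f"{flow.src.name}->{flow.dst.name} is not a permitted zone transition")
    if flow.third_party is not None:
        profile = THIRD_PARTY_CONTROLS.get(flow.third_party)
        if profile is None:
            return Decision(False, f"unknown third-party profile {flow.third_party!r}")
        required |= profile
    missing = required - set(flow.controls)
    if missing:
        return Decision(False, "missing mandatory controls", frozenset(missing))
    return Decision(True, "ok")


def audit(flows: Iterable[Flow]) -> Dict[str, Decision]:
    """Return the non-compliant flows of an inventory, keyed by flow name."""
    findings = {}
    for flow in flows:
        decision = evaluate(flow)
        if not decision.allowed:
            findings[flow.name] = decision
    return findings


# Constructed sample inventory (not real data).
SAMPLE_FLOWS = [
    Flow("web-to-dmz", Zone.UNCONTROLLED, Zone.CONTROLLED, frozenset({"firewall", "ids"})),
    Flow("internet-to-db", Zone.UNCONTROLLED, Zone.SENSITIVE, frozenset({"firewall", "ids", "authn"})),
    Flow("app-to-db", Zone.CONTROLLED, Zone.RESTRICTED, frozenset({"firewall"})),
    Flow("jumphost-to-mgmt", Zone.CONTROLLED, Zone.MANAGEMENT, frozenset({"authn", "mfa", "logging"})),
    Flow("db-to-mgmt", Zone.RESTRICTED, Zone.MANAGEMENT, frozenset({"authn", "mfa", "logging"})),
    Flow("partner-feed", Zone.UNCONTROLLED, Zone.CONTROLLED,
         frozenset({"firewall", "ids", "mutual-tls"}), third_party="unknown"),
]

if __name__ == "__main__":
    for name, decision in audit(SAMPLE_FLOWS).items():
        print(f"{name}: {decision.reason} {sorted(decision.missing) or ''}")
```

Two design points carry over to a real zoning model regardless of the assumed rules: the structural check (is this transition permitted at all?) is separated from the control check (are the mandatory controls for that boundary actually deployed?), so a flow that skips a zone is rejected even when it is heavily controlled; and third-party traffic is forced through the least-trusted zone and picks up profile-dependent controls on top of the boundary's own, which is what the third-party profiling in the model amounts to.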


SRA: Capabilities (3/12): Enterprise Security Architecture

Security Profiles: Defined mandatory, additional and optional lists of security controls and security capabilities to be applied to each class of information asset in a predefined architecture use case.


SRA: Capabilities (4/12): Security Architecture Single-Domain Blueprints

Risk & Compliance Management Blueprint: Reference security architecture for managing security through a process-centric information security approach with continuous improvement of effectiveness and efficiency, including integrated and automated enforcement, measurement and analysis of the corporate reference security processes, policy and controls enforcement, risk management, compliance management, third-party management, audit management and automated remediation.

Resilient Workforce Blueprint: Reference security architecture to promote and establish a security-aware company culture and empower the workforce through appropriate, accurate and targeted security awareness training and education, supporting the business and enforcing protection of critical and sensitive information.

Cyber Defense Blueprint: Reference security architecture for the secure, resilient, standardized design and operation of cyber defense capabilities, including governance, situational awareness, security intelligence and analytics, threat intelligence, digital investigations, security operations center, tooling, event management, incident response and remediation management.

Identity & Access Management Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of identity and access capabilities, including identity life-cycle management, provisioning, authentication and access control, privileged user management, and key and directory management.

Infrastructure & Endpoint Security Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of endpoint and infrastructure security, including rule-based security capabilities and detection and prevention capabilities for known and unknown threats.


SRA: Capabilities (5/12): Security Architecture Single-Domain Blueprints

Applications Security Blueprint: Reference security architecture for the secure development of application software and security APIs, including but not limited to use case modeling, threat modeling, security requirements, design, documentation, secure coding practices, testing (static and dynamic code analysis), source code handling, change and release management, security readiness and research, maintenance, incident response and security assurance.

Data Protection & Privacy Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of data protection and privacy, including data discovery and classification, data assurance, data security life-cycle management, and certificate and key management.


SRA: Capabilities (6/12): Security Architecture Multidomain Blueprints

Cloud Security Blueprint (Consumption): Reference security architecture for the effective, standardized design and operation of security solutions in XaaS cloud environments, leveraging the use cases and capabilities relevant to cloud consumers.

Cloud Security Blueprint (Provider): Reference security architecture for the effective, standardized design and operation of security solutions in XaaS cloud environments, leveraging the use cases and capabilities relevant to cloud providers and cloud brokers.

Mobility Security Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of trusted and untrusted mobility endpoints from a security perspective, including but not limited to mobile security, BYOD/AYOD (Bring/Allow Your Own Device) policies and requirements, remote access and network access controls, security compliance checking, malware protection, forensics, event collection, and authentication and authorization.

IoT Security Blueprint: Reference security architecture for the secure, effective and standardized design and operation of IoT, leveraging relevant security capabilities from subdomains of the framework.

Vehicle Security Design Blueprint: Reference security architecture for the secure, effective and standardized design and operation of vehicle security, leveraging relevant security capabilities from subdomains of the framework.


SRA: Capabilities (7/12): Security Architecture Multidomain Blueprints

Industrial Control Systems Security Blueprint: Reference security architecture for the secure, effective and standardized design and operation of Industrial Control Systems (ICS), leveraging relevant security capabilities from subdomains of the framework, including security for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and programmable logic controllers (PLCs).

GDPR Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of measures addressing privacy compliance requirements and objectives. Privacy requirements include but are not limited to openness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability and the rights of the individual.

NG Endpoint Protection Security Blueprint: Reference security architecture for the effective, standardized and reusable design and operation of end-user device protection, providing (1) digital enablement with nonintrusive security, user-friendly two-factor authentication (2FA) and full single sign-on (SSO) that is easy to manage; (2) threat resistance built on security foundations and cyber hygiene: secure by design, a maintained trust chain from hardware to applications, isolation of critical kernel components, a trust-no-one stance (application reputation), micro-segmentation (micro-virtualization, containers or sandboxing), and nonintrusive antivirus and firewall; and (3) threat resiliency by assuming a state of compromise, with a flight recorder providing detailed end-to-end telemetry, health attestation and forensic readiness that allow agile and detailed threat hunting.


SRA: Capabilities (8/12): Technical Architecture Standards & Process Design

Security Technical Standards: The mandatory configuration settings and controls that must be implemented to achieve policy objectives, with the goal of providing fit-for-purpose security level(s). These configurations, linked to the organization's security policies, are based on both internal knowledge and industry standards and best practices.

Security Guidelines: Recommended (nonmandatory) configuration guidelines and best practices that help support the standards or serve as a reference where no applicable security standard is in place.

Security Process Catalog: Definition of the global processes ensuring that security policies and standards are applied in a consistent and repeatable manner. A process is a set of steps, tasks or activities executed to deploy a policy or standard, describing the inputs and outputs of the process. Global processes are then instantiated as operational processes (SO domain) to be deployed across the organization; a process may be deployed in different ways as long as the objectives defined in the global process are met (e.g., the component build process and the health checking process).

Product Security Assurance: Assurance that an application, product or system (acquired or developed by the organization) is certified against security evaluation criteria, either developed by the organization or taken from a known and recognized standard, e.g., Common Criteria (ISO/IEC 15408) Evaluation Assurance Levels (EAL), the Information Technology Security Evaluation Criteria (ITSEC), the Trusted Computer System Evaluation Criteria (TCSEC), the US Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), or OWASP guidance for web applications. Evaluations can be performed in-house or by an independent external company.

Solution Selection, Evaluation & Development: Testing (against security criteria), benchmarking and referencing of the security tools, products and services to be implemented, deployed and used to support security policies, standards, guidelines and reference architectures; and development of security tools, software and products to support security policies, standards and reference architectures. This activity can include research.


SRA: Capabilities (9/12): Solution Architecture

Solution Architecture Overview: Overview of a security solution (applications, products, processes and people) linked to the business, IT and security strategies, describing the business drivers and organizational context, objectives, stakeholders, planning, resourcing, budget and benefits of the solution.

High-Level Design: Description of a security solution in terms of its security requirements, including compliance, privacy, safety and resilience requirements, to meet the objectives, assumptions and hypotheses while leveraging, and demonstrating compliance with, the applicable corporate enterprise security architecture components. These may include principles, capabilities, models, reusable objects (architecture use cases), segregation and segmentation, and security profiles, as well as compliance with the corporate security blueprints (Security Architecture Single-Domain Blueprints) and other relevant blueprints (Security Architecture Multidomain Blueprints).

Low-Level Design: Detailed description of a security solution (products, processes and people) sufficient to implement it effectively, including the operational model (elements, nodes, locations, zones, boundaries, borders, connections, nonfunctional requirements, etc.), sizing, product selection, configuration settings and the operational processes to be either leveraged or developed to support the solution.

Service Definition: Detailed description of how the efficiency and maturity of the solution are measured, as well as the roles and responsibilities of the teams, business units, suppliers, third parties and other resources involved in steady-state operations.


SRA: Capabilities (10/12): Business Continuity

Business Impact Analysis: Business impact analysis and risk assessments to identify the most important assets, process and technology dependencies, the impact on the business, and the risks.

Asset Prioritization: Selecting the prioritized business-critical information assets to be recovered as a minimum in case of a major disruption.

Recovery Objectives: Business owners define and refine recovery time objectives (RTO) and recovery point objectives (RPO) for critical applications.

Recovery Strategy: Selecting recovery strategies for the systems in scope for disaster recovery solutions, such as high availability, system duplication on twin sites and active/standby solutions.

Redundancy: Selecting redundancy solutions, such as dual sites or dual buildings, and technical and organizational duplication.


SRA: Capabilities (11/12): Business Continuity

Data Replication Selecting synchronous or asynchronous data replication between dual sites and whether replicating data blocks on the storage level or replicating database logs or files.

Invocation & Escalation Procedures and routines for invocation and escalation to the crisis team in case of major disruptions of IT services.

Virtual Team Mobilization & Collaboration Procedures and routines for mobilizing virtual cross-organizational teams for crisis management and for collaboration across teams during an invoked major IT service disruption.

Communication & Reporting Procedures and routines for how to communicate and report to employees, the board, partners, customers and the public during a major IT service interruption.

Testing Periodic tests of disaster recovery plans through desktop, walkthrough, simulated, partial or full tests.


SRA: Capabilities (12/12)

Subdomain: Security Architecture Assurance

Architecture Review Board

The authoritative entity for reviewing and approving or rejecting new enterprise security solutions or change initiatives with regard to the security architecture aspects defined in the enterprise security architecture, including standards, and for determining whether there is any security impact. This includes an exception process that provides the inputs, approvals and necessary risk acceptance for the introduction of a nonstandard technology or solution.


Resilient Workforce (1/2)

Objective

People contributing to digital resilience

Promote and establish a security-aware company culture and empower your workforce by providing appropriate, accurate and targeted security awareness training and education to support your business and enforce protection of your critical and sensitive information.

Subdomains

Security Culture, Security Training & Education, Empowered Workforce, Knowledge Management


Resilient Workforce (2/2)

Security Culture
• Organization Security Culture Profiling
• Corporate Communication

Empowered Workforce
• Job Role Management
• Segregation of Duties
• Talent Retention Program
• HR Processes Integration
• Mentoring Program
• Talent Recruitment, Identity Proofing & Vetting
• Identity Enrolment & Profile Record Management
• Workforce Satisfaction
• Security Culture Leadership Approach

Security Training & Education
• IT/Security Organization Training
• Developer Security Training
• Board & Management Security Awareness Training
• Employee External Certification
• Third Party Security Awareness Training
• Employee Internal Certification
• Employee Security Awareness Training
• Targeted Security Awareness Training

Knowledge Management
• Knowledge Management Systems
• Knowledge Creation, Collection & Validation
• Knowledge Sharing


RW: Subdomains

Security Culture

Security Culture describes the way security in the workplace is organized and thus reflects the attitudes, convictions, perceptions and values of the employees and of the organization with regard to security. Organizations therefore need to build and structure elements of their organization, such as resources and guidelines, to reflect their security objectives. Security culture also means managing the change process that makes employees’ attitudes and behavior more security-oriented.

Empowered Workforce

Empowered Workforce describes activities to ensure talent and competency development for both attracting and retaining talent for operational security people and managers: recruiting, career development, mentoring program, etc.

Security Training & Education

Security Training & Education objectives are to define and maintain content adequate for different target groups, considering national and intercultural aspects reflective of the present-day working environment and the current threat landscape, and to define appropriate training packages targeting security teams, IT staff and managers that provide the specific knowledge and skills needed to achieve their job objectives and responsibilities, including employee certifications where needed.

Knowledge Management

Knowledge Management groups the activities around the creation, contribution, collection, referencing, sharing and use of knowledge/information developed by the organization, with the objective of ensuring the best use of knowledge, identifying and promoting knowledge and experience, and facilitating employee skill development and collaboration.


RW: Capabilities (1/6)

Subdomain: Security Culture

Organization Security Culture Profiling

Definition of requirements in regard to the desired state of information security awareness for different target groups (CxO, employees, power users, third parties, etc.). The profile contains information about location, languages, national and intercultural aspects, number of employees and industry, with consideration of mission, strategy and values of the organization and opportunities, risks and threats the organization is facing, as well as compliance obligations. The profile includes influencing and company-relevant factors to be measured in security culture.

Corporate Communication

Internal communications to ensure the positive image of security as an enabler:
• The corporate policy and any ongoing changes, including regulatory, compliance and privacy obligations
• Employee roles and responsibilities
• Internal communications to announce and raise awareness for security topics
• Communication from the security leadership team through conferences, newsletters, wiki, etc. to communicate the security vision, objectives and initiatives as a security provider both internal (providing and enhancing security within the organization) and external (security embedded in IT products and services sold to partners, external customers and other third parties)
• The corporate position in case of a publicly known security breach (loss of customer data, loss of private/sensitive information, etc.)


RW: Capabilities (2/6)

Job Role Management

Description of business roles and job descriptions allowing mapping to the applications and systems people use to achieve their job objectives and responsibilities. Role Management includes job role modeling, job role discovery, job role assignment (assigning a role to an identity) and job role change.

Segregation of Duties Definition of Segregation of Duties rules to address business risks associated with a user-role conflict of interest.

HR Processes Integration

Security anchored in HR processes: security responsibilities are incorporated into job profiles and terms and conditions of employment in the contract, including responsibilities and duties that remain valid after termination or change of employment (e.g., a nondisclosure statement/clause for employees dealing with sensitive information). The security aspect is included in annual goals and performance reviews. This also includes a disciplinary process to take action against employees who have committed a security breach.

Talent Recruitment, Identity Proofing & Vetting

Processes and tools used to perform identity proofing, i.e. validating an identity using authoritative data sources and identity profile data with sufficient information and evidence. Background check and screening to uniquely identify persons as having the identity they claim and to match people to places by analyzing the required skills and matching them with the available qualifications of employees. Recruiting to support the organization in the recruiting process to figure out which people fit the organization’s needs and culture.

Identity Enrollment & Profile Record Management

Process when a candidate for employment has passed verification and an identity record is created, with the complete identity record, including name, address, birth date and other unique identifiers linked to a person. This includes processes for deactivating, archiving and deleting an identity record after the person has resigned, retired or permanently left.


RW: Capabilities (3/6)

Talent Retention Program

Define and apply a retention program to identify critical people for the organization. Provide activities to ensure talent and competency development to both attract and retain talent for operational security people and managers (e.g., recruiting, career development, training program, mentoring program).

Mentoring Program

Build and execute a mentoring program to:
• Allow an effective way to transfer experience, lessons learned, skills and knowledge from one person to another
• Achieve specific objectives for skill growth and development
• Create effective relationships, guide mentees and encourage an environment for success

Workforce Satisfaction

To have attentive and aware employees, you need to motivate your workforce by creating a healthy and engaging environment. Motivational factors can include recognition, work-life balance, stress reduction programs and "burnout" prevention. By associating security with these factors, you will have a more engaged and open-minded workforce with a positive attitude toward secure behavior.

Security Culture Leadership Approach

Develop security culture processes to ensure clarity on the corporate policy and rules, so that employees understand their role and what is expected of them in terms of security:
• Leading by Example: ensure management sets the right example by showing exemplary behavior and by embedding security in the tasks and actions of (middle) management.
• Culture of Prevention: ensure people have sufficient time, competency and capacity to abide by the rules and protocols for dealing with sensitive information.
• Culture of Detection: encourage transparency of employees’ behavior and ensure its effects are visible in the way of working; encourage openness on security incidents and concerns so employees feel safe to discuss incidents, concerns and dilemmas openly in the organization.
• Culture of Responsiveness: ensure employees feel safe engaging with other employees when they see incorrect treatment of sensitive information; have management enforce the rules with board support, and reward and/or sanction people.
• Culture of Failure Acceptance: enforce the principle that you can learn from mistakes, the basic requirement for establishing a stable security culture; practice it in training and in daily work without having to reckon with strict consequences.


RW: Capabilities (4/6)

IT/Security Organization Training

Understand and define IT staff security training requirements and scope; develop or select supporting education and training materials; and deliver security training for the security team, IT staff, sales and managers to provide the specific knowledge and skills needed to achieve their job objectives and responsibilities, including the “train the trainer” concept. Prepare for certifications or knowledge development.

Developer Security Training

Educate application architects and developers around secure system development life cycle (SDLC), including how to architect and design security in an application; how to develop secure code, including mobile applications; and how to avoid pitfalls that result in vulnerabilities/insecurities. Educate software testers on how to test for security issues.

Employee External Certification

Understand and define IT staff security external certification requirements. Ensure External Certification of employees to demonstrate knowledge acquisition and to comply with organization certification requirements.

Employee Internal Certification

Define corporate Internal Certification program (certification and recertification criteria, training content, schedule, certification package template, review board, etc.). Ensure Internal Certification of employees to demonstrate knowledge acquisition and to comply with organization certification requirements.


RW: Capabilities (5/6)

Employee Security Awareness Training

Production and implementation of security awareness training targeting different employee groups and covering the following aspects (not an exhaustive list):
• Regular User Security Awareness program
• Privileged User Security Awareness program
• Mandatory and regular Code of Conduct training
• Ensuring clarity on the corporate policy and rules so that employees understand their role and what is expected of them in terms of security

Board & Management Security Awareness Training

Security awareness training for board members about the current threat landscape, covering:
• Advanced threats, threat actors and cyber security
• Business impact and legal consequences if such threats are realized, including the worst-case scenario
• Regulatory, compliance and privacy obligations

Third-Party Security Awareness Training Security awareness training for third parties and contractors (in particular, users with privileged access) to ensure they comply with corporate security policy.

Targeted Security Awareness Training Security awareness training for targeted communities of people, depending on the organization’s objective and special needs (e.g., salespeople).


RW: Capabilities (6/6)

Knowledge Management Systems Systems supporting the storage, organization, access and sharing of knowledge.

Knowledge Creation, Collection & Validation

Processes to support creation, identification, collection, referencing and validation of knowledge, skills, expertise, experiences, ideas, collateral, information assets and lessons learned. This includes methodologies and templates to maximize understanding and reusability of knowledge.

Knowledge Sharing Processes to support exchange of knowledge between people (employees, communities, third parties, etc.) and access, sharing and collaboration around knowledge between employees.


Cyber Defense (1/2)

Objective

Intelligence to detect breaches and respond

Provide real-time alerting, tooling and intelligence to more effectively identify, understand, respond to and contain security incidents by providing:
• overall visibility of cyber security situational risk
• understanding of threat techniques, tools, procedures and potential impact to business

Subdomains

Security Monitoring, Security Incident Response & Remediation Management, Threat Intelligence & Profiling, Digital Investigation & Forensics, Vulnerability Management, Security Analytics


Cyber Defense (2/2)

Security Monitoring
• Log Policy Definition
• Log Management
• Monitoring & Alerting Processes
• Log Correlation
• Event Query
• Log Integrity
• Use Case Management
• Log Reporting
• Shift-Handover Process
• Daily Operations Meeting Procedure

Security Incident Response & Remediation Management
• Incident & Defect Notification
• CERT & Authority Information Request
• Incident Analysis
• Incident Triage
• Root Cause Analysis
• Incident Validation
• Incident Classification
• Incident Mitigation & Remediation
• Incident Recovery
• Crisis Communication
• Incident Reporting
• Crisis Leadership & Organization
• Escalation Procedure

Threat Intelligence & Profiling
• Threat Intelligence Platform
• Cyber Threat Intelligence Sources
• Threat Actor Profiling
• Cyber Threat Intelligence Sharing
• Malware Analysis
• Security Trends
• Technical Threat Modeling
• Threat Intelligence Knowledge Management

Digital Investigation & Forensics
• Digital Investigations
• Digital Forensics
• E-Discovery
• Active Threat Hunting

Vulnerability Management
• Static Code Analysis
• Dynamic Code Analysis
• Social Engineering
• Penetration Testing
• Vulnerability Remediation
• Attack Simulation
• Vulnerability Scanning
• Patch Management
• Vulnerability Notification
• Vulnerability Monitoring
• Vulnerability Validation & Criticality
• Vulnerability Research

Security Analytics
• Big Data Security Analytics
• Baselining
• Social Media Analysis
• Data Anomaly Detection
• Network Anomaly Detection
• User Behavior Analysis
• Privileged Threat Analytics
• DNS Analytics
• Technical Attack Reconstruction & Visualization


CD: Subdomains

Security Monitoring

Manage logs and correlate security event logs to automatically generate security alerts based on known attack scenarios/use cases. Monitor security alerts and incidents as they occur in the environment. Provide evidence in case of investigations and to support incident response management.

Security Incident Response & Remediation Management

Validate, classify and analyze security incidents (understand what happened, how and why) to ensure adequate and prompt remediation or recovery activities (Incident Response Level 1 and 2).

Threat Intelligence & Profiling

Change the security model from reactive to proactive by understanding your adversaries and so developing tactics to combat current attacks and to plan for future threats. Accurate, complete and actionable information allows threat modeling, planning and remediation activities to occur. Such information may come from inside sources or from external providers. The key is to create “actionable” steps to further protect the enterprise.

Digital Investigation & Forensics

Identify, process and analyze digital states and events to find evidence as to how, why and by whom a computing resource was compromised, and collect, process and review data in the event of legal action (Incident Response Level 3).

Vulnerability Management

The cyclical practice of policy definition, baselining, assessing, prioritizing, shielding, remediating and monitoring of exploitable security vulnerabilities in software and firmware in endpoints, infrastructure and other IP-addressable assets, including root cause analysis and elimination.

Security Analytics Analytics to allow real-time processing of a large volume of unstructured and structured data to efficiently identify, detect and alert anomalies or transactions that are not conforming to expected patterns.


CD: Capabilities (1/13)

Subdomain: Security Monitoring

Log Policy Definition

The definition of a corporate policy related to log generation, with the necessary level of requested logs per component. Each component’s security standard should include a technical log setting, which may include logs containing user activities, security violations and other security event information to provide evidence in case of incidents, digital investigations and for access control monitoring, as well as rules around log storage, retention period, log integrity, etc.

Log Management

Activities to ensure that proper log settings are configured on each hardware and software component according to the corresponding component security standard; to collect and aggregate logs into a central repository through collectors or agents from any device, source or format; to consolidate logs into a single standard format through normalization and categorization; to ensure sufficient storage capacity for the agreed retention period (with deletion once it expires); and to provide the ability to retrieve logs when requested (e.g., for postmortem incident analysis or audit requests).

Log Correlation The ability to discover and apply logical associations among disparate log events and within a large volume of events from different log sources to highlight important events and identify suspicious activities.

Log Integrity Ensuring logs cannot be modified so that integrity is maintained throughout and evidence of integrity can be provided.
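The following is an added illustration, not code from the DXC CRA deck, of one way to provide evidence of log integrity: each record carries a keyed hash (HMAC-SHA256) over its sequence number, the previous record's MAC and the log line, so that modifying, deleting or reordering any record breaks the chain at that point. The key, the sample log lines and the function names are constructed for this example. A bare chain check cannot detect truncation of the newest records, so the example also compares the chain head against a value recorded outside the chain (in practice published to a separate system or a write-once sink).

```python
import hashlib
import hmac
import json

# Assumed for this example: a key shared by the log writer and the verifier.
# In production it belongs in an HSM or a separate write-only log sink so that a
# compromised host cannot re-sign its own history.
KEY = b"constructed-demo-key-rotate-me"
GENESIS = "0" * 64

# Constructed sample log lines (not from the original page).
CONSTRUCTED_LINES = [
    "2018-11-14T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.7",
    "2018-11-14T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.7",
    "2018-11-14T09:00:30Z web01 sshd: Accepted password for admin from 203.0.113.7",
    "2018-11-14T09:01:00Z web01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/bash",
]


def _mac(seq, prev, line):
    """Keyed hash binding a record to its position and to its predecessor."""
    msg = f"{seq}|{prev}|{line}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def append(chain, line):
    """Append one log line, linking it to the MAC of the previous record."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "line": line, "mac": _mac(seq, prev, line)})
    return chain


def verify(chain, expected_head=None):
    """Return None if the chain is intact, otherwise the index of the first record
    that fails. Catches modified, deleted and reordered records; truncation of the
    tail is only caught when the expected head MAC is supplied from outside."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if not hmac.compare_digest(rec["mac"], _mac(rec["seq"], rec["prev"], rec["line"])):
            return i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def build_chain(lines=CONSTRUCTED_LINES):
    chain = []
    for line in lines:
        append(chain, line)
    return chain


def _copy(chain):
    return json.loads(json.dumps(chain))


def tamper_line(chain, idx=1):
    """An attacker rewrites one line in place: detected at that index."""
    c = _copy(chain)
    c[idx]["line"] = c[idx]["line"].replace("Failed", "Accepted")
    return verify(c)


def drop_record(chain, idx=2):
    """An attacker deletes one record: the next record's seq no longer matches."""
    c = _copy(chain)
    del c[idx]
    return verify(c)


def truncate(chain, keep=2):
    """Dropping the newest records passes a bare verify; the external head catches it."""
    c = _copy(chain)[:keep]
    return verify(c), verify(c, expected_head=chain[-1]["mac"])


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))            # None
    print("tampered at:", tamper_line(chain))  # 1
    print("dropped at:", drop_record(chain))   # 2
    print("truncated:", truncate(chain))       # (None, 2)
```

The design point is that the MAC is keyed: a plain hash chain only proves that the records are consistent with each other, and anyone who can edit the file can recompute it. Keying the chain moves the trust to whoever holds the key, and anchoring the head MAC outside the log closes the truncation gap.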

Use Case Management

Use case definition: the modeling of attack scenarios, or of a sequence of events and an associated rule, which, if occurring within a certain period of time, represent suspicious activity that needs to be analyzed. Use case to log source mapping: the identification of which logs are necessary to implement the use case. Use case implementation: ensuring an alert is raised when a defined and implemented use case occurs.
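As an added example (not from the original page) of how Log Correlation and Use Case Management fit together: the use case below declares the log source it needs, a failure threshold and two time windows, and the correlation loop applies it to a handful of constructed sshd-style log lines. The host names, IP addresses, log format and function names are all constructed for this example; the source check refuses to run a use case whose required log source is not being collected.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page): one source address
# fails five times within a few seconds and then succeeds; another fails once.
SAMPLE_LOGS = """\
2018-11-14T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.7
2018-11-14T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.7
2018-11-14T09:00:05Z web01 sshd: Failed password for root from 203.0.113.7
2018-11-14T09:00:06Z web01 sshd: Failed password for bob from 198.51.100.2
2018-11-14T09:00:07Z web01 sshd: Failed password for admin from 203.0.113.7
2018-11-14T09:00:09Z web01 sshd: Failed password for admin from 203.0.113.7
2018-11-14T09:00:30Z web01 sshd: Accepted password for admin from 203.0.113.7
2018-11-14T09:00:31Z web01 sshd: Connection closed by 203.0.113.7
2018-11-14T09:05:00Z web02 sshd: Accepted publickey for deploy from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): "
    r"(?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    outcome: str
    user: str
    ip: str


def parse(lines):
    """Normalize raw lines into events; lines that are not auth outcomes are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield Event(datetime.strptime(d.pop("ts"), "%Y-%m-%dT%H:%M:%SZ"), **d)


@dataclass
class UseCase:
    name: str
    required_sources: set      # use case to log source mapping
    failures: int              # threshold of failed logins per source IP
    fail_window: timedelta     # the failures must fall inside this window
    success_window: timedelta  # a success this soon after the threshold alerts


BRUTE_FORCE_SUCCESS = UseCase(
    name="Brute force followed by successful login",
    required_sources={"sshd"},
    failures=5,
    fail_window=timedelta(seconds=60),
    success_window=timedelta(seconds=120),
)


def sources_available(use_case, events):
    """Do not claim coverage for a use case whose log sources are not collected."""
    return use_case.required_sources <= {e.source for e in events}


def correlate(use_case, events):
    """Stateful correlation: a sliding window of failures per source IP; once the
    threshold is crossed, an Accepted event from that IP inside success_window
    raises one alert and resets the state for that IP."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    armed = {}                     # ip -> time the threshold was crossed
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.outcome == "Failed":
            q = failures[e.ip]
            q.append(e.ts)
            while q and e.ts - q[0] > use_case.fail_window:
                q.popleft()
            if len(q) >= use_case.failures:
                armed[e.ip] = e.ts
        elif e.outcome == "Accepted":
            t = armed.get(e.ip)
            if t is not None and e.ts - t <= use_case.success_window:
                alerts.append({"use_case": use_case.name, "ip": e.ip, "user": e.user,
                               "host": e.host, "failures": len(failures[e.ip]),
                               "at": e.ts.isoformat()})
                armed.pop(e.ip)
                failures[e.ip].clear()
    return alerts


def run(use_case=BRUTE_FORCE_SUCCESS, logs=SAMPLE_LOGS):
    events = list(parse(logs))
    if not sources_available(use_case, events):
        raise RuntimeError(f"{use_case.name}: required log source not collected")
    return correlate(use_case, events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample input this produces one alert for 203.0.113.7 (five failures in eight seconds, then a success 21 seconds later) and nothing for 198.51.100.2, whose single failure never reaches the threshold. The `sources_available` check is the use-case-to-log-source mapping made executable: a SOC that lists this use case as implemented but has stopped receiving sshd logs has no detection, and the check surfaces that instead of silently producing zero alerts.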


CD: Capabilities (2/13)

Security Monitoring

Monitoring & Alerting Processes

The process of observing, checking and tracing (recording) generated alerts defined in use case implementations to initiate incident triage and response when needed.

Event Query

The ability to query for a particular event or a sequence of events that occurred in the past.

Log Reporting

Logs and events management report: events and logs collected and recorded, use case management, alerting and monitoring activities (numbers of alerts, actions undertaken, etc.).

Shift-Handover Process

The process to manage SOC analysts’ and operators’ shift handover.

Daily Operations Meeting Procedure

The process to manage SOC daily operations (console monitoring, ticket management, etc.).


CD: Capabilities (3/13)

Security Incident Response & Remediation Management

Incident & Defect Notification

Ability to receive an incident notification from a Security information and event management (SIEM) or Help Desk or a notification from end users reporting security or privacy defects (for instance, complaints regarding employees’ behavior impacting privacy obligations).

CERT & Authority Information Request

Ability to receive a request from an authoritative national agency, national police force, a legal department, customers or third parties.

Incident Triage

Triaging of suspicious events/alerts by the SOC Analyst to ascertain their potential impact and effect on the organization. This includes automated triaging when possible.

Incident Validation

Confirmation of whether the event/alert requires an investigation, meaning this is a real incident and not a false positive or an event belonging to an existing ongoing security incident.

Incident Classification

Definition of the severity and/or priority of the security incident, as well as the type of incident, usually according to the predefined security incident categories (DDoS, unauthorized access, information leakage, compliance, privacy, etc.) and security priority matrix (critical, major, medium or minor).


CD: Capabilities (4/13)

Security Incident Response & Remediation Management

Incident Analysis

Analysis of events to understand dependencies between events, whether some events can be explained by others and so on, in order to understand how an incident occurred and what the impact was on the business (usually Level 1 or 2 for incident analysis).

Root Cause Analysis

Analysis of an incident explaining what happened, why and how it happened, and what is recommended to be implemented moving forward to avoid the same incident happening again.

Incident Mitigation & Remediation

Activities to address or avoid incidents impacting information assets and the business, ensuring compliance with legal requirements upon a breach, with the primary focus on preventing or minimizing harm. These could take the shape of:
• A predefined list of tasks to be executed depending on the category, the priority and the severity of the incident
• A complex remediation plan, depending on the magnitude of the attack, the type of attack, the stage of the attack and the current impact
• A legal aspect can be part of activities to be undertaken, for example, in the case of a privacy incident or customer data leakage

Incident Recovery

Activities to be undertaken to recover from an incident that has already taken place and had an impact. These could include:
• Service and data restoration
• System reimage
• A basic cleanup or eradication of malware
• An external communication to a third party or government agency in case of a security breach affecting a customer, a third party or confidential private information

Incident Reporting

Reports regarding security incidents: the number of incidents and their priority, status and ongoing activities to remediate or recover from a security incident.


CD: Capabilities (5/13)

Security Incident Response & Remediation Management

Crisis Leadership & Organization

In the event of a crisis, a clear definition of the roles and responsibilities of everyone who should be involved in responding to a serious incident, how they should be involved, and who owns the incident and acts as the focal point for all communication.

Escalation Procedure

Definition of an escalation procedure to deal with potential problems and unexpected situations, and to raise attention to issues early enough to prevent a disruption from escalating into an emergency.

Crisis Communication

Activities taken by an organization to communicate with the public, employees, third parties, partners and stakeholders when a security incident occurs that could have a negative impact on the organization’s reputation or on other external organizations.


CD: Capabilities (6/13)

Threat Intelligence & Profiling

Threat Intelligence Platform

Support collection, validation and storage of threat intelligence; allow custom scripting flexibility and programming language options; allow automated enrichment via community feeds and sources, automated triage and automated application of IOCs; provide analysis support tools such as decoders, unpackers, hashers, connection graphs and automated VirusTotal lookup; allow mature curation of signatures, use cases and scripting to be deployed on endpoint IR tooling.

Cyber Threat Intelligence Sources

Provide internal and/or external feeds about emerging threats to support the intelligence-led approach: (1) proactively develop tactics to respond to threats that may target your organization in the medium term, (2) identify if those threats have already targeted your organization and (3) support threat actor profiling and hunting activities. Provide a broader view of the threat landscape leveraging Global Security Center feeds, industry feeds and security community feeds. For example, a feed from a national CSIRT, CERT or other Threat Intelligence service used to establish proactive indicators of compromise (IOCs) would help to promptly respond to high-severity incidents.

Cyber Threat Intelligence Sharing

Collaborate and share knowledge with an authoritative national agency, national police force, national CSIRT, CERT or other Threat Intelligence third-party service.

Security Trends

Better understand the threat landscape by knowing security trends and which industries are targeted by what type of threat or attacks.

Technical Threat Modeling

Optimize network or application/software security by identifying attack objectives, attack surfaces and vulnerabilities, and then defining protections or countermeasures to prevent or mitigate the effects of threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and which can compromise the assets of an enterprise.


CD: Capabilities (7/13)

Threat Intelligence & Profiling

Threat Actor Profiling

Activities to understand an organization's cyber adversaries and the threat actor's current activities within the organization (done during investigation): attack patterns and indicators, the technical scenario used to infiltrate the customer environment, and the tools and methods of access used to search for, capture and exfiltrate data (malware, backdoors, RATs, command and control (C2), rogue connections, web shells, etc.). Understand what they target within the environment (intellectual property, customer and personal data, business processes, trade secrets, etc.) and identify IP addresses, URLs, DNS domain names, SMTP domain names, beaconing devices and beaconing frequency related to attacker activities.

Malware Analysis

Malware triage engine (in a sandbox) for malware/file analysis and behavior.

Threat Intelligence Knowledge Management

Record of any SOC activity around incident management and threat intelligence: monitoring activities, use case modeling, records of incident response activities, incident analysis and RCA (what happened, how, why and how it was remediated and recovered), lessons learned (logs, volatile and nonvolatile data, artifacts, PCAP, protocol logging, etc.) and any other relevant information that must be shared across the Cyber Security team to optimize further activities related to the same alerts/events/incidents. This includes updating processes and procedures, if needed (list of actions to be executed to recover). Record of IOCs, watch lists, use cases, custom signatures and scripts developed. Record of technical, tactical and strategic intelligence.


CD: Capabilities (8/13)

Digital Investigation & Forensics

Digital Investigations

Identify, process and analyze digital states and events to find evidence as to how, why and by whom a computing resource was compromised as input for subsequent digital forensics (usually level 3 for incident analysis).

Digital Forensics

Used as part of an internal investigation into security incidents covering identification, preservation, collecting, processing and reviewing data in the event of legal processes.

E-Discovery

Used to support an external investigation resulting from security incidents that have resulted in legal or regulatory action (e.g., concerning data protection) being taken in relation to the customer.

Active Threat Hunting

Activities to proactively discover active threats and malware present within the environment.


CD: Capabilities (9/13)

Vulnerability Management

Static Code Analysis

Security testing of the application from the inside out by examining the source code, byte code or application binaries for conditions indicative of a security vulnerability.

Dynamic Code Analysis

Security testing of the application from the outside in by examining the application in a runtime environment with various attack techniques to discover security vulnerabilities.

Penetration Testing

Ethical hacking of internal and/or external systems, web applications, mobile applications, end user devices, servers, networks, wireless devices, etc. Identifying, assessing and testing vulnerabilities in software and applications, configuration errors or other operational deployment weaknesses or deficiencies by using various attack techniques to gain access to network, system, application and information assets. This may include specialized penetration testing:
• Network exposure: assessing the exposure of systems and networks (and the vulnerabilities they may contain) to other networks (e.g., a corporate network to the internet, or ICS systems to a corporate network).
• IoT testing: specialized testing of devices and applications that have traditionally been “unconnected,” such as connected vehicle security.
• SCADA/ICS: specialized penetration testing of SCADA/ICS systems that takes into account the safety-critical nature of these networks and devices as well as the proprietary hardware and software associated with them.
• Intelligence-led penetration testing: using threat intelligence data and information on active threat actors to provide a real-world simulated attack on customer systems to show how well they would stand up to an advanced persistent threat (APT)-style attack.


CD: Capabilities (10/13)

Vulnerability Management

Attack Simulation

Activities will test and validate the ability to withstand a targeted cyberattack; measure detect and respond capabilities against industry-specific attack simulation; and demonstrate due diligence in securing the organization by simulating a real-world targeted cyberattack, emulating existing threat actor tools, techniques and procedures. Note: the red team will conduct the attack and the blue team will perform a parallel exercise to defend and respond to the attack.

Vulnerability Scanning

Identify, categorize, classify, prioritize, assess, track and report known vulnerabilities in software and firmware.

Social Engineering

Impactful identification of vulnerabilities among people and processes. For instance:
• Test user email security awareness through the use of phishing and spear-phishing methods.
• Test user security awareness through the use of voice-based ethical hacking methods.
• Test site security (physical security) defenses using ethical hacking methods.

Vulnerability Remediation

A list of activities to be undertaken to fix identified vulnerabilities.

Patch Management

Identify, test, approve and deploy security patches and hotfixes provided by software vendors to mitigate identified vulnerabilities according to established patch management procedures.


CD: Capabilities (11/13)

Vulnerability Management

Vulnerability Notification

Get vulnerability notification feeds from hardware, software and application vendors or security communities (e.g., Microsoft, SAP, Linux, Oracle, VMware) to be notified about new known vulnerabilities in firmware, operating systems, middleware or applications.

Vulnerability Monitoring

Get vulnerability feeds from customers/partners using software developed by the organization; customers/partners could discover security vulnerabilities while using software developed by the organization.

Vulnerability Validation & Criticality

Activities to evaluate applicability of notified vulnerabilities to an environment and evaluate or re-evaluate criticality of vulnerabilities (Critical, Major, Medium, Minor) to the organization.

Vulnerability Research

Research activities to discover new (unknown up to the point of discovery) vulnerabilities in firmware, operating systems, middleware or applications by trying to make them fail.


CD: Capabilities (12/13)

Security Analytics

Big Data Security Analytics

Big data infrastructure to allow processing of a large volume of unstructured and structured data to support contextual analysis and predictive security, and to allow real-time monitoring and alerting.

Baselining

Baseline of normal user, system or application behavior (network, system, application) to be used as reference when abnormal behavior is identified.

Data Anomaly Detection

Real-time identification, detection and alerting of fraudulent activities around data transaction and handling or other abnormal events that are not conforming to expected patterns.

User Behavior Analysis

Real-time identification, detection and alerting of fraudulent activities around user activities or other abnormal events that are not conforming to expected user behavior patterns.

Privileged Threat Analytics

Identification of malicious privileged user activity and actionable intelligence, allowing incident responders to disrupt and respond to attacks.
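Baselining and User Behavior Analysis as an added worked example (not part of the CRA document): a per-user baseline of active hours and daily download volume is learned from a training period, then a new day is scored against it and a deviation in volume or in time of day raises an alert. The activity rows, the z-score threshold, the hour margin and the standard-deviation floor are constructed assumptions.

```python
"""Added example (not part of the CRA document): baselining and user behaviour
analysis over constructed activity summaries.

Baselining: from a learning period, record each user's active hours and the
mean and spread of their daily download volume. User behaviour analysis:
score a new day against that baseline and alert on volume or time-of-day
deviations. The data, the z-score threshold and the hour margin are
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed learning-period rows: (user, day, hour_of_day, downloads)
TRAINING = [
    ("alice", "2018-11-05", 9, 12), ("alice", "2018-11-05", 14, 10),
    ("alice", "2018-11-06", 10, 15), ("alice", "2018-11-06", 16, 8),
    ("alice", "2018-11-07", 9, 11), ("alice", "2018-11-07", 15, 13),
    ("alice", "2018-11-08", 11, 9), ("alice", "2018-11-08", 17, 14),
    ("bob", "2018-11-05", 8, 3), ("bob", "2018-11-06", 9, 2),
    ("bob", "2018-11-07", 8, 4), ("bob", "2018-11-08", 10, 3),
]

# Constructed activity for the day under review: (user, hour_of_day, downloads)
NEW_DAY = [("alice", 2, 400), ("bob", 9, 3), ("carol", 12, 5)]

Z_THRESHOLD = 3.0   # assumed: flag volume more than 3 standard deviations out
HOUR_MARGIN = 1     # assumed: allow one hour either side of the observed hours
MIN_STDEV = 1.0     # assumed floor so a very regular user is not flagged by noise


@dataclass
class Baseline:
    hours: Set[int]
    mean_daily: float
    stdev_daily: float


def build_baselines(rows) -> Dict[str, Baseline]:
    """Learn active hours and daily-volume statistics per user."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    daily: Dict[Tuple[str, str], int] = defaultdict(int)
    for user, day, hour, downloads in rows:
        hours[user].add(hour)
        daily[(user, day)] += downloads
    baselines = {}
    for user in hours:
        totals = [v for (u, _), v in daily.items() if u == user]
        baselines[user] = Baseline(hours[user], mean(totals), pstdev(totals))
    return baselines


def score_day(baselines: Dict[str, Baseline], activity) -> List[dict]:
    """Return one alert per user whose day deviates from their baseline."""
    per_user_total: Dict[str, int] = defaultdict(int)
    per_user_hours: Dict[str, Set[int]] = defaultdict(set)
    for user, hour, downloads in activity:
        per_user_total[user] += downloads
        per_user_hours[user].add(hour)

    alerts = []
    for user, total in per_user_total.items():
        base = baselines.get(user)
        if base is None:
            # an account with no learned behaviour is itself worth a look
            alerts.append({"user": user, "reasons": ["no baseline for user"]})
            continue
        reasons = []
        z = (total - base.mean_daily) / max(base.stdev_daily, MIN_STDEV)
        if z > Z_THRESHOLD:
            reasons.append(f"download volume {total} is {z:.1f} sd above baseline")
        lo, hi = min(base.hours) - HOUR_MARGIN, max(base.hours) + HOUR_MARGIN
        odd_hours = sorted(h for h in per_user_hours[user] if not lo <= h <= hi)
        if odd_hours:
            reasons.append(f"activity at hours {odd_hours} outside {lo}..{hi}")
        if reasons:
            alerts.append({"user": user, "reasons": reasons})
    return alerts


def run_sample() -> List[dict]:
    return score_day(build_baselines(TRAINING), NEW_DAY)
```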


CD: Capabilities (13/13)

Security Analytics

Social Media Analysis

Real-time identification, detection and alerting of social media communication anomalies or other abnormal events that are not conforming to expected user behavior when using social media networks. This could also be used to anticipate new attack campaigns by analyzing external exchanges made on social media networks from multiple sources.

Network Anomaly Detection

Real-time identification, detection and alerting of network anomaly or other abnormal events or transactions that are not conforming to expected network communication patterns.

DNS Analytics

Real-time identification, detection and alerting of DNS anomalies that are not conforming to expected DNS communication patterns. For instance, this is used to identify "bad" DNS domain names used by attackers to infiltrate a customer environment or to exfiltrate information from a customer environment.

Technical Attack Reconstruction & Visualization

Ability to visually represent flows, actions, behavior, patterns, etc. with the intention to identify outliers. Also, the ability to automatically show exactly what happened: all processes, files, commands and scripts involved in an attack, showing the sequenced and end-to-end view of an attack (what process starts another process, loads a file or launches a command, etc.).
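Technical Attack Reconstruction as an added worked example (not part of the CRA document): process-start events are linked parent to child, and file, command and network events are attached to the process that produced them, giving the sequenced, end-to-end view the capability describes. The events, their field names and the process images are constructed samples, not any vendor's telemetry format.

```python
"""Added example (not part of the CRA document): reconstructing an attack
chain from endpoint telemetry.

Process start events are linked parent to child, and file, command and
network events are attached to the process that produced them, so the
end-to-end view (which process started which, what each wrote or connected
to) can be printed as a tree or traced back from a suspicious process to
its root. The events and their schema are constructed samples.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed endpoint events, already time-ordered
EVENTS = [
    {"ts": "09:00:00", "type": "process_start", "pid": 100, "ppid": 1,
     "image": "mailclient.exe", "cmd": "mailclient.exe"},
    {"ts": "09:02:10", "type": "file_write", "pid": 100,
     "target": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"ts": "09:02:15", "type": "process_start", "pid": 200, "ppid": 100,
     "image": "wordproc.exe", "cmd": "wordproc.exe invoice.docm"},
    {"ts": "09:02:40", "type": "process_start", "pid": 300, "ppid": 200,
     "image": "script_host.exe", "cmd": "script_host.exe stage.js"},
    {"ts": "09:02:41", "type": "net_connect", "pid": 300, "target": "203.0.113.10:443"},
    {"ts": "09:02:45", "type": "file_write", "pid": 300,
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},
    {"ts": "09:03:00", "type": "process_start", "pid": 101, "ppid": 1,
     "image": "calendar.exe", "cmd": "calendar.exe"},
]


class ProcessTree:
    def __init__(self, events: List[dict]):
        self.proc: Dict[int, dict] = {}                          # pid -> start event
        self.children: Dict[int, List[int]] = defaultdict(list)  # ppid -> child pids
        self.activity: Dict[int, List[dict]] = defaultdict(list) # pid -> its file/net events
        for ev in events:
            if ev["type"] == "process_start":
                self.proc[ev["pid"]] = ev
                self.children[ev["ppid"]].append(ev["pid"])
            else:
                self.activity[ev["pid"]].append(ev)

    def roots(self) -> List[int]:
        """Processes whose parent was never observed starting."""
        return [pid for pid, ev in self.proc.items() if ev["ppid"] not in self.proc]

    def chain_to_root(self, pid: int) -> List[str]:
        """Images from the root ancestor down to `pid`: the infection chain."""
        chain = []
        while pid in self.proc:
            chain.append(self.proc[pid]["image"])
            pid = self.proc[pid]["ppid"]
        return list(reversed(chain))

    def render(self, pid: int, depth: int = 0) -> List[str]:
        """Indented, time-sequenced view of a process, its activity and its children."""
        ev = self.proc[pid]
        pad = "  " * depth
        lines = [f"{pad}[{ev['ts']}] {ev['image']} (pid {pid}) cmd: {ev['cmd']}"]
        # interleave this process's own activity with its children, by time
        items = [(a["ts"], "act", a) for a in self.activity[pid]]
        items += [(self.proc[c]["ts"], "child", c) for c in self.children[pid]]
        for ts, kind, payload in sorted(items, key=lambda it: it[0]):
            if kind == "act":
                lines.append(f"{pad}  [{ts}] {payload['type']} -> {payload['target']}")
            else:
                lines.extend(self.render(payload, depth + 1))
        return lines


def reconstruct(events: List[dict]) -> List[str]:
    """Render every observed root and its descendants as one text tree."""
    tree = ProcessTree(events)
    out: List[str] = []
    for root in tree.roots():
        out.extend(tree.render(root))
    return out
```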



Security Orchestration (1/2)

Objective

Operate and demonstrate security posture

Operational security processes for the management, measurement and improvement of security capabilities integrated with service management processes and business processes.

Subdomains

Security Process Measurement

Security Operations Management


Security Orchestration (2/2)

Security Process Measurement
• Security Process Standard Adoption
• Security Operational Process Measurement
• Ops Measurement Generation & Collection
• Operational Security Reporting
• Operational Compliance Reporting

Security Operations Management
• Security Management Processes
• Resourcing
• Operational Security Steering Committee
• Equipment Lifecycle
• Incident & Change Management Integration
• Hardening
• Technical Health-Checking
• Change Advisory Board
• Security Change Impact Analysis
• Exception Management


SO: Subdomains

Security Process Measurement

Collection, consolidation and reporting of operational security KPIs for the measurement, communication and improvement of security performance, and the maturity and efficiency of security processes.

Security Operations Management

Operational processes for managing security capabilities integrated with service management processes and business processes.

SO: Capabilities (1/3)

Security Process Measurement

Security Process Standard Adoption

Selecting the standard used for process definition (e.g., ISO/IEC 27001, ITIL, COBIT).

Security Operational Process Measurement

Measurement with outputs and/or KPIs associated with any security process and supporting solutions to produce appropriate security reporting. This allows measurement of the maturity and efficiency of security processes, thus also supporting operational decision making and operational improvement plans.

Operational Measurement Generation & Collection

Each solution-supporting security process should generate relevant and actionable output and/or KPIs according to the security process description and objective. KPIs should be collected into a central repository for consolidation and analysis.

Operational Security Reporting

Reporting of operational security metrics/KPIs, allowing measurement of the maturity and efficiency of corresponding security processes. Communication to relevant service managers for operational decision making and action planning to continuously improve process efficiency.

Operational Compliance Reporting

Reporting of operational security metrics/KPIs to support the compliance and audit program. Communication to compliance managers and service managers for decision making and action planning to improve and ensure compliance posture.

SO: Capabilities (2/3)

Security Operations Management

Security Management

Processes

Security delivery processes and procedures definition, ownership, deployment and execution, including but not limited to antivirus management, IPS management, firewall management, health checking management, security solution maintenance and operational monitoring.

Resourcing Activities to ensure proper resources with adequate skill are assigned to support and maintain operational security processes.

Equipment Life Cycle

Equipment acceptance testing: new equipment, system and upgrade tested with predefined acceptance criteria before moving to production mode.Equipment monitoring and capacity management: Consistently monitor any equipment to detect and manage operational incident as well as to anticipate future capacity needs to ensure system performance.Equipment maintenance: Consistently maintain and upgrade any equipment to ensure availability and integrity.

Hardening Set of configuration settings, parameters and values to apply on a component (e.g., firmware, operating systems, middleware or applications) to limit the attack surface bysecuring the setting according to security best practices and corporate technical security standards.

Technical Health-Checking

Process to periodically check the technical compliance of component (e.g., firmware, operating systems, middleware or applications) settings and configuration againstdefined and agreed-upon corporate technical security standards; identification of nontechnical compliance.
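Hardening standards and technical health-checking meet in a compliance check of collected settings against a baseline, which is what the following added example does; it is not DXC's tooling or code from this deck, and the sshd_config-style baseline, host name and values are constructed assumptions.

```python
"""Added example (not DXC's tooling): a technical health-check that compares a
collected component configuration against a corporate hardening baseline and
produces the noncompliance findings and a KPI for operational reporting."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed hardening baseline in the style of an sshd_config. The required
# values are illustrative, not any real corporate technical security standard.
BASELINE: Dict[str, str] = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed configuration as collected from a host: one setting drifted to
# an insecure value, one exceeds the baseline limit, one is missing entirely.
COLLECTED_CONFIG = """\
# sshd_config collected from host web01 (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting is absent from the component


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, skipping blanks and comments. Like most daemons,
    the last occurrence of a key is the effective one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def health_check(config_text: str, baseline: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline setting that is missing or does not match.
    Values are compared case-insensitively because sshd accepts 'No' and 'no'."""
    actual = parse_config(config_text)
    findings: List[Finding] = []
    for key, expected in baseline.items():
        got = actual.get(key)
        if got is None or got.lower() != expected.lower():
            findings.append(Finding(key, expected, got))
    return findings


def compliance_ratio(config_text: str, baseline: Dict[str, str]) -> float:
    """KPI for operational security reporting: share of baseline settings met."""
    if not baseline:
        return 1.0
    return 1 - len(health_check(config_text, baseline)) / len(baseline)


if __name__ == "__main__":
    for f in health_check(COLLECTED_CONFIG, BASELINE):
        state = "missing" if f.actual is None else f"is {f.actual!r}"
        print(f"NONCOMPLIANT {f.setting}: expected {f.expected!r}, {state}")
    print(f"compliance: {compliance_ratio(COLLECTED_CONFIG, BASELINE):.0%}")
```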


SO: Capabilities (3/3)

Operational Security Steering Committee: Review of security process outputs and KPIs, and definition of prioritized actions and a corresponding plan to address process issues, noncompliance, SLAs and incidents.

Incident & Change Management Integration: Integration between security processes and the incident and change management process and ticketing system, to request changes (maintenance, settings, policy, etc.) and to support investigation (evidence collection, etc.) or remediation activities (clean-up, end-user device re-image, etc.).

Change Advisory Board: Ensure that any security change is approved and that a security impact analysis has been conducted for the change. For major architecture changes, Architecture Review Board approval is required. The advisory board is also responsible for reviewing, rejecting or approving exceptions (risk acceptance) to global security processes or technical security standards.

Security Change Impact Analysis: Provide change impact analysis for a security change, or for the security aspects of a change, to the Change Advisory Board. Determine what areas could be affected by the proposed changes and identify associated risks and potential mitigations. These areas may involve functional and nonfunctional testing.

Exception Management: Provide input, approvals and the necessary risk acceptance for the introduction of a nonstandard technology or configuration into the environment. Suggest standard technologies to manage the risk in the most cost-effective manner.


Identity & Access Management (1/2)

Objective: Securing the information assets

The management of identities, accounts, entitlements and access across multiple systems to ensure the right individual is granted the right access to resources in a fully auditable manner to meet compliance, operational and security requirements.

Subdomains: Identity & Account Management, Authentication Management, Access Management, Privileged Account Management


Identity & Access Management (2/2)

Identity & Account Management: Identity Feed; Identity Directories; Account Removal; Account Provisioning & De-provisioning; Federated Identity Management; Account Reconciliation & Consolidation; Account Revalidation; Account Monitoring & Auditing; Account Reporting

Authentication Management: Claims-based Authentication; Credential-based Authentication; Multi-Factor Authentication; Credential Provisioning; Single Sign-On; Credential Reset & Renewal; Strong Authentication; Authentication Policy Enforcement

Access Management: Object Access Control List; Group-based Access Control; Access Approval; Role-based Access Control; Access Provisioning & De-provisioning; Attribute-based Access Control; Adaptive Access Control; Access Reconciliation; Access Certification; Access Policy Enforcement; Access Removal; Access Monitoring & Auditing; Web and API Access Management; Delegation; Access Reporting

Privileged Account Management: Non-Personal Account Lifecycle Management; Privileged Session Management; Password Vaulting; Traceability & Accountability; Privileged Account Reporting; Privileged Account Reconciliation; Privileged Account Revalidation


IAM: Subdomains

Identity & Account Management: Managing user entities during the identity life cycle, and provisioning and deprovisioning of account IDs, including nonpersonal IDs.

Authentication Management: Enforcing centralized authentication policies, including credentials and strong authentication.

Access Management: Enforcing access authorizations and entitlements to applications and information.

Privileged Account Management: Provisioning and enforcement of privileged access authorizations and entitlements to systems and applications.


IAM: Capabilities (1/9)

Identity Feed: The automated process of transferring one or more identities from common sources of identity data.

Identity Directories: Shared repository for storing, structuring, organizing and managing data within an LDAP structure or other proprietary directory structure. Could include synchronization of directories for external distributed authentication and authorization to ensure consistency, availability and performance.

Account Provisioning & Deprovisioning: Generating a unique user account for an identity profile for use in IT systems or applications. Accounts are provisioned automatically on systems/applications and provided to the user directly or via his or her manager.

Account Reconciliation & Consolidation: Automated reconciliation of accounts by validating that accounts present on systems and applications belong to active identities. The account reconciliation includes inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned. This includes account consolidation for merging multiple user accounts into a single unique account ID, where the old account IDs are migrated to attributes of the new account ID.

Account Revalidation: Periodic manual revalidation of reconciled accounts performed by the line manager, who confirms or denies that reconciled accounts belong to active identities and reprovisions or deprovisions them according to the account provisioning process. This account revalidation includes inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.
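The reconciliation and consolidation steps described above, worked through on constructed data as an added example (not DXC tooling or code from this deck); the identity feed, the system exports, the 90-day dormancy window and the "<identity>-u" naming scheme for the merged account are all assumptions.

```python
"""Added example (constructed data, not DXC tooling): automated account
reconciliation across systems against the identity feed, flagging orphaned,
dormant and unowned nonpersonal accounts, and consolidating an identity's
multiple accounts into one unique account ID."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    identity_id: Optional[str]  # identity from the feed this account maps to
    account_type: str           # "personal" or "nonpersonal"
    owner: Optional[str]        # responsible owner, required for nonpersonal
    last_logon: Optional[date]


@dataclass
class ReconciliationResult:
    orphaned: List[Tuple[str, str]] = field(default_factory=list)
    dormant: List[Tuple[str, str]] = field(default_factory=list)
    unowned_nonpersonal: List[Tuple[str, str]] = field(default_factory=list)
    consolidations: Dict[str, dict] = field(default_factory=dict)


# Constructed identity feed (identity id -> status) and reference date.
IDENTITIES = {"i001": "active", "i002": "active", "i003": "terminated"}
TODAY = date(2018, 11, 14)

# Constructed accounts as exported from three systems.
ACCOUNTS = [
    Account("ad", "jsmith", "i001", "personal", None, TODAY - timedelta(days=2)),
    Account("sap", "j.smith", "i001", "personal", None, TODAY - timedelta(days=30)),
    Account("ad", "bjones", "i003", "personal", None, TODAY - timedelta(days=200)),
    Account("ad", "tmp_admin", None, "personal", None, None),
    Account("linux", "svc_backup", None, "nonpersonal", "i002", TODAY - timedelta(days=1)),
    Account("linux", "svc_legacy", None, "nonpersonal", None, TODAY - timedelta(days=400)),
]


def reconcile(accounts, identities, today, dormant_days=90) -> ReconciliationResult:
    res = ReconciliationResult()
    by_identity: Dict[str, List[Account]] = {}
    for acct in accounts:
        key = (acct.system, acct.account_id)
        if acct.account_type == "personal":
            # A personal account must belong to an identity that is still active.
            if identities.get(acct.identity_id) != "active":
                res.orphaned.append(key)
            else:
                by_identity.setdefault(acct.identity_id, []).append(acct)
        else:
            # Shared/system/service accounts need an active responsible owner.
            if acct.owner is None or identities.get(acct.owner) != "active":
                res.unowned_nonpersonal.append(key)
        # Dormancy is checked for every account type, including nonpersonal.
        if acct.last_logon is None or (today - acct.last_logon).days > dormant_days:
            res.dormant.append(key)
    # Consolidation: an identity holding several personal accounts gets a single
    # unique account ID; the former IDs are kept as attributes of the new one.
    for ident, accts in by_identity.items():
        if len(accts) > 1:
            res.consolidations[ident] = {
                "account_id": f"{ident}-u",  # constructed naming scheme
                "former_account_ids": sorted(f"{a.system}:{a.account_id}" for a in accts),
            }
    return res


if __name__ == "__main__":
    result = reconcile(ACCOUNTS, IDENTITIES, TODAY)
    print("orphaned:", result.orphaned)
    print("dormant:", result.dormant)
    print("unowned nonpersonal:", result.unowned_nonpersonal)
    print("consolidations:", result.consolidations)
```

The lists this produces are the input to the manual revalidation step: the line manager confirms or denies each flagged account before anything is deprovisioned.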


IAM: Capabilities (2/9)

Account Removal: Manual or automated deactivation, archiving and removal of active accounts after account reconciliation and revalidation, or after an employee leaves the company.

Federated Identity Management: Allows linkage of an electronic identity and its associated attributes stored in several different identity management systems, sometimes owned by different organizations (different "domains of control"), to enforce a common set of policies and rules around accounts linked to that identity across different systems, domains and organizations. This provides technical interoperability, enables the portability of identity information, and allows delegated authentication or authentication outsourcing to a service provider (SAML, OAuth, OpenID, security tokens, web services, etc.).

Account Monitoring & Auditing: Real-time monitoring of account usage, including logon and logoff attempts. Querying and ad hoc reporting for evidence on active accounts for compliance control purposes.

Account Reporting: Predefined, auto-generated reports, including active accounts, dormant accounts, suspended accounts, approvals and rejections, and related account activities.


IAM: Capabilities (3/9)

Claims-Based Authentication: Authentication based on known attributes of an identity without the need for credentials, provisioned to the service provider in a secure token.

Credential-Based Authentication: Basic authentication where hashes generated from password credentials are compared with hashes stored in a corporate user directory or in external user directories.

Credential Provisioning: Providing account password credentials to users with distribution methods that do not reveal the credential while in transit.

Credential Reset & Renewal: Reset of a password, or periodic renewal of password credentials, by self-service applications or by the help desk over two separate channels.

Strong Authentication: The use of authentication methods that are likely to withstand attacks and allow only the intended individual access to a system or systems. Two-factor or multifactor authentication can be considered strong authentication, but strong authentication does not necessarily mean two-factor or multifactor authentication. For instance, biometric or digital-certificate-based authentication, or one-factor authentication based on a nonreusable element that cannot easily be reproduced or stolen, can be considered strong authentication.


IAM: Capabilities (4/9)

Multifactor Authentication: The use of several separate and distinct methods of authentication together; can be two-factor authentication (2FA) or multifactor authentication (MFA): something you know (e.g., password, PIN, pattern), something you have (e.g., mobile phone, credit card, key), something you are (e.g., fingerprint, facial recognition) and/or somewhere you are (localization). An example would be the use of a digital certificate, a one-time password or facial recognition along with a pattern.

Single Sign-On: An identity, authentication and authorization system where the user logs in once with a single set of credentials and gets a security token (Kerberos ticket, SAML ticket) that can be reused in multiple SSO-aware applications without the need to authenticate again. Allows single authentication across different IT systems or even organizations.

Authentication Policy Enforcement: The process of enforcing centralized authentication policies according to predefined password policies (e.g., password length, complexity and expiration) and authentication methods (credential-based, claims-based, strong authentication, etc.).


IAM: Capabilities (5/9)

Object Access Control List: A list of permissions attached to an object (file system, computer, etc.) to permit or deny access to subjects (users or user groups); often used for network access control.

Group-Based Access Control: Access permissions based on the group memberships of a user entity, either directly assigned or inherited through other group memberships.

Role-Based Access Control: Assigning one or many access privileges to a user based on predefined job roles within an organization, linked to the identity profile (i.e., a role is assigned to an account/identity).

Attribute-Based Access Control: Assigning access privileges based on user attributes, resource attributes, environment attributes, etc., by enforcing authorization policies using the XACML standard. Attribute-based access control can be used to enforce mandatory access control (MAC).

Adaptive Access Control: Access control enforced based on dynamically changing levels of risk and trust, measured using the user's contextual information (e.g., behavior, localization, endpoint technical compliance or other attributes or criteria). The level of trust, measured in real time, may trigger additional controls beyond adaptive authentication and access control to minimize the risk associated with that level of trust.
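Attribute-based and adaptive access control, as described in the last two entries, combined in one added example (constructed policy; neither an XACML engine nor DXC's code): a deny-overrides attribute policy with clearance labels used MAC-style, and an adaptive layer whose risk score from device, location and time of day steps up or denies on top of the attribute decision. The attribute names, levels, thresholds and scores are assumptions.

```python
"""Added example (constructed policy; neither an XACML engine nor DXC's code):
attribute-based access decisions with deny-overrides combining, plus an
adaptive layer that measures contextual risk in real time and steps up or
denies access on top of the attribute decision."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    # Predicate over (subject, resource, environment) attributes.
    condition: Callable[[Attrs, Attrs, Attrs], bool]


# Classification labels used like mandatory-access-control levels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

POLICY: List[Rule] = [
    Rule("deny-below-clearance", "Deny",
         lambda s, r, e: LEVELS[s["clearance"]] < LEVELS[r["classification"]]),
    Rule("deny-noncompliant-endpoint", "Deny",
         lambda s, r, e: not e.get("endpoint_compliant", False)),
    Rule("permit-owning-department", "Permit",
         lambda s, r, e: s["department"] == r["owner_department"]),
]


def abac_decide(subject: Attrs, resource: Attrs, env: Attrs, policy=POLICY) -> str:
    """Deny-overrides: any applicable Deny wins; else Permit if a Permit rule
    applies; else NotApplicable, which the enforcement point treats as deny."""
    effects = [rule.effect for rule in policy if rule.condition(subject, resource, env)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def risk_score(env: Attrs) -> int:
    """Adaptive input: contextual signals (device, location, time) raise risk."""
    score = 0
    if not env.get("known_device", False):
        score += 2
    if env.get("country") != env.get("home_country"):
        score += 2
    hour = env.get("hour", 12)
    if hour < 6 or hour > 22:
        score += 1
    return score


def adaptive_decide(subject: Attrs, resource: Attrs, env: Attrs) -> str:
    """Combine the static attribute decision with the measured trust level:
    low risk passes, medium risk requires step-up authentication, high risk
    is denied even where the attribute policy alone would permit."""
    if abac_decide(subject, resource, env) != "Permit":
        return "Deny"
    score = risk_score(env)
    if score >= 4:
        return "Deny"
    if score >= 2:
        return "StepUp"
    return "Permit"


# Constructed request used by the demo and tests.
SUBJECT = {"clearance": "confidential", "department": "finance"}
RESOURCE = {"classification": "internal", "owner_department": "finance"}
TRUSTED_ENV = {"endpoint_compliant": True, "known_device": True,
               "country": "FR", "home_country": "FR", "hour": 10}

if __name__ == "__main__":
    print(adaptive_decide(SUBJECT, RESOURCE, TRUSTED_ENV))
    print(adaptive_decide(SUBJECT, RESOURCE, {**TRUSTED_ENV, "known_device": False}))
```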


IAM: Capabilities (6/9)

Access Approval: System or application access requests from end users based on business needs, reviewed and approved or rejected by one or more responsible managers or information owners.

Access Provisioning & Deprovisioning: Provision (automatically or by self-service) a user's access to resources on systems, applications and services based on roles and business rules. User access provisioning automates and optimizes user administration to reduce risk and the cost of performing the task manually.

Access Reconciliation: Periodic automated reconciliation of the need for account access privileges based on business job roles or functions. The access reconciliation may include inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.

Access Certification: Periodic revalidation of the need for account access privileges based on account reconciliation, performed by the line manager, account owner or compliance department by approving or denying reconciled account privileges and reprovisioning or deprovisioning according to the provisioning process. This access revalidation may include inactive or dormant account access privileges as well as shared, default, system or service account access privileges for which responsible account owners are assigned.

Access Removal: Manual or automated deactivation and archiving of access privileges for user accounts or groups after reconciliation, when access is no longer needed due to changes in access requirements.


IAM: Capabilities (7/9)

Web and API Access Management: Web and API access management to allow authentication with third parties, business partners, suppliers, service providers, etc. (web or mobile, private or public cloud, internal or external applications). Could leverage SAML, OAuth, OpenID, etc. Web access management usually focuses on providing access to resources; API access management may provide access for people, machines and other APIs to APIs.

Delegation: Process to assign some responsibilities or authorities to another person for a determined period of time to perform some activities and make some decisions.

Access Policy Enforcement: Process of enforcing centralized authorization policies (access control list (ACL)-based, group membership-based, role-based or attribute-based).

Access Monitoring & Auditing: Monitoring of granted access privileges and of the use of those privileges to detect unauthorized or fraudulent access according to policies, for compliance control and investigation purposes.

Access Reporting: Predefined, auto-generated reports of the access privileges granted to user accounts or groups. Reports should provide a view across systems and applications and evidence of granted, revoked or suspended access privileges for compliance control purposes.


IAM: Capabilities (8/9)

Nonpersonal Account Life-Cycle Management: The management of system or service accounts used by nonpersonal entities, as well as shared privileged accounts such as root and default accounts. An account owner is assigned and is responsible for nonpersonal account creation, access granting, revalidation and removal, and for the ability to check out/check in the account.

Privileged Session Management: Recording and replaying privileged user session activities on sensitive or confidential information assets.

Traceability & Accountability: Tracing privileged access to an individual user, ensuring accountability for actions in case of investigations or for compliance purposes.

Privileged Account Reconciliation: Automated reconciliation of the need for privileged accounts based on business job roles or functions. The account reconciliation includes inactive or dormant accounts as well as shared, default, system or service accounts for which responsible account owners are assigned.

Privileged Account Revalidation: Periodic manual revalidation of reconciled privileged accounts performed by the line manager, who approves or denies reconciled accounts and reprovisions or deprovisions them according to the provisioning process. This account revalidation includes inactive or dormant account access privileges as well as shared, default, system or service accounts for which responsible account owners are assigned.


IAM: Capabilities (9/9)

Password Vaulting: Preventing malicious access to and use of privileged user passwords by using an encrypted storage area to manage the password credentials of privileged users.

Privileged Account Reporting: Predefined, auto-generated reports including active, dormant or suspended privileged accounts, account approvals and rejections, and other account activities.
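Nonpersonal account check-out/check-in, traceability and password vaulting (entries on this and the preceding capability page) fit together in one mechanism, shown here as an added example that is a constructed model, not a vault product's API or DXC's code: a shared account's credential is released exclusively to one authorized individual for a limited time, rotated on check-in, and the audit trail answers who held it at any moment. The account name "root@db01", the identities and the one-hour TTL are assumptions.

```python
"""Added example (constructed model; not a vault product's API and not DXC's
code): a privileged-credential vault with exclusive check-out/check-in and
rotation on check-in, so use of a shared nonpersonal account such as root is
always traceable to one individual."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class PrivilegedAccount:
    account_id: str  # e.g. "root@db01" (constructed)
    owner: str       # identity responsible for the nonpersonal account
    secret: str      # current credential, held only inside the vault
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    action: str  # "checkout", "checkin", "rotate" or "denied"
    account_id: str


class Vault:
    def __init__(self, authorized: Dict[str, Set[str]]):
        self.accounts: Dict[str, PrivilegedAccount] = {}
        self.authorized = authorized  # account_id -> identities allowed to check out
        self.audit: List[AuditEvent] = []

    def add(self, account: PrivilegedAccount) -> None:
        self.accounts[account.account_id] = account

    def checkout(self, actor: str, account_id: str, now: datetime,
                 ttl: timedelta = timedelta(hours=1)) -> Optional[str]:
        """Release the credential to an authorized individual for a limited time.
        Check-out is exclusive: while one person holds it, others are refused."""
        acct = self.accounts[account_id]
        held_by_other = (acct.checked_out_by not in (None, actor)
                         and acct.checkout_expires is not None
                         and acct.checkout_expires > now)
        if actor not in self.authorized.get(account_id, set()) or held_by_other:
            self.audit.append(AuditEvent(now, actor, "denied", account_id))
            return None
        acct.checked_out_by, acct.checkout_expires = actor, now + ttl
        self.audit.append(AuditEvent(now, actor, "checkout", account_id))
        return acct.secret

    def checkin(self, actor: str, account_id: str, now: datetime) -> bool:
        """Return the credential; the vault rotates it so the disclosed value
        stops working and the next holder receives a fresh one."""
        acct = self.accounts[account_id]
        if acct.checked_out_by != actor:
            self.audit.append(AuditEvent(now, actor, "denied", account_id))
            return False
        acct.secret = secrets.token_urlsafe(24)
        acct.checked_out_by, acct.checkout_expires = None, None
        self.audit.append(AuditEvent(now, actor, "checkin", account_id))
        self.audit.append(AuditEvent(now, "vault", "rotate", account_id))
        return True

    def who_held(self, account_id: str, at: datetime) -> Optional[str]:
        """Traceability: the individual holding the shared account at time `at`
        (between their check-out and check-in), reconstructed from the audit log."""
        holder = None
        for ev in self.audit:
            if ev.account_id != account_id or ev.when > at:
                continue
            if ev.action == "checkout":
                holder = ev.actor
            elif ev.action == "checkin":
                holder = None
        return holder


def demo():
    """Constructed scenario: two authorized admins share root on one host."""
    vault = Vault(authorized={"root@db01": {"i001", "i002"}})
    vault.add(PrivilegedAccount("root@db01", owner="i002", secret="initial-secret"))
    t0 = datetime(2018, 11, 14, 9, 0)
    first = vault.checkout("i001", "root@db01", t0)
    blocked = vault.checkout("i002", "root@db01", t0 + timedelta(minutes=10))
    unauthorized = vault.checkout("i009", "root@db01", t0 + timedelta(minutes=20))
    vault.checkin("i001", "root@db01", t0 + timedelta(minutes=30))
    second = vault.checkout("i002", "root@db01", t0 + timedelta(minutes=40))
    return vault, t0, first, blocked, unauthorized, second


if __name__ == "__main__":
    v, t0, *_ = demo()
    for ev in v.audit:
        print(ev.when.time(), ev.actor, ev.action, ev.account_id)
```

The audit list is also the raw material for privileged account reporting: denied attempts, holders and rotations per account fall out of it directly.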


Infrastructure & Endpoint Security (1/2)

Objective: Securing the information assets

Rule-based, automated techniques and tools for monitoring, detecting, scanning, blocking, analyzing, detonating, logging and alerting against known and unknown malware, exploits and threats at endpoints and in networks.

Subdomains: Security Enforcement by Design, Rule-Based Security Policy Enforcement, Known Threat Detection & Prevention, Unknown Threat Detection & Prevention, Forensic Analysis & Response


Infrastructure & Endpoint Security (2/2)


IES: Subdomains

Security Enforcement By

Design

Automated enforcement techniques for zoning, encrypting, virtualizing, intercepting, intermediating and session controlling remote access, wireless access and network access.

Rule-Based Security Policy Enforcement

Rule-based and automated enforcement techniques and tools for monitoring, scanning, inspecting, blocking, blacklisting and whitelisting unauthorized, illegal and noncompliant access to internal and external resources at endpoints and network infrastructure, preventing malware infections and C2 connections.

Known Threat Detection & Prevention

Monitoring, detecting, scanning, blocking, remediating, logging and alerting for malware and exploits with signature-, reputational- and behavior-based software at endpoints and in networks, including DDoS attack protection.

Unknown Threat Detection & Prevention

The detection, analysis, blocking and detonation of web and email content as well as files shared over the network in isolated sandbox environments or in real time by simulating/replaying end-to-end communication or sessions.

Forensic Analysis & Response

Endpoint and network incident response and forensics tooling with collection, recording, detection, investigation, containment, remediation and threat disruption capabilities.


IES: Capabilities (1/9)

Subdomains: Known Threat Detection & Prevention; Rule-Based Security Policy Enforcement; Forensic Analysis & Response; Unknown Threat Detection & Prevention; Security Enforcement By Design

Zoning

Segmenting and isolating information assets and networks logically into separated zones of subnets or VLANs with consistent security policies and requirements based on information classification, vulnerabilities and threats; restricting access and information flows only to authorized components and users according to security policies; and minimizing object visibility to unauthorized entities.

Network Encryption

Point-to-point transport layer encryption of communications to secure data transmission over unmanaged or insecure networks.

Session Encryption

Session encryption, or endpoint-to-system transport layer encryption of communications, to secure data transmission between endpoints over unmanaged or insecure networks.

Remote Access Control

Security control mechanisms dedicated for inbound access for employees working remotely, from the internet or from public or uncontrolled environments to internal network resources, with capabilities for strong authentication, access control, session logging and computer compliance host checking.

Wireless Access Control

Security control mechanisms with mutual authentication of client and server to ensure only authorized users are allowed access, enabling secure connections to internal networks.


IES: Capabilities (2/9)


Network Access Control

Policy-based access authorization and device connectivity to networks and resources, including preadmission policy compliance checks.

SSL Interception

Intercepting and decrypting encrypted traffic, and forwarding the unencrypted traffic for malware or content analysis.

Jump Hosting

A terminal server for virtual desktop or virtual host sessions to internal network resources, restricted to graphical presentation without resource sharing, providing authentication, access control, session logging and computer compliance checking capabilities.

Microvirtualization & Containerization

An alternative to full virtualization, encapsulating an application (containerization) or a task/transaction (microvirtualization) in an isolated container with its own operating environment, enabling the application to securely run on any suitable physical machine without any dependencies or constraints; or in an isolated micro virtual machine to isolate user tasks from one another, including system and network resources.

Proxy

A network component acting as a session intermediary for its associated clients and servers, providing anonymity and enabling session logging, session control, content analysis, etc.


IES: Capabilities (3/9)


Clock Synchronization

A reliable external time source used to synchronize the clocks of all systems/components, to facilitate tracing, reconstitution of activity timelines and analysis.

Master Copy & Reimage

Ability to create images and clones to distribute corporate endpoint images (for laptops, servers or virtual machines) aligned with security technical standards, to support incident remediation and recovery: a large number of systems can be created very quickly, and compromised or wrecked systems can be re-created sufficiently and effectively, even while the threat actor is still active. The image is created in a secure environment using verified (hashed) software, is patched with the latest updates and is configured to comply with corporate security technical standards.


IES: Capabilities (4/9)


Network Layer Firewall

Rule-based controls to authorize or deny access at the network level or at endpoints, based on IP address, subnets, ports, protocols and connection types, implemented with stateful or packet-filtering firewalls or access control lists.

Application Firewall

Rule-based control enforcement to authorize or deny application types, application traffic flows, application requests, application commands or features at the user session level, at the application or database layer.

Web Content Filtering

Rule-based URL filtering and blocking, preventing illegal, inappropriate or forbidden-by-corporate-policy access to websites or web content, or to known malware websites on the internet.

Application Control

Preventing malware from executing by whitelisting or blacklisting applications, tools or process execution, blocking configuration changes and preventing storage in directories.

Software Installation Control

Ensuring any deployed software has been authorized.


IES: Capabilities (5/9)


DNS Sinkholing

Control channel prevention by rerouting, faking and blocking name-to-IP-address DNS lookups, to prevent malware-infected endpoints from connecting to C2 hosts.
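The DNS sinkholing capability above, as an added example that is not part of the CRA document or DXC's tooling: a resolver wrapper answers lookups for blocklisted domains (and their subdomains) with an internal sinkhole address instead of the real one, records which client asked, and forwards everything else upstream. The blocklist entries, upstream answers, client addresses and sinkhole IP are all constructed sample values; the `Resolver`, `matched_entry` and `infected_clients` names are this example's own.

```python
"""DNS sinkholing: answer lookups for known-bad domains with a sinkhole
address so infected endpoints cannot reach their C2 hosts, and log the hit
so the SOC can find the infected client.

Added example, not from the CRA document.  The blocklist, upstream answers,
client addresses and sinkhole IP below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Constructed blocklist of C2 domains (placeholder names, not real IoCs).
BLOCKLIST = {"c2-example.invalid", "beacon.bad-example.test"}

# Constructed upstream resolver answers, standing in for a real forwarder.
UPSTREAM = {"www.example.com": "203.0.113.10", "intranet.corp.example": "10.1.2.3"}

SINKHOLE_IP = "10.255.255.1"  # internal address of the sinkhole listener


@dataclass
class SinkholeEvent:
    client: str
    qname: str
    matched: str


@dataclass
class Resolver:
    blocklist: set
    upstream: Callable[[str], Optional[str]]
    sinkhole_ip: str = SINKHOLE_IP
    events: list = field(default_factory=list)

    def matched_entry(self, qname: str) -> Optional[str]:
        """Return the blocklist entry that covers qname, or None.
        A listed domain also covers all of its subdomains."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, client: str, qname: str) -> Tuple[Optional[str], str]:
        """Return (answer, action); action is sinkholed, forwarded or nxdomain."""
        entry = self.matched_entry(qname)
        if entry is not None:
            # Log before answering: the log line is the detection signal.
            self.events.append(SinkholeEvent(client, qname, entry))
            return self.sinkhole_ip, "sinkholed"
        answer = self.upstream(qname)
        if answer is None:
            return None, "nxdomain"
        return answer, "forwarded"


def infected_clients(resolver: Resolver) -> set:
    """Clients that asked for sinkholed names: the triage list for IR."""
    return {e.client for e in resolver.events}


def build_resolver() -> Resolver:
    """Wire the constructed blocklist and upstream table into a resolver."""
    return Resolver(
        blocklist=set(BLOCKLIST),
        upstream=lambda q: UPSTREAM.get(q.lower().rstrip(".")),
    )


if __name__ == "__main__":
    r = build_resolver()
    for client, q in [("10.0.0.5", "www.example.com"),
                      ("10.0.0.9", "update.c2-example.invalid."),
                      ("10.0.0.9", "nope.example.org")]:
        print(client, q, r.resolve(client, q))
    print("infected:", infected_clients(r))
```

The sinkhole address should point at an internal listener that logs the connection attempt rather than at an unroutable address: the endpoint that then connects to it is the one to isolate.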

Device Control

Monitoring and blocking software from reading, writing and executing on end user devices and ports and on removable media.

Flow Access Control List

Rule-based blocking of unauthorized and noncompliant access by host checking, MAC ACL, IP ACL, etc.
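The Zoning (page 94), Network Layer Firewall (page 97) and Flow Access Control List capabilities all come down to one mechanism: classify endpoints into zones and evaluate each flow against an ordered rule base that ends in a default deny. The following is an added example, not code from the CRA document or from DXC; the zone subnets, rule base, rule names and sample flows are constructed, and `shadowed_rules` is a policy-hygiene check of this example's own design.

```python
"""Zone-based network access policy evaluation.

Added example, not part of the CRA document: endpoints are classified
into zones by subnet, and each flow is checked against an ordered rule
base with an explicit default deny at the end.  Zones, rules and the
flows under main() are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zoning: subnets grouped by classification and trust level.
ZONES = {
    "users":   [ip_network("10.10.0.0/16")],
    "servers": [ip_network("10.20.0.0/16")],
    "dmz":     [ip_network("192.0.2.0/24")],
    "mgmt":    [ip_network("10.99.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "*" for any
    dst_zone: str
    proto: str               # "tcp", "udp" or "*"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"
    name: str


# Ordered, first-match rule base.  The final rule is the default deny, so
# any flow the earlier rules do not describe is blocked.
RULES = [
    Rule("users", "servers", "tcp", 443,  "allow", "users-to-app-https"),
    Rule("users", "servers", "tcp", 22,   "deny",  "no-user-ssh-to-servers"),
    Rule("mgmt",  "*",       "tcp", 22,   "allow", "admin-ssh-from-mgmt"),
    Rule("dmz",   "servers", "*",   None, "deny",  "dmz-cannot-initiate-inbound"),
    Rule("*",     "dmz",     "tcp", 443,  "allow", "anyone-to-dmz-https"),
    Rule("*",     "*",       "*",   None, "deny",  "default-deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone get a catch-all name."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unzoned"


def _matches(rule: Rule, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
    return (rule.src_zone in ("*", src_zone)
            and rule.dst_zone in ("*", dst_zone)
            and rule.proto in ("*", proto)
            and rule.dst_port in (None, dst_port))


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if _matches(rule, src_zone, dst_zone, proto.lower(), dst_port):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # only reached if the rule base lacks a catch-all


def shadowed_rules(rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Policy hygiene check: a rule is shadowed when an earlier rule whose
    match fields are the same or broader already decides every flow it
    could match.  Returns (shadowed rule, shadowing rule) pairs."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zone in ("*", later.src_zone)
                    and earlier.dst_zone in ("*", later.dst_zone)
                    and earlier.proto in ("*", later.proto)
                    and earlier.dst_port in (None, later.dst_port)):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


if __name__ == "__main__":
    for flow in [("10.10.1.5", "10.20.3.4", "tcp", 443),
                 ("10.10.1.5", "10.20.3.4", "tcp", 22),
                 ("10.99.0.2", "10.20.3.4", "tcp", 22),
                 ("192.0.2.10", "10.20.3.4", "tcp", 443),
                 ("172.16.0.1", "10.20.3.4", "tcp", 443)]:
        print(flow, "->", evaluate(*flow))
    print("shadowed:", shadowed_rules())
```

Two properties worth checking in any real rule base are visible here: an address that belongs to no zone can only ever hit the default deny, and a rule that is shadowed by an earlier, broader one is dead configuration that will mislead whoever reads the policy later.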


IES: Capabilities (6/9)


Known Malware Protection

Detecting, scanning, analyzing, blocking, logging, alerting and remediating known malware on endpoints, mail, collaboration and messaging servers, networks, virtualized systems, etc., with signature-based software triggered by process execution (e.g., opening a file, web browsing, downloading a file, opening email attachments), often called anti-malware, anti-virus and anti-spyware.

Known Exploit Protection

Detecting, scanning, analyzing, blocking, logging, alerting and remediating malicious activities on endpoints and in networks with heuristics-based software recognizing command sequences or malformed packets exploiting a known vulnerability, often called Host IPS or Network IPS.

Known Behavior-Based Attack Prevention

Monitoring, analyzing, logging, alerting and remediating endpoints and networks with pattern-based software detecting deviations from normal user, system or application behavior, protocol/Remote Function Call (RFC) conformity, etc., used in DDoS protection, IPS and C2 channel prevention.

Known Reputational-Based Attack Prevention

Detecting, scanning, logging, alerting and remediating on endpoints and in networks with reputation-based software and URL filtering, blocking illegal or unethical content and harmful malware (e.g., pedophilia, spam, phishing email, web content, C2 channel blacklisting based on known IP addresses or DNS domain names, or DNS sinkholing).

DDoS Attack Protection

Real-time protection for deflecting and blocking DDoS attacks (volumetric, protocol-based or application-layer-based) from the internet before they reach the corporate perimeter; the attack objective can be to make business-critical websites unavailable, or to act as a diversion masking more malicious attacks through other attack vectors.


IES: Capabilities (7/9)


Unknown Malware Detection & Analysis

Analyzing, blocking, detonating and alerting on unknown malware in web or email traffic, in isolated virtual sandbox environments or in real time, preventing the infection of other resources.

Unknown Exploit Detection & Analysis

Techniques for zero-day threat detection and prevention, session sandboxing, session deconstruction or replay.

Unknown Behavior-Based Attack Detection & Analysis

Anomaly detection and analysis based on user and system behavior (e.g., NetFlow baselining).
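NetFlow baselining, named above as the example of behavior-based detection, as an added worked example that is not part of the CRA document or any DXC tool: per host, a baseline of outbound bytes per day is learnt from a history window, and the current day is flagged when it sits more than a chosen number of standard deviations above that baseline. The flow records, hosts, thresholds and the minimum-history rule are constructed choices of this example.

```python
"""Behavior-based anomaly detection by NetFlow baselining.

Added example, not from the CRA document: for each internal host a
baseline of outbound bytes per day is learnt from a history window, and
the current day's total is flagged when it deviates from that baseline by
more than `threshold` standard deviations.  Flow records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed flow records: (day, src_ip, dst_ip, bytes_out).
FLOWS: List[Tuple[int, str, str, int]] = []
for _day in range(1, 8):   # seven days of normal history
    FLOWS += [(_day, "10.10.1.7", "203.0.113.5", 50_000 + _day * 1_000),
              (_day, "10.10.1.8", "203.0.113.5", 80_000 + _day * 2_000)]
# Day 8: host .7 pushes an unusual volume to a new destination; .8 is unchanged.
FLOWS += [(8, "10.10.1.7", "198.51.100.9", 4_500_000),
          (8, "10.10.1.8", "203.0.113.5", 90_000)]


def daily_bytes_out(flows) -> Dict[str, Dict[int, int]]:
    """Aggregate flows into bytes out per source host per day."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def baseline(history: List[int]) -> Tuple[float, float]:
    """Mean and population standard deviation of the history window."""
    return mean(history), pstdev(history)


def detect(flows, current_day: int, threshold: float = 3.0, min_history: int = 5) -> List[dict]:
    """Return one finding per host whose current-day volume is anomalous."""
    findings = []
    for host, per_day in daily_bytes_out(flows).items():
        history = [b for d, b in sorted(per_day.items()) if d < current_day]
        today = per_day.get(current_day)
        if today is None or len(history) < min_history:
            # No usable baseline yet: stay silent rather than alert on noise.
            continue
        mu, sigma = baseline(history)
        # A flat history makes sigma tiny and every change look infinite;
        # a floor of 5% of the mean keeps the score meaningful.
        sigma = max(sigma, 0.05 * mu)
        z = (today - mu) / sigma
        if z > threshold:
            findings.append({"host": host, "day": current_day, "bytes": today,
                             "baseline_mean": mu, "zscore": round(z, 1)})
    return findings


if __name__ == "__main__":
    for f in detect(FLOWS, current_day=8):
        print(f"ANOMALY host={f['host']} bytes_out={f['bytes']} "
              f"baseline={f['baseline_mean']:.0f} z={f['zscore']}")
```

The minimum-history guard matters operationally: a host that appears for the first time has no baseline, and alerting on it would only train analysts to ignore the detector.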


IES: Capabilities (8/9)


Full Packet Capture & Protocol Decoding

Flight recorder for capturing and recording network packets, including payload, for security analytics, investigation and forensics. Includes protocol decoding.

Endpoint Forensic Tooling

Ability to dump and collect digital evidence from endpoints, both volatile (in memory) and nonvolatile (on disk): list of processes, list of TCP sessions, registry, part of the disk space, full disk dump, memory content used by a process, entire memory dump, etc., to support triage and investigation activities.

Endpoint Containment

Isolation of the endpoint when compromised.

Endpoint Remediation

Ability to support remediation when an endpoint is compromised: kill session, kill process, shut down the workstation, etc.

Network Forensic Tooling

Ability to collect network artifacts such as TCP sessions, packet statistics, ARP information, ICMP information, NetFlow information, etc., and to search for indicators of compromise within the network by analyzing this information or applying detection rules.


IES: Capabilities (9/9)


IOC Detection, Real-Time Query & Alerting

Ability to alert in real time based on published rules, IOCs or on-demand queries (search for known indicators of compromise) on endpoints and in the network.
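The IOC search described for Network Forensic Tooling (page 101) and the real-time alerting and on-demand query described here are the same matching step applied in two modes. The following added example, not code from the CRA document or from DXC, applies a published indicator set (file hashes, domains, IP addresses) to endpoint process, DNS and connection records: streaming evaluation raises an alert per hit, and `query` answers "which hosts have seen this indicator". Every indicator and telemetry record is a constructed placeholder, not a real IoC; the record schema and the `RECORD_FIELDS` mapping are assumptions of this example.

```python
"""IOC detection and on-demand query over endpoint and network telemetry.

Added example, not from the CRA document: a published indicator set
(file hashes, domains, IP addresses) is applied to process, DNS and
connection records, each hit becomes an alert, and a single indicator can
be queried across all hosts.  All indicators and records below are
constructed placeholders, not real IoCs.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed IOC feed: indicator type -> {indicator value: threat label}.
IOCS: Dict[str, Dict[str, str]] = {
    "sha256": {"0" * 63 + "1": "dropper-placeholder"},
    "domain": {"beacon.bad-example.test": "c2-domain-placeholder"},
    "ipv4":   {"198.51.100.7": "c2-ip-placeholder"},
}

# Which telemetry field is checked against which indicator type (assumed schema).
RECORD_FIELDS = {
    "process": ("sha256", "sha256"),
    "dns":     ("domain", "qname"),
    "conn":    ("ipv4", "dst_ip"),
}

# Constructed telemetry as collected from endpoints and network sensors.
TELEMETRY = [
    {"host": "ws-01", "type": "process", "image": "C:\\Users\\a\\update.exe", "sha256": "0" * 63 + "1"},
    {"host": "ws-01", "type": "dns", "qname": "Beacon.Bad-Example.test"},
    {"host": "ws-02", "type": "conn", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"host": "ws-03", "type": "process", "image": "C:\\Windows\\notepad.exe", "sha256": "a" * 64},
    {"host": "ws-03", "type": "dns", "qname": "www.example.com"},
]


def normalize(ioc_type: str, value: str) -> str:
    """Compare case-insensitively; DNS names also drop a trailing dot."""
    value = value.strip().lower()
    return value.rstrip(".") if ioc_type == "domain" else value


def match_record(record: dict, iocs: Dict[str, Dict[str, str]] = IOCS) -> List[dict]:
    """Return one alert per indicator the record hits (zero or one here)."""
    if record["type"] not in RECORD_FIELDS:
        return []                      # record type without an indicator mapping
    ioc_type, field = RECORD_FIELDS[record["type"]]
    value = normalize(ioc_type, record.get(field, ""))
    label = iocs.get(ioc_type, {}).get(value)
    if label is None:
        return []
    return [{"host": record["host"], "ioc_type": ioc_type, "indicator": value,
             "label": label, "record": record}]


def scan(records: Iterable[dict], iocs: Dict[str, Dict[str, str]] = IOCS) -> List[dict]:
    """Streaming mode: evaluate each record as it arrives and collect alerts."""
    alerts: List[dict] = []
    for record in records:
        alerts.extend(match_record(record, iocs))
    return alerts


def query(records: Iterable[dict], ioc_type: str, indicator: str) -> Dict[str, int]:
    """On-demand mode: which hosts have seen this indicator, and how often."""
    wanted = normalize(ioc_type, indicator)
    hits: Dict[str, int] = defaultdict(int)
    for record in records:
        mapping = RECORD_FIELDS.get(record["type"])
        if mapping and mapping[0] == ioc_type:
            if normalize(ioc_type, record.get(mapping[1], "")) == wanted:
                hits[record["host"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for alert in scan(TELEMETRY):
        print(f"ALERT host={alert['host']} {alert['ioc_type']}={alert['indicator']} label={alert['label']}")
    print("hosts that resolved the C2 domain:", query(TELEMETRY, "domain", "beacon.bad-example.test"))
```

Normalisation is the part that bites in practice: a feed that lists `beacon.bad-example.test` must still match a query log that recorded `Beacon.Bad-Example.test.`, otherwise the IOC is silently missed.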

Honeypots & Threat Deception

Simulation of network, system, application and data layers to learn about unknown attack techniques and malware and to delay and disrupt attackers' activities, acting as bait to identify attackers by generating deceptive responses, lies, misdirection, diversions, etc.


Applications Security (1/2)

Objective

Securing the information assets

Methodology, process, expertise and tools to increase and provide assurance that applications/software meet relevant security requirements and implement required security controls, while reducing the number and severity of vulnerabilities, to protect the data and control entrusted to the applications or other software. Industry-standard software development practices can result in applications riddled with vulnerabilities, so improvement is required.

Subdomains

Software Life Cycle

Secured Application Development

Application Quality Assurance

Release, Deployment & Maintenance



Applications Security (2/2)

Subdomains and their capabilities

Software Life Cycle: Secure SDLC Process; Software Assurance Maturity Model

Secured Application Development: Development Standards & Tools; Security Requirements Qualification; Development, Quality & Production Environment Mngt.; Secure Coding; Application Monitoring & Auditing

Application Quality Assurance: Functional Testing; Non-Functional Testing

Release, Deployment & Maintenance: Release Process; Deployment & Rollback Process; Patch Development Management


AS: Subdomains

Software Life Cycle

Definition of the secure SDLC process describing the set of activities to be performed during the development, delivery and maintenance of secure software, including maturity models/assessments which gauge the strengths and weaknesses of an organization's security coverage throughout the SDLC.

Secured Application Development

Process of securely developing and coding applications or software through phases and across different development environments, taking into account application security principles and requirements; leveraging selected and defined development security standards and tools for the SDLC specific to application families and development methods; and leveraging secure coding best practices.

Application Quality Assurance

Quality assurance process to test functional (end user functionalities) and nonfunctional (performance, security and operations) application requirements according to software specifications, including user acceptance testing (UAT) and operational acceptance testing (OAT).

Release, Deployment & Maintenance

Processes to manage, plan, schedule, deploy and maintain software build, revision and versioning following different phases and leveraging different environments, including processes to update developed software to address vulnerabilities.


AS: Capabilities (1/4)

Subdomains: Application Quality Assurance; Secured Application Development; Release, Deployment & Maintenance; Software Life Cycle

Secure SDLC Process

Defines the secure SDLC process, describing the set of activities to be performed during the development, delivery and maintenance of a secure software. This may include leveraging common frameworks and standards to evaluate and allow process improvement.

Software Assurance Maturity Model

Maturity models which define levels of software assurance maturity relevant to an enterprise, organization or application. Examples of these are Open Software Assurance Maturity Model (OpenSAMM) and Build Security In Maturity Model (BSIMM). Some models are only descriptive, such as BSIMM (reference against what other organizations do, but no implication of what is better or worse), in contrast to prescriptive models. Similar to Capability Maturity Model Integration (CMMI), but specifically focused on software assurance.


AS: Capabilities (2/4)


Development Standards & Tools

Selection and definition of development security standards and tools for the SDLC specific to application families (e.g., Web, Mobile, SAP, ICS) and specific to development methods (e.g., Agile, Waterfall). Includes standards for development tools and frameworks to be used for application families, integration of tools and developer guidelines.

Security Requirements Qualification

The process of identifying and validating security requirements — including compliance, privacy, safety and resilience requirements — relevant to an application or software.

Development, Quality & Production Environment Mgmt.

Manage separate environments for the different phases of life-cycle development and release management: the development environment, the test and qualification environment (where new features are developed, changes are made and tested) and the production environment (used by corporate users). These environments are kept separate.

Secure Coding

Developing/writing source code, taking into account security principles, best practices, secure coding guidelines, etc.

Application Monitoring & Auditing

Monitoring of application events and logs, application access and the use of application privileges to detect unauthorized or fraudulent access, activities or transactions according to policies and compliance rules, including separation of duty rules. Monitoring of application response and performance.
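One concrete form of the monitoring described above, as an added example that is not part of the CRA document or of DXC's tooling: application audit log lines are parsed into events and checked against two policy rules, a separation-of-duty rule (the user who creates a payment must not approve it) and a privilege-use rule (only users holding an approver role may approve). The log lines, user names, roles, the key=value log format and the rule names are all constructed for this example.

```python
"""Application monitoring for separation-of-duty and privilege-use violations.

Added example, not from the CRA document: application audit log lines
(constructed here, in a key=value format assumed for the example) are
parsed into events and two rules are evaluated over them.
"""
import re
from typing import Dict, List

# Constructed audit log, one event per line: timestamp then key=value fields.
AUDIT_LOG = """\
2018-11-14T09:00:01Z user=alice role=clerk action=create_payment id=P100 amount=9000
2018-11-14T09:05:12Z user=bob role=approver action=approve_payment id=P100
2018-11-14T09:30:44Z user=alice role=clerk action=create_payment id=P101 amount=25000
2018-11-14T09:31:02Z user=alice role=clerk action=approve_payment id=P101
2018-11-14T10:02:17Z user=carol role=clerk action=create_payment id=P102 amount=300
2018-11-14T10:02:55Z user=dave role=clerk action=approve_payment id=P102
"""

# Roles that carry the approve privilege (constructed policy).
APPROVER_ROLES = {"approver"}

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one audit line into a dict; the timestamp lands under 'ts'."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def check_separation_of_duty(events: List[Dict[str, str]]) -> List[dict]:
    """Flag approvals performed by the transaction's own creator, and
    approvals by users whose role does not carry the approve privilege."""
    creators: Dict[str, str] = {}
    violations: List[dict] = []
    for e in events:
        action = e.get("action")
        if action == "create_payment":
            creators[e["id"]] = e["user"]
        elif action == "approve_payment":
            if creators.get(e["id"]) == e["user"]:
                violations.append({"rule": "sod-creator-approved-own", "id": e["id"],
                                   "user": e["user"], "ts": e["ts"]})
            if e.get("role") not in APPROVER_ROLES:
                violations.append({"rule": "privilege-approve-without-role", "id": e["id"],
                                   "user": e["user"], "ts": e["ts"]})
    return violations


if __name__ == "__main__":
    for v in check_separation_of_duty(parse_log(AUDIT_LOG)):
        print(f"{v['ts']} {v['rule']} payment={v['id']} user={v['user']}")
```

The two rules are deliberately independent: P101 trips both (the creator approved it, and the approver lacked the role), while P102 trips only the privilege rule, which is the case a pure creator-versus-approver check would miss.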


AS: Capabilities (3/4)


Functional Testing

Quality assurance process to test (including UAT) what the software is supposed to do from the end user's perspective/requirements and to validate the functional specifications of the software: the functions provided to end users. Functionalities are tested using test use cases, supplying inputs and analyzing the output of the software against the specifications. This includes functional regression testing.

Nonfunctional Testing

Testing (and acceptance) of application and systems nonfunctional requirements, the way a system operates (not end-user functions/functionalities) and the way the systems/software should behave. Nonfunctional requirements can include performance testing (load, stress, reliability, scalability, resilience testing, etc.), compliance and security testing, and operational testing (backup, restore, recovery, etc.), also known as OAT.


AS: Capabilities (4/4)


Release Process

Develop a release process to manage, plan and schedule software build, revision and versioning.

Deployment & Rollback Process

Develop a deployment process to manage, plan and schedule software deployment in production through different environments. This includes the development of a rollback process to ensure the return to a previous state or version or revision of the application in case of an issue when deploying a new release.

Patch Development Management

Develop application/software patches/updates to address security vulnerabilities discovered in software which is already released. As it is highly unlikely for complex software to be completely vulnerability-free, it is important to have a means to issue timely security patches and updates for vulnerabilities in software you are responsible for. Development, of course, covers the development of the fixes/patches as well as building the patch. Security patches developed to fix vulnerabilities discovered in released software require timely testing before being released, both for (likely limited) regression (functionality and security) and for assurance that the specific vulnerability prompting the patch is fixed. Application security patch notification alerts all (at least supported) affected users of the application/software in a way that maximizes protection and minimizes exposure/harm.


Data Protection & Privacy (1/2)

Objective

Securing the information assets

Methods, tools and techniques to identify and classify information, define data security modeling and associated security requirements, and protect data by preventing unauthorized loss, modification and use of data.

Subdomains

Certificate & Key Management

Data Assurance & Governance

Data Security Life-Cycle Management

Data Protection


Data Protection & Privacy (2/2)

Subdomains and their capabilities

Data Assurance & Governance: Data Security Modeling, Data Tagging, Data Standardization, Data Discovery, Data Accuracy, Data Flow, Data Processing, Data Origin, Data Adequacy

Data Protection: Digital Rights Management, Data Tokenization, Disk Encryption, Data Masking, Data Integrity, Data Loss Prevention, Data Encryption, Data Monitoring

Data Security Life-Cycle Management: Data Recovery, Data Backup, Data Destruction, Data Archiving, Data Migration, Data Retention

Certificate & Key Management: Certificate & Key Life-Cycle Management, Certificate Authority, Registration Authority, Cryptography


DPP: Subdomains

Data Assurance & Governance: Activities to ensure accountability of data security modeling, data tagging, data discovery, data management, data processing and usage.

Data Protection: Methods, tools and techniques to protect data by preventing unauthorized loss, modification and use of sensitive or confidential information.

Data Security Life-Cycle Management: The process of creating, storing, using, sharing, archiving and destroying data during its life cycle.

Certificate & Key Management: The process of registration, key and certificate generation, distribution, storage, backup, usage, renewal, expiration, revocation, recovery, notification, archiving and auditing of keys and digital certificates.


DPP: Capabilities (1/7)

Subdomain: Data Assurance & Governance

Data Security Modeling: Activities to define a data model and semantics for security to support technical experts' and security officers' understanding of the data security requirements to be taken into account in application design or system development (e.g., database design). This includes business-oriented data constraints and relationships among data defined by the organization, industry standards or some regulations to allow interoperability between organizations and applications (e.g., bank routing codes to allow interbank transactions).

Data Tagging: Identifying, classifying and tagging data elements such as content (legal, private, financial, medical or types of business data) as well as geolocation, file type or other attribute-based information asset classification schema, data category and data security modeling.

Data Discovery: A process, based on the information asset classification schema and data patterns, to automatically discover and identify data repositories in the organization, how data is used and by whom or by which processes, then improving data inventory and classification by analyzing data patterns and values.

Data Flow: Documenting approved transfers of data (regulated data, critical business data or other) from one system to another. For instance, data flow is a prerequisite to map data privacy requirements to assets.

Data Processing: Documenting legitimate reasons for processing data (regulated data, critical business data or other) and approved data access. For instance, data access is a prerequisite to map data privacy requirements to assets.


DPP: Capabilities (2/7)

Subdomain: Data Assurance & Governance

Data Standardization: Activities to ensure that data is cleansed and standardized to a defined model before it is used.

Data Accuracy: Management of the accuracy and currency of data before it is used.

Data Origin: Identification and recording of data origin for audit and compliance purposes.

Data Adequacy: Activities to ensure the adequacy and relevance of data, and to verify that data is not excessive in relation to the purposes for which it is processed.


DPP: Capabilities (3/7)

Subdomain: Data Protection

Digital Rights Management: Methods and tools to prevent copying, modification or distribution of intellectual property, copyrighted material or other digital media by copy-, write-, forward- or print-protecting the information.

Data Tokenization: Protecting PII, personal health information, cardholder data or other confidential and sensitive records by substituting field values with vault-based or vaultless tokens stored in look-up tables that can be used to detokenize to the original values.

Data Masking: Protecting PII, personal health information, cardholder data or other confidential and sensitive records by hiding data with random characters and using different techniques such as substitution, encryption or shuffling. Synonymous with data anonymization.

Data Loss Prevention: Preventing unauthorized and unintentional loss and use of sensitive or confidential information by protecting data in use, in transit and at rest based on information classification labels, tags or other identifiers.

Data Encryption: Preventing unauthorized access to sensitive or confidential information by administrators or third parties by encrypting data at rest in databases or file systems.
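The Data Tokenization and Data Masking capabilities above differ in one property: a token can be detokenized through the vault, whereas a masked value cannot be restored at all. The following Python is an added example (not from the CRA deck) that implements a vault-based, format-preserving tokenizer beside substitution, keyed-substitution and shuffling masks; the TokenVault class, the function names and the sample card number are constructed for illustration.

```python
"""Vault-based tokenization versus masking of cardholder data (stdlib only).

Added example, not part of the CRA deck. The vault, the masking rules and the
sample card number below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional


class TokenVault:
    """Vault-based tokenization.

    A token is a random stand-in that carries no information about the value it
    replaces; the only link between them is the vault's look-up table. That makes
    the vault the asset that needs the strongest access control and auditing.
    """

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return a format-preserving token: same length, digits only, with the
        last `keep_last` characters kept in clear (usual for card numbers so that
        receipts and support staff can still refer to the card)."""
        if not value:
            raise ValueError("nothing to tokenize")
        if value in self._token_by_value:          # one token per value (idempotent)
            return self._token_by_value[value]
        keep_last = max(0, min(keep_last, len(value) - 1))
        suffix = value[len(value) - keep_last:]
        while True:
            prefix = "".join(secrets.choice(string.digits)
                             for _ in range(len(value) - keep_last))
            token = prefix + suffix
            # reject a collision with the real value or with an existing token
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse the substitution; only the vault can do this, and a token
        unknown to this vault yields None."""
        return self._value_by_token.get(token)


def mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking by substitution: the hidden characters are gone for good because
    nothing is stored that would let them be recovered (unlike a token)."""
    keep_last = max(0, min(keep_last, len(value)))
    return mask_char * (len(value) - keep_last) + value[len(value) - keep_last:]


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed substitution (HMAC-SHA256 mapped to digits): the same
    input always yields the same digit string, so joins across masked tables
    still work, yet there is no table in which to look the original up."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(byte % 10) for byte in digest[:length])


def shuffle_column(values: List[str]) -> List[str]:
    """Shuffling: real values stay in the data set but are re-assigned across
    records, breaking the link between a value and the record it belongs to."""
    shuffled = list(values)
    secrets.SystemRandom().shuffle(shuffled)
    return shuffled


if __name__ == "__main__":
    pan = "4111111111111111"                       # constructed sample card number
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("token     :", token, "-> vault restores", vault.detokenize(token))
    print("no vault  :", TokenVault().detokenize(token))
    print("masked    :", mask(pan))
    print("pseudonym :", pseudonymize("alice@example.com", b"constructed-key"))
    print("shuffled  :", shuffle_column(["alice", "bob", "carol"]))
```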


DPP: Capabilities (4/7)

Subdomain: Data Protection

Disk Encryption: Preventing unauthorized use and loss of sensitive or confidential information in case of theft or loss of an endpoint device by encrypting internal or removable storage.

Data Integrity: Preventing data from being modified, tampered with or altered by unauthorized users.

Data Monitoring: Real-time monitoring of data usage according to policy.


DPP: Capabilities (5/7)

Subdomain: Data Security Life-Cycle Management

Data Recovery: Solutions for data restoration in the event of hardware or software failures or disasters.

Data Backup: Solutions for backup generation which can subsequently be used in the event of hardware or software failures or disasters.

Data Archiving: The process of moving older data that is no longer actively used to a separate storage device for long-term retention, needed future reference and regulatory compliance.

Data Migration: The process of recovering and converting data from complex, outdated or decommissioned systems.

Data Retention: Management of the retention period of data being stored and archived.


DPP: Capabilities (6/7)

Subdomain: Data Security Life-Cycle Management

Data Destruction: Irrevocably destroying data prior to disposal of internal or removable storage or when terminating third-party ICT services. Could be achieved by erasing the encryption key.
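The Data Destruction capability notes that destruction can be achieved by erasing the encryption key; this relies on the Data Encryption and Disk Encryption capabilities, since only data that was always stored as ciphertext can be shredded that way. The following Python is an added example (not from the CRA deck) of a store that keeps only ciphertext and destroys a subject's records by discarding its key; the EncryptedStore class and the HMAC-SHA256 keystream that stands in for a production AEAD such as AES-GCM are constructed for illustration.

```python
"""Crypto-shredding: data destruction by erasing the encryption key (stdlib only).

Added example, not part of the CRA deck. An HMAC-SHA256 counter-mode keystream
with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM, which is
what production code should use; the key store and records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one data-encryption key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of PRF(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def is_authentic(key: bytes, blob: bytes) -> bool:
    """True when the blob decrypts under this key without a tag failure."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class EncryptedStore:
    """Records encrypted under a per-subject data-encryption key (DEK).

    The DEKs live in a separate key store (an HSM or KMS in practice); the
    storage layer, and every backup or archive copy made of it, holds only
    ciphertext. Destroying a subject's DEK therefore renders all of that
    subject's records unreadable at once, wherever the copies are.
    """

    def __init__(self) -> None:
        self.key_store: Dict[str, bytes] = {}      # subject -> DEK
        self.storage: Dict[str, bytes] = {}        # record_id -> ciphertext blob

    def put(self, subject: str, record_id: str, plaintext: bytes) -> None:
        dek = self.key_store.setdefault(subject, secrets.token_bytes(32))
        self.storage[record_id] = encrypt(dek, plaintext)

    def get(self, subject: str, record_id: str) -> Optional[bytes]:
        dek = self.key_store.get(subject)
        if dek is None:                             # key shredded: nothing to decrypt with
            return None
        return decrypt(dek, self.storage[record_id])

    def crypto_shred(self, subject: str) -> bool:
        """Data destruction by erasing the key. The key store's own backups must
        be purged as well, or the destruction is not irrevocable."""
        return self.key_store.pop(subject, None) is not None


if __name__ == "__main__":
    store = EncryptedStore()
    store.put("alice", "rec-1", b"card ending 1111")   # constructed record
    print("before shred:", store.get("alice", "rec-1"))
    store.crypto_shred("alice")
    print("after shred :", store.get("alice", "rec-1"), "ciphertext still on disk:",
          "rec-1" in store.storage)
```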


DPP: Capabilities (7/7)

Subdomain: Certificate & Key Management

Certificate & Key Life-Cycle Management: The defined business practices and procedures surrounding the entire use of keys. The complete process of registration, issuance, distribution, storage, backup, usage, renewal, expiration, revocation, recovery, notification, archiving and auditing of keys and certificates in PKI environments (symmetric, asymmetric, private, public or shared keys, including but not limited to Secure Shell (SSH) and IP security [IPSec]).

Certificate Authority: The trusted entity that issues certificates and vouches that certificates belong to an individual or organization, compliant with the Certificate Policy (CP) and Certificate Practice Statement (CPS).

Registration Authority: The organizational entity responsible for assuring the identity and authenticity of entities requesting certificates.

Cryptography: The science and mathematics of encrypting and decrypting data by using block ciphers, stream ciphers or hashes with symmetric or asymmetric algorithms, and by using different strengths and protocols to prevent unauthorized users from decrypting the data.


Converged Security (1/2)

Objective: Securing the information assets

IT and OT integration generates new security risks and challenges. Assessing and managing these security risks is more necessary than ever before to ensure the continuity of production processes and even to prevent life-threatening incidents from occurring. IT is the use of any computers, mobiles, communication protocols, storage and other infrastructure devices and processes to create, process, exchange and store any type of electronic data. OT is the use of hardware and software to detect, monitor and control physical devices, processes and events.

Subdomains: Industrial Control Systems Security; Industrial Safety; IoT Security


Converged Security (2/2)

Subdomains and their capabilities

IoT Security: Machine-to-People Interaction, Machine-to-Machine Communication, Command & Control Communication, Telemetry & Geo Tracking System

Industrial Safety: Safety Standard Selection, Safety Controls & Asset Mapping, Safety & Security Program Alignment, Safety Management

Industrial Control Systems Security: IT/OT Alignment, IT/OT Integration, IT/OT Middleware, IT/OT Network Convergence, OT Applications Security


CS: Subdomains

Industrial Control Systems Security: Security blueprint to address cyber security risks resulting from IT/OT (ICS) integration. An ICS is an automation system that is specially designed for controlling industrial processes such as production processes in a factory or supporting services such as water management, lighting, escalators, elevators, storage control and transportation. It could also include the distribution of chemical products, oil, gas, water and/or electricity supply.

IoT Security: IoT is a network of smart devices ("things") containing embedded technologies to capture, monitor or interact with their internal states or the surrounding external environment. Communication with those smart devices is achieved over the internet to control them or to exchange or create data which has to be protected.

Industrial Safety: Manage safety risks inherited from IT and OT digital convergence within industrial or IoT environments.


CS: Capabilities (1/3)

Subdomain: Industrial Control Systems Security

IT/OT Alignment: Security requirements to be taken into account in activities to synchronize architecture and standards to ensure IT and OT systems compatibility.

IT/OT Integration: Integrated shared security teams and organization to support and manage aligned or shared security capabilities, technologies and architectures.

IT/OT Middleware: Secure communication between OT components (SCADA, DCS, PLCs), mainly messaging interfaces providing program-to-program communication, and IT components (enterprise resource planning, asset management, etc.).

IT/OT Network Convergence: Secure network infrastructure shared by IT and OT components, specifically in cases when the ICS communication is built on proprietary network protocols and uses the IP network infrastructure to exchange information with IT systems and applications.

OT Applications Security: Methodology, processes and tools to increase and provide assurance that OT applications/software meet relevant security requirements; implement needed security controls with a reduced number and severity of vulnerabilities to protect the integrity of OT functioning; and avoid unavailability of services.


CS: Capabilities (2/3)

Subdomain: IoT Security

Machine-to-People Interaction: Secure communication and interaction between smart devices (IoT endpoints) and people.

Machine-to-Machine Communication: Secure direct communication between IoT endpoints.

Command and Control Communication: Secure communication between IoT endpoints and operational infrastructures or back-end data processing and analytics systems for C2 purposes.

Telemetry and Geotracking System: Collect and record telemetry information, including motion tracking and observation of objects or persons: remote measurements and other data collected from environments, people, industrial systems, control devices, etc. Data is then transmitted to be analyzed for operational decisions (commands, instructions, etc.) or business application and back-end information processing.


CS: Capabilities (3/3)

Subdomain: Industrial Safety

Safety Standard Selection: Selecting the appropriate standard(s) to be used as reference for safety-related controls applicable to your industry (e.g., IEC 61508, IEC 62443, U.S. Occupational Safety and Health Administration [OSHA], etc.). Existing standards may be adapted to include organization-specific requirements, future emerging safety requirements or changing business requirements.

Safety Controls and Asset Mapping: Converting and mapping safety requirements to controls/standards and assets. Update the asset inventory with safety requirements for any assets identified to be safety-critical for people or environments.

Safety and Security Program Alignment: Ensuring alignment between safety and security programs (including physical security) for program rationalization and optimization. Digital transformation and associated technologies introduce new risks around people's safety, so the cyber security program would encompass safety requirements.

Safety Management: Safety practices and processes to meet requirements for safety-critical systems and manage safety risks and safety countermeasures aligned with security governance, security strategy, policy and planning.


Physical Security (1/2)

Objective: Securing the information assets

Security measures to protect information assets in data centers and offices against environmental, technical or man-made accidental and deliberate threats that may threaten the availability of information and may cause the loss of information.

Subdomains: Data Center Security; Office Security


Physical Security (2/2)

Subdomains and their capabilities

Office Security: Zoning Restrictions, Clean Desk, Lockable Cabinets, Intruder Alarms

Data Center Security: Site Location, Physical Perimeter, Access Control, Facilities Restricting Physical Access, Removable Media Management, Utility Infrastructure, Computer Room


PS: Subdomains

Data Center Security: Protection of information assets against physical and environmental damage in data centers and data rooms.

Office Security: Protection of information assets against physical and environmental damage at business offices.


PS: Capabilities (1/3)

Subdomain: Data Center Security

Site Location: Protection of data centers against extreme weather or environmental hazards.

Physical Perimeter: Protection of data centers against unauthorized physical access at the outer perimeter by using fences, locks, alarms and closed-circuit television (CCTV) equipment.

Facilities Restricting Physical Access: Protection of data centers against unauthorized physical access at facilities by using burglar-proof entrance rooms, third-party demarcation points, secured emergency exits, locked computer rooms and secure area separations.

Utility Infrastructure: Protection of data centers against loss of utilities like air conditioning and power. Develop a concept for uninterruptible and redundant cooling and power supplies, and diverse routing of power grids and data communication links.

Computer Room: Protection of computer rooms and data centers by using fire, smoke, dust and water detectors, implementing fire suppressors, securing HVAC, cabling and flooring, disposal and banning of flammables and unused equipment, and by protecting backup media.


PS: Capabilities (2/3)

Subdomain: Data Center Security

Access Control: Protection of data centers by using mantraps, visitor restrictions, proximity cards, CCTV, lock and key handling, mandatory ID badges, biometric authentication and regular access log review.

Removable Media Management: Management of removable media according to the classification schema, including transport, physical storage, disposal and physical transfer.


PS: Capabilities (3/3)

Subdomain: Office Security

Zoning Restrictions: Protection against unauthorized access to sensitive office zones by enforcing zoning restrictions with physical access controls based on business need.

Clean Desk: Clean desk directive to be followed by employees when leaving their office, usually clearing their desk of all papers at the end of the business day.

Lockable Cabinets: Provide employees with cabinets that can be locked, so that sensitive papers, documents and employee laptops can be securely stored during out-of-office hours.

Intruder Alarms: Install intrusion alarm systems, siren-based as well as silent alarms, to alert patrol guards, the police and/or monitoring centers when unauthorized access is detected.
