1.1. Program & Metrics
1.1.1. Scope & Business context
Objectives:
- Identify all assets, their type (Physical, Data, Intellectual property, etc.) and their properties (CIA rating, estimated value).
- Identify all physical and logical interfaces that are exposed to potential threat actors.
- Identify all suppliers and service providers, and the risk each one carries based on its impact on the continuity of your business.
- Identify the applicable regulations depending on region and industry. For reference, here is a list of regulations to consider depending on the operating region and industry sector:
- EU Network and Information Security Directive (NIS2)
- US Federal Information Security Management Act (FISMA)
- Financial services (PCI DSS, PSD2)
- Healthcare (NEN 7510, HIPAA, HITRUST CSF)
- Automotive (UNECE R155 & R156)
- Privacy (GDPR in the EU, CCPA in California, the Privacy Act in Australia, APPI in Japan, PDPA in Singapore)
- Locate each category of assets, interfaces and regulations in the known-unknown matrix.
- Set up the appropriate process to reduce the unknown unknowns.
Caveat: An inventory that is filled in manually is hard to keep up to date, and an asset that is missing from it is invisible to every later step (risk evaluation, metrics, compliance scoping). Automate the collection as much as possible, and reconcile the inventory against what discovery actually finds.
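As an added example (not code from the original page), the script below reconciles a hand-maintained asset register against an automated discovery result and places every asset and interface in the known-unknown matrix described above: inventoried and seen (known known), inventoried but not seen (known unknown: stale entry or a discovery gap), and seen but never inventoried (unknown unknown). The inventory rows, host names, interface labels and CIA/value figures are constructed for illustration; in practice the discovery side would be fed from a cloud provider API, a network scan or an EDR export.

```python
"""Reconcile a hand-maintained asset inventory against automated discovery.

Added example: every record below is constructed for illustration. In a
real program DISCOVERED would come from a cloud API, a network scan or an
EDR/MDM export, and INVENTORY from the CMDB or asset register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # Physical, Data, Intellectual property, ...
    cia: tuple             # (confidentiality, integrity, availability), 1 = low, 3 = high
    value_eur: int         # estimated value
    interfaces: frozenset  # interfaces known to be exposed, e.g. "https/443"

    @property
    def criticality(self) -> int:
        return max(self.cia)


# Constructed inventory (assumed content, not a real environment)
INVENTORY = [
    Asset("web-01", "Physical", (2, 3, 3), 50_000, frozenset({"https/443"})),
    Asset("db-01", "Data", (3, 3, 2), 250_000, frozenset({"postgres/5432"})),
    Asset("ci-runner", "Physical", (2, 2, 1), 10_000, frozenset({"ssh/22"})),
    Asset("legacy-ftp", "Physical", (1, 1, 1), 1_000, frozenset({"ftp/21"})),
]

# Constructed discovery output: host -> set of listening services seen on it
DISCOVERED = {
    "web-01": {"https/443", "ssh/22"},   # ssh/22 is not in the inventory
    "db-01": {"postgres/5432"},
    "ci-runner": {"ssh/22"},
    "jump-99": {"rdp/3389"},             # never registered
    # legacy-ftp: not seen by discovery at all
}


def reconcile(inventory, discovered):
    """Place every asset and interface in the known-unknown matrix.

    known_known             : inventoried and seen by discovery
    known_unknown           : inventoried but not seen (stale entry, or discovery gap)
    unknown_unknown         : seen by discovery but never inventoried
    undocumented_interfaces : per known asset, interfaces seen but not registered
    """
    by_name = {a.name: a for a in inventory}
    result = {
        "known_known": sorted(n for n in by_name if n in discovered),
        "known_unknown": sorted(n for n in by_name if n not in discovered),
        "unknown_unknown": sorted(n for n in discovered if n not in by_name),
        "undocumented_interfaces": {},
    }
    for name in result["known_known"]:
        extra = set(discovered[name]) - set(by_name[name].interfaces)
        if extra:
            result["undocumented_interfaces"][name] = extra
    return result


def prioritized_actions(inventory, result):
    """Order the follow-up work.

    Unregistered hosts have no CIA rating yet, so they are treated as
    critical until triaged and go first. Gaps on inventoried assets are
    ordered by criticality, then by estimated value.
    """
    by_name = {a.name: a for a in inventory}
    actions = [(n, "register and rate") for n in result["unknown_unknown"]]
    gaps = [(n, "register discovered interface(s)") for n in result["undocumented_interfaces"]]
    gaps += [(n, "confirm asset still exists or extend discovery") for n in result["known_unknown"]]
    gaps.sort(key=lambda t: (by_name[t[0]].criticality, by_name[t[0]].value_eur), reverse=True)
    return actions + gaps


if __name__ == "__main__":
    res = reconcile(INVENTORY, DISCOVERED)
    for quadrant in ("known_known", "known_unknown", "unknown_unknown"):
        print(f"{quadrant:16s}: {', '.join(res[quadrant])}")
    for name, ifaces in res["undocumented_interfaces"].items():
        print(f"{name}: undocumented interfaces {sorted(ifaces)}")
    for name, action in prioritized_actions(INVENTORY, res):
        print(f"TODO {name}: {action}")
```

Running it on the constructed data reports jump-99 as an unknown unknown, legacy-ftp as a known unknown, and an undocumented ssh/22 listener on web-01. Scheduling this reconciliation (for example nightly) is what turns the static register into the automated inventory the caveat asks for: each run either confirms the register or produces a concrete list of entries to add, retire or re-rate.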
1.1.2. Risks & Objectives
Objectives:
- Depending on your context and strategy, evaluate the current risks [1,2]. These risks may fall into different categories, such as security, privacy, safety, financial, operational and compliance.
- Define a set of projects and, for each one, estimate the allocated resources (budget and staff), the required skills, an associated metric and the success criteria [3].
- You can assign the projects (partially or entirely) to your existing staff. You can expand the capacity of the security team by leveraging the concept of security champions [4,5].
- You can also consider outsourcing the projects (partially or entirely) [6].
Hint/Caveat: When hiring a cybersecurity professional, you can use [7,8] to define the role.
1.1.3. Dashboard & Management review
Objectives:
- Review the metrics associated with each objective periodically and identify potential emerging risks.
- Monitor the progress of ongoing projects and the budget spent, and estimate the Return on Security Investment (RoSI).
- Report to senior management: discuss risk trends and the effectiveness of the current strategy.
- If needed, consider adjusting the risk appetite and/or the objectives.
Caveat: Measuring the RoSI of cybersecurity projects is very challenging, because it depends on a number of estimations and approximations (for instance of the likelihood and cost of the incidents a control is expected to prevent) [9]. Report the assumptions alongside the figure so that management can judge how much weight to give it.