Assignment 1: A List Of Key Security Controls

Decent Essays

Security Officers must obtain a consensus for which mitigating controls are key, which can be a trying negotiation between the CISO, Chief Technology Officer, Cyber Threat Intelligence (CTI), Infrastructure Engineering, Audit and Assurance teams, and the Investment and Audit committees. How do you harness your entire organization to focus on a common agreed-upon list of key security controls?
By defining key controls based on cyber threats (translated into business risks), an organization can more easily right-size the its control set and adapt it to their needs. Risk assessment processes that are near real-time, gated by the change control process, provide continuous feedback on the sufficiency of controls within an …show more content…

Think of your organizational assets from the eyes of an attacker motivated by crime, espionage, hacktivism and even warfare. In other words, what are our Top Threats and how do we know? Interview the Chief Risk Officer and Business Unit leadership and ask them “what keeps you up at night?”. Then tie these answers to Corporate objectives and strategies in a Risk Register.
Get agreement on key controls and downstream decision impacts. A systematic risk-based approach to information security, as ISO31000 describes, driven by periodic threat-based risk assessments, ensures that security efforts address risks in an effective and timely manner where and when needed.
Risk Management processes, measures and taxonomy:

ISO 31000 Risk Management Standard
SO 31000 describes a framework for implementing risk management. As ISO 31000 depicts, it’s essential to manage your cybersecurity program within a continually improving management oversight wrapper.
Make risk management an integral part of your organization’s management approach. Emphasize the need to communicate and consult with both external and internal stakeholders, Continuously monitor and review your organization’s risk management process (including SOC playbooks and CSIRT response scenarios).
ISO 31000:2009 - Framework for Managing Risk

The Art of Cyber Risk Prioritization
Compliance and broad checklists create

Get Access