Background
Evolution to be inclusive
A strategic approach
Measurement
Hence we arrive at the Cybersecurity Strategy 5 Layout Capability Maturity Model (CS5L CMM).
Cybersecurity Strategy 5 Layout Capability Maturity Model
The Cybersecurity Strategy is used to manage and measure all aspects of IT security by grouping security functionality into 5 areas, or layouts, of defense.
A strategic approach identifies 5 layouts and adopts a Cybersecurity Strategy 5 Layout Capability Maturity Model (CS5L CMM). The CS5L CMM model has a tool, also called CS5L CMM, which is an open source web application used to collect data and measure. This is part of a "Mature Cybersecurity Strategy".
Cybersecurity Strategy
The Cyber Security Strategy is a framework to determine gaps and to measure using the 5 Layout approach (CS5L), which results in a standard measurement from which a tactical plan can be developed. In military terms, the strategy is how we plan our defenses; the tactical plan is how we implement and perform it.
In practice, companies have various vendors that provide security, most of which participate in providing data, have system interfaces and are able to supply iterative answers for their layout of defense, sometimes spanning more than one area or layout. The five layouts cover the general areas known at this time, and the strategy model formalizes measurement of each and facilitates a road map to improve by using capability maturity modeling (CMM). This way we identify security risks, address them, and have a plan to improve going forward, whilst maintaining a record of it. We show how the CS5L CMM measurement fits into a complete 'mature' defense approach. A 'mature' cyber security defense includes a cycle of before and after processes around the CS5L data gathering and CMM measurement, namely, before, a situation awareness study (largely a self study), and after, vulnerability and compliance mapping and risk management. The CS5L CMM framework is developing quickly into a measurement standard; this is the groundwork of the complete cycle.
CS5L: The Cybersecurity Strategy 5 layouts are the strategic asset areas, devices, people, policies and procedures, in the strategy model.
CMM: Using a Capability Maturity Model, which formalizes and standardizes measurement of each layout and facilitates a road map to improve capability.
Mature cybersecurity defense
The CS5L CMM is part of a bigger process we call a Mature cybersecurity defense.
A mature cybersecurity defense is called mature because it implies that all the processes are addressed.
The CS5L CMM is used in the two processes: to collect data and to measure.
The processes are as follows, and are a continuous cycle:
The strategy areas or layouts:
- help organize an all-encompassing approach, and
- lend themselves to separating the data into manageable segments for measurement. In the analysis phase, this allows drill-down of the measurement results.
Measurement results in identifying security risks, addressing them, and devising a plan to manage and improve going forward.
Five Layouts
The 5 layout Cyber Security defense strategy, CS5L, is a developed standard for measuring people, procedures and systems at an enterprise. When engaged at a client site, System Soft deploys trained Cyber Security, system and analytical experts to support this five layout approach to Cyber security. The process begins with a 'situational awareness study', which is primarily done together with the client. The process is performed in two stages, gathering data and measurement. Both are performed using the 5 layouts:
1. Network (Communication): Vendors providing VPN (virtual private network) hardware, networking equipment, firewalls and software, e.g. Cisco. This is part of a defense layout to every endpoint and BYOD (bring your own device). Includes data gathering on network encryption, all devices, and user access, and analysis of the design and configuration of these networks and firewalls, with a focus on vulnerabilities.
2. AppSec (Software systems): AppSec (Application Security) covers applications developed by the client that interact with services hosted by the client, and applications installed on any part of their network, whether hosted, on an end client or on a server. This includes wireless, DMZ servers, telephony, border routing, remote administration, web security gateway, remote access VPN, etc., together with access policies, authentication and methods of access to systems and data.
3. Security Awareness (People capability and procedures): Often measured by the level of training, part of which is sometimes called Employee cyber Security Awareness Training (ESAT). Measure access to ESAT for all employees, and agents or B2B companies that have tier 1. The ESAT program should work through an online web app which, under the control of the IT department and in collaboration with HR, performs a simulated cyber-security attack on employees known as phishing and measures performance. It then runs a training program driven via email and performed on the web, which allows users to proceed at their own pace, stopping and restarting as needed. Once complete, the 'dummy' attack is performed again and measured. Security awareness also includes developer training for application developers, administration policy, managing privacy, and risk assessment.
4. Internal Defense (In-house scanning, policies and controls): AV (anti-virus), data encryption, disaster recovery, backup and recovery, installation and version control, USB usage, managing alerts, and incident mitigation.
5. Forensics (CSI and real time monitoring): Analyze and measure the configuration and monitoring of all system access. Design and deliver custom action plans for responsive action to denial of service attacks and access breach attempts. E.g.: Sourcefire, now a Cisco product.
Measurement
The levels are each measured using the Capability Maturity Model (CMM) for all 5 layouts.
Data collection
Using the Cyber Security Strategy CS5L CMM system, two steps are performed to collect data for each layout:
- a survey of questions directed to the responsible person in the organization, and
- where applicable, data is drawn in and applied dynamically to the CMM.
Capability for each question is rated on each CMM level:
- 'As is' (where you are now) and
- 'To be' (where you need to be).
The choice of levels, where you are today and where you need to be, establishes the 'gaps', which enables us to identify and focus on maturing your capability. Hence we call this Capability Maturity Modeling.
An example of how a question is presented:
In step 2, where data is drawn in dynamically (for example, each user's completed training courses), the system applies the data to the CMM using preset rules: if the user has completed a given set of courses, the user is mapped to a CMM level, say, Managed.
Dynamic links are set up in co-operation with each cybersecurity vendor. Questions are created in co-operation with each cybersecurity vendor.
Questions are assigned to a responsible person in the organization to provide answers, all communicated using emails.
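As an added illustration, not code from the CS5L CMM tool itself, this Python sketch models the two collection steps just described: survey answers carrying an 'As is' and 'To be' level per question, with gaps rolled up per layout for drill-down, and a preset step-2 rule that maps a user's completed training courses to a CMM level. The level ladder, the course names and the sample answers are assumptions constructed for the example.

```python
from dataclasses import dataclass

# CMM ladder, lowest to highest; the page names only "managed", rest assumed.
LEVELS = ["initial", "repeatable", "defined", "managed", "optimizing"]

@dataclass
class Answer:
    layout: str     # one of the five layouts, e.g. "Network"
    question: str
    as_is: str      # CMM level where the organization is now
    to_be: str      # CMM level where it needs to be

def gap(a):
    """Levels still to climb for one question; 0 means no gap."""
    return max(0, LEVELS.index(a.to_be) - LEVELS.index(a.as_is))

def layout_gaps(answers):
    """Group gaps by layout so analysis can drill down per question."""
    out = {}
    for a in answers:
        out.setdefault(a.layout, {})[a.question] = gap(a)
    return out
# Step 2 dynamic rule (hypothetical course names), checked most demanding first.
TRAINING_RULES = [
    ({"phishing-basics", "phishing-retest", "secure-coding"}, "managed"),
    ({"phishing-basics", "phishing-retest"}, "defined"),
    ({"phishing-basics"}, "repeatable"),
]

def training_level(completed):
    """Map one user's completed course list to a CMM level."""
    for required, level in TRAINING_RULES:
        if required <= set(completed):
            return level
    return "initial"

def awareness_answer(users, to_be="managed"):
    # The layout's 'As is' level is set by its least-trained user.
    as_is = min((training_level(c) for c in users.values()), key=LEVELS.index)
    return Answer("Security Awareness", "ESAT completion", as_is, to_be)
# Constructed sample survey answers and training feed, not client data.
SURVEY = [
    Answer("Network", "Firewall rules reviewed on schedule", "repeatable", "managed"),
    Answer("AppSec", "Authentication policy for hosted apps", "defined", "defined"),
    Answer("Internal Defense", "USB usage controlled", "initial", "defined"),
]
USERS = {"alice": ["phishing-basics", "phishing-retest"], "bob": ["phishing-basics"]}

def report():
    return layout_gaps(SURVEY + [awareness_answer(USERS)])
```

Calling report() returns a nested dict keyed by layout and then by question, which is the drill-down view the text describes; a gap of 0 means the 'As is' level already meets the 'To be' level.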
CS5L CMM system
The CS5L CMM system is an open web SaaS system which delivers measurement data to a MS SQL database, which is then available free to report on the measured data.
There are two parts, Data collection CS5L, and measurement CMM.
Data is collected on policies, procedures, devices, users, and each employee's training maturity, in each area or layout, by questions and answers and by input feeds from various vendors (a feed sometimes crosses two or more layouts).
As part of the CS5L, data is collected in these main ways:
1. In a survey method, using emails, questions and CMM answers (CMM levels are selected) sent to the responsible person for a layout or part thereof,
2. Data inputs configured specifically for each security vendor and inserted into the database, for later dynamic CMM level assignment that is specifically configurable.
As part of the CMM, data is applied and analysed.
The CMM records data through its maturity and assists in drill downs to easily identify deficits, and retains and reports the CMM data.