Last time, I discussed how you can act as a leader and help determine the cyber risk appetite for your organization. As a reminder, COSO has five components, and we are on the second component, strategy and objective-setting. This component consists of four principles:
- Analyzes the business context
- Determines the risk appetite
- Evaluates alternative strategies
- Formulates business goals
We will handle the third principle this week: evaluating alternative strategies.
An organization must evaluate alternative strategies as part of defining its strategy. You need to evaluate the risk of each option and how well it uses your organization's resources to create, preserve and realize value.
Enterprise risk management includes an assessment of the strategy from two perspectives:
- The possibility that the chosen strategy may not be aligned with the mission, vision and core values of your organization; and
- The implications of the chosen strategy.
For you as a cybersecurity leader, the strategy chosen in this context becomes the set of frameworks used to run the cybersecurity risk management program.
Several cybersecurity frameworks have been developed, such as the NIST Cybersecurity Framework, ISO 27001 and Service Organization Control 2 (SOC 2), to help organizations establish and report on the effectiveness of their cybersecurity programs.
The selection of these frameworks and their mapping to technical security controls and risk management processes is often called the organization's information security management system (ISMS).
You need to determine which framework to build your ISMS on by considering which is most appropriate for your business operations, your current control structure and other factors such as capital, technology and staff.
Here are some things to consider:
- Understand the environment your organization operates in. In other words, you need to understand your business context. I talked about this two weeks ago, and you can watch that video on LinkedIn or on the website.
  - For example, ISO 27001 is expensive and resource-intensive to implement, and it is optional for most organizations.
  - PCI DSS may also be expensive and resource-intensive to implement, but it is mandatory for organizations that store, transmit or process credit card information.
  - Just think of a cloud-based processor that serves government customers. They probably have to worry about FedRAMP, PCI DSS, AICPA SOC 2 and HIPAA/HITRUST (ouch). Not to mention privacy regulations such as GDPR and CCPA.
- All of this is why normalizing your internal GRC framework is a must.
  - Otherwise you will find yourself in an endless cycle of audits. Find out where your different requirements overlap and build your GRC controls accordingly.
  - The last thing you want to do is measure the effectiveness of your program differently depending on the requirements of the next audit you have to go through.
    - This is called "compliance-based security", and it quickly turns into checkbox security, which ends in a breach!
      - Target had just passed a PCI audit when it suffered a major breach in December 2013. Compliance does not equal security!
  - Let your security program drive compliance with the frameworks you are required to follow, not the other way around!
Next time I will continue with the fourth principle: formulating business goals.
As always, I love your comments and if you want to have a direct conversation, please shoot me a message and we will set up something. Thank you and have a great week.