Management

The cost of a true security profile score is minimized by including the work of auditors and analysts as input from activities that are currently occurring in an environment. Collecting information from different areas of the organization results in a trusted assessment.

The Cyber Security Management Life Cycle involves basic activities integrated into different functions such as Business & IT Operations, Enterprise Architecture, Security Management, Executive Management and Security Operations.

The foundation of the Cyber Security Management Life Cycle is the NIST Risk Management Framework (NIST RMF); the six steps of the NIST RMF take place within the life cycle. Assets are received and evaluated for proper security controls when they are introduced into the environment, and they are identified and recorded within the configuration management database (CMDB).

On an annual basis, and continually where required, the Enterprise Architecture (EA) team evaluates the assets and the changes within the organization and updates the security control catalog based upon risks, business operations, assets and applications. The new catalog is presented to Security Management as an output of the EA Governance Committee.

The Security Management team, including the Director of Security or the CISO, evaluates the security requirements of the new security control catalog. The ESPM is utilized to demonstrate the risks to the organization. Security audit and governance teams have input at this juncture of the Cyber Security Management Life Cycle. Security Management has a responsibility to see that security controls are aligned to security risks and implemented correctly.

At Tier 1, Security Management presents the information security plan and policies to the Executive Management team. Resource allocation requests are presented and submitted for the proper mitigation of risks.

Once Executive Management approves the information security plan and policies, the Tier 2 management level sets the objectives for each unit within the organization to implement the procedures required for its functional activities. The Security Operations team adjusts its evaluation of security events to the new policies and provides feedback to Tier 2 management. Assessment and analysis of security controls encourage groups to align their work with reducing security risk.

Tier 3 receives the procedural documents required to properly implement security for assets, projects, applications and other plans within the System Development Life Cycle (SDLC).

Integrating the NIST RMF, the ESPM and security in the SDLC will contribute to elevated security awareness and an improved enterprise security profile score.