Ron Gibbs

Cybersecurity Assessment

In order to create a valid assessment, one must first know what one is trying to protect. Information security is the practice of protecting information; protecting the devices that store and transfer that information is a means to that primary goal, not the goal itself. This is a subtle but important nuance. To protect information, one must first understand what information or data one is protecting. This starts with a full inventory of what data is used, where it is stored, and how it is transferred. One must then categorize the data, understanding what is critical to the company's well-being and growth and what is not. Not all data needs the full protection and resources of the cybersecurity infrastructure; for example, publicly available data does not need the same level of protection that the company's intellectual property does. Lastly, understand how the data is input and by whom, and who has access to it during transmission, storage, and output. Identifying these parameters and processes allows one to allocate resources appropriately to protect the datasets that need protection. A convenient way to capture this for each business process is the turtle diagram, which records a process's inputs, outputs, resources (with what), people (with whom), methods (how), and measures (how well); walking each process through the diagram is a great way to identify potential risk and process gaps.

 

Once one understands the data and business processes of the company, one can build a baseline to understand the level of cybersecurity maturity the company has attained. A great external tool to use is the Cybersecurity Capability Maturity Model (C2M2), published by the US Department of Energy. There are many other similar models but this one has worked well for me in generating a baseline and opening up the conversation with the various stakeholders. The model groups roughly 350 cybersecurity practices into 10 logical domains and rates each domain at a Maturity Indicator Level (MIL), from MIL0 (practices not performed) through MIL1 (initial, ad hoc practices) up to MIL3 (managed, complete practices); a domain only reaches a given MIL once the practices at that level and all lower levels are implemented. This assessment gives an excellent initial view as to where efforts and resources should be placed.

 

With an established cybersecurity program in place, one can then look for opportunities to increase the value proposition of cybersecurity to the company. Often that comes from the attainment of certifications. Cybersecurity certifications are based on well-defined security standards and best practices such as those from NIST and CIS. Attainment of certification not only increases the maturity of the cybersecurity program, but it also brings value to the company as a key differentiator from competitors and by providing assurance to new and existing customers. A few of the certifications and compliance programs I have worked with are:

 

  • ISO 27001 - As a certified lead auditor for ISO 27001, I have worked with many companies in helping them to prepare for, attain, and maintain ISO 27001 certification. I like this certification in that it focuses on processes and areas of continual improvement. It is written in such a way that it allows for many different ways to comply with the controls. The 3-year certification cycle, with a full certification audit in the first year followed by two annual surveillance audits, allows for focused efforts based on the major and minor nonconformities found. This is an excellent overall certification to have.
  • NIST SP 800-53 - NIST provides a well-established catalog of security and privacy controls that is internationally recognized. Although primarily written for US federal agencies, it is widely adopted by private organizations due to its comprehensive nature. Used with the Risk Management Framework (NIST SP 800-37), 800-53 provides a risk-based approach to selecting and tailoring controls. This standard is more detailed than ISO 27001 but provides flexibility in how the controls are implemented. I have used this standard in both private and government entities, with extensive use at Alameda County to build out my risk register and 5-year cybersecurity roadmap.
  • SOC 1 and SOC 2 - A SOC 1 report covers controls relevant to customers' financial reporting, while a SOC 2 report is based on the five Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy (security is always in scope; the others are selected by the organization). Both come as Type I, which assesses the design of controls at a point in time, and Type II, which assesses operating effectiveness over a period, typically 6 to 12 months. Most companies focus on SOC 2, which provides a report that can be shared, usually under NDA, with current and potential customers. SOC 2 is most popular in the US but is gaining traction in regions such as the UK. I have reviewed SOC 2 reports when assessing 3rd party vendors, and have been asked by potential customers to review ours; as such, the SOC 2 is becoming a standard must-have in the corporate world.
  • HIPAA / HITRUST - The HITRUST CSF, maintained by the Health Information Trust Alliance, is a security framework developed with healthcare and IT organizations to provide a set of best practices for protecting PHI. It is based on several standards and frameworks, including HIPAA, NIST 800-53, and ISO 27001, and unlike HIPAA itself it offers a formal certification. I have used this framework to audit programs within the Alameda County Department of Health. Because it maps well to known standards I have worked with extensively, the controls are easy to understand and observed nonconformities are easily mitigated, particularly if one has established a cybersecurity baseline through either ISO 27001 or NIST 800-53.
  • FedRAMP - The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. This program is much more prescriptive and controlled, requiring assessment by an accredited third-party assessment organization, or 3PAO. My involvement in FedRAMP has been in assisting companies that want government organizations as customers. I have worked in preparing the FedRAMP System Security Plan (SSP) and addressing Plans of Action and Milestones (POA&Ms). The challenge in attaining and maintaining FedRAMP compliance is balancing its requirements with the business and product requirements. For example, FedRAMP requires cryptography to be performed by FIPS 140-validated modules (FIPS 140-2, and now FIPS 140-3), and validating a module under NIST's Cryptographic Module Validation Program can take up to 18 months. Where newer ciphers are available for a company's product but are not yet in a validated module, it may force the company either to 'downgrade' certain aspects of its product, or to run 2 branches: one for government organizations requiring FIPS 140 compliance, and one for corporations that may benefit from a more secure or faster cipher. The key to working with FedRAMP compliance is to maintain an excellent relationship with your 3PAO and bridge any perceived gaps with business roadmaps as early as possible.
  • StateRAMP - Launched in 2021, StateRAMP focuses on providing security standards for organizations that desire state and local governments as customers. Similar to FedRAMP, StateRAMP requires assessment by a 3PAO, but one can use an existing FedRAMP authorization to fulfill portions of the StateRAMP requirements. The key to obtaining StateRAMP authorization in the companies I've worked for has been establishing processes for continuous monitoring. Once the general requirements have been established and validated by the StateRAMP PMO, the company is listed on the Authorized Product List (APL), making procurement by state and local government entities much easier.
  • CJIS - The FBI's Criminal Justice Information Services (CJIS) Security Policy governs the protection of criminal justice information (CJI) handled by law enforcement and their vendors. Unlike the certifications above, there is no certificate to attain; compliance is demonstrated through audits by the state CJIS Systems Agency and the FBI. CJIS is very specific about who can access and handle its information, and as such, in addition to technical controls, specific security awareness training and fingerprint-based background checks are required for those who have access to CJI. I primarily worked with Alameda County's sheriff, DA, and court systems in addressing these needs.
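The 'two branches' problem from the FedRAMP item above can be reduced to a single code base with a deployment-profile switch. The following is an added example, not the author's code or any FedRAMP or CMVP artifact: one function parses TLS cipher-suite names and applies either a FIPS-style rule set for government deployments or a broader one for commercial deployments. The profile names, the candidate suite list, and the approval rules (which approximate NIST SP 800-52 Rev. 2 guidance) are assumptions for illustration.

```python
"""Deployment-profile TLS cipher-suite policy (illustrative example).

The candidate list, profile names and rules below are assumptions for this
example. Filtering suite names keeps an application from negotiating algorithms
a FIPS 140-validated module would refuse; it does not by itself make a
deployment FIPS compliant, which requires the validated module in FIPS mode.
"""
import ssl
from dataclasses import dataclass

# Constructed candidate list in IANA naming. TLS 1.2 suites contain "_WITH_";
# TLS 1.3 suites name only the AEAD cipher and hash.
CANDIDATE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# IANA -> OpenSSL names for the TLS 1.2 candidates above (Python's ssl module
# takes OpenSSL names; TLS 1.3 suites are not settable through ssl at all).
OPENSSL_NAMES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str     # ECDHE, DHE, RSA, or TLS13 (TLS 1.3 key exchange is always ephemeral)
    cipher: str  # e.g. AES_256_GCM, CHACHA20_POLY1305, 3DES_EDE_CBC
    hash: str    # SHA256, SHA384, or SHA (SHA-1)


def parse_suite(name: str) -> Suite:
    """Split an IANA suite name into key exchange, cipher and hash."""
    body = name.removeprefix("TLS_")
    if "_WITH_" in body:
        kex_auth, rest = body.split("_WITH_", 1)
        kex = kex_auth.split("_")[0]          # ECDHE_RSA -> ECDHE, RSA -> RSA
    else:
        kex, rest = "TLS13", body
    cipher, hash_ = rest.rsplit("_", 1)       # AES_256_GCM_SHA384 -> AES_256_GCM, SHA384
    return Suite(name, kex, cipher, hash_)


# Assumed FIPS-style rule set: forward-secret key exchange, AES-GCM, SHA-2.
# ChaCha20-Poly1305 is excluded because it is not a FIPS-approved algorithm.
FIPS_KEX = {"ECDHE", "DHE", "TLS13"}
FIPS_CIPHERS = {"AES_128_GCM", "AES_256_GCM"}
FIPS_HASHES = {"SHA256", "SHA384"}
# Commercial profile: still forward-secret, no SHA-1, no legacy ciphers, but
# keeps ChaCha20-Poly1305 (the "faster cipher" branch from the text).
LEGACY_CIPHERS = {"3DES_EDE_CBC", "RC4_128", "NULL"}


def fips_approved(s: Suite) -> bool:
    return s.kex in FIPS_KEX and s.cipher in FIPS_CIPHERS and s.hash in FIPS_HASHES


def commercial_acceptable(s: Suite) -> bool:
    return s.kex in FIPS_KEX and s.cipher not in LEGACY_CIPHERS and s.hash != "SHA"


PROFILES = {"fedramp": fips_approved, "commercial": commercial_acceptable}


def allowed_suites(profile: str, candidates=CANDIDATE_SUITES) -> list[str]:
    """Return the candidate suites the given deployment profile permits."""
    try:
        rule = PROFILES[profile]
    except KeyError:
        raise ValueError(f"unknown deployment profile {profile!r}") from None
    return [n for n in candidates if rule(parse_suite(n))]


def build_context(profile: str) -> ssl.SSLContext:
    """Server-side SSLContext restricted to the profile's TLS 1.2 suites."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12 = [OPENSSL_NAMES[n] for n in allowed_suites(profile) if n in OPENSSL_NAMES]
    ctx.set_ciphers(":".join(tls12))  # raises ssl.SSLError if none are available
    return ctx


if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, allowed_suites(profile))
    build_context("fedramp")
```

The switch is deliberately the only difference between the branches: the rest of the product is identical, which is what makes a single code base maintainable under both FedRAMP and commercial requirements. Note the limits stated in the comments: Python's ssl module offers no setter for TLS 1.3 suites, so TLS 1.3 keeps OpenSSL's defaults (ChaCha20 included) unless the underlying OpenSSL runs in FIPS mode, which is one more reason the validated module, not an application allowlist, is what satisfies the requirement.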

 

Each of these certifications requires review and continuous monitoring. Since many of them share similar controls, mapping the requirements to each other so that one piece of evidence can satisfy several programs (for example, the same access review supporting ISO 27001, NIST 800-53, and SOC 2), automating the collection of that evidence, and scheduling the audits to leave enough time to address the findings of each before the next is critical. It is manageable to have several certifications and compliance programs if they are well planned and have the support of the business and leadership.

Certifications
  • Certified Information Security Manager (CISM) #1841436

  • Certified Incident Handling Engineer (CIHE) #14282-162-075-8681

  • ISO 27001 Lead Auditor (TPECS)

  • Certified Project Manager (CPM)

  • Project Management Professional (PMP)