Write a white paper on the SANS Critical Security Controls (CSC) Survey document below.
SANS 2013 Critical Security Controls Survey: Moving from Awareness to Action
The final paper will run from 4 to 6 pages long, double spaced with appropriate citations and will be due during the final week of the course. The paper is to be written in either the APA and will include a cover page and a works cited page. The cover page and the references page do not count toward the minimum page requirement.
Adoption of the Critical Security Controls is a hot topic in today's organizations. Review the CSC survey document and provide at least one suggestion on three different controls for an organization to move from awareness of the CSCs to implementation. Please feel free to make assumptions as needed for you to develop recommendations for a fictional CISO. You are to act as an external consultant providing recommendations to this CISO. You should specifically ensure that you do not spend much time defining the control but rather suggest how implementing that control can positively impact the security of that CISO's company. Also, students should bring in any other examples, cases, or lessons learned based on your research.
Control Issues identified in DRE CISO organization
The critical security control strategy is aligned with the development of the operations for aligning with the modification of the operations for forming the deployment of the operations and integration of the supportive management process (Kobezak et al., 2018). The formation of the supportive integration had listed the formation of the intrigue development models. The efforts of the operation had supported the management of the implementation for the processes.
The following assignment would involve the use of the effective control strategy for the alignment of the operations and the development of the operations. The integration had helped in forming the analysis of the control issues that would form the hindrance in the completion of the activities. The formation of the final documents had been largely helpful for listing the analysis of the issues and providing some suggestions that would be helpful for improving the process of implementation of the CSC in DRE CISO business organization.
A number of control issues have been identified that hinder the development of the security functions for CISO. The adoption of CSC or Critical Security Controls is largely induced from the prospect of the integration of the effective integration management (Bajramovic et al., 2017). The various control issues identified in CISO include:
Increment of Intrusions: The increasing number of intrusion attacks on the operations has formed a major issue, harming the operations of the business organization (Almorsy, Grundy & Muller, 2016). The intrusion in the information process is aligned for the formation of the successive and intrigued development factors. The intrusion in the deployment of the information processing and its misuse for personal gain by the external influence results in the formation of the issues in the development of the final deliverable for the system.
System Attacks: Attacks such as DDoS and malware hinder operations. The management of the operations was supported by the alignment of the functional development model (Knapp & Langill, 2014). The integrated development of the functions had helped in listing the management of the system configuration. The various attacks in the system would tend to hinder the alignment of the successive operations. The attacks would tend to cause system slackness and issues in forming the completeness of the system processing.
Vulnerabilities and Risk factors: The vulnerabilities of the system operations would tend to form the final outcomes of the project integration management. The risk factors of technological structure of the system are defined for the formation of the intrigued management process. The vulnerability analysis is deployed for the formation of the successive operations management (Woods et al., 2017). However, the vulnerabilities of the system would tend to form the issue resolution for the system management.
Suggestions for improving the implementation
The implementation of the CSC in DRE CISO organization would require the use of various strategies that would help in firmly aligning the operations of the system implementation. The suggestion strategies for the implementation of the CSC in CISO are:
Mitigation of IT Deficiencies: The deficiency of the IT system forms the major setback in the complete operations of the system. The deficiency can be in terms of lack of function, system component issue, operation slackness, and infiltration (Martellini et al., 2017). All these deficiencies would tend to result in forming the issues in the deployment of the system functions for CISO. For example, the malfunctioning of a payment machine would delay the processing of payments and the printing of bills for customers in a retail store. The mitigation of the IT deficiencies would tend to resolve the issue in these system components and formation of the final alignment of the operation. The mitigation process considers the involvement of the effective system development and the formation of the plan for removing the problems of the system. It would consider the involvement of the analysis and planning for reducing the impact of the deficiencies of IT.
Integration of IT Operations and Security Functions: The integration of the IT operations with the various security functions is helpful for the alignment of the success development. The various IT operations related to the technology is required for being modified and used at the development of the supportive operations (Rawnsley & Rawnsley, 2018). The analysis had provided the use of the system components visible for the alignment of the operations. The IT operations in DRE CISO organization would require the use of the information available for the management of the operations. The functional development of the operations would help in listing the formation of the analysis and operations. For example, the operations of a bookstore include the virtual database storage of the available book stock that can be bought. The security function of encryption should be used; otherwise people would be able to extract its information for their personal use (Rahimian, Bajaj & Bradley, 2016). The CSC security functions are helpful in many cases of protecting the information from theft or frauds.
Ability of Prioritization: The ability of prioritizing is helpful for forming a list of required functional development and operations. The prioritization of the information is helpful for forming the development of the strategies for the implementation of the CSC with the integration of information system (Stergiopoulos et al., 2015). The functions and requirements of IT infrastructure are based on the alignment of the successive carrying out of the activities of the DRE CISO organization. The prioritization would help in considering the most crucial factor for the implementation and forming the analysis of it for DRE CISO organization. The prioritization would allow the selection of the correct path of implementation of the security control in the organization. The allowance of the system control is helpful for forming the deployment of the improved functional operations.
Positive Impact of the CSC implementation in DRE CISO organization
The implementation of the CSC is helpful for forming the alignment of the operational development of the security functions in DRE CISO organization. The benefits or positive impacts of implementing CSC in DRE CISO organization are:
Reduction of risk: The reduction of the risk is the primary benefit of implementing the CSC in DRE CISO organization. The risk factors that have negative impact on the operations of the organization would be mitigated and their overall impact on the operations of the organization would be reduced (Alcaraz & Zeadally, 2015). The probability of occurrence of the risk impact would also be negated with the help of implementation of CSC. The risk impact would be nullified that would result in achievement of the desired outcomes from the processes implied.
Improvement of operation: The use of the CSC would help the DRE CISO organization in improving the performance of their operations (Fielder et al., 2016). The security functions implied would be helpful for forming the deployment of the successive development of the improved operation development. The operation development had allowed the formation of the improved information system development in the organization. The development of the activities had supported the listing of the performance and organization.
Incident Response: The response of the incident would be helpful for the deployment of the incident response for the development of the activities (Rebollo et al., 2015). The integration of the analysis is aligned with the modification of the operations, which are aligned with the formation of the supportive development model. The response of the incident is aligned for the deployment of the cohesive management operations.
Threat Mitigation: The mitigation of the threats is another major factor that would allow the formation of the operation management. The mitigation of the threat is aligned with the influential development of the operation and cohesive formation of the operations (Stergiopoulos et al., 2015). The security function of encryption should be used; otherwise people would be able to extract its information for their personal use.
Advanced Attack Detection: The detection and prevention of the attacks like DDoS and malware would be possible with the help of CSC security functions in CISO. The advanced attack detection would allow the formation of the successive and influential overcoming of the operations (Rawnsley & Rawnsley, 2018). The CSC security functions are helpful in many cases of protecting the information from theft or frauds.
It can be concluded from the report that the deployment of the successive management process and deployment of the security functions. The various control issues identified in CISO had included increment of intrusions, system attacks, and vulnerabilities and risk factors. The suggestion strategies for the implementation of the CSC in CISO that had been highlighted in the report were mitigation of IT deficiencies, integration of IT operations and security functions, and ability of prioritization. The benefits or positive impacts of implementing CSC in DRE CISO organization were reduction of risk, improvement of operation, incident response, threat mitigation, and advanced attack detection. The intrigue deployment had supported the formation of the critical security controls that are favourable for the management of the risk posture. The security function development had formed for the consideration of the functional operations.
Kobezak, P., Marchany, R., Raymond, D., & Tront, J. (2018, January). Host Inventory Controls and Systems Survey: Evaluating the CIS Critical Security Control One in Higher Education Networks. In Proceedings of the 51st Hawaii International Conference on System Sciences.
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Knapp, E. D., & Langill, J. T. (2014). Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.
Woods, D., Agrafiotis, I., Nurse, J. R., & Creese, S. (2017). Mapping the coverage of security controls in cyber insurance proposal forms. Journal of Internet Services and Applications, 8(1), 8.
Martellini, M., Abaimov, S., Gaycken, S., & Wilson, C. (2017). Known Weaknesses with Security Controls. In Information Security of Highly Critical Wireless Networks (pp. 27-28). Springer, Cham.
Rawnsley, G. D., & Rawnsley, M. Y. (2018). Critical security, democratisation and television in Taiwan. Routledge.
Rahimian, F., Bajaj, A., & Bradley, W. (2016). Estimation of deficiency risk and prioritization of information security controls: A data-centric approach. International Journal of Accounting Information Systems, 20, 38-64.
Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., & Gritzalis, D. (2015). Risk mitigation strategies for Critical Infrastructures based on graph centrality analysis. International Journal of Critical Infrastructure Protection, 10, 34-44.
Alcaraz, C., & Zeadally, S. (2015). Critical infrastructure protection: Requirements and challenges for the 21st century. International Journal of Critical Infrastructure Protection, 8, 53-66.
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13-23.
Rebollo, O., Mellado, D., Fernández-Medina, E., & Mouratidis, H. (2015). Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, 44-57.
Bajramovic, E., Waed, K., Gao, Y., & Parekh, M. (2017, July). Shared responsibility for forensic readiness-related security controls: Prerequisite for critical infrastructure maintenance and supplier relationships. In Smart Technologies, IEEE EUROCON 2017-17th International Conference on (pp. 364-369). IEEE.