CISO checklist

Eran Goldman-Malka · November 24, 2017

So, you want your company to be safe.

I’ve collected some SANS recommendations into a list.

!!!! Disclaimer: no list is a substitute for auditing your own environment and adapting the list to it !!!!

    Leadership Skills

  • Business Strategy
  • Industry Knowledge
  • Business Acumen
  • Communication Skills
  • Presentation Skills
  • Strategic Planning
  • Technical Leadership
  • Security Consulting
  • Stakeholder Management
  • Negotiations
  • Mission and Vision
  • Values and Culture
  • Roadmap Development
  • Business Case Development
  • Project Management
  • Employee Development
  • Financial Planning
  • Budgeting
  • Innovation
  • Marketing
  • Leading Change
  • Customer Relationships
  • Team Building
  • Mentoring

    Business Enablement

  • Product Security
      • Secure DevOps
      • Secure Development Lifecycle
      • Bug Bounties
      • Web, Mobile, Cloud AppSec
  • Cloud Computing
      • Cloud Security Architecture
      • Cloud Guidelines
  • Mobile
      • Bring Your Own Device (BYOD)
      • Mobile Policy
  • Emerging Technologies
      • Internet of Things (IoT)
      • Augmented Reality (AR)
      • Virtual Reality (VR)
  • Mergers and Acquisitions
      • Security Due Diligence

    Risk Management

  • Risk Management Frameworks
  • Risk Assessment Methodology
  • Business Impact Analysis
  • Risk Assessment Process
  • Risk Analysis and Quantification
  • Security Awareness
  • Vulnerability Management
  • Vendor Risk Management
  • Physical Security
  • Disaster Recovery (DR)
  • Business Continuity Planning
  • Policies and Procedures
  • Risk Treatment
      • Mitigation Planning
      • Verification
      • Remediation
      • Cyber Insurance

    Identity and Access Management

  • Provisioning/Deprovisioning
  • Single Sign On (SSO)
  • Federated Single Sign On (FSSO)
  • Multi-Factor Authentication
  • Role-Based Access Control (RBAC)
  • Identity Store (LDAP, Active Directory)

    Security Operations

  • Prevention
      • Data Protection
          • Encryption, PKI, TLS
          • Data Loss Prevention (DLP)
          • Email Security
      • Network Security
          • Firewall, IDS/IPS, Proxy Filtering
          • VPN, Security Gateway
          • DDoS Protection
      • Application Security
          • Threat Modeling
          • Design Review
          • Secure Coding
          • Static Analysis
          • Web App Scanning
          • WAF, RASP
      • Endpoint Security
          • Antivirus, Anti-malware
          • HIDS/HIPS, FIM
          • App Whitelisting
          • Secure Configurations
      • Active Defense
      • Patching
  • Detection
      • Log Management/SIEM
      • Continuous Monitoring
      • Network Security Monitoring
      • NetFlow Analysis
      • Advanced Analytics
      • Threat Hunting
      • Penetration Testing
      • Red Team
      • Vulnerability Scanning
      • Human Sensor
      • Data Loss Prevention (DLP)
      • Security Operations Center (SOC)
      • Threat Intelligence
      • Threat Information Sharing
      • Industry Partnerships
  • Response
      • Incident Handling Plan
      • Breach Preparation
      • Tabletop Exercises
      • Forensic Analysis
      • Crisis Management
      • Breach Communications

    Legal and Regulatory

  • Compliance
      • PCI
      • SOX
      • HIPAA
      • FFIEC, CAT
      • FERPA
      • NERC CIP
      • NIST SP 800-37 and 800-53
  • Privacy
      • Privacy Shield
      • EU GDPR
  • Audit
      • SSAE 16
      • SOC 2
      • ISO 27001
      • FISMA and FedRAMP
      • NIST SP 800-53A
      • COSO
  • Investigations
      • eDiscovery
      • Forensics
  • Intellectual Property Protection
  • Contract Review
      • Customer Requirements
      • Lawsuit Risk

    Governance

  • Strategy
  • Business Alignment
  • Risk Management
  • Program Framework
      • NIST CSF
      • ISO 27000
  • Control Frameworks
      • NIST 800-53
      • Critical Security Controls (CSC)
  • Program Structure
  • Program Management
  • Communications Plan
  • Roles and Responsibilities
  • Workforce Planning
  • Resource Management
  • Data Classification
  • Security Policy
  • Creating a Security Culture
  • Security Training
      • Awareness Training
      • Role-Based Training
  • Metrics and Reporting
  • IT Portfolio Management
  • Change Management
  • Board Communications

    Building a SOC (Security Operations Center)

  • Outsourcing Pros
      • Potential cost savings – building a SOC is expensive
      • Fully trained and qualified staff
          • Experience handling stressful situations
          • Experience handling all types of security events effectively and efficiently
      • Augments existing staff / fills gaps in hiring skilled professionals
      • Threat Intelligence – keeps you current on emerging threats
          • Helps you leverage security intelligence across industries
          • Industry information sharing
      • Enables organizations to focus on core tasks
      • Breaks down barriers in organizations where silos exist
      • Enables the 24x7x365 requirement
      • Provides SLAs on how the service will be delivered
      • Well-defined run book
  • Outsourcing Cons
      • Unfamiliar with the organization’s business drivers/industry
      • Limited depth of service and capabilities
      • Optimizes its systems to scale and to service a large volume of customers
      • Large customer base, lacks intimate knowledge of your environment
      • Lack of dedicated resources and support for your organization
      • Focused on maximizing profits
      • Lack of specialization: excels at providing standard security services rather than customized ones
      • Minimal opportunities for correlation unless all data are sent to the MSSP
      • Outsourced threat intelligence has a short lifespan
      • No incentive to help improve your operations
      • Limited ability to store data

    MSSP Onboarding Checklist

  • Organizational Requirements
      • Defined ownership of security
      • Good cultural fit
      • Business partnership
  • Hiring Standards
      • Background checks
      • Credit checks
      • Security clearance
      • References
      • Certifications
  • Adequately Staffed
      • Staffing member ratios
  • Hiring Practices
      • Drug tests
      • Citizenship requirements
  • Suppliers, Partners, and Resellers
      • Access to customer data
      • Connection to network
  • Communication Tools
      • Case management solution
      • Information sharing portal
      • Secure chat
  • Reports
      • Metrics and dashboards
      • Status delivery frequency
      • MTTD, MTTR
  • Organizational Stability
      • Years in business
      • Financially stable
      • SLAs and failover capability
      • Exit strategy

Thanks to Rafeeq Rehman for his mind map.
