Ciso checklist

So… You want your company to be safe…
I collect some sans recommendation to a list …
Thanks to Rafeeq Rehman for his mind map
!!!! Disclaimer – any list is no alternative to full auditing and fixing the list to yourself !!!!

Leadership Skills

  • Business Strategy
  • Industry Knowledge
  • Business Acumen
  • Communication Skills
  • Presentation Skills
  • Strategic Planning
  • Technical Leadership
  • Security Consulting
  • Stakeholder Management
  • Negotiations
  • Mission and Vision
  • Values and Culture
  • Roadmap Development
  • Business Case Development
  • Project Management
  • Employee Development
  • Financial Planning
  • Budgeting
  • Innovation
  • Marketing
  • Leading Change
  • Customer Relationships
  • Team Building
  • Mentoring

Business Enablement

  • Product Security
    • Secure DevOps
    • Secure Development Lifecycle
    • Bug Bounties
    • Web, Mobile, Cloud AppSec
  • Cloud Computing
    • Cloud Security Architecture
    • Cloud Guidelines
  • Mobile
    • Bring Your Own Device (BYOD)
    • Mobile Policy
  • Emerging Technologies
    • Internet of Things (IoT)
    • Augmented Reality (AR)
    • Virtual Reality (VR)
  • Mergers and Acquisitions
    • Security Due Diligence

Risk Management

  • Risk Management Frameworks
  • Risk Assessment Methodology
  • Business Impact Analysis
  • Risk Assessment Process
  • Risk Analysis and Quantification
  • Security Awareness
  • Vulnerability Management
  • Vendor Risk Management
  • Physical Security
  • Disaster Recovery (DR)
  • Business Continuity Planning
  • Policies and Procedures
  • Risk Treatment
    • Mitigation Planning, Verification
    • Remediation, Cyber Insurance

Identity and Access Management

  • Provisioning/Deprovisioning
  • Single Sign On (SSO)
  • Federated Single Sign On (FSSO)
  • Multi-Factor Authentication
  • Role-Based Access Control (RBAC)
  • Identity Store (LDAP, ActiveDirectory)
  • Security Operations

Security Operations

  • Prevention
    • Data Protection
      • Encryption, PKI, TLS
      • Data Loss Prevention (DLP)
      • Email Security
    • Network Security
      • Firewall, IDS/IPS, Proxy Filtering
      • VPN, Security Gateway
      • DDoS Protection
    • Application Security
      • Threat Modeling
      • Design Review
      • Secure Coding
      • Static Analysis
      • Web App Scanning
      • WAF, RASP
    • Endpoint Security
      • Antivirus, Anti-malware
      • HIDS/HIPS, FIM
      • App Whitelisting
    • Secure Configurations
    • Active Defense
    • Patching
  • Detection
    • Log Management/SIEM
    • Continuous Monitoring
    • Network Security Monitoring
    • NetFlow Analysis
    • Advanced Analytics
    • Threat Hunting
    • Penetration Testing
    • Red Team
    • Vulnerability Scanning
    • Human Sensor
    • Data Loss Prevention (DLP)
    • Security Operations Center (SOC)
    • Threat Intelligence
    • Threat Information Sharing
    • Industry Partnerships
  • Response
    • Incident Handling Plan
    • Breach Preparation
    • Tabletop Exercises
    • Forensic Analysis
    • Crisis Management
    • Breach Communications

Legal and Regulatory

  • Compliance
    • PCI
    • SOX
    • HIPAA
    • FFIEC, CAT
    • FERPA
    • NERC CIP
    • NIST SP 800-37 and 800-53
  • Privacy
    • Privacy Shield
    • EU GDPR
  • Audit
    • SSAE 16
    • SOC 2
    • ISO 27001
    • FISMA and FedRAMP
    • NIST SP 800-53A
    • COSO
  • Investigations
    • eDiscovery
    • Forensics
  • Intellectual Property Protection
  • Contract Review
  • Customer Requirements
  • Lawsuit Risk

Governance

  • Strategy
  • Business Alignment
  • Risk Management
  • Program Framework
    • NIST CSF
    • ISO 27000
  • Control Frameworks
    • NIST 800-53
    • Critical Security
  • Controls (CSC)
  • Program Structure
  • Program Management
  • Communications Plan
  • Roles and Responsibilities
  • Workforce Planning
  • Resource Management
  • Data Classification
  • Security Policy
  • Creating a Security Culture
  • Security Training
    • Awareness Training
    • Role-Based Training
  • Metrics and Reporting
  • IT Portfolio Management
  • Change Management
  • Board Communications

Building a SOC

Security Operations Center

  • Outsourcing Pros
    • Potential cost savings – building a SOC is expensive
    • Fully trained and qualified staff
    • Experience handling stressful situations
    • Experience handling all types of security events effectively and efficiently
    • Augments existing staff/fills gaps in hiring skills professionals
    • Threat Intelligence – keeps you current on emerging threats
    • Helps you leverage security intelligence across industries
    • Industry information sharing
    • Enables organizations to focus on core tasks
    • Breaks down barriers in organizations where silos exist
    • Enables 24x7x365 requirement
    • Provides SLAs on how service will be provided
    • Well-defined run book
  • Outsourcing Cons
    • Unfamiliar with organization’s business drivers/industry
    • Limited on depth of service and capabilities
    • Optimizes its systems to scale and services a large volume of customers
    • Large customer base, lacks intimate knowledge
    • Lack of dedicated resources & support for your organization
    • Focused on maximizing profits
    • Lack of specialization, excels at providing standard security services vs. customized
    • Minimal opportunities for correlation unless all data are sent to the MSSP
    • Outsourced threat intelligence has a short lifespan
    • No incentive to help improve your operations
    • Limited ability to store data

MSSP Onboarding Checklist

  • Organizational Requirements
    • Defined ownership of security
    • Good cultural fit
    • Business partnership
  • Hiring Standards
    • Background checks
    • Credit checks
    • Security clearance
    • References
    • Certifications
  • Adequately Staffed
    • Staffing member ratios
  • Hiring Practices
    • Drug tests
    • Citizenship requirements
  • Suppliers, Partners, and Resellers
    • Access to customer data
    • Connection to network
  • Communication Tools
    • Case management solution
    • Information sharing portal
    • Secure chat
  • Reports
    • Metrics and dashboards
    • Status delivery frequency
    • MTTD, MTTR
  • Organizational Stability
    • Years in business
    • Financially stable
    • SLAs and failover capability
    • Exit strategy