CISO Leadership Workshop Overview

The Chief Information Security Office (CISO) workshop helps accelerate security program modernization with reference strategies built on Zero Trust principles.

The workshop covers all aspects of a comprehensive security program, including strategic initiatives, roles and responsibilities, success metrics, maturity models, and more.






CISO Workshop

Note: CISO Workshop videos: https://learn.microsoft.com/en-us/security/ciso-workshop/the-ciso-workshop


The workshop videos (about 4 hours total) and slides are organized into these discussions:

  • Introduction and Overview of the CISO Workshop
  • Part A - Key Context and Fundamentals
  • Part B - Business Alignment
    • Engaging business leaders on security – guidance to have a conversation in the language of leaders to explain security, key metrics to measure success of a program, and how to get support for security goals.
    • Risk Insights – discusses the dual mission of security to reduce risk to the organization and enable business goals, shares tips on aligning security goals with business goals and business risk, and shares insights on the types of attacker motivations organizations face.
    • Security Integration – guidance for successfully integrating security teams together and integrating security into IT and business processes, including an in-depth discussion of how to build a posture management program: an operational team focused on preventive controls, which complements the security operations (SecOps/SOC) team focused on detection, response, and recovery.
    • Business Resilience – discusses how business resilience is the north star of the security program across all security disciplines, which requires balancing security investments (before, during, and after an incident) and creating a strong feedback loop. This section also includes discussion of the impact of unbalanced strategies (a common antipattern).
    • Maturity models describing real world journeys for Risk Insights, Security Integration, and Business Resilience – including specific concrete actions to help you move up to the next level
  • Part C – Security Disciplines
    • Access Control - discusses how the Zero Trust approach is transforming access control, including identity and network access converging into a single coherent approach, and the emergence of the Known-Trusted-Allowed model (which updates the classic authenticated/authorized approach).
    • Security Operations – discusses key leadership aspects of a security operations capability, often called SecOps or a Security Operations Center (SOC) including critical success metrics, key touchpoints with business leaders and functions, and the most important cultural elements.
    • Asset Protection – discusses two key imperatives for teams that manage and secure assets (often IT Operations or Workload operations in DevOps). These teams must prioritize security work based on business criticality and must strive to efficiently scale security across the large, growing, and continuously evolving set of assets in the technical estate.
    • Security Governance – discusses the role of Security Governance as a bridge between the world of business goals and technology and how this role is changing with the advent of cloud, digital and zero trust transformations. This section also covers key components of security governance including risk, compliance, security architecture, posture management, (strategic) threat intelligence, and more.
    • Innovation Security - discussion of how application security evolves into a modern approach (including DevSecOps) and key focus areas to drive success of this capability.
    • Security Governance Maturity models describing real world journeys for Security Architecture, Posture Management, and IT Security Maintenance – including specific concrete actions to help you move up to the next level
    • Next Steps/Closing – wraps up the workshop with key quick wins and next steps



Imperative: Coverage for common attack chains (insider and external threats)


Microsoft Digital Defense Report: 

https://aka.ms/MDDR (https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022)





Mindmap 



Resources: 

A CISO (Chief Information Security Officer) has a complex role within a company. They have a wide array of tasks to perform, involving many different areas that the average person is not always aware of.

The CISO Mind Map is an overview of the responsibilities and ever-expanding role of the CISO. This Security Leadership poster, made by SANS, shows exactly the matters a CISO needs to mind when building a world-class IT security team. It also highlights the essential features of a Security Operations Centre (SOC).

To make this chart more practical, I put it into tables and will update it with some technologies and thoughts applied in my daily work. This update will continue over the long term. It will be put into the navigation bar for easy access.



Security Operations

Prevention | Detection | Response

  • Data Protection
    • IBM Guardium
  • Network Security
    • Network IPS
    • Firewall
      • Cisco
      • CheckPoint
      • FortiGate
      • Juniper
      • Palo Alto
      • etc
  • Application Security
    • OWASP
    • WASC
    • Qualys WAS
    • IBM AppScan
    • HP Fortify
    • Veracode
  • Endpoint Security
    • Host IPS
    • AntiVirus
    • AntiSpam
    • Endpoint Encryption
  • Secure Configurations
  • Active Defense
  • Patching
    • WSUS
  • Web Filtering
    • Cisco IronPort
  • Email Filtering
    • Proofpoint
  • Log Management / SIEM
    • IBM QRadar
    • ArcSight
  • Continuous Monitoring
  • Network Security Monitoring
    • SolarWinds
    • PRTG
    • MRTG
  • NetFlow Analysis
  • Threat Hunting
  • Penetration Testing
    • Kali
  • Red Team
  • Vulnerability Scanning
    • Nessus
    • Qualys
  • Human Sensor
  • Data Loss Prevention (DLP)
    • Symantec DLP
  • Security Operation Center (SOC)
  • Threat Intelligence
    • Symantec ATP
    • FireEye
  • Threat Modeling
    • Microsoft STRIDE Tool
  • Incident Handling Plan
    • Document
  • Breach Preparation
  • Tabletop Exercise
  • Forensic Analysis
    • SANS SIFT
    • Paladin
  • Crisis Management
  • Breach Communication




Legal and Regulatory



Compliance | Privacy | Audit | Investigation
  • PCI
  • SOX
  • HIPAA
  • FFIEC, CAT
  • FERPA
  • NERC CIP
  • NIST SP 800-37 and 800-53
  • Public Service of Ontario Act, 2006 (PSOA).
  • Employment Standards Act (Ontario) (ESA)
  • Privacy Shield
  • EU GDPR
  • SSAE 16
  • SOC 2
  • ISO27001
  • FISMA and FedRAMP
  • NIST SP 800-53A
  • COSO
  • eDiscovery
  • Forensics
    • SANS SIFT
    • Paladin
Intellectual Property | Contract Review | Customer Requirements | Lawsuit Risk & Acts
  • Documents
  • Documents
  • Documents






Risk Management




Risk Framework | Risk Assessment Methodology | Business Impact Analysis
  • FAIR
  • NIST RMF
  • OCTAVE
  • TARA
Risk Assessment Process | Risk Analysis and Quantification | Security Awareness


  • Training
  • Lunch and Learn
  • Communication
Vulnerability Management | Vendor Risk Management | Physical Security
  • Qualys

  • Badge 
  • Gate / Turnstile
  • Camera
Disaster Recovery (DR) | Business Continuity Planning | Risk Treatment


  • Mitigation Planning Verification
  • Remediation
  • Cyber Insurance
Policies and Procedures
  • Code of Conduct
    • Accessibility Policy – Providing Services to People with Disabilities
    • Appropriate Use of Information and Computing Resources Policy
    • Financial Policies and Procedures, including Procurement & Contract Management Policy
    • Adjudication Guideline
    • Guidance for Staff on Invitations to Third Party Functions and Other Gifts
    • Guidelines to Personal Trading Rules
    • Information and Records Management Policy
    • Media Relations Policy
    • Political Activity Policy
    • Respectful Workplace Policy
    • Security/Safety and Emergency Procedures
    • Travel, Meal and Hospitality Expenses Policy
    • Your Guide to Working at the Company
  • Policy on Protecting Information When Outside the Office
  • Security Classification Guidance
  • Proper recordkeeping and appropriate records management: relevant principles and best practices
  • Classification Scheme and Retention Schedule - Transitory Records Schedule


Business Enablement


Product Security | Cloud Computing | Mobile
  • Secure DevOps
  • Secure Development Lifecycle
  • Bug Bounties
  • Web, Mobile, Cloud AppSec
  • Cloud Security Architecture
  • Cloud Guidelines
  • BYOD (Bring Your Own Device)
  • Mobile Policy
Emerging Technologies | Mergers and Acquisitions
  • Internet of Things (IoT)
  • Augmented Reality (AR)
  • Virtual Reality (VR)
  • Blockchain
  • Security Due Diligence




Governance




Strategy | Business Alignment | Risk Management
  • Team Charter
  • Roadmap
  • Security Posture


Program Frameworks | Control Frameworks | Program Structure
  • NIST CSF
  • ISO27000
  • NIST 800-53
  • CIS Controls

Program Management | Communications Plan | Roles and Responsibilities



Workforce Planning | Resource Management | Data Classification


  • Documentation
Security Policy | Create a Security Culture | Security Training
  • Security Handbook
  • Policy

  • Awareness Training
    • Wombat
  • Role-Based Training
Metrics and Reporting | IT Portfolio Management | Change Management
  • TIBCO Spotfire

  • ITIL

Board Communications

  • Information Security Steering Board





Identity and Access Management

Provisioning/Deprovisioning | Single Sign-On (SSO) | Federated Single Sign-On (FSSO)

Multi-Factor Authentication | Role-Based Access Control (RBAC) | Identity Store (LDAP, Active Directory)






Leadership Skills



Business Strategy | Industry Knowledge | Business Acumen



Communication Skills | Presentation Skills | Strategic Planning



Technical Leadership | Security Consulting | Stakeholder Management
  • ISO Charter
  • Advisory
  • Group / Team Mailbox
    • Color categories

Negotiations | Mission and Vision | Values and Culture



Roadmap Development | Business Case Development | Project Management
  • Company / Organization Wide Information Security RoadMap

  • Project Charter
Employee Development | Financial Planning | Budgeting



Innovation | Marketing | Leading Change



Customer Relationships | Team Building | Mentoring

  • ISO Team Dashboard
    • Project Portfolio
    • Operational Activities



Note: ISO = Information Security Office



Another CISO Mind Map example:
Note: The original image concept was created by Rafeeq Rehman and later redesigned by Momentum Partners.

===================================================================


CISO Job



What is the job of Chief Information Security Officer (CISO) in ISO 27001?

Compliance:

Documentation:

Human resources management:
  • Perform background verification checks of job candidates
  • Prepare the training and awareness plan for information security (see also How to perform training & awareness for ISO 27001 and ISO 22301)
  • Perform continuous activities related to awareness raising
  • Perform induction training on security topics for new employees
  • Propose disciplinary actions against employees who caused a security breach
Relationship with top management:
  • Communicate the benefits of information security (see also Four key benefits of ISO 27001 implementation)
  • Propose information security objectives (see also ISO 27001 control objectives – Why are they important?)
  • Report on the results of measuring
  • Propose security improvements and corrective actions
  • Propose budget and other required resources for protecting the information
  • Report important requirements of interested parties
  • Notify top management about the main risks
  • Report about the implementation of safeguards
  • Advise top executives on all security matters
Improvements:
  • Ensure that all corrective actions are performed
  • Verify if the corrective actions have eliminated the cause of nonconformities
Asset management:
  • Maintain an inventory of all important information assets
  • Delete records that are no longer needed
  • Dispose of media and equipment no longer in use, in a secure way
Third parties:
  • Perform risk assessment for activities to be outsourced
  • Perform background check for candidates for outsourcing partners
  • Define security clauses that must be part of an agreement
Communication:
  • Define which type of communication channels are acceptable and which are not
  • Prepare communication equipment to be used in case of an emergency / disaster
Incident management:
  • Receive information about security incidents
  • Coordinate response to security incidents
  • Prepare evidence for legal action following an incident
  • Analyze incidents in order to prevent their recurrence
Business continuity:
  • Coordinate the business impact analysis process and the creation of response plans
  • Coordinate exercising and testing
  • Perform post-incident review of the recovery plans
Technical:
  • Approve appropriate methods for the protection of mobile devices, computer networks and other communication channels
  • Propose authentication methods, password policy, encryption methods, etc.
  • Propose rules for secure teleworking
  • Define required security features of Internet services
  • Define principles for secure development of information systems
  • Review logs of user activities in order to recognize suspicious behavior
