Cybersecurity CS5L CMM
- Since the advent of the Internet, the number of data networks, applications, home computers and mobile data-driven devices such as smartphones has increased exponentially. Likewise, the opportunities for all of these to be exploited by computer viruses, hackers and various other threats have grown in parallel. The net results of these threats range from annoyances to literally life-threatening situations.
- Over roughly the last four decades, beginning (by most accounts) with the Creeper virus on ARPANET, the precursor to the Internet, an entire industry has grown up around hacking, identity theft, computer piracy[1] and a host of other types of attack. A corresponding industry spanning all of Information Technology was born in response: cybersecurity.
Background
Evolution to be inclusive
- In the Information Technology (IT) industry, the evolution of the Capability Maturity Model (CMM) began with capability modeling for software development. Its security component was limited to the security elements included in the development of software applications.
- With the advent of many cybersecurity solution providers, both those that built cybersecurity into their products, like Cisco, and those that were solely cybersecurity vendors, the model became outdated because it failed to include these elements. In the energy industry a cybersecurity capability maturity model named C2M2 was developed. It has been progressive in addressing measurement specific to SCADA compliance, but it does not cover all elements or areas of cybersecurity.
- Cybersecurity solution providers, or vendors, gravitated to solutions specific to their areas of expertise or market share. Initially there was a lot of emphasis on an all-inclusive technical solution; only in the five years leading up to 2015 did this change to incorporate social engineering, the human behavior element. The change was driven by the trend of successful cyber attacks that began with user behavior and could not be controlled with a technical solution alone. The big omission was cybersecurity awareness training.
A strategic approach
- In collaboration with many companies, associations and government bodies, a strategic approach was developed that groups the elements or areas of cybersecurity into five layouts, one of which is training. The five-layout strategy was adopted and became part of many initiatives for organizing cybersecurity measurement in state government and private industry. The approach is to have a strategic defense, hence a cybersecurity strategy, much like a military defense strategy in which assets (air force, tanks, infantry) are used strategically to develop a tactical plan.
- Breaking the strategy out into five areas, or layouts, also simplifies the data acquisition process in the CMM and the analysis of the resulting data.
- It allows easier identification of the responsible parties in an organization and of the areas on which cybersecurity solution providers are focused, and gives management a simplified view.
- It makes clear that a cybersecurity strategy is an executive responsibility reaching across the organization (including training) and encompassing computer systems, hardware, software, people, policies and procedures.
- This helps negate both "ask my IT guy about compliance" and the "white horse" cybersecurity solution.
Measurement
- The modeling evolved to address the layouts and encompass all vendors providing cybersecurity solutions, thereby providing a model that is useful at an executive level to measure and manage not only the enterprise itself but also the organizations it does business with and allows access to its systems.
Hence we arrive at a Cybersecurity Strategy 5 Layout Capability Maturity Model, CS5L CMM.
Cybersecurity Strategy 5 Layout Capability Maturity Model
The Cybersecurity Strategy is used to manage and measure all aspects of IT security by grouping security functionality into five areas, or layouts, of defense.
- A strategic approach identifies five layouts and adopts a Cybersecurity Strategy 5 Layout Capability Maturity Model (CS5L CMM).
The CS5L CMM model has a tool, also called CS5L CMM, which is an open source web application used to collect data and measure. This is part of a "Mature Cybersecurity Strategy".
Cybersecurity Strategy
The Cyber Security Strategy is a framework for determining gaps and measuring them using the 5 Layout approach (CS5L), which results in a standard measurement from which a tactical plan can be developed. In military terms the strategy is how we plan our defenses; the tactical plan is how we implement and perform it.
- In practice, companies have various vendors that provide security, most of which participate in providing data, have system interfaces and are able to supply iterative answers for their layout of defense, sometimes spanning more than one area or layout.
- The five layouts cover the general areas known at this time, and the strategy model formalizes measurement of each and provides a road map for improvement by using capability maturity modeling (CMM).
- In this way we identify security risks, address them, and have a plan to improve going forward, while maintaining a record of it.
- We show how the CS5L CMM measurement fits into a complete 'mature' defense approach.
- A 'mature' cyber security defense includes a cycle of processes before and after the data gathering (CS5L) and measurement (CMM): before, a situation awareness study (largely a self study); after, vulnerability and compliance mapping and risk management. The CS5L CMM framework is developing quickly into a measurement standard; it is the groundwork of the complete cycle.
- CS5L: the Cybersecurity Strategy 5 layouts are the strategic asset areas (devices, people, policies and procedures) in the strategy model.
- CMM: the Capability Maturity Model formalizes and standardizes measurement of each layout and provides a road map for improving capability.
Mature cybersecurity defense
The CS5L CMM is part of a bigger process we call a mature cybersecurity defense.
A mature cybersecurity defense is called mature because it implies that all of the processes are addressed.
The CS5L CMM is used in two of the processes: to collect data and to measure.
The processes are as follows and form a continuous cycle:
- A situation awareness self study,
- Data gathering (a checklist of questions and answers, and data inputs at the user and device level) - CS5L,
- Measurement using a Capability Maturity Model - CMM,
- Vulnerability mapping,
- Regulatory compliance check and planning,
- Risk planning and risk management, including incident mitigation.
Cybersecurity 5 layout
The strategy areas, or layouts,
- help organize an all-encompassing approach, and
- separate the data into manageable segments for measurement.
- In the analysis phase, this allows drill-down of the measurement results.
- Measurement results in identifying security risks, addressing them, and devising a plan to manage and improve going forward.
Five Layouts. The 5 layout Cyber Security defense strategy, CS5L, is a developed standard for measuring the people, procedures and systems of an enterprise. When engaged at a client site, System Soft deploys trained cyber security, system and analytical experts to support this five layout approach. The process begins with a 'situational awareness study', which is done primarily together with the client. The process is then performed in two stages, gathering data and measurement, both using the 5 layouts:
- 1. Network (Communication)
Vendors providing VPN (virtual private network) hardware, networking equipment, firewalls and software, e.g. Cisco. This is part of a defense layout reaching every endpoint, including BYOD (bring your own device). It includes data gathering on network encryption, all devices and user access, and analysis of the design and configuration of these networks and firewalls, with a focus on vulnerabilities.
- 2. AppSec (Software systems)
AppSec (application security) covers applications developed by the client that interact with services hosted by the client, and applications installed on any part of their network, whether hosted, on an end client or on a server. This includes wireless, DMZ servers, telephony, border routing, remote administration, web security gateways, remote access VPN, etc., together with the access policies and authentication methods for systems and data.
- 3. Security Awareness (People capability and procedures)
Often measured by the level of training, part of which is sometimes called Employee cyber Security Awareness Training (ESAT). Measure access to ESAT for all employees, and for agents or B2B companies that have tier 1 access. The ESAT program should run through an online web app which, under the control of the IT department and in collaboration with HR, performs a simulated phishing attack on employees and measures performance. It then runs a training program driven via email and performed on the web, which allows users to proceed at their own pace, stopping and restarting as needed. Once complete, the 'dummy' attack is performed again and measured. Security awareness also includes developer training for application developers, administration policy, managing privacy, and risk assessment.
- 4. Internal Defense (In-house scanning, policies and controls)
Anti-virus (AV), data encryption, disaster recovery, backup and recovery, installation and version control, USB usage, managing alerts, and incident mitigation.
- 5. Forensics (CSI and real time monitoring)
Analyze and measure the configuration and monitoring of all system access. Design and deliver custom action plans for responsive action to denial of service attacks and access breach attempts. E.g. Sourcefire, now a Cisco product.
Measurement
- Each of the 5 layouts is measured using the levels of the Capability Maturity Model (CMM):
- GRADE A. Self optimizing
At the optimizing level, processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs. At the self optimizing level, the organization has the processes in place not only to be managed but also to replicate and teach the process, giving an ongoing maturing capability as the organization changes, people come and go, and the processes change.
- GRADE B. Managed
At the managed level, an organization monitors and controls its own processes through data collection and analysis.
- GRADE C. Defined and Measured
At the defined and measured level, an organization has developed its own standard process through greater attention to documentation, standardization, and integration.
- GRADE D. Repeatable
At the repeatable level, basic project management techniques are established, and successes can be repeated because the requisite processes have been established, defined, and documented.
- GRADE E. Initial
At the initial level, processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered repeatable, because processes are not sufficiently defined and documented to allow them to be replicated.
Data collection
Using the Cyber Security Strategy CS5L CMM system, two steps are performed to collect data for each layout:
- a survey of questions directed to the responsible person in the organization, and
- where applicable, data drawn in and applied dynamically to the CMM.
Capability for each question is rated on the CMM levels twice:
- 'As is' (where you are now) and
- 'To be' (where you need to be).
The difference between the level chosen for today and the level required establishes the 'gap', which identifies where to focus on maturing capability. Hence the name Capability Maturity Modeling.
In step 1, each question is presented to the responsible person with the five CMM levels to choose from for 'as is' and 'to be'.
In step 2, where data is drawn in dynamically (an example would be each user's completed training courses), the system applies the data to the CMM using preset rules: for instance, if a user has completed a given set of courses, that user is mapped to a CMM level, say, managed.
Dynamic links are set up in co-operation with each cybersecurity vendor, as are the questions.
Questions are assigned to a responsible person in the organization to provide answers, all communicated by email.
CS5L CMM system
The CS5L CMM system is an open web SaaS system which delivers measurement data to an MS SQL database, which is then available free of charge for reporting on the measured data.
There are two parts: data collection (CS5L) and measurement (CMM).
- Data is collected on policies, procedures, devices, users and each employee's training maturity, in each area or layout (sometimes crossing two or more layouts), by questions and answers and by input feeds from various vendors.
As part of CS5L, data is collected in two main ways:
1. By survey, using emails, questions and CMM answers (CMM levels are selected), sent to the responsible person for a layout or part thereof.
- Questions specific to a vendor are surveyed, added to the database of questions, and in turn sent to the person responsible for managing that security vendor's product.
2. By data inputs configured specifically for the security vendor and inserted into the database for later dynamic CMM level assignment, which is configurable.
As part of the CMM, the data is applied and analysed.
- The CMM records data as maturity progresses, assists in drill-downs to easily identify deficits, and retains and reports the CMM data.
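As an added example (not code from the CS5L CMM tool or from System Soft), the following Python models the two collection steps described under Data collection and CS5L CMM system above: step 1, survey questions rated 'as is' and 'to be' by a responsible person, and step 2, a dynamic training feed mapped to a grade by preset rules, followed by the per-layout summary and the drill-down that the measurement and analysis phases rely on. The numeric scoring of the grades (E=1 to A=5), the definition of a gap as 'to be' minus 'as is', the rule that a layout's grade is its weakest answer, the course names, the training rule set and all sample rows are assumptions or constructed input, not the project's own.

```python
"""Added example (not the CS5L CMM tool's own code): survey ratings, a dynamic
training feed mapped to grades by preset rules, and the per-layout gap view.
Assumed, not from the page: grades score E=1..A=5, gap = to_be - as_is, a
layout's grade is its weakest answer, and the rules and data are illustrative."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Grade letters as used in the Measurement section, scored 1..5.
GRADES: Dict[str, int] = {"E": 1, "D": 2, "C": 3, "B": 4, "A": 5}
LAYOUTS = ("Network", "AppSec", "Security Awareness",
           "Internal Defense", "Forensics")

@dataclass(frozen=True)
class Rating:
    """One question rated 'as is' and 'to be' by its responsible person."""
    layout: str
    question: str
    owner: str   # responsible person the question was e-mailed to
    as_is: str   # grade letter
    to_be: str   # grade letter

    def __post_init__(self) -> None:
        # Reject input a survey or vendor feed would otherwise silently misfile.
        if self.layout not in LAYOUTS:
            raise ValueError(f"unknown layout: {self.layout}")
        for grade in (self.as_is, self.to_be):
            if grade not in GRADES:
                raise ValueError(f"unknown grade: {grade}")

    def gap(self) -> int:
        """Levels still to climb; negative means already above target."""
        return GRADES[self.to_be] - GRADES[self.as_is]

# Step 2, dynamic feed: illustrative (assumed) rules mapping a user's ESAT
# courses and phishing re-test result to a grade. Only the organization-level
# survey can award A, so these rules top out at B.
REQUIRED_COURSES: Set[str] = {"phishing-basics", "password-hygiene",
                              "data-handling"}

def grade_from_training(completed: Set[str], clicked: Optional[bool]) -> str:
    done = REQUIRED_COURSES & completed
    if not done:
        return "E"          # untrained
    if done != REQUIRED_COURSES:
        return "D"          # partially trained
    if clicked is None or clicked:
        return "C"          # fully trained but not yet re-tested, or failed
    return "B"              # fully trained and passed the re-test

def awareness_ratings(feed: Dict[str, Tuple[Set[str], Optional[bool]]],
                      to_be: str = "B") -> List[Rating]:
    """Turn a training feed {user: (courses, clicked)} into per-user ratings."""
    return [Rating("Security Awareness", f"ESAT completion: {user}", "HR",
                   grade_from_training(courses, clicked), to_be)
            for user, (courses, clicked) in feed.items()]

def layout_summary(ratings: Iterable[Rating]) -> Dict[str, dict]:
    """Per-layout view for management: weakest grade and outstanding gap."""
    ratings = list(ratings)
    out: Dict[str, dict] = {}
    for layout in LAYOUTS:
        rs = [r for r in ratings if r.layout == layout]
        if not rs:
            continue
        worst = min(rs, key=lambda r: GRADES[r.as_is])
        out[layout] = {"as_is": worst.as_is,
                       "open_gaps": sum(1 for r in rs if r.gap() > 0),
                       "total_gap": sum(r.gap() for r in rs)}
    return out

def drill_down(ratings: Iterable[Rating], layout: str) -> List[Rating]:
    """Analysis-phase drill-down: open gaps in one layout, largest first."""
    return sorted((r for r in ratings if r.layout == layout and r.gap() > 0),
                  key=lambda r: (-r.gap(), r.owner, r.question))

# Constructed sample input, not real survey or training data.
SURVEY: List[Rating] = [
    Rating("Network", "Is VPN access limited to managed devices?", "netops", "D", "B"),
    Rating("Network", "Is the firewall rule base reviewed on a schedule?", "netops", "C", "C"),
    Rating("AppSec", "Are authentication methods documented per system?", "appdev", "E", "C"),
    Rating("Internal Defense", "Is USB usage controlled by policy?", "it", "B", "B"),
    Rating("Forensics", "Is all system access monitored in real time?", "soc", "D", "A"),
]
TRAINING_FEED = {  # user -> (courses completed, clicked in phishing re-test?)
    "alice": ({"phishing-basics", "password-hygiene", "data-handling"}, False),
    "bob": ({"phishing-basics"}, True),
    "carol": (set(), None),
}
ALL_RATINGS = SURVEY + awareness_ratings(TRAINING_FEED)

if __name__ == "__main__":
    for name, s in layout_summary(ALL_RATINGS).items():
        print(f"{name:20} as-is {s['as_is']}  open gaps {s['open_gaps']}  total gap {s['total_gap']}")
    for r in drill_down(ALL_RATINGS, "Security Awareness"):
        print(f"  gap {r.gap()}  {r.owner:6} {r.question}")
```

Run directly, it prints the per-layout summary and the Security Awareness drill-down. Two design points matter in practice: a rating with an unknown grade or layout is rejected in the constructor rather than silently misfiled, which is the check a vendor data feed needs before it is allowed to set CMM levels automatically, and the training rules top out at B, so an organization can only reach the self optimizing grade through the organization-level survey, not through per-user course completion.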
References
- David Ortiz, Energy.gov, Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), 2014
- National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, 2014
- Matthew J. Butkovic, Richard A. Caralli, Advancing Cybersecurity Capability Measurement Using the CERT®-RMM Maturity Indicator Level Scale, Software Engineering Institute, 2013, http://resources.sei.cmu.edu/asset_files/TechnicalNote/2013_004_001_69194.pdf
- Gartner, The Security Processes You Must Get Right, 23 January 2013, analyst: Rob McMillan
- Capability Maturity Model (CMM) for software development, http://searchsoftwarequality.techtarget.com/definition/Capability-Maturity-Model
Related Publications
- Energy Sector Cybersecurity Framework Implementation Guidance (January 2015)
Significant coverage
- AIF (Associated Industries of Florida), Building an initiative to bring capability measurement to Florida State
- RSA Conference 2015, Where the world talks security - the US, the EMEA region and the Asia-Pacific region, http://www.rsaconference.com/about
Reliable sources
In collaboration with academic institutions like Florida State University (FSU), independent corporations, and federal and state governments, there is a growing need for a standard for measuring cybersecurity capability and maturity: not only to measure organizations themselves, but also those they do business with and allow tier 1 access to their systems, thereby exposing their defenses to malware insertion and the like. Retail giants with thousands of agents and suppliers are the most exposed.
Independent sources
The CS5L CMM framework is open source, delivered as a SaaS solution and made available without cost to improve measurement and thereby cybersecurity, including the human element such as training. Many security vendors deliver solutions in any one or a combination of the layouts, and they voluntarily contribute to the measurement techniques.
Notes
- The intent of the Cybersecurity Strategy Capability Maturity Model framework is to adopt a measurement standard for an all-inclusive cybersecurity defense, which includes gathering performance data via questions and data links to security vendors for the measurement of PEOPLE (training), PROCEDURES, HARDWARE, SOFTWARE, DATA and ACCESS.
- According to Gartner, CISOs must own the following six security processes and ensure that they are defined and executed reliably:
Security Governance, Policy Management, Awareness and Education, Identity and Access Management, Vulnerability Management, Incident Response
- CISOs must ensure that the following four processes are defined and executed reliably, regardless of ownership:
Change Management; Business Continuity Management and Disaster Recovery Management; Project Life Cycle Management; Vendor Management
- These processes are accounted for in the cybersecurity strategy measurement framework.
- Advancing the CMM by adding levels, as argued by the Software Engineering Institute (see references):
"The current version of the CERT® Resilience Management Model (CERT®-RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University's Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the maturity indicator level scale, or CERT-RMM MIL scale."
This article "Cybersecurity CS5L CMM" is from Wikipedia. The list of its authors can be seen in its history. Articles copied from the Draft namespace on Wikipedia can be seen in the Draft namespace of Wikipedia and not the main one.