CIOReview | February 2014

Recommendations

Five recommendations zero in on how to address these critical issues, move information security programs forward, and prepare for the future:

Shift Focus from Technical Assets to Critical Business Processes

Move away from a strictly technical viewpoint of protecting information assets, such as servers and applications. Take a bigger-picture perspective by looking at how information is used in conducting business. Think about how to protect the most critical business processes end-to-end. Work with business units to document critical business processes.

Institute Business Estimates of Cybersecurity Risks

Develop techniques for describing cybersecurity risks in business terms and integrate the use of business estimates into the risk-advisory process. Define detailed scenarios that describe the likelihood of security incidents and the magnitude of business impact. Where feasible or required, quantify the risk in dollar values and move increasingly toward financial estimates.

Establish Business-Centric Risk Assessments

Move to more automated tools for tracking information risks as they are identified, evaluated, accepted, or remediated, in order to speed decision-making and enable business units to be held accountable for managing risks. Look to service providers for mundane, repetitive assessments. Build flexibility into the risk-acceptance process to enable the business to take advantage of time-sensitive opportunities.

Set a Course for Evidence-Based Controls Assurance

Develop the capability to collect relevant data to test the efficacy of controls on an ongoing basis. Begin by documenting and reviewing controls, focusing on the most important controls that protect critical business processes. Determine what evidence will attest to each control, set up procedures to systematically collect and report that evidence, and make continual adjustments. Over time, automate the collection of evidence and reporting in order to improve internal and third-party assessments.

Develop Informed Data Collection Techniques

Start by looking at the types of questions data analytics can answer in order to identify relevant sources of data. Build a set of data analytics use cases. Modify logging where the original data is insufficient, negotiating with system owners when necessary. Know how to apply external threat intelligence to enrich analysis. Plan comprehensively to improve the overall collection architecture, produce more data-rich logs, and increase data-storage capacity.

(As told to Joe Philip)