#63 – CYBER SECURITY CONTROL EFFECTIVENESS – MARK BERNARD

Mark Bernard

CyberSecurity requires the effective identification of risks and efficient implementation of controls designed to mitigate those risks. The efficient design and architecture of integrated control frameworks is crucial to limiting the potential negative impact on the agility and competitiveness of many organizations.

CONTROL EFFECTIVENESS
Making the determination of whether a control is effective or not requires the assessment of several characteristics of the control in scope. One of the goals is to reduce the number of security events and incidents that result in outages of services for customers. Another goal is to lower the cost of operational controls, improving the return on investments in security. These integrated control frameworks are evidence based, designed to mitigate the risk of financial penalties and liabilities associated with lost confidentiality, lost data integrity or the lost availability of business information.

The effectiveness of a control can be assessed using multiple characteristics, including conformity to standards, knowledge transfer, competence, and verification and validation by testing. Each of these control points plays an important role in the overall risk management of data, information and knowledge under the care of the respective organizations. These risks can impact operational risk/costs and compliance risk/costs, with direct implications for strategic risks and financial risks.

During the assessment of CyberSecurity risks we evaluated potential threats in step one and ranked them. In step two we evaluated potential vulnerabilities to determine if there was a match between an identified threat and an existing vulnerability. In step three we will evaluate existing controls to determine if they are functioning as planned and designed. At the conclusion of step three we will arrive at a decision point where management will choose to make improvements to existing controls or add new controls.

Mandatory controls must be 100% implemented to be effective. Discretionary controls can be risk-justified as in-scope or out-of-scope. Once that decision has been made, based on the risk to information assets, we turn our attention to evaluating evidence.

Evidence can be observed or reviewed. The need for documented policies, procedures and standards will depend upon the risk involved. More mature processes are documented so that knowledge can be transferred through mentoring and/or on-the-job training. Tacit knowledge is how humans record processes within their own brains and how we execute these processes without documented standards or procedures to follow. In contrast, explicit knowledge is documented, making it easier to transfer and validate. This assessment is recorded in the spreadsheet with a ‘T’ for Tacit or ‘E’ for Explicit.

The competence or skill of the professional executing the process is important to the effectiveness of preventing a threat from successfully exploiting existing vulnerabilities. This competency is contingent upon the professional's knowledge and experience. The CyberSecurity risk evaluator will use a scale of 1 – 6, where 1 = awareness and 6 is the equivalent of a PhD. Additional information regarding this assessment is available by contacting me. Last but not least, we need to test the control and determine if it is functioning as designed and intended. Finally, the overall assessment of control effectiveness will be used as part of the formula combining the threat and vulnerability assessments, and the output will be a risk rating reported to management for a risk-based decision to accept, reject or mitigate the risk by initiating corrective and/or preventive action plans.

Bio:

Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2

Information Security, Privacy, Governance, Risk Management Consultant. Mark has 24 years of proven experience within the domain of Information Security, Risk, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million +. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding, contract renegotiation and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on Service Manager ITIL/ISO 20000, building in Quality Management ISO 9001. He can be reached at: mesbernard@gmail.com
