Wednesday, May 27, 2015

Cybersecurity Strategy 5 layout capability maturity model (CS5L CMM)

Historical background
In the Information Technology (IT) industry, the '''evolution of the Capability Maturity Model (CMM)''' began with capability modeling for software development. Its security component was limited to elements of software application development. With the advent of many cybersecurity solution providers (CSPs) supplying defenses, including vendors that built cybersecurity into their products, such as Cisco network equipment, and others that were solely CSPs, the model became outdated: it did not include the elements outside the application, and reflected only one part of Application Security (AppSec). In the energy industry a cybersecurity capability maturity model was developed, named C2M2. It has been progressive in addressing measurement specific to SCADA compliance, but it too does not cover all elements or areas of cybersecurity.

Cybersecurity solution providers, or vendors, gravitated to solutions specific to their areas of expertise or market share. Initially there was heavy emphasis on an all-inclusive solution using technology; only in the five years leading up to 2015 did this change to incorporate social engineering, the human behavior element. The reason was the trend of successful cyber attacks that began with user behavior, which could not be controlled with a purely technical solution. The big omission was cyber security awareness training.

Defenses
As the insurance industry began offering companies cybersecurity insurance, it became apparent that there was a lack of data on incidents, unlike, for example, hurricanes or wildfires.
There have been attempts to measure capability from network incidents, that is, attack attempts against IP addresses and more sophisticated traffic analysis. This renders useless results, because the noise signature seen at a company at the time of an attack has no correlation with the likelihood that a breach will occur. Thus capability has to be measured from the defenses in place at a company, including those supplied by CSPs.


A strategic approach
In collaboration with many companies, associations and government, a strategic approach was developed that groups the elements or areas of cybersecurity into 5 layouts, one of which is Training. The 5 layout strategy was adopted and became part of many initiatives organizing cybersecurity measurement in state government and private industry. The approach is to have a strategic defense, hence a cybersecurity strategy, much like a military defense strategy where assets (air force, tanks, infantry) are deployed strategically to develop a tactical plan. Breaking the strategy into 5 areas or layouts also simplifies the data acquisition process in the CMM and the analytic phase on the resulting data. It allows easier identification of responsible parties in an organization and of the areas on which cybersecurity solution providers focus, and gives management a simplified view, while inherently providing a clear understanding that '''a cybersecurity strategy is an executive responsibility''' reaching across the organization (including training) and encompassing computer systems, hardware, software, people, policies and procedures. This helps negate "ask my IT guy about compliance" and the "white horse cybersecurity solution".

Measurement
This modeling evolved to address the layouts and encompass all vendors providing cybersecurity solutions, giving a model that is useful at an executive level '''to measure and manage''' not only the enterprise itself but also those it does business with and allows access to its systems.

   Hence we arrive at a Cybersecurity 5 Layout Capability Maturity Model, CS5L CMM.

Side Note: The Cybersecurity Strategy 5 layout capability maturity model (CS5L CMM) now inherits from the Energy sector Cybersecurity Capability Maturity Model (C2M2), which is yet to be published.

Cybersecurity Strategy 5 Layout Capability Maturity Model
The Cybersecurity Strategy is used to manage and measure all aspects of IT security by grouping security functionality into 5 areas, or layouts, of defense. The strategic approach identifies the 5 layouts and adopts a Cybersecurity Strategy 5 Layout Capability Maturity Model (CS5L CMM). The model has a tool, also called CS5L CMM, an open source web application used to collect data and measure. This is part of a "Mature Cybersecurity Strategy".

Cybersecurity Strategy
The Cyber Security Strategy is a framework for determining gaps and measuring them using the 5 Layout approach (CS5L), which results in a standard measurement from which a tactical plan can be developed. In military terms, the strategy is how we plan our defenses.

The tactical plan is how we implement and perform it. In practice, companies have various vendors that provide security, most of which participate in providing data, have system interfaces and are able to supply iterative answers for their layout of defense, sometimes spanning more than one area or layout.

The five layouts cover the general areas known at this time, and the strategy model formalizes measurement of each and facilitates a road map to improve using capability maturity modeling (CMM). This way we identify security risks, address them, and have a plan to improve going forward, while maintaining a record of it.

We show how the CS5L CMM measurement fits into a complete 'mature' defense. A 'mature' cyber security defense includes a cycle of processes before and after the data gathering (CS5L) and measurement (CMM): before, a situation awareness study (largely a self study), and after, vulnerability and compliance mapping and risk management. The CS5L CMM framework is developing quickly into a measurement standard; it is the groundwork of the complete cycle.

CS5L: the Cybersecurity Strategy 5 layouts are the strategic asset areas (devices, people, policies and procedures) in the strategy model.

CMM: a Capability Maturity Model, which formalizes and standardizes measurement of each layout and facilitates a road map to improve capability.

Mature cybersecurity defense
The CS5L CMM is part of a bigger process we call a Mature cybersecurity defense.

A mature cybersecurity defense is called mature because it implies that all the processes are addressed. The CS5L CMM is used in two of the processes: to collect data and to measure.

The processes are as follows, and are a continuous cycle:
 * A situation awareness self study,
 * Data gathering (a checklist of questions and answers, and data inputs on users, devices, etc.) - CS5L,
 * Measurement using a Capability Maturity Model - CMM,
 * Vulnerability mapping,
 * Regulatory compliance check and planning,
 * Risk planning and risk management including incident mitigation.


Cybersecurity 5 layout
The strategy areas, or layouts, help organize an all-encompassing approach and lend themselves to separating the data into manageable segments for measurement. This allows drilling down into the measurement results in the analysis phase.

Measurement results in identifying security risks, addressing them, and devising a plan to manage and improve going forward.

The five layouts are:

1. AppSec - Application Security

2. Networks - Networks, firewall hardware and devices, Bring Your Own Device (BYOD), network encryption, multiple locations, ...

3. Security Awareness - Administration, policies and procedures, cyber security training (employee training, application developer security training), ...

4. Internal defense - Anti-virus, data encryption, backup and recovery, version control, ...

5. Forensics - Denial of service attacks, breach attempts, ...




Measurement
Each of the 5 layouts is measured against the Capability Maturity Model (CMM) levels below.

GRADE A. '''Self optimizing'''
At the optimizing level, processes are constantly improved by monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs. At the self optimizing level the organization has, in addition to managed processes, the processes in place to replicate and teach the process, so that capability keeps maturing as the organization changes, people come and go, and the processes change.

GRADE B. '''Managed'''
At the managed level, an organization monitors and controls its own processes through data collection and analysis.

GRADE C. '''Defined and Measured'''
At the defined and measured level, an organization has developed its own standard process through greater attention to documentation, standardization, and integration.

GRADE D. '''Repeatable'''
At the repeatable level, basic project management techniques are established and successes can be repeated, because the requisite processes have been established, defined, and documented.

GRADE E. '''Initial'''
At the initial level, processes are disorganized, even chaotic. Success is likely to depend on individual efforts and is not considered repeatable, because processes are not sufficiently defined and documented to allow them to be replicated.


Data Collection
Using the Cyber Security Strategy CS5L CMM system, two steps are performed to collect data for each layout:

1. a survey of questions directed to the responsible person in the organization, and
2. where applicable, data is drawn in and applied dynamically to the CMM.

Capability for each question is rated on the CMM levels using two choices:
         ... 'As is' (where you are now), and
         ... 'To be' (where you need to be).
The difference between where you are today and where you need to be establishes the 'gaps', which enables us to identify and focus on maturing your capability.

Hence we call this Capability Maturity Modeling. An example of how a question is presented:

In step 2, where data is drawn in dynamically (for example, each user's completed training courses), the system applies the data to the CMM using preset rules: if a user has completed a given set of courses, the user is mapped to a CMM level, say managed. Dynamic links are set up in cooperation with each cybersecurity vendor, as are the questions. Questions are assigned to a responsible person in the organization to provide answers, all communicated by email.

CS5L CMM system
The CS5L CMM system is an open web SaaS system which delivers measurement data to an MS SQL database, which is then available free of charge for reporting on the measured data. There are two parts: data collection (CS5L) and measurement (CMM).

Data is collected on policies, procedures, devices, users and each employee's training maturity, in each area or layout, by questions and answers and by input feeds from various vendors (a feed sometimes crosses two or more layouts). As part of CS5L, data is collected in these main ways:
     1. In a survey method, using emails, questions and CMM answers (CMM levels are selected) sent to the responsible person for a layout or part thereof. Questions specific to a vendor are surveyed and added to the database of questions, and are in turn sent to the responsible person for the management of that security vendor's product.
     2. Data inputs are configured specifically for the security vendor and inserted into the database for later dynamic CMM level assignment, which is specifically configurable. As part of the CMM, the data is applied and analysed.

The CMM records data throughout its maturity, assists in drill-downs to easily identify deficits, and retains and reports the CMM data.
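As an added illustration (example code written for this page, not the CS5L CMM tool's own code), the following Python models the two collection steps from the Data Collection section and the drill-down described here: 'as is' versus 'to be' levels per question, the gap between them, a rule that maps a user's completed training courses to a CMM level, and a per-layout deficit summary. The five levels and five layouts are taken from the page; the course names, the rule set, the sample answers, and the choice to let the weakest user set the Security Awareness level are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Level(IntEnum):
    """CS5L CMM maturity levels, ordered so a gap is a plain subtraction."""
    INITIAL = 1      # Grade E
    REPEATABLE = 2   # Grade D
    DEFINED = 3      # Grade C (defined and measured)
    MANAGED = 4      # Grade B
    OPTIMIZING = 5   # Grade A (self optimizing)


GRADE = {Level.OPTIMIZING: "A", Level.MANAGED: "B", Level.DEFINED: "C",
         Level.REPEATABLE: "D", Level.INITIAL: "E"}

LAYOUTS = ("AppSec", "Networks", "Security Awareness", "Internal defense", "Forensics")


@dataclass(frozen=True)
class Answer:
    """One survey question with the responsible person's 'as is' and 'to be' levels (step 1)."""
    layout: str
    question: str
    as_is: Level
    to_be: Level

    def gap(self) -> int:
        # A 'to be' below 'as is' is not a deficit; clamp at zero.
        return max(0, int(self.to_be) - int(self.as_is))


# Step 2 rule set (hypothetical): a user is at the highest level whose required
# course set is complete. Ordered highest to lowest so the first match wins.
TRAINING_RULES = (
    (Level.MANAGED,    frozenset({"phishing-basics", "password-hygiene",
                                  "incident-reporting", "annual-refresher"})),
    (Level.DEFINED,    frozenset({"phishing-basics", "password-hygiene", "incident-reporting"})),
    (Level.REPEATABLE, frozenset({"phishing-basics"})),
)


def training_level(completed: Iterable[str]) -> Level:
    """Map one user's completed courses to a CMM level via TRAINING_RULES."""
    done = frozenset(completed)
    for level, required in TRAINING_RULES:
        if required <= done:
            return level
    return Level.INITIAL


def awareness_as_is(user_courses: dict) -> Level:
    """Layout-level 'as is' for training (assumption): the weakest user sets the
    level, since one untrained user is enough to open the door."""
    if not user_courses:
        return Level.INITIAL
    return min(training_level(c) for c in user_courses.values())


def layout_gaps(answers: Iterable[Answer]) -> dict:
    """Drill-down view: total gap per layout; every layout is present even with no answers."""
    totals = {layout: 0 for layout in LAYOUTS}
    for a in answers:
        if a.layout not in totals:
            raise ValueError(f"unknown layout: {a.layout}")
        totals[a.layout] += a.gap()
    return totals


def largest_deficits(answers: Iterable[Answer]):
    """Layouts ordered by deficit, largest first (ties in layout order), for the tactical plan."""
    return sorted(layout_gaps(answers).items(),
                  key=lambda kv: (-kv[1], LAYOUTS.index(kv[0])))


# Constructed sample data, not real survey results or a real vendor feed.
USER_COURSES = {
    "alice": {"phishing-basics", "password-hygiene", "incident-reporting", "annual-refresher"},
    "bob":   {"phishing-basics"},
    "carol": set(),
}

SAMPLE_ANSWERS = [
    Answer("AppSec", "Static analysis runs on every build", Level.INITIAL, Level.MANAGED),
    Answer("Networks", "Firewall rule sets are reviewed on a schedule", Level.DEFINED, Level.DEFINED),
    Answer("Security Awareness", "Employee training completed",
           awareness_as_is(USER_COURSES), Level.DEFINED),
    Answer("Internal defense", "Backup restores are tested", Level.INITIAL, Level.REPEATABLE),
    Answer("Forensics", "Breach attempts are logged and retained", Level.REPEATABLE, Level.DEFINED),
]

if __name__ == "__main__":
    for layout, gap in largest_deficits(SAMPLE_ANSWERS):
        print(f"{layout:20s} gap={gap}")
```

With the sample data, AppSec shows the largest deficit (3 levels), followed by Security Awareness (2 levels, because one user has completed no courses at all), which is the kind of ranking the drill-down is meant to surface before the tactical plan is written.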

Notes
* The intent of the Cybersecurity Strategy Capability Maturity Model framework is to adopt a measurement standard for an all-inclusive cybersecurity defense, which includes gathering performance data via questions and data links to security vendors for the measurement of PEOPLE (Training), PROCEDURES, HARDWARE, SOFTWARE, DATA and ACCESS.
* According to Gartner, CISOs must own the following six security processes and ensure that they are defined and executed reliably: Security Governance, Policy Management, Awareness and Education, Identity and Access Management, Vulnerability Management, Incident Response.
* CISOs must ensure that the following four processes are defined and executed reliably, regardless of ownership: Change Management; Business Continuity Management and Disaster Recovery Management; Project Life Cycle Management; Vendor Management.
* These processes are accounted for in the cybersecurity strategy measurement framework.
* Advancing the CMM by adding levels, as argued by the Software Engineering Institute (see references): The current version of the CERT® Resilience Management Model (CERT-RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University's Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the maturity indicator level scale, or CERT-RMM MIL scale.