InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
They’re the quiet ones—the ones that will silently gut your continuity strategy while leadership watches the wrong fire.
1️⃣ Shadow SaaS Is Out of Control Business units are adopting tools without IT oversight—no security, no backups, no DR. It works… until it doesn’t. Then it becomes your problem.
2️⃣ RTOs Are Fiction, Not Strategy “30 hours” looks good—until the CEO demands answers three hours in. If your recovery needs a miracle, it’s not a plan. It’s a pending failure.
3️⃣ Resilience Theater Is Everywhere Policies? Written. Boxes? Checked. But when the real incident hits, no one knows what to do. You’ve got documentation, not readiness.
4️⃣ Hidden Dependencies Will Break You APIs, scripts, microservices—no SLAs, no visibility, no accountability. They fail quietly. Business halts. And no one saw it coming.
5️⃣ Continuity Teams Have Quiet Quit Resilience professionals are exhausted, underfunded, and unheard. Their silence isn’t safety—it’s burnout. And it’s dangerous.
🔶 Resilience doesn’t fail loudly. It erodes quietly. CISOs and leadership teams: It’s time to stop watching the wrong fire.
ISO 27001 is an internationally recognized standard for establishing an Information Security Management System (ISMS) that protects an organization’s information assets. The standard lays out a structured, systematic approach to information security: it explicitly defines requirements that cover people, processes, and technology, and it is built on a risk-based management process. In other words, ISO 27001 requires an organization to identify its critical data and assets, assess the risks to them, and implement controls to mitigate those risks. As the AuditBoard blog explains, ISO 27001 “provid[es] a systematic approach to managing sensitive company information, and ensuring its confidentiality, integrity, and availability,” and “employ[s] a risk-based management process”​. By achieving ISO 27001 certification, a company demonstrates its commitment to security best practices and gains “improved risk management” capabilities​. In practice, this means ISO 27001 embeds risk reduction into the company’s daily operations: the organization is continually considering where its vulnerabilities lie and how to address them. This alignment of policy and process with identified risks helps prevent incidents that could lead to breaches or financial losses (outcomes the blog warns are costly for non-compliant companies​).
A core principle of ISO 27001 is systematic risk assessment. The standard mandates that organizations catalog information assets and regularly evaluate threats and vulnerabilities to those assets. This formal risk assessment process – often codified as a risk register – forces management to confront what could go wrong, estimate the likelihood and impact of each threat, and then select controls to lower that risk. The AuditBoard article highlights that effective compliance “starts with a deep understanding of your organization’s unique risk profile” through “comprehensive risk assessments that identify, analyze, and prioritize potential security threats and vulnerabilities”​. By building this into the ISMS, ISO 27001 ensures that controls are not applied haphazardly but are directly tied to the organization’s actual threat landscape. In short, ISO 27001’s risk-based approach means the organization is proactively scanning for problems, rather than only reacting after a breach occurs. This systematic identification and treatment of risks measurably lowers the chance that a threat will go unnoticed and turn into a serious incident.
Another key principle of ISO 27001 is continual improvement of the security program. ISO 27001 is inherently iterative: it follows the Plan–Do–Check–Act cycle, which requires the organization to plan security controls, implement them, monitor and review their effectiveness, and act on the findings to improve. In practice, this means an ISO 27001–certified organization must regularly review and update its security policies and controls to keep pace with new threats. The AuditBoard blog emphasizes this proactive stance: it notes that maintaining compliance “encourages businesses to regularly review and update their security policies, practices, and systems,” allowing the organization to adapt to evolving threats and maintain “long-term resilience”​. Furthermore, ISO 27001 requires ongoing monitoring and measurement of the ISMS. Automated monitoring tools, for example, can detect anomalies or intrusions in real time. The blog underlines that such continuous monitoring “strengthens an organization’s security posture” by enabling a quick response to new risks​. By continuously detecting issues and feeding back lessons learned, an ISO 27001 ISMS avoids stagnation: it evolves as the threat landscape evolves. This dedication to continual assessment and enhancement means that security controls are always improving, which keeps residual risk as low as possible over time.
ISO 27001 also enforces organizational accountability for security. It requires that top management be directly involved in the ISMS: leaders must establish a clear security policy, assign roles and responsibilities, and ensure adequate resources are available for security. Every risk and control must have an owner. The AuditBoard article reinforces this by stressing the importance of a cross-functional security team and collaboration among IT, legal, HR, and business units​. In an ISO 27001 context, this means everyone from the CISO to line managers shares responsibility for protecting data. Accountability is further ensured through documentation: ISO 27001 demands thorough records of all security processes. The blog points out that maintaining “comprehensive records of risk assessments, security controls, training activities, and incident response efforts” provides clear evidence of compliance and highlights where improvements are needed​. This audit trail makes the organization’s security posture transparent to auditors and stakeholders. In effect, ISO 27001 turns vague good intentions into concrete, assigned tasks and documented procedures, so that it is always possible to trace who did what, and to hold the organization accountable for gaps or successes alike.
By combining these elements – structured risk analysis, continuous improvement, and built-in accountability – ISO 27001 compliance significantly reduces overall organizational risk. The AuditBoard blog summarizes the core idea of compliance in cybersecurity as a security framework that can withstand emerging threats, noting that adherence to standards “ensures that organizations protect their data and build trust by demonstrating their commitment to information security”​. In practical terms, this means a company with an ISO 27001 ISMS is far better equipped to prevent the “significant consequences” of non-compliance – such as data breaches, financial losses, and reputational damage​. By embedding a risk-based approach into daily routines and maintaining a culture of vigilance and responsibility, ISO 27001 helps an organization identify issues early and handle them before they become disasters. Ultimately, this strong, systematic compliance posture not only shields sensitive information, but also saves the company from costly incidents – improving its bottom line and competitive standing (as noted, certification can confer a competitive edge and “improved risk management”​). In summary, ISO 27001 reduces risk by making effective information security practices a formal, organization-wide process that is continuously managed and improved.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.
Here’s how we help:
Conduct gap assessments to identify compliance challenges and control maturity
Deliver straightforward, practical steps for remediation with assigned responsibility
Ensure ongoing guidance to support continued compliance with standard
Confirm your security posture through risk assessments and penetration testing
Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.
Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
​The RSA Conference Executive Security Action Forum (ESAF) report, How Top CISOs Are Transforming Third-Party Risk Management, presents insights from Fortune 1000 Chief Information Security Officers (CISOs) on evolving strategies to manage third-party cyber risks. The report underscores the inadequacy of traditional risk management approaches and highlights innovative practices adopted by leading organizations.​
1. Escalating Third-Party Risks
The report begins by emphasizing the increasing threat posed by third-party relationships. A survey revealed that 87% of Fortune 1000 companies experienced significant cyber incidents originating from third parties within a year. This statistic underscores the urgency for organizations to reassess their third-party risk management strategies.​
2. Limitations of Traditional Approaches
Traditional methods, such as self-assessment questionnaires and cybersecurity ratings, are criticized for their ineffectiveness. These approaches often lack context, fail to reduce actual risk, and do not foster resilience against cyber threats. The report advocates for a shift towards more proactive and context-aware strategies.​
3. Innovative Strategies by Leading CISOs
In response to these challenges, top CISOs are implementing bold new approaches. These include establishing prioritized security requirements, setting clear deadlines for control implementations, incorporating enforcement clauses in contracts, and assisting third parties in acquiring necessary security technologies and services. Such measures aim to enhance the overall security posture of both the organization and its partners.​
4. Emphasizing Business Leadership and Resilience
The report highlights the importance of involving business leaders in managing cyber risks. By integrating cybersecurity considerations into business decisions and fostering a culture of resilience, organizations can better prepare for and respond to third-party incidents. This holistic approach ensures that cybersecurity is not siloed but is a shared responsibility across the enterprise.​
5. Case Studies Demonstrating Effective Practices
Six cross-sector case studies are presented, showcasing how organizations in industries like defense, healthcare, insurance, manufacturing, and technology are successfully transforming their third-party risk management. These real-world examples provide valuable insights into the practical application of the recommended strategies and their positive outcomes.​
6. The Role of Technology and Security Vendors
The report calls upon technology and security vendors to play a pivotal role in minimizing complexities and reducing costs associated with third-party risk management. By collaborating with organizations, vendors can develop solutions that are more aligned with the evolving cybersecurity landscape and the specific needs of businesses.​
7. Industry Collaboration for Systemic Change
Recognizing that third-party risk is a widespread issue, the report advocates for industry-wide collaboration. Establishing common standards, sharing best practices, and engaging in joint initiatives can lead to systemic changes that enhance the security of the broader ecosystem. Such collective efforts are essential for addressing the complexities of modern cyber threats.​
8. Moving Forward with Proactive Measures
The ESAF report concludes by encouraging organizations to adopt proactive measures in managing third-party risks. By moving beyond traditional methods and embracing innovative, collaborative, and resilient strategies, businesses can better safeguard themselves against the evolving threat landscape. The insights provided serve as a roadmap for organizations aiming to strengthen their cybersecurity frameworks in partnership with their third parties.​
​The document “Step-by-Step Explanation of ISO 27001/ISO 27005 Risk Management” by Advisera Expert Solutions offers a comprehensive guide to implementing effective information security risk management in alignment with ISO 27001 and ISO 27005 standards. It aims to demystify the process, providing practical steps for organizations to identify, assess, and treat information security risks efficiently.​ Advisera
1. Introduction to Risk Management
Risk management is essential for organizations to maintain competitiveness and achieve objectives. It involves identifying, evaluating, and treating risks, particularly those related to information security. The document emphasizes that while risk management can be complex, it doesn’t have to be unnecessarily complicated. By adopting structured methodologies, organizations can manage risks effectively without excessive complexity.​
2. Six Basic Steps of ISO 27001 Risk Assessment and Treatment
The risk management process is broken down into six fundamental steps:​
Risk Assessment Methodology: Establishing consistent rules for conducting risk assessments across the organization.
Risk Assessment Implementation: Identifying potential problems, analyzing, and evaluating risks to determine which need treatment.
Risk Treatment Implementation: Developing cost-effective strategies to mitigate identified risks.
ISMS Risk Assessment Report: Documenting all activities undertaken during the risk assessment process.
Statement of Applicability: Summarizing the results of risk treatment and serving as a key document for auditors.
Risk Treatment Plan: Outlining the implementation of controls, including responsibilities, timelines, and budgets.​
Management approval is crucial for the Risk Treatment Plan to ensure the necessary resources and commitment for implementation.​
3. Crafting the Risk Assessment Methodology
Developing a clear risk assessment methodology is vital. This involves defining how risks will be identified, analyzed, and evaluated. The methodology should ensure consistency and objectivity, allowing for repeatable and comparable assessments. It should also align with the organization’s context, considering its specific needs and risk appetite.​
4. Identifying Risks: Assets, Threats, and Vulnerabilities
Effective risk identification requires understanding the organization’s assets, potential threats, and vulnerabilities. This step involves creating an inventory of information assets and analyzing how they could be compromised. By mapping threats and vulnerabilities to assets, organizations can pinpoint specific risks that need to be addressed.​
5. Assessing Consequences and Likelihood
Once risks are identified, assessing their potential impact and the likelihood of occurrence is essential. This evaluation helps prioritize risks based on their severity and probability, guiding the organization in focusing its resources on the most significant threats. Both qualitative and quantitative methods can be employed to assess risks effectively.​
6. Implementing Risk Treatment Strategies
After assessing risks, organizations must decide on appropriate treatment strategies. Options include avoiding, transferring, mitigating, or accepting risks. Selecting suitable controls from ISO 27001 Annex A and integrating them into the Risk Treatment Plan ensures that identified risks are managed appropriately. The plan should detail the implementation process, including responsible parties and timelines.​
7. Importance of Documentation and Continuous Improvement
Documentation plays a critical role in the risk management process. The ISMS Risk Assessment Report and Statement of Applicability provide evidence of the organization’s risk management activities and decisions. These documents are essential for audits and ongoing monitoring. Furthermore, risk management should be a continuous process, with regular reviews and updates to adapt to changing threats and organizational contexts.​
By following these structured steps, organizations can establish a robust risk management framework that aligns with ISO 27001 and ISO 27005 standards, enhancing their information security posture and resilience.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.
Here’s how we help:
Conduct gap assessments to identify compliance challenges and control maturity
Deliver straightforward, practical steps for remediation with assigned responsibility
Ensure ongoing guidance to support continued compliance with standard
Confirm your security posture through risk assessments and penetration testing
Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.
Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
Cyber security risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.
When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.
Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.
Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.
Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.
Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.
A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.
DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.
The best approach for SMBs to start the cybersecurity risk management process involves the following steps:
Understand Your Risks:
Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
Prioritize risks based on their potential impact and likelihood.
Set Clear Goals:
Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.
Develop a Security Policy:
Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.
Start with the Basics:
Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
Use strong passwords and enable multi-factor authentication (MFA).
Train Your Employees:
Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.
Back Up Your Data:
Regularly back up critical data and store it in a secure, offsite location.
Test your backup and recovery process to ensure it works effectively.
Monitor and Respond:
Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
Establish an incident response plan to know what to do in case of an attack.
Leverage External Resources:
Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.
Start Small and Scale Up:
Focus on quick wins that provide maximum risk reduction with minimal effort.
Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.
Regularly Review and Update:
Reassess risks, policies, and controls periodically to stay ahead of evolving threats.
This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.
You can’t eliminate risk entirely, but you can minimize it. If a cyberattack occurs, here are three key steps to take:
Plan Ahead: Create a detailed incident response plan now, involving all key departments (e.g., technical, legal, financial, marketing). Practice it through tabletop exercises to prepare for unexpected scenarios. The better your preparation, the less chaos you’ll face during an attack.
Contact Your Cyber Insurance Company: Reach out to your cyber insurance provider immediately. They can coordinate response teams, provide legal and regulatory support, handle public relations, negotiate ransoms, assist with technical recovery, and help strengthen security post-incident. Follow their guidance to avoid unnecessary expenses.
Return to Normal Operations: Once the active threat is contained, declare the incident over and shift your team back to regular duties. Fix vulnerabilities and train staff but avoid staying in “response mode” indefinitely, as it can lead to burnout, distraction, and reduced productivity.
Preparation and thoughtful responses are key to minimizing damage and ensuring a smoother recovery from cyber incidents.
Additional steps to help minimize information security risks:
1. Conduct Regular Risk Assessments
Identify vulnerabilities in your systems, applications, and processes.
Prioritize risks based on their likelihood and potential impact.
Address gaps with appropriate controls or mitigations.
2. Implement Strong Access Controls
Use multi-factor authentication (MFA) for all critical systems and applications.
Follow the principle of least privilege (grant access only to those who truly need it).
Regularly review and revoke unused or outdated access permissions.
3. Keep Systems and Software Up-to-Date
Patch operating systems, software, and firmware as soon as updates are released.
Use automated tools to manage and deploy patches consistently.
4. Train Employees on Security Best Practices
Conduct regular security awareness training, covering topics like phishing, password hygiene, and recognizing suspicious activity.
Simulate phishing attacks to test and improve employee vigilance.
5. Use Endpoint Detection and Response (EDR) Solutions
Deploy advanced tools to monitor, detect, and respond to threats on all devices.
Set up alerts for abnormal behavior or unauthorized access attempts.
6. Encrypt Sensitive Data
Use strong encryption protocols for data at rest and in transit.
Ensure proper key management practices are followed.
7. Establish Network Segmentation
Separate critical systems and sensitive data from less critical networks.
Limit lateral movement in case of a breach.
8. Implement Robust Backup Strategies
Maintain regular, secure backups of all critical data.
Store backups offline or in isolated environments to protect against ransomware.
Test recovery processes to ensure backups are functional and up-to-date.
9. Monitor Systems Continuously
Use Security Information and Event Management (SIEM) tools for real-time monitoring and alerts.
Proactively look for signs of intrusion or anomalies.
10. Develop an Incident Reporting Culture
Encourage employees to report security issues or suspicious activities immediately.
Avoid a blame culture so employees feel safe coming forward.
11. Engage in Threat Intelligence Sharing
Join industry groups or forums to stay informed about new threats and vulnerabilities.
Leverage shared intelligence to strengthen your defenses.
12. Test Your Defenses Regularly
Conduct regular penetration testing to identify and fix exploitable weaknesses.
Perform red team exercises to simulate real-world attacks and refine your response capabilities.
By integrating these steps into your cybersecurity strategy, you’ll strengthen your defenses and reduce the likelihood of an incident.
Feel free to reach out if you have any additional questions or feedback.
DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.
“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”
This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:
SoA Derivation from Risk Assessment
The SoA must be based on the risk assessment and risk treatment plan.
It should only include controls that were identified as necessary during the risk assessment.
Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
Consistency with Risk Treatment Plan
The SoA must align with the selected risk treatment options.
This ensures that the controls listed in the SoA effectively address the identified risks.
Justification for Controls
The SoA can state that all controls were chosen because they are necessary for risk treatment.
No separate or additional justification is needed for each individual control beyond its necessity in treating risks.
Why This Matters:
Ensures a risk-driven approach to control selection.
Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.
Practical Example of SoA and Risk Assessment Linkage
Scenario:
A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:
Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
Risk Level: High
Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.
How This Affects the SoA:
Control Selection:
The company refers to Annex A of ISO 27001 and identifies Control A.9.4.1 (Use of Secure Authentication Mechanisms) as necessary to mitigate the risk.
This control is added to the SoA because the risk assessment identified it as necessary.
Justification in the SoA:
The SoA will list A.9.4.1 – Secure Authentication Mechanisms as an included control.
The justification can be: “This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.”
No additional justification is needed because the link to the risk assessment is sufficient.
What Cannot Be Done:
The company cannot arbitrarily add a control, such as A.14.2.9 (Protection of Test Data), unless it was identified as necessary in the risk assessment.
Adding controls without risk justification would violate ISO 27005’s requirement for consistency.
Key Takeaways:
Every control in the SoA must be traceable to a risk.
The SoA cannot contain controls that were not justified in the risk assessment.
Justification for controls can be standardized, reducing documentation overhead.
This approach ensures that the ISMS remains risk-based, justifiable, and auditable.
The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.
An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.
The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.
Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.
For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.
Best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.
In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.
The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.
Clause 6.1.1 is often misunderstood and frequently overlooked. It requires organizations to assess risks and opportunities specifically related to the Information Security Management System (ISMS)—focusing not on information security itself, but on the ISMS’s effectiveness. This is distinct from the information security risk assessment activities outlined in 6.1.2 and 6.1.3, which require different methods and considerations.
In practice, it’s rare for organizations to assess ISMS-specific risks and opportunities (per 6.1.1), and certification auditors seldom address this requirement.
To clarify, it’s proposed that the information security risk assessment activities (6.1.2 and 6.1.3) be moved to clause 8. This aligns with the structure of other management system standards (e.g., ISO 22301 for Business Continuity Planning). Additionally, a note similar to ISO 22301’s should be included:
“Risks in this sub clause relate to information security, while risks and opportunities related to the effectiveness of the management system are addressed in 6.1.1.”
Need expert guidance? Book a free 30-minute consultation with a ISO27k expert.
The “Risk Assessment analysis” covers key areas of risk assessment in information security:
Risk Assessment Process: The core steps include identifying assets, analyzing risks, and evaluating the value and impact of each risk. This process helps determine necessary controls and treatments to mitigate or accept risks.
Types of Risk:
Asset-Based Risk: Focuses on assessing risks to tangible assets like data or hardware.
Scenario-Based Risk: Evaluates hypothetical risk scenarios, such as potential data breaches.
Risk Analysis:
Impact Analysis: Measures the financial, operational, and reputational impact of risks, assigning scores from 1 (very low) to 5 (very high).
Likelihood Analysis: Assesses how likely a risk event is to occur, also on a scale from 1 to 5.
Risk Response Options:
Tolerate (accept risk),
Treat (mitigate risk),
Transfer (share risk, e.g., via insurance),
Terminate (avoid risk by ceasing the risky activity).
Residual Risk and Risk Appetite: After treatments are applied, residual risk remains. Organizations determine their acceptable level of risk, known as risk appetite, to guide their response strategies.
These structured steps ensure consistent, repeatable risk management across information assets, aligning with standards like ISO 27001.
The Risk Assessment Process involves systematically identifying and evaluating potential risks to assets. This includes:
Identifying Assets: Recognizing valuable information assets, such as data or physical equipment.
Risk Analysis: Analyzing the potential threats and vulnerabilities related to these assets to assess the level of risk they pose.
Evaluating Impact and Likelihood: Measuring the potential impact of each risk and estimating how likely each risk is to occur.
Implementing Controls: Deciding on control measures to mitigate, transfer, accept, or avoid each risk, based on organizational risk tolerance.
To streamline this process, organizations often use risk assessment tools. These tools assist by automating data collection, calculating risk levels, and supporting decision-making on risk treatments, ultimately making the assessment more consistent, thorough, and efficient.
CyberComply makes compliance with cybersecurity requirements and data privacy laws simple and affordable.
Manage all your cybersecurity and data privacy obligations
Accelerate certification and supercharge project effectiveness
Get immediate visibility of critical data and key performance indicators
Stay ahead of regulatory changes with our scalable compliance solution
Reduce errors and improve completeness of risk management processes
Identify and treat data security risks before they become critical concerns
Reduce data security risks with agility and efficiency
Quickly identify and treat data security risks before they become critical concerns with the intuitive, easy-to-use risk manager tool
Keep track of data security compliance requirements and the security controls you have in place in conjunction with critical laws and information security frameworks
Demonstrate compliance with ISO 27001, the leading information security management standard, with powerful built-in reports
The software includes control sets from ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 27032, NIST, CSA CCM, the PCI DSS, SOC 2, and the CPRA
Need expert guidance? Book a free 30-minute consultation with a Risk assessment specialist.
The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.
The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.
A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.
Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.
In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.
There is a misconception among security professionals: the belief that all information security risks will result in significant business risks. This perspective is misleading because not every information security incident has a severe impact on an organization’s bottom line. Business decision-makers can become desensitized to security alerts if they are inundated with generalized statements, leading them to ignore real risks. Thus, it is essential for security experts to present nuanced, precise analyses that distinguish between minor and significant threats to maintain credibility and ensure their assessments are taken seriously.
There are two types of risks:
Information Security Risk: This occurs when a threat (e.g., a virus) encounters a vulnerability (e.g., lack of antivirus protection), potentially compromising confidentiality, availability, or integrity of information. Depending on the severity, it can range from a minor issue, like a temporary power outage, to a critical breach, such as theft of sensitive data.
Business Risk: This affects the organization’s financial stability, compelling decision-makers to act. It can manifest as lost revenue, increased costs (e.g., penalties), or reputational damage, especially if regulatory fines are involved.
Not all information security risks translate directly to business risks. For example, ISO27001 emphasizes calculating the Annual Loss Expectation (ALE) and suggests that risks should only be addressed if their ALE exceeds the organization’s acceptable threshold.
Example:
Small Business Data Breach: A small Apple repair company faced internal sabotage when a disgruntled employee reformatted all administrative systems, erasing customer records. The company managed to recover by restoring data from backups and keeping customer communication open. Despite the breach’s severity, the company retained its customers, and the incident was contained. This case underscores the importance of adequate data management and disaster recovery planning.
Several factors to consider when assessing the relationship between information security and business risk:
Business Model: Certain businesses can withstand breaches with minimal financial impact, while others (e.g., payment processors) face more significant risks.
Legal Impact: Fines and legal costs can sometimes outweigh the direct costs of a breach. Organizations must assess regulatory requirements and contractual obligations to understand potential legal implications.
Direct Financial Impact: While breaches can lead to financial loss, this is sometimes treated as a routine cost of doing business, akin to paying for regular IT services.
Affected Stakeholders: It is crucial to identify which parties will bear the brunt of the damage. In some cases, third parties, like investors, may suffer more than the organization experiencing the breach.
Ultimately, information security risks must be evaluated within the broader business context. A comprehensive understanding of the company’s environment, stakeholders, and industry will help in prioritizing actions and reducing overall breach costs.
Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.
He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.
To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.
Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.
For more information on Andrew Pattison interview, you can visit here
Factor Analysis of Information Risk (FAIR), a powerful methodology for assessing and quantifying information risks. Here’s a comprehensive overview:
1. What Is FAIR? a. FAIR, short for Factor Analysis of Information Risk, is a quantitative risk quantification methodology designed to help businesses evaluate information risks. b. It stands out as the only international standard quantitative model framework that addresses both operational risk and information security. c. Mature organizations that utilize Integrated Risk Management (IRM) solutions significantly benefit from FAIR.
2. Objective of FAIR: a. The primary goal of FAIR is to support existing frameworks and enhance risk management strategies within organizations. b. Unlike cybersecurity frameworks (such as NIST CSF), FAIR is not a standalone framework. Instead, it complements other industry-standard frameworks like NIST, ISO 2700x, and more. c. As organizations shift from a compliance-based approach to a risk-based approach, they need a quantitative risk methodology to support this transition.
3. How FAIR Differs from Legacy Risk Quantification Methods: a. FAIR is not a black-box approach like traditional penetration testing. Instead, it operates as a “glass-box” method. b. Legacy methods focus on penetration testing without internal knowledge of the target system. While they identify vulnerabilities, they cannot provide the financial impact of risks. c. In contrast, FAIR translates an organization’s loss exposure into financial terms, enabling better communication between technical teams and non-technical leaders. d. FAIR provides insights into how metrics were derived, allowing Chief Information Security Officers (CISOs) to present detailed information to board members and executives.
4. Benefits of FAIR: a. Financial Context: FAIR expresses risks in dollars and cents, making it easier for decision-makers to understand. b. Risk Gap Identification: FAIR helps organizations efficiently allocate resources to address risk gaps. c. Threat Level Scaling: Unlike other frameworks, FAIR scales threat levels effectively. d. Board Engagement: FAIR fosters interest in cybersecurity among board members and non-technical leaders.
5. Drawbacks of FAIR: a. Complexity: FAIR lacks specific, well-defined documentation of its methods. b. Complementary Methodology: FAIR is not an independent risk assessment tool; it complements other frameworks. c. Probability-Based: While FAIR’s probabilities are not baseless, they may not be entirely accurate due to the unique nature of cyber-attacks and their impact.
In summary, FAIR revolutionizes risk analysis by providing a quantitative, financially oriented perspective on information risk. It bridges the gap between technical and non-technical stakeholders, enabling better risk management decisions.
Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:
Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.
The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.
CTEM VS. ALTERNATIVE APPROACHES
Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:
1. CTEM VS. PERIODIC SECURITY ASSESSMENTS
Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.
2. CTEM VS. PENETRATION TESTING
Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.
3. CTEM VS. INCIDENT RESPONSE PLANNING
Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.
4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT
Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.
KEY ADVANTAGES OF CTEM
Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.
CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.
CTEM IN AWS
Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:
1. IDENTIFICATION OF ASSETS
AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.
2. ASSESSMENT
Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.
3. PRIORITIZATION
AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.
4. MITIGATION AND REMEDIATION
AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.
5. CONTINUOUS IMPROVEMENT
AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.
IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO
Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:
Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.
This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.
CTEM IN AZURE
Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:
STEP 1: ASSET IDENTIFICATION AND MANAGEMENT
Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.
STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT
Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.
STEP 3: PRIORITIZATION OF RISKS
ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.
STEP 4: AUTOMATED REMEDIATION
Azure Automation: Employ Azure Automation to run remediation scripts or configurations management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies an unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.
STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE
Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE
Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.
EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE
Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.
Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.
By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.
IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE
Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:
COMMON STEPS FOR BOTH AWS AND AZURE
Understand Your Environment
Catalogue your cloud resources and services.
Understand the data flow and dependencies between your cloud assets.
Define Your Security Policies and Objectives
Establish what your security baseline looks like.
Define key compliance requirements and security objectives.
Integrate Continuous Monitoring Tools
Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
Integrate third-party security tools if necessary for enhanced capabilities.
Automate Security Responses
Implement automated responses to common threats and vulnerabilities.
Use cloud services to automate patch management and configuration adjustments.
Continuously Assess and Refine
Regularly review security policies and controls.
Adjust based on new threats, technological advancements, and changes in the business environment.
IMPLEMENTING CTEM IN AWS
Enable AWS Security Services
Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
Implement AWS Config to continuously monitor and record AWS resource configurations.
Automate Response with AWS Lambda
Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
Leverage Amazon CloudWatch
Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.
IMPLEMENTING CTEM IN AZURE
Utilize Azure Security Tools
Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
Automate with Azure Logic Apps
Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
Monitor with Azure Monitor
Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.
BEST PRACTICES FOR BOTH ENVIRONMENTS
Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.
Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.
Recently, it was revealed that Nickelodeon, an American TV channel and brand, has been the victim of a data leak. According to sources, the breach occurred at the beginning of 2023, but much of the data involved was “related to production files only, not long-form content or employee or user data, and (appeared) to be decades old.” The implication of this ambiguous statement: because the data is old and not related to individuals’ personally identifiable information (PII) or any proprietary information that hasn’t already been publicly released, this is a non-incident.
Let’s say Nickelodeon didn’t suffer any material harm because of this incident — great! It’s probable, though, that there are facts we don’t know. Any time proprietary data ends up where it shouldn’t, warning bells should go off in security professionals’ heads. What would be the outcome if the “decades old” files did contain PII? Some of the data would be irrelevant, but some could be crucial. What if the files contained other protected or private data? What if they compromised the integrity of the brand? All organizations need to think through the “what ifs” and apply the worst and base case scenarios to their current security practices.
The Nickelodeon case raises the question of whether keeping “decades old” data is necessary. While holding onto historical data can, in some cases, benefit the organization, every piece of kept data increases the company’s attack surface and increases risk. Why did Nickelodeon keep the old files in a location where it could be easily accessed? If the files were in a separate location, the security team likely did not apply adequate controls to accessing the files. Given that the cost of securing technology and all its inherent complexity is already astronomically high, CISOs need to prioritize budgetary and workforce allocation for all security projects and processes, including those for all past, present, and future data protection.
In a slow economy, balancing system security and budget requires skill and savvy. Even in boom times, though, throwing more money at the problem doesn’t always help. There is no evidence that an increase in security spending proportionately improves an organization’s security posture. In fact, some studies suggest that an overabundance of security tools leads to more confusion and complexity. CISOs should therefore focus on business risk tolerance and reduction.
Approaches to cyber risk management
Because no two organizations are alike, every CISO must find a cyber risk management approach that aligns with the goals, culture, and risk tolerance of the organization. Budget plays an important role here, too, but securing more budget will be an easier task if the security goals align with those of the business. After taking stock of these considerations, CISOs may find that their organizations fall into one or more core approaches to risk management.
Risk tolerance-based approach
Every company– and even every department within a company– has a tolerance for the amount and type of risk they’re willing to take. Security-specific tolerance levels must be based on desired business outcomes; cyber security risk cannot be determined or calculated based on cybersecurity efforts alone, rather how those efforts support the larger business.
To align cybersecurity with business risk, security teams must address business resilience by considering the following questions:
How would the business be impacted if a cybersecurity event were to occur?
What are the productivity, operational, and financial implications of a cyber event or data breach?
How well equipped is the business to handle an event internally?
What external resources would be needed to support internal capabilities?
With answers to these types of questions and metrics to support them, cyber risk levels can be appropriately set.
Maturity-based approach
Many companies today estimate their cyber risk tolerance based on how mature they perceive their cybersecurity team and controls to be. For instance, companies with an internal security operations center (SOC) that supports a full complement of experienced staff might be better equipped to handle continuous monitoring and vulnerability triage than a company just getting its security team up and running. Mature security teams are good at prioritizing and remediating critical vulnerabilities and closing the gaps on imminent threats, which generally gives them a higher security risk tolerance.
That said, many SOC teams are too overwhelmed with data, alerts, and technology maintenance to focus on risk reduction. The first thing a company must do if it decides to take on a maturity-based approach is to honestly assess its own level of security maturity, capabilities, and efficacy. A truly mature cybersecurity organization isbetter equipped to manage risk, but self-awareness is vital for security teams regardless of maturity level.
Budget-based approach
Budget constraints are prevalent in all aspects of business today, and running a fully staffed, fully equipped cybersecurity program is no bargain in terms of cost. However, organizations with an abundance of staff and technology don’t necessarily perform better security- or risk-wise. It’s all about being budget savvy for what will be a true compliment to existing systems.
Invest in tools that move the organization toward a zero trust-based architecture, focusing on security foundation and good hygiene first. By laying the right foundations, and having competent staff to manage them, cybersecurity teams will be better off than having the latest and greatest tools implemented without mastering the top CIS Controls: Inventory and control of enterprise and software assets, basic data protection, secure configuration management, hardened access management, log management, and more.
Threat-based approach
An important aspect of a threat-based approach to risk management is understanding that vulnerabilities and threats are not the same thing. Open vulnerabilities can lead to threats (and should therefore be a standard part of every organization’s security process and program). “Threats,” however, refer to a person/persons or event in which a vulnerability has the potential to be exploited. Threats also rely on context and availability of a system or a resource.
For instance, the Log4Shell exploit took advantage of a Log4j vulnerability. The vulnerability resulted in a threat to organizations with an unpatched version of the utility running. Organizations that were not running unpatched versions — no threat.
It is therefore imperative for organizations to know concretely:
All assets and entities present in their IT estates
The security hygiene of those assets (point in time and historical)
Context of the assets (non-critical, business-critical; exposed to the internet or air-gapped; etc.)
Implemented and operational controls to secure those assets
With this information and context, security teams can start to build threat models appropriate for the organization and its risk tolerance. The threat models used will, in turn, allow teams to prioritize and manage threats and more effectively reduce risk.
People, process and technology-based approach
People, process, and technology (PPT) are often considered the “three pillars” of technology. Some security pros consider PPT to be a framework. Through whatever lens PPT is viewed, it is the most comprehensive approach to risk management.
A PPT approach has the goal of allowing security teams to holistically manage risk while incorporating an organization’s maturity, budget, threat profile, human resources, skill sets, and the entirety of the organization’s tech stack, as well as its operations and procedures, risk appetite, and more. A well-balanced PPT program is a multi-layered plan that relies evenly on all three pillars; any weakness in one of the areas tips the scales and makes it harder for security teams to achieve success — and manage risk.
The wrap up
Every organization should carefully evaluate its individual capabilities, business goals, and available resources to determine the best risk management strategy for them. Whichever path is chosen, it is imperative for security teams to align with the business and involve organizational stakeholders to ensure ongoing support.
Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:
Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. You can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.
By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form
Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan
GRC (Governance, Risk, and Compliance) online tools are designed to help organizations manage their internal processes, risk assessments, compliance, and audits. Here are some of the best GRC online tools available:
ZenGRC: ZenGRC is a cloud-based GRC tool that offers risk management, compliance management, and vendor management solutions. It allows users to streamline compliance tasks, track risks, and manage third-party vendors.
LogicManager: LogicManager is a GRC platform that helps businesses identify, assess, and manage risks. It offers a variety of modules, including regulatory compliance, vendor risk management, and incident management.
RSA Archer: RSA Archer is an enterprise GRC platform that helps businesses manage risk, compliance, and audit processes. It offers a variety of modules, including risk management, compliance management, and policy management.
SAP GRC: SAP GRC is a suite of GRC tools that helps businesses manage risk, compliance, and audit processes. It offers a variety of modules, including access control, process control, and risk management.
MetricStream: MetricStream is a cloud-based GRC platform that helps businesses manage compliance, risk, and audit processes. It offers a variety of modules, including regulatory compliance, risk management, and quality management.
NAVEX Global: NAVEX Global is a GRC platform that helps businesses manage compliance, risk, and ethics. It offers a variety of modules, including policy management, incident management, and third-party risk management.
Compliance 360: Compliance 360 is a GRC platform that helps businesses manage compliance, risk, and audit processes. It offers a variety of modules, including risk management, compliance management, and incident management.
Each of these tools offers unique features and benefits, so it’s important to evaluate your organization’s specific needs before choosing the best GRC tool for your business.
From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.
If you’re considering or are actively shopping for an analysis solution that treats cyber risk in financially-based business terms, Jack’s extensive, jargon-free guide — including an evaluation checklist — will give you the objective and practical advice you need.
And just in time. There’s never been more interest or, frankly, confusion in the marketplace over what exactly is cyber risk quantification. As you’ll read in this buyer guide, many solutions may count vulnerabilities, provide ordinal values, or deliver numeric “maturity” scores but don’t measure risk, let alone put a financial value on it to help make business decisions.
This paper answers questions such as:
What does CRQ provide that I’m not already getting from other cyber risk-related measurements?
What makes CRQ reliable? Why should I believe the numbers?
Do I have enough data to run an analysis?
Jack also provides red flags to look out for in CRQ solutions, such as:
Mis-identification of risks.
Mis-use of control frameworks as risk measurement tools.
Over-simplification that can result in poorly-informed decisions, especially when performed at scale.
The ‘Understanding Cyber Risk Quantification’ guide is designed to be of use to security and risk executives, industry analysts, consultants, auditors, investors, and regulators–essentially anyone who has a stake in how well cyber risk is managed.
