Components of a Cyber Security Program

Cyber Security Governance

The Information Security Officer (ISO) provides guidance and support for the overall Information Security Portfolio. The ISO establishes the Security Lifecycle through the development and management of agency-wide governance. The ISO facilitates the lifecycle of Security Operations, Risk Management and Security Architecture through a number of activities and repeatable processes:
  • Information Security Strategic Planning
  • Information Security Roadmap Development
  • Information Security Resource Planning
  • Establishment of Information Security Policies, Standards, Processes and Procedures
  • Information Security Training, Education and Awareness
Best practices for Information Governance are found in NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information System View" (PDF). This document provides a best practice framework for facilitating information management.

Threat Identification

The purpose of your Security Operations Center (SOC) is to identify threats to Information Security. As threats are identified, they should be provided to Risk Management for Analysis. Threats can be identified through a number of mechanisms including:
  • Intrusion Detection and Prevention Technologies
  • Notices from organizations such as the Multi-State Information Sharing and Analysis Center
Best practice for identifying threats is found in Appendix D of NIST SP 800-30 Revision 1 (PDF).

Risk Management

The purpose of your Risk Management Program is to quantify the Risks Identified by your Security Operations Center. As risks are quantified and prioritized, they should be provided to the security architects so security controls can be established or configured, which mitigate the risks identified. The risks of threats can be managed through a number of strategies including:
  • Cataloging the Risk - Establish a Risk Register
  • Quantifying the Risk - Determine if vulnerabilities exist which can be exploited by the threats identified
  • Measuring the Risk - Identify the impacts of realized risks
  • Communicate the Risk - Convey prioritized risks to architects so that a solution can be established
There are a number of ways in which risks can be managed. NIST SP 800-37 "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," (PDF) provides a best practice framework for facilitating this activity.

Risk Mitigation

Risks are provided to Security Architects who implement or configure security controls to mitigate the identified risks. As risks are mitigated, security architects should inform the Security Operations team how they should monitor to ensure that they are not realized. The following process steps can be used to mitigate risk:
  • Determine how the risk results in exploitation of a vulnerability.
  • Determine if there are existing security controls which can mitigate exploitation.
  • Implement or re-configure the security control to mitigate the risk.
  • Develop a mechanism to identify whether risk exploitation is occurring and a solution for monitoring this risk.
Security controls are implemented across the infrastructure to mitigate various risks which are presented. As risks are presented by your Risk Management Program, your architects should be working to implement solutions to mitigate them. NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations,” illustrates a catalogue of security controls that can be used to identify mitigation strategies.

National Cybersecurity Workforce Framework

NICE developed the National Cybersecurity Workforce Framework (the Framework) to codify cybersecurity work and to identify the specialty areas of cybersecurity professionals.
The Framework establishes:
  • A common taxonomy and lexicon for cyber security workers that organizes cyber security into 31 specialty areas within 7 categories.
  • A baseline of tasks, specialty areas, and knowledge, skills and abilities (KSAs) associated with cyber security professionals.
The Framework assists with strategic human capital efforts, including:
  • Workforce Planning
  • Recruitment and Selection
  • Training and Development
  • Succession Planning
Specialty Areas
  • Securely Provision - Specialty areas responsible for conceptualizing, designing, and building secure information technology (IT) systems, i.e., responsible for some aspect of systems development.
  • Operate and Maintain - Specialty areas responsible for providing support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
  • Protect and Defend - Specialty areas responsible for identification, analysis and mitigation of threats to internal information technology (IT) systems and networks.
  • Investigate - Specialty areas responsible for investigation of cyber events and/or crimes of information technology (IT) systems, networks, and digital evidence.
  • Operate and Collect - Specialty areas responsible for specialized denial and deception operations and collection of cyber security information that may be used to develop intelligence.
  • Analyze - Specialty areas responsible for highly specialized review and evaluation of incoming cyber security information to determine its usefulness for intelligence.
  • Oversight and Development - Specialty areas that provide leadership, management, direction, and/or development and advocacy so that individuals and organizations may effectively conduct cyber security work.
The Framework organizes cyber security work into 31 specialty areas within 7 categories. Each specialty area represents an area of concentrated work, or function, within cybersecurity. Below are the 7 categories, with their corresponding specialty areas.
Securely Provision
  • Systems Requirements Planning
  • Systems Development
  • Software Assurance and Security Engineering
  • Systems Security Architecture
  • Test and Evaluation
  • Technology Research and Development
  • Information Assurance (IA) Compliance
Operate & Maintain
  • System Administration
  • Network Services
  • Systems Security Analysis
  • Customer Service and Technical Support
  • Data Administration
  • Knowledge Management
Collect & Operate
  • Collection Operations
  • Cyber Operations Planning
  • Cyber Operations
Protect & Defend
  • Vulnerability Assessment and Management
  • Incident Response
  • Computer Network Defense (CND) Analysis
  • Computer Network Defense (CND) Infrastructure Support
Investigate
  • Investigation
  • Digital Forensics
Analyze
  • Cyber Threat Analysis
  • Exploitation Analysis
  • Targets
  • All Source Intelligence
Oversight & Development
  • Legal Advice and Advocacy
  • Education and Training
  • Strategic Planning and Policy Development
  • Information Systems Security Operations (ISSO)
  • Security Program Management (Chief Information Security Officer [CISO])