Selecting Infrastructure Controls
(OBJ 3.2)
Control
- A protective measure put in place to reduce potential risks and safeguard an organization's assets
- Minimizes breaches and vulnerabilities while ensuring that our resources are being used efficiently
Key Principles
- Least Privilege
  - Users and systems should have only the access rights necessary to perform their duties, in order to reduce the attack surface
- Defense in Depth
  - Utilize multiple layers of security to ensure robust protection even if one control fails
- Risk-based Approach
  - Prioritize controls based on the potential risks and vulnerabilities specific to the infrastructure
  - Use resources effectively
    - No organization has enough time, people, or money to completely mitigate every single potential threat out there
    - Prioritize controls based on the potential risks and vulnerabilities specific to the infrastructure
- Lifecycle Management
  - Regularly review, update, and retire controls to adapt to the evolving threat landscape
- Open Design Principle
  - Ensure transparency and accountability through rigorous testing and scrutiny of controls
  - Also ensures our controls are effective and are being implemented securely
Methodology
- Assess Current State
  - Understand the existing infrastructure, vulnerabilities, and current controls before adding new ones
- Gap Analysis
  - Identify discrepancies between the current and desired security postures
- Set Clear Objectives
  - Define specific goals for adding new controls (data protection, uptime, compliance, etc.)
- Benchmarking
  - Compare your organization's processes and security metrics with industry best practices
- Cost-Benefit Analysis
  - Evaluate the balance between the desired security level and the required resources
- Stakeholder Involvement
  - Engage relevant stakeholders to ensure controls align with business operations and goals
- Monitoring and Feedback Loops
  - Continuously revisit control selection to adapt to evolving threats
  - The cyber threat landscape is constantly changing and evolving
Best Practices
- Conduct Risk Assessment
  - Regularly assess the threats and vulnerabilities specific to your organization, and update the assessment whenever significant changes occur
  - Not a one-time activity; it should be a recurring process that is repeated any time there is a significant change in your enterprise infrastructure or operations
- Align with Frameworks
  - Utilize established frameworks (e.g., NIST, ISO) to ensure comprehensive and tested methodologies
  - By adhering to these frameworks, you can be assured that your approach is comprehensive and based on tried-and-tested methodologies
  - Example:
    - As a cybersecurity consultant, use the NIST Cybersecurity Framework and the NIST Risk Management Framework
    - Very in-depth and well-regarded frameworks that we can rely upon
- Customize Frameworks
  - Tailor framework controls to your organization's unique risk profile and business operations
- Stakeholder Engagement and Training
  - Engage all relevant stakeholders in the decision-making process, and conduct regular training to keep the workforce updated on security controls and threats
  - Rely on a knowledgeable and engaged workforce to achieve a higher level of security for your infrastructure