This post clarifies the difference between CSF Implementation Tiers and maturity levels. A security maturity model is a set of characteristics or indicators that represent capability and progression within an organization’s security program. The Cyber Security Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers…
Posts published in “Architecture”
Still being written… A Threat and Risk Assessment analyzes a software or hardware system for vulnerabilities, examines the potential threats associated with those vulnerabilities, and evaluates the resulting security risks. A vulnerability is any “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy” (NIST SP800-30 Risk Management Guide for Information…
- The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
- The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management.
- Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.
Layered Security & Defense In Depth
A layered approach to security can be implemented at any level of a complete information security strategy. Whether you are the administrator of only a single computer, accessing the Internet from home or a coffee shop, or the go-to guy for a thirty thousand user enterprise WAN, a layered approach to security tools deployment can help improve your security profile.
In short, the idea is an obvious one: any single defense may be flawed, and the most certain way to find the flaws is to be compromised by an attack, so a series of different defenses should each be used to cover the gaps in the others' protective capabilities. Firewalls, intrusion detection systems, malware scanners, integrity auditing procedures, and local storage encryption tools can each serve to protect your information technology resources in ways the others cannot.
One of the most recent and wide-ranging laws impacting the security profession globally is the European Union’s General Data Protection Regulation, or GDPR. As of May 25, 2018, the GDPR is a legal and enforceable act of the European Union. In this post, we will detail the key points a security professional needs to know in order to satisfy the requirements of GDPR. General Data Protection Regulation (GDPR) Chapter 1 – 1 2 3 4 Chapter 2 – 5 6 7 8 9 10 11 Chapter…