
RESILIA™ Cyber Resilience Best Practice

Stuart Rance, consultant, trainer and author (IT service management and information security management), @StuartRance


Agenda

• Best practice overview
• Certification syllabus and exam overview
• Q & A


Best Practice Overview


RESILIA: best practice overview

• RESILIA is documented in a single publication
  – Covering the entire lifecycle of cyber resilience
• RESILIA describes a similar lifecycle to ITIL
  – Strategy, design, transition, operation, continual improvement
• The RESILIA lifecycle is about cyber resilience, not ITSM
  – RESILIA integrates well with ITSM and other management system approaches


Publication structure

1. Introduction
2. Risk management
3. Managing cyber resilience
4. Cyber resilience strategy
5. Cyber resilience design
6. Cyber resilience transition
7. Cyber resilience operation
8. Cyber resilience continual improvement
9. Roles and responsibilities


Three case studies about fictional organizations are threaded through all the chapters


The case studies

• SellUGoods
  – Retail organization
  – International
  – Large internet presence
  – Many physical stores
  – Worry about payment card data breaches
  – PCI-DSS compliant


• MedUServ
  – Private medical lab
  – Single location
  – Carries out tests for doctors and hospitals
  – Worry about confidentiality of patient records
  – ISO 9001 certified


• MakeUGoods
  – Manufacturing
  – One country
  – Secret production methods
  – Customers in the defence industry
  – SCADA systems
  – Worry about leaked secrets and lost production


1. Introduction

• Cyber resilience is not just information security
  – More focus on network connectivity and the internet
• The need for balance
  – Prevent, detect and correct
  – People, process and technology
  – Risks and opportunities
  – Getting it right and continual improvement
• Characteristics needed for information
  – Confidentiality, integrity and availability
  – Authentication and non-repudiation


2. Risk management

• Cyber resilience is largely about managing risks


• A risk is created by a threat exploiting a vulnerability to impact an asset


3. Managing cyber resilience

• You need a single management system
  – Not one management system for security, one for ITSM, one for quality and yet another for governance
• You can make use of many best practices and standards
  – ITIL
  – ISO/IEC 27001, ISO/IEC 20000-1
  – ISO 31000, Management of Risk (M_o_R)
  – ISO 9001, ISO 22301
  – COBIT 5
  – NIST Framework for improving Critical Infrastructure Security


Chapters 4 to 8 - the lifecycle stages

• Lifecycle stage summary
• .1 Control objectives and controls
• .2 Aligning with ITSM
• .3 Scenarios (from the three case studies)
• .4 Questions


4 to 8 – Aligning with ITSM - example


4 to 8 – Questions - examples

• Strategy
  – How effective is governance of cyber resilience in your organization? Are the right people involved? What could be improved?
• Design
  – To what extent does your organization risk assess its supply chain?
• Continual improvement
  – How do you measure the effectiveness of your controls?


4. Cyber resilience strategy

• Strategy controls
  – Establish governance
  – Manage stakeholders
  – Create and manage policies
  – Manage audit and compliance
• Aligning with ITSM
• Strategy scenarios
• Strategy questions


5. Cyber resilience design

• Design controls
  – HR security
  – System acquisition, development, architecture & design
  – Supplier and third party security
  – Endpoint security
  – Cryptography
  – Business continuity management
• Aligning with ITSM
• Design scenarios
• Design questions


6. Cyber resilience transition

• Transition controls
  – Asset management and configuration management
  – Change management
  – Testing
  – Training
  – Documentation management
  – Information retention and disposal
• Aligning with ITSM
• Transition scenarios
• Transition questions


7. Cyber resilience operation

• Operation controls
  – Access control
  – Network security management
  – Physical security
  – Operations security
  – Cyber resilience incident management
• Aligning with ITSM
• Operation scenarios
• Operation questions


8. Cyber resilience continual improvement

• Continual improvement controls
  – Cyber resilience audit and review
  – Control assessment
  – KPIs, KRIs and benchmarking
  – Improvement planning
• Aligning with ITSM
• Using the ITIL CSI approach
• Using MSP
• Maturity models
• Continual improvement scenarios and questions


9. Cyber resilience roles and responsibilities

• Roles and responsibilities across the organization
• Segregation of duties and dual controls
• Roles and responsibilities questions


Certification syllabus and exam overview


RESILIA Foundation

• Similar to other Axelos foundation certifications
• Three day training course (online or face-to-face)
• 50 question multiple choice exam
• Covers all chapters of the publication
  – General understanding of cyber resilience
  – Purpose of risk management and how to do it
  – Purpose of each lifecycle stage
  – Key features of each control
  – Interactions between cyber resilience and ITSM
• EXAMPLES AND CASE STUDIES ARE NOT EXAMINED


Example foundation question

Which could be a vulnerability?

A. A secret document

B. Anti-virus software on a laptop

C. A poorly trained staff member

D. A breach of credit card data


RESILIA Practitioner

• Similar to other Axelos practitioner certifications
• Foundation is a pre-requisite
• Two day training course (online or face-to-face)
• 50 question multiple choice exam
  – With a case study and scenarios
  – More complex questions, but still only one correct answer
• Same content knowledge as foundation
• Demonstrates that you can apply the knowledge


Example practitioner question

Which is the biggest risk in the scenario?

A. There might be no virus controls on the laptop

B. The confidential data might be leaked

C. The factory might be unable to operate

D. The firewall might be breached by a hacker


Q & A


Thank you

@StuartRance

StuartR@optimalservicemanagement.com
