Thursday, November 3, 2022

Most Requested Compliance Documents

Indicator of what’s important around the world.

Current: Monthly Selected Authority Documents - September, 2022 - Unified Compliance

Monthly Updates & History: Monthly Updates Archives - Unified Compliance


Top 10:

  1. NIST CSF 1.1
  2. CIS Controls, V8
  3. ISO 27001-2013
  4. EU General Data Protection Regulation (GDPR)
  5. NIST SP 800-53 R5
  6. Sarbanes-Oxley Act of 2002
  7. PCI DSS v3.2.1
  8. ISO/IEC 27701:2019
  9. Cloud Controls Matrix, v4.0
  10. ISO 27002 

Tuesday, October 25, 2022

Summary of All Data Breaches 2004-2022

The pictures speak for themselves. It's interesting..... Looking at the average data sensitivity for all records lost each year, ranked according to the simple scale below, you get this chart. 

Data sourceWorld’s Biggest Data Breaches & Hacks — Information is Beautiful

Data sensitivity

1. Just email address/Online information
2 SSN/Personal details
3 Credit card information
4 Health & other personal records
5 Full details


By number of records lost


Putting it together




Tuesday, October 11, 2022

IT Audit Process: Identify blind spots & streamline operations

I created this to use as a backdrop for discussions around the IT audit process with a focus on identifying blind spots and streamlining operations.



Thursday, October 6, 2022

Top Leadership Tips! XL Management Post

 I brought up the Tuckman model of team phases while coaching an OKR session for a new team. The purpose was to encourage them to anticipate - and perceive as normal - a little chaos and contention. 

A quick Google search later to send a funny video, and I ran across this excellent list. I copied it here and cleaned it up. 

TOP LEADERSHIP TIPS

1: Be familiar with the phases of Teamwork. Tuckman’s forming, storming, norming, and performing model.

2:.If you want good leaders to lead teams give them the tools to do it. Train and manage the process of leadership building.

3: If you want followers (team members) train them to work together – manage the process and monitor progress.

4: Support the process from the very top but be prepared to be lonely. Leading is often a lonely role – the buck stops with you.

5: Give each leader and each team identity to hold onto. A reason to be proud of membership and an acknowledgment of achievement.

6: Foster the identity to increase group/team cohesion. Leading and following are not always doom and gloom. Make business fun – work hard play hard.

7: Establish The Norms You Want. It is imperative to agree on the core norms setting ground rules to prevent problems later on.

8: Clearly define roles and responsibilities in order to establish boundaries and set expectations governing relationships.

9: Establish key group/team processes. Meetings, decisions, brainstorming, timekeeping, and problem-solving.

10: Everyone’s time is valuable. If you don’t expect your team to waste your time – don’t waste theirs. Give power to the team on the ground – trust in their judgment. They are the ones delivering the goods.

11: Truly great leaders have mastered courtesy along with being bold, courageous, dynamic, and visionary.

12: Communicate, communicate, communicate. But above all get to the point! Make sure you get the message out to your audience – don’t waffle. Do not leave people wondering what all the slides were about when there was only one point to be made. Leaders have a knack for cutting through the BS and simplifying the solution so that everybody can embrace it.

13: Don’t be afraid to give bad news. Every company has bad news – it makes the good news look better too.

14: If you want your team to be engaged, committed and good followers say thank you! You expect team members to be cohesive and achieve great things; when they do, thank them. As General Colin Powell (US Army retired) once said “Organization doesn't really accomplish anything.  Plans don't accomplish anything, either.  Theories of management don't much matter.  Endeavors succeed or fail because of the people involved.  Only by attracting the best people will you accomplish great deeds.”

15: Integrity counts. Neither your customer nor your team is wedded to you so they need to believe and trust in you.  

16. Never doubt your own vision – you are the leader, and you are expected to know all the answers until proven differently. And remember optimism multiplies if fostered.

17. Being responsible sometimes means pissing people off. It’s better to get the right thing done in the right way than to let your team believe that mediocrity is good enough. Keep looking below the surface – even when what is below may not be palatable.

18. Be happy with your team bringing problems and complaints as well as the good news. The day this stops either means they don’t care or have lost confidence in you.

19. Advisors have their place. But at the end of the day, it is your judgment that counts. Separate data from judgment and constantly reference your own hard-won insight.

20. Pick good followers for now and leaders for tomorrow. Formulate your list of criteria and be choosey who you work with. Make sure each person ticks most if not all of the key boxes. E.g. Intelligence, judgment, insight, loyalty, integrity, and a high-energy drive.

Friday, September 16, 2022

SP 800-66 Rev. 2 Reverse Mapped HIPPA - NIST Updated Guidance for Health Care Cybersecurity

Here's a NIST mapping crosswalk between the HIPAA requirements and NIST SP 800-53r5 in a spreadsheet format.

Spreadsheet Here: 2022 HIPAA Crosswalk SP 800-66 ipd Table 12.ver.01.xlsx - Google Drive from Blog Downloads (compliancequickstart.com)

NIST PageSP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule: Cybersecurity Resources | CSRC (nist.gov)

Publication LinkNIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

I reworked the information from the initial public draft into a spreadsheet that also allows easy importing into different tools. Additionally, I included a direct NIST map, essentially reversing the look-up. Finally, all control IDs are now two digits which allows for proper sorting and lookups with tools inside arrays.

Here's a snapshot of the format (click to view): 




Thursday, August 18, 2022

Federal Auditing is... Complicated.

Breaking down your understanding of all things Federal, eh? Yeah, I'm *still* learning. I love this compilation you can find at https://csiac.org/resources/the-dod-cybersecurity-policy-chart. I've been using this chart for years to demonstrate to my peers how different bodies of work interact. You'll find this in compliance slide decks I've created for graduate college classes to drive the point that there is a lot to consider when making control selection, design, implementation, and operational decisions. 

You can use this as another tool for peeling back layers and quickly finding related directives and publications. 
From the website (do yourself a favor and read this before looking at the chart...): 
  • "The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of colors, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
  • At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side are boxes identifying key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can also be found in the chart."

Wednesday, August 17, 2022

Global 500 vs Fortune (US) 500 Sector Comparisons - I.e. Profit Margins!


I created this out of curiosity about the macro business environment changes and differences over the last year and between US and Global markets among different sectors. As usual - Follow the money... There's some interesting insights. 

So what line of business is the most profitable?? This is organized by the average profit margin of companies within each sector.

Tuesday, August 16, 2022

Brilliant Article: (Don’t) Focus on Your Job at the Expense of Your Career

Credit to HBR and specifically Dorie Clark. Brilliant. Young people need to hear this. 

Don’t Focus on Your Job at the Expense of Your Career (hbr.org)

Summary: "The gap between what we have to do today and where we see ourselves in the future can be vexing. We’d like to advance toward our goals, but we feel dragged down by responsibilities that seem banal or off-target for our eventual vision. In this piece, the author offers four strategies you can try so that you can simultaneously accomplish what’s necessary for the short-term while playing the long game for the betterment of your career." 

  1. Analyze the strategic value of your activities.
  2. Enlist allies.
  3. Manage your brand.
  4. Be willing to experiment with “120% time.”
IMHO - This is what I tell my own teenagers and students in college:
  • Put in the time when you are young because you have the energy, mental capacity, and the greatest amount of neural plasticity.
  • The world and the workplace are not fair. Position yourself to capitalize on opportunities. That can be many things - training, visibility, kindness, someone others want to be around and emulate.
  • Embrace the opposite of Imposter Syndrome. Be confident and go for it. Why not you? 
  • Hard work beats talent when talent doesn't work hard. 
More excellent articles by Dorie Clark

  1. Haven't Networked in a While? Here's How to Jump Back In.
  2. Stop Procrastinating and Tackle That Big Project
  3. Approach Your Personal Brand Like a Project Manager
  4. How to Make Progress on Your Long-Term Career Goals
  5. The Upside of Feeling Uncertain About Your Career

Thursday, August 11, 2022

Open Cybersecurity Schema Framework (OCSF)

Who: Amazon, Cloudflare, CrowdStrike, IBM, Okta, and Salesforce

What: They have collaborated on a joint initiative to solve a critical bottleneck in the sharing of threat information: The different data formats currently in use across multiple cybersecurity tools and products.

  • Schema includes: Activity; Activity ID; Category; Category ID; Class; Class ID; Count; Duration; End Time; Enrichments; Event Time; Message; Metadata; Observables; Original Time; Product; Profiles; Raw Data; Reference Event Code; Reference Event ID; Reference Event Name; Severity; Severity ID; Start Time; Status; Status Code; Status Details; Status ID; Timezone Offset; Type ID; Type Name; Unmapped Data

Thoughts: There's still a tremendous amount of work to be done and it will realistically be quite some time before the value is realized from this effort. However, it's good to see some progress and interest. This has been a problem for a very, very long time. 

Tags: Open Cybersecurity Schema Framework (OCSF)

Sources:

Thursday, July 28, 2022

[MITRE CREF Navigator]: Cyber Resiliency Engineering Framework (CREF)

Tags: MITRE; CREF; Navigator; Cyber Resiliency Engineering Framework; NIST SP 800-160

Source

What is it?

“a relational database of NIST SP 800-160 Volume 2 concepts that is searchable, visualizes resilience relationships & presents a Web UI while utilizing portable, opensource components to enable use in tools. The CREF Navigator distills tons of useful terms, tables, and relationships from the CREF/NIST SP 800-160 Volume 2 into an online tool.”

Must-see Images:

Visualize the interaction between the Goals, Objectives, Techniques, and Approaches of Cyber Resiliency:


 

Interaction of Techniques, Approaches, and Adversarial Effects:



Wednesday, July 27, 2022

Learning Cybersecurity

So you want to learn cybersecurity? 

The knowledge base is available to you. You can do it! Find the time and prioritize the effort. Focus on the outcome. Focus on your why and make it bigger than the effort to get there. There are hundreds of books available. Dozens of free resources. Google is your friend... Or if you prefer, here's a tiny snippet of online available resources: 

Top Schools...

Many top schools have open courseware such as:

Additional Online Courses...

In addition, there are great free online courses available:

And if you have a subscription (it's worth it IMHO): 

Certifications...

These cost money - and time - but they demonstrate a fundamental level of knowledge highly desirable by hiring managers. They also demonstrate your passion for the topic and desire to put in the additional work to stand out from your peers. 



Tuesday, July 12, 2022

2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined

CMMC depends on the content from 800-171r2 and 171A... Here is something I created that combines all three into one place. I find this helps visualize and focus discussions between the driver (CMMC) requirement, implementation, and assessment. 

Download it from my files here: 2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined.ver.02a

Relevant Sources


Tuesday, July 5, 2022

Hello Big News! Quantum-Resistant Cryptographic Algorithms

Tags: NIST; Quantum-Resistant Cryptographic Algorithms

Source: NIST Announces First Four Quantum-Resistant Cryptographic Algorithms | NIST

Big news in the standards world!

Why do I care?

Taken from a different blog, this is why quantum resistant cryptographic algorithms are important today:

“Rather than breaking an entire class of encryption in total and all at the same time, an adversary would have to collect that encrypted information and then apply the quantum capability against that single session of communication, break that, and then move to the next one.

We don’t anticipate talking about your personal bank accounts at first, but rather very valuable information that will be worth the expense of using those first cryptographically capable quantum machines, national security information as an example. That's why, even though there's not a cryptographically relevant quantum machine now, we need to be preparing now so that even the data we have today is quantum proof tomorrow.”

What just happened?

Synopsis…

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

Federal agency reveals the first group of winners from its six-year competition

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions. 

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-DilithiumFALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.

Thursday, June 30, 2022

The Zen of Python by Tim Peters... Applied to standards.

Not all regulations, standards, and security practices are the same. Some have too little detail, and some have too much detail. Some have great clarity and focus, and others are all over the place. 

See how beautifully this applies to the standards community. This should be read before every standards meeting...! 

The Zen of Python, by Tim Peters

Beautiful is better than ugly.

Explicit is better than implicit.

Simple is better than complex.

Complex is better than complicated.

Flat is better than nested.

Sparse is better than dense.

Readability counts.

Special cases aren't special enough to break the rules.

Although practicality beats purity.

Errors should never pass silently.

Unless explicitly silenced.

In the face of ambiguity, refuse the temptation to guess.

There should be one-- and preferably only one --obvious way to do it.

Although that way may not be obvious at first unless you're Dutch.

Now is better than never.

Although never is often better than *right* now.

If the implementation is hard to explain, it's a bad idea.

If the implementation is easy to explain, it may be a good idea.

Namespaces are one honking great idea -- let's do more of those!

Thursday, June 23, 2022

PCI DSSv4 Spreadsheet Format

PCI DSSv4 Spreadsheet Format!

Source: Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards

Available hereBlog Downloads (compliancequickstart.com) 

Direct Link: HERE

About

It can be helpful to have the PCI Data Security Standard content in a spreadsheet format to facilitate learning and the creation of related artifacts and mappings. I've provided this for other versions and now have an updated PCI DSS version 4 in a similar format to facilitate learning about the standard's content. This format helps me absorb and structure (yes - an active verb) a large amount of information quickly. I've learned that I'm wired differently than others - and this is what works for me. 

I'm a fan of what the PCI Standards Security Council has created with the DSS. They have had a significant impact on the overall security posture of many organizations because of their output.

PLEASE DEFER TO THE PCI SSC FOR ANY OFFICIAL USE - THIS IS UNOFFICIALLY PROVIDED AS A HELPFUL RESOURCE FOR LEARNING PURPOSES ONLY. 

The tabs in the spreadsheet contain: 

  • Original Content: Keeps tables in the same organization as the original. All text is retained. 
  • Nested Content: Recognizes the intentional nesting of content. All text is retained. 

Example given:                                 

  • X.Y is used as a top-level control descriptor for the items under it and never has a testing procedure.  
  • X.Y.Z is used as the primary control descriptor which always has a testing procedure

Nested Content is therefore: 



Gartner’s Top Cybersecurity Predictions 2022-23

 Tags: Gartner; Risk Management; Predictions

Source: Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23

Relevance: Cyber security risk management runs as a central theme throughout each of these predictions.

  • Formal risk management critical thinking and processes have been central to peer conversations for more than 10 years. It’s now time to bring quantitative and qualitative measurement and evaluation into business decisions regarding controls that protect critical assets. We do this to protect our business.
  • Just as importantly, perhaps more so, risk management must be part of product security decision making. We do this to protect our customers… which protects our business.

Gartner recommends that cybersecurity leaders build the following strategic planning assumptions into their security strategies for the next two years.

  1. Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.

As of 2021, almost 3 billion individuals had access to consumer privacy rights across 50 countries, and privacy regulation continues to expand. Gartner recommends that organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.

  1. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.

With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.

  1. 60% of organizations will embrace Zero Trust as a starting point for security by 2025. More than half will fail to realize the benefits

The term zero trust is now prevalent in security vendor marketing and in security guidance from governments. As a mindset — replacing implicit trust with identity- and context-based risk appropriate trust — it is extremely powerful. However, as zero trust is both a security principle and an organizational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.

  1. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data. As a result of consumer concerns and interest from regulators, Gartner believes organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.

  1. Through 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021.

Modern ransomware gangs now steal data as well as encrypt it. The decision to pay the ransom or not is a business-level decision, not a security one. Gartner recommends engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.

  1. By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.

Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common and more disruptive. In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft, according to Gartner.

  1. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.

The COVID-19 pandemic has exposed the inability of traditional business continuity management planning to support the organization’s response to a large-scale disruption. With continued disruption likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative and build an organization-wide resilience strategy that also engages staff, stakeholders, customers and suppliers.

  1. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts

Most boards now regard cybersecurity as a business risk rather than solely a technical IT problem, according to a recent Gartner survey. As a result, Gartner expects to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.


Monday, May 9, 2022

Coding Resources

This isn't for everyone, but for those with the intelligence, work ethic, proclivity...

There's a LOT of money to be made here. 

There's a fascinating website, www.leetcode.com, which has a list of coding problems you can explore. Consistently hitting medium problems successfully? Let me know if you'd like a job. This is where really good money starts. 

Specific to cloud computing, a slightly different route that is also profitable, is www.acloudguru.com.

Specific to *learning* how to code, and what programming language to learn... C, C#, python, JavaScript, Java, SQL, no SQL. Right now I hear a lot about “R” for statistical modeling and graphical programming. It’s used a lot in data analysis. I know that there’s a huge shortage of people with this expertise because it’s hard, but reach out if you excel at solving these kinds of problems!  

There are a ton of free and low-cost resources online! Two really popular websites for learning how to code include www.codecademy.com and www.freecodecamp.org

Choose to become a mentor. Pass along your experiences.

It's important that we all do our best to share our experiences, and perhaps, help others make solid decisions that impact their careers and growth. These stories make up the tapestry of our experiences, but sometimes, it's a gift to someone else. 

So let's say that you have made the decision to become a mentor. Here is an example of how to break the ice. Purposefully, with intent, enter into that initial dialogue so that you can make it the best possible experience for both you and the mentee.

\\

Here are some ideas to start a dialogue with your mentee:
  • Share personal details like your role at VMware, any hobbies, interests, or other fun facts about yourself. Ask your mentee to share the same with you.
    • [Chris] Industry Standards Technical Manager, Office of the CTO; kids, family, friends, learning, church; Texas, US Navy submarines, Nuclear Engineering, McCombs MBA, 20 years information security with concurrent 10 years graduate teaching and 13 books. I've learned how little I know and how to ask others for help.
    • You can find out more about me here: Chris Davis | LinkedIn | Cloud Audit Controls
       
  • Get to know your mentee by asking questions about their career and how they got started at VMware.
    • [Chris] I came to VMware by way of VCE, left for Amazon, Oracle, startup, came back.
       
  • Share your career goals and aspirations with your mentee, and the steps you’ve been taking to achieve them.
    • [Chris] I’ve achieved far more than I ever set out to achieve. Why? It's not because I'm the smartest. 100% believe in yourself. Determination. Extreme ownership. Accept imperfection. Accept failure. We will discuss these. 
       
  • If relevant, ask your mentee for insight into their current work projects. They may have questions and an outside opinion may be helpful.
    • [Chris] I have several opinions. Not all of them will be helpful! 20% will be wrong. 60% will be solid. 20% will be nuggets. You’ll have to have the discernment to determine which opinions follow into which category for you. We will discuss this as well.
       
  • Share about recent books or podcasts you’ve enjoyed. If they also read or listen, set up a meeting to exchange thoughts (like an informal book club!).
    • [Chris] I regularly read and listen to podcasts. I have several current favorites.
       
  • Discuss tips and tricks for working from home. Your new hire may not be used to working in a virtual environment. Openly discuss any pain points and if relevant, provide recommendations.
    • [Chris] Choose to arrive at the beginning of the day with intent and a plan. Otherwise, by default, you choose to invite failure as an option and you choose to accept that.
Desired Outcomes

Expectations

Plan of Actions and Milestones

Wednesday, April 20, 2022

Highlight Reel: CISA Database of Known Exploited Vulnerabilities

Tags: CISA, known exploited vulnerabilities, US National Cybersecurity Infrastructure Security Agency, VMware, penetration testing, vulnerability testing

Relevance:

  • The list is continuously updated with vulnerabilities if they have known, and actively used exploits.  
  • One of many indicators of priority importance - as a function of risk.
  • Listing contains excellent metadata.
  • There are 644 entries for all vulnerabilities.
OK, so why does this matter? Because every company seems to struggle with how to prioritize. Sure, there's a lot to get done. But how do I prioritize what to fix? What to build? Where to focus? Perhaps you have an interesting project to track vulnerabilities. Another dimension that can be added to provide intelligence or meaningful input into priority ranking includes indicators of whether an exploit is being used by a population of attackers.

Sources & Links:

Tuesday, February 8, 2022

Discussion on XDR and the SOC

 Tags: SOC, XDR, Gartner, Ponemon Institute

Sources:

Relevance: What is XDR going to be when it matures? EDR… XDR… It's not quite the same thing. XDR is starting to gain traction as a beloved moniker. How do we shape the industry and VMware's story? The following is a representative, but not exhaustive, list of potential future XDR vendors from Gartner’s Innovation Insight: Cisco, Fortinet, Fidelis Cybersecurity, McAfee, Microsoft, Palo Alto Networks, Symantec, Trend Micro, FireEye, Rapid7, and Sophos. How does VMware fit into this narrative?

Pushing this further – welcome to the intersection of XDR and the SOC.

From Gartner Innovation Insight report:

The three primary requirements of an XDR system are:

1.      Centralization of normalized data, but primarily focusing on the XDR vendors’ ecosystem only.

2.      Correlation of security data and alerts into incidents.

3.      A centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting.

Extended Detection and Response Conceptual Architecture:

This was insightful from the Ponemon Institute research report on SOCs:

Systems Security Engineering: A Primer

 Tags: advanced persistent threat; assurance; controls; cyber resiliency; cyber resiliency approaches; cyber resiliency design principles; cyber resiliency engineering framework; cyber resiliency goals; cyber resiliency objectives; cyber resiliency techniques; risk management strategy; system life cycle; systems security engineering; trustworthiness

Sources:

Discussion: Where can you go to learn how to engineer and develop secure systems?

Take a look at the newly released SP 800-160 Vol. 2 Rev. 1 to learn more about cyber-resilience. Specifically, cyber resiliency engineering “intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources.”

Know a smart architect or developer interested in strengthening their knowledge of security principles?

Have them read each of the sections below one week apart and test them over the content.

  • D.3 CYBER RESILIENCY TECHNIQUES....................................................................................................... 89
    • Basic concepts… e.g. ANALYTIC MONITORING
  • D.4 CYBER RESILIENCY IMPLEMENTATION APPROACHES....................................................................... 92
    • Expanded concepts briefly covered in D3… e.g. ANALYTIC MONITORING extrapolates into [1] MONITORING AND DAMAGE ASSESSMENT, [2] SENSOR FUSION AND ANALYSIS, and [3] FORENSIC AND BEHAVIORAL ANALYSIS
  • D.5 CYBER RESILIENCY DESIGN PRINCIPLES .......................................................................................... 109
    • Covers specific strategic design principles