The following page includes my copyrighted “CyberSecurity 11 Essential Process Reference Model”, including an explanation of each process. This CSF is based on the ISO/IEC 27001 ISMS, the only internationally accepted framework standard.
The following describes each of the processes established within the “ISO CyberSecurity Program” once it is implemented.
Governance: During this process the security program is aligned with organizational goals and objectives by the leaders who are responsible for assets such as information and resources.
Risk Management: During this process the threats and vulnerabilities are balanced against existing controls and decisions are made to add or remove risk mitigation controls based on the importance of assets.
Compliance Management: During this process the security program identifies legal obligations defined in statutes, regulations and contracts, and maps them to the master control deck, providing real-time, continuous evidence.
Vulnerability Management: During this process the security program identifies and mitigates known vulnerabilities. In addition, the VM process examines the Enterprise Architecture for unknown vulnerabilities and in turn treats those vulnerabilities.
Communication Management: During this process the security program identifies opportunities to share security-related information by creating appropriate communication pieces and carefully selecting and leveraging channels.
Awareness Training: During this process we share tools and techniques used to apply security to daily roles and responsibilities within the organization. During this process we raise awareness and influence employees to become more security conscious.
Access and Identity: During this process the security program ensures that persons accessing the organization’s information and systems can be positively identified and that they have appropriate authorization to access the information and resources.
Asset Management: During this process the security program ensures that assets are identified and registered so that risk management, vulnerability management, change management, configuration management and availability management can be effective.
Document Control: During this process the security program identifies and controls documentation that is crucial to produce consistent and reproducible results.
Records Management: During this process the security program identifies records that are crucial to produce evidence of conformity to standards and compliance with legal obligations.
Internal/External Auditing: During this process the security program provides assurance by verifying and validating that the security program is operating effectively, and makes recommendations where appropriate and necessary for the continuous improvement of the program.
Monitoring and Reporting: During this process the security program identifies security events and incidents that require follow-up. These events can range from systems faulting to attempts to access unauthorized information or system resources, potentially leading to a breach of security and activation of the security incident response process or business continuity plans.
Copyright 2020 © Secure Knowledge Management Inc. All Rights Reserved.