Identity Revive

Baseline Cyber Security Requirements


Use for all your projects and changes. Will save you at least 10 hours per week. Self service!

Rakkhi Joy
Oct 30, 2023 ∙ Paid


I’m the co-founder of Identity Revive. We can help you:

  • Build a business case for cyber security.

  • Define all your cyber security requirements so you can encourage self service from the business and technology teams, keeping your cyber team costs lower while still scaling effectively.

  • Architect, design, deliver and run your cyber security controls in code so you are compliant with regulation and don't suffer a cyber incident.

  • Make sure you are getting value out of your Managed Service Providers (MSPs) and help them use less ClickOps so you get charged less and they make fewer errors.

Also remember that if you are a Not-For-Profit (NFP), or a Non-Government Organisation (NGO) in the Education or Health sectors, we provide free consulting as a way to give back to the community and our country (Australia). Email me at: rakkhi@identityrevive.com .

Background / Description

These are a set of baseline cyber security requirements that we have cultivated as global best practices over 20 years across multiple companies listed on the ASX, Dow Jones and other exchanges. They are broadly based on the NIST framework, with useful additions from the Cloud Security Alliance. In my opinion they are better than both, but feedback is welcome.

Benefits

  • You want sub-linear scaling of your cyber security function. This means you can add staff, revenue, customers and geographical locations much faster than the cost and size of your cyber security function (people and technology) increases. These requirements help you get there in two ways:

    • Directly - self-service requirements mean your projects and changes understand what “good looks like” and “what cyber wants us to do”, and you no longer need to review and engage with every project and change. They can “self-service” and you can “manage or engage by exception” when they cannot or do not want to meet a requirement or follow a pattern. In a company with 3000 staff, operating in 2 geographies, with approx 20 major projects in progress concurrently and a cyber engagement, architecture or design team of approx 5 FTE, I estimate self-service cyber security requirements will save you approx 10 hours per week.

    • Indirectly - they promote re-use of enterprise technologies, processes and patterns.

  • Meet regulatory, contractual and industry requirements. Avoid fines.

  • Avoid a breach and recover faster to business as usual if you are unfortunate enough to suffer a breach.

  • Improve productivity by re-use.

  • Improve customer satisfaction and staff and partner engagement. Cyber tells them upfront what it wants, not at the end.

Caveats and Limitations

  • These cyber requirements are for projects and changes. They are not meant to replicate all the requirements in your policies and standards.

  • These are generally applicable, “baseline”, cyber security requirements for all your projects and changes, whether IT, OT, SaaS, cloud, datacenter, mobile or endpoint.

  • They are not an exhaustive list. Add more as required.

  • They are not guaranteed to meet your specific policies, standards or regulations. Caveat emptor. Tailor them to what you need, or we can do this for you: rakkhi@identityrevive.com . We do not provide any warranty that these requirements are suitable for your specific environments or solutions. They are general advice only. We will provide a warranty and be liable for any negligence where we perform a paid engagement for your company under a specific contract agreed by both parties.

  • You may not want all these requirements. You may not be at a maturity level where all these are appropriate. Feel free to delete or change.

  • You may not have all these processes or technologies, or need them. Feel free to modify or delete.

  • Once you publish these requirements, your auditors or regulators may hold you to them. This can be for new, modified or existing solutions. Be careful. Get help.

Audience

Self service for business and technology stakeholders on any project, solution or change where a breach matters to you or where you will be fined if controls are not met.

They should be easy enough for any interested layperson to digest; however, a walk-through by a cyber security architect, designer or consultant is always advisable to ensure understanding.

You can also use these, or whatever subset of them you want, as the “cyber section” in a Request for Proposal (RFP) to choose a capability. We will publish a specific set of really useful requirements for cyber technologies at a later date.

How to use

  • Perform a two-way mapping to your policies, standards and regulatory or industry requirements, e.g. Essential 8. Capture the mapping in column E. This is invaluable when a project or change does not want to, or does not have the money or time to, meet a requirement. Or we can do this for you as part of a paid engagement.

  • Add a link to your cyber security exemption process for cases where a solution cannot or will not meet a requirement. Don’t have one? We can help you write one and communicate it effectively.

  • Find and replace the $ team-name placeholders in column D with your own teams, or state that the team does not exist yet, i.e. “emerging”.

  • Find and replace the $ placeholders in column G with your own technologies and patterns, or state that they do not exist yet, i.e. “emerging”. Be careful of asking a project or change to do something you do not have the people, process and/or technology at the right maturity level to support.

  • Review the Must, Should, Could etc. in column F and ensure they make sense for your company's maturity level and regulatory and industry requirements.

  • Additional columns you can add:

    • Onboarding $ITIL service (e.g. ServiceNow) or merge request links.

    • Links to Policies, Standards, Guidelines for more detail on every requirement.

    • Technology status e.g. Promote, Contain, Emerging, Decommissioned.

    • Change back cost for use of technology or process.

  • Higher maturity: move this to markdown, SharePoint Forms or something else that is not Excel. By linking each requirement to what is actually implemented in code, you can have an automated requirements-to-solution traceability matrix.
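The steps above are manual spreadsheet edits, and the last one asks for automated traceability. The following script is an added example, not the post's own spreadsheet or code, showing how a team could lint a CSV export of the requirements before publishing: it flags unreplaced `$` placeholders in the team (column D) and technology (column G) columns, checks that the priority (column F) is a MoSCoW value, flags Must requirements with no policy or regulatory mapping (column E), and builds the traceability matrix from a map of requirement id to implementing code artefacts. The column layout for columns A to C, the `Won't` priority, the requirement ids and the sample rows are all constructed assumptions for this example.

```python
"""Lint a baseline-requirements CSV export and build a traceability matrix.

Column layout assumed from the post: D = owning team, E = policy/regulatory
mapping, F = priority (Must/Should/Could), G = technology or pattern.
Columns A-C (id, requirement, description) are an assumption for this example.
"""
import csv
import io
import re

COLUMNS = ["id", "requirement", "description", "team", "mapping", "priority", "technology"]
# MoSCoW values; "Won't" is an assumption, the post names Must/Should/Could "etc."
PRIORITIES = {"Must", "Should", "Could", "Won't"}
# A "$" followed by an identifier marks a placeholder still to be replaced.
PLACEHOLDER = re.compile(r"\$[A-Za-z_]\w*")

# Constructed sample export: one clean row, two rows with problems.
SAMPLE_CSV = """id,requirement,description,team,mapping,priority,technology
BR-001,Authenticate users via the central identity provider,All staff-facing apps federate to the enterprise IdP,Identity Team,Essential 8: MFA,Must,Enterprise IdP (SAML/OIDC)
BR-002,Forward security events to the central SIEM,Auth and admin events are retained centrally,$SecOps,,Must,emerging
BR-003,Encrypt data at rest with managed keys,Customer data stores use platform-managed encryption,Platform Team,Internal Data Protection Standard,Shall,$KMS
"""


def load_rows(text):
    """Parse a CSV export into dicts keyed by the assumed column names."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return list(reader)


def lint_rows(rows):
    """Return (requirement id, column, message) tuples for each problem found."""
    findings = []
    for row in rows:
        rid = row["id"]
        # Steps 3 and 4 of the post: every $ placeholder must be replaced
        # with a real team/technology or the word "emerging".
        for col in ("team", "technology"):
            match = PLACEHOLDER.search(row[col])
            if match:
                findings.append((rid, col, f"unreplaced placeholder {match.group()}"))
        # Step 5: priority must be a recognised MoSCoW value.
        if row["priority"] not in PRIORITIES:
            findings.append((rid, "priority", f"unknown priority {row['priority']!r}"))
        # Step 1: a Must requirement with no mapping cannot be defended
        # when a project asks why it applies.
        if row["priority"] == "Must" and not row["mapping"].strip():
            findings.append((rid, "mapping", "Must requirement has no policy/regulatory mapping"))
    return findings


def traceability_matrix(rows, implemented):
    """Map each requirement id to the sorted list of artefacts that implement it.

    `implemented` is assumed to come from code annotations or IaC metadata,
    e.g. {"BR-001": ["terraform/modules/idp"]}; ids with nothing map to [].
    """
    return {row["id"]: sorted(implemented.get(row["id"], [])) for row in rows}


def unimplemented_requirements(rows, implemented, priority="Must"):
    """Ids of requirements at the given priority with no implementing artefact."""
    matrix = traceability_matrix(rows, implemented)
    return [row["id"] for row in rows if row["priority"] == priority and not matrix[row["id"]]]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for rid, col, msg in lint_rows(rows):
        print(f"{rid} [{col}]: {msg}")
    # Constructed artefact map: paths are hypothetical.
    artefacts = {"BR-001": ["terraform/modules/idp", "policies/oidc.rego"]}
    print("unimplemented Must:", unimplemented_requirements(rows, artefacts))
```

Run against the constructed sample, the lint reports four findings (the `$SecOps` placeholder and missing mapping on BR-002, the unknown priority `Shall` and the `$KMS` placeholder on BR-003), and the traceability check lists BR-002 as a Must requirement with no implementing artefact. Wiring this into the pipeline that publishes the requirements is what turns the spreadsheet into the automated traceability matrix the post describes.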

This post is for paid subscribers
