How do you build a 📌 security/controls methodology🔐 that works for any organization?
After years of working with complex cyber risk management methodologies, I decided to think outside the box 💡 and build something simpler - but no less effective.
📈 When I need to adapt a methodology to an organization, I usually start with a risk management framework (such as CIAAN) and, instead of approaching it only through traditional risk management, I create a threat map and build an appropriate control structure. Here I present a methodology based on the 12 Pillars, which I developed for the information protection architects of a large healthcare organization; as I did there, each organization can adapt it to its unique needs. 👍🏻
Why 12? 🎓
The number 12 carries a meaning of completeness and order in many cultures 🖖🏻 - 12 tribes, 12 messengers, 12 months 📅, 12 hours 🕓, 12 zodiac signs 🏹. It represents a foundation for stability and integrity, exactly what we are looking for in information security. 📓
The 12 key pillars for reducing cyber risks:
📍 Authentication - Identifying and validating user identities
📍 Authorization - Defining permissions and access rights
📍 Encryption - Protecting information at rest and in motion
📍 Network Security - Protecting the communication infrastructure
📍 Endpoint Security - Securing devices and their connections
📍 API Security - Protecting software interfaces
📍 SSDLC and container security - Security at the development level
📍 Vulnerability Management - Identifying and addressing weaknesses
📍 Supply Chain and Third-Party Controls - Protecting against supplier and third-party risk
📍 Auditing and Compliance - Compliance with standards and regulations
📍 Incident Response - Preparedness to handle security incidents
📍 Disaster Recovery and BCP - Business Continuity
The advantages of this methodology:
✅ Simplicity - Easy to implement and understand
✅ Flexibility - Adaptable to any organization
✅ Comprehensive Coverage - Covers all aspects of security
✅ Practicality - Focuses on applicable controls
This methodology helps organizations build a customized security strategy without getting into the unnecessary tangle of complex frameworks.
🤏🏻 What do you think of this approach? 🤷🏻 How do you build the security methodology in your organization?
For a detailed and practical read, see the document: https://lnkd.in/dE-Bbkiv