Demystifying the Implementation of Cyberresilience Programs

Author: Vimal Mani, CISA, CISM, Six Sigma Black Belt
Date Published: 19 May 2021

Cyberattacks are emerging faster than ever across the world in the wake of the COVID-19 pandemic. With newer dimensions incorporated into emerging disruptive cyberattacks, organizations globally are more vigilant about protecting their critical information assets. Attackers have started using more sophisticated tools, techniques and processes (TTPs) in their attacks. Using advanced persistent threats (APTs)1, 2, 3 is seen as an emerging trend in these sophisticated cyberattacks. Although organizations can never fully predict when or how unethical hackers will launch cyberattacks on them, they can work proactively to do something about it.

In short, organizations can become cyberresilient. This proactive thought process has resulted in cyberresilience programs being undertaken globally by various organizations. Cybersecurity is often mostly about reacting to cyberattacks. Cyberresilience is all about constantly anticipating cyberattacks and the ability of the organization to recover quickly from dynamically emerging cyberattacks so that the organization and its information systems will not be compromised. Implementing good cyberresilient practices and programs can provide adequate cyberprotection and help organizations handle continuing and emerging cyberrisk in an effective and efficient manner.

The key elements of implementing a cyberresilience program in an organization are:

  • Develop a cyberresilience strategy
  • Redefine corporate governance4
  • Choose a cyberresilient architecture
  • Strengthen the people factor
  • Strengthen process implementation
  • Strengthen technology implementation
  • Strengthen audit and assurance implementation

Developing a Cyberresilience Strategy

There is no single solution that can protect organizations from emerging cyberthreats. To reduce the risk of business loss from cyberthreats, it is critical for organizations to strategically use effective and proactive cyberresilience measures. Organizations need to have a cyberresilience strategy to prevent the most dynamic and innovative cyberattacks launched by the intelligent cybercriminals of this era. Having a cyberresilience strategy in place can improve an organization’s cybersecurity, data protection and IT disaster recovery capabilities in an integrated manner that will help the organization effectively face emerging cyberthreats.5 When developing a cyberresilient strategy, the following critical aspects should be considered:

  • Determine the organizational objective for implementing a cyberresilience program. This should be done in consideration of the risk appetite and business objectives of the organization in order to have a pragmatic cyberresilience strategy.
  • Define the scope and limitations of implementing a cyberresilience program. Security controls can be implemented in multiple layers in an organization, but not setting limits can lead to overkill and increased security costs.
  • Identify the critical information assets that need to be protected. This can include core banking systems, critical servers placed in data centers and closed-circuit television (CCTV) systems, outages of which could cause significant business disruption.
  • Discover cybercrime-related laws and regulations applicable in the region. Each country has its own cybercrime and privacy-related laws. In addition, regulators from various business sectors also enforce a wide variety of cybersecurity and privacy-related regulations such as the UAE National Electronic Security Authority Information Assurance Standards (NESA IAS),6 the EU General Data Protection Regulation (GDPR)7 and the US Federal Information Security Management Act (FISMA).
  • Develop a cyberrisk management strategy and ensure it is aligned with business strategy using strategy planning tools such as strategy maps and a balanced scorecard (BSC).8 It is necessary to consider the strategic direction of the organization, key enablers, expected outcomes and planned initiatives/projects while developing the cyberrisk management strategy to make it more effective and feasible to implement.
  • Select a management system for certifying the organization’s cyberresilience capabilities such as the International Organization for Standardization (ISO) standard ISO 27001. Having such certifications will help the organization demonstrate its cyberresilience capabilities to external regulators. A recent survey taken in the Gulf Cooperation Council region shows that the number of ISO certificates has grown gradually.9
  • Select a governance model to manage cyberresilience, such as COBIT® 2019. Using effective risk-based frameworks such as COBIT 2019 helps organizations effectively manage cyberrisk and enhance the cyberresiliency capabilities of their organizations.10
  • Describe the various roles and responsibilities involved in a cyberresilience program. Achieving good cyberresilience requires support from various roles such as the board, senior managers, line managers, project and program managers, and partners and suppliers who are expected to handle and manage varied responsibilities at their respective position levels in their organization.
  • Specify key performance indicators (KPIs) and key risk indicators (KRIs) for a cyberresilience program. Having the right set of cyberresilience metrics and measures helps organizations identify potential areas of cyberresiliency improvement.11
  • Identify the resources required for implementing a cyberresilience program to help build, improve, communicate and report the outcome of cyberresilience practices of an organization in a timely and effective manner.
  • Create an effective communication strategy. Having a structured communication strategy/plan helps an organization communicate with its various stakeholders on its cyberresilience strategy and initiatives in a timely and effective manner.
  • Determine the governance, risk and compliance (GRC) requirements for management oversight, compliance reporting and risk management. Having well-laid-out GRC principles and management oversight strengthens the implementation of cyberresilience practices in an organization.12

Once an organization defines and implements a cyberresilience strategy, it should then define KPIs for cyberresilience capability improvement13 within the organization, as they can be early indicators of any gaps in the cyberresilience strategy. Such cyberresilience strategies focus not only on combating cyberattacks but also on ensuring business and IT services continuity during cyberattacks and fast recovery after the effects of cyberthreats are neutralized. Cyberresilience strategies should be benchmarked against best practices to become more reliable and remain effective.14

Figure 1 illustrates the high-level flow of cyberresilience measures that can be implemented in an organization.

Redefining Corporate Governance

Corporate governance refers to the set of responsibilities to be fulfilled by the higher-level management structures of an organization, such as the management team, board of directors (BoD), and board and management committees. The demands and expectations set by investors and regulators have been a wake-up call, and it has become imperative for these higher-level management bodies to be aware of the governance aspects of cybersecurity in addition to their regular corporate governance activities.

The BoD and senior management need to take appropriate measures to ensure the optimum alignment of corporate and cyberrisk governance. To do this, changes need to be initiated from the board level down throughout the enterprise. Best practice guidelines on corporate governance need to be considered for improving the alignment of corporate and cybersecurity governance practices. Specifically, the COBIT 2019 framework helps define and implement a responsible, accountable, consulted and informed (RACI) matrix, which helps organizations ensure that board members are responsible, accountable, consulted and informed on the various happenings centered around cybersecurity at the board level.

BoDs should set the tone to ensure adequate cyberrisk mechanisms exist. Board-level cybersecurity awareness is critical for contemporary organizations. In addition, boards should have good insights into the risk appetite, cybersecurity strategy, implemented operational and tactical cybersecurity controls, investments made in cybersecurity threat prevention and protection arrangements, and threat intelligence management practices of their organizations.

BoDs should review the results of cybersecurity audits and assessments. Based on the insights gathered from the reviews, they should ask the right questions to the management team to ensure that timely measures are taken to reduce the cyberrisk of the organization. As a corrective and recovery measure from cyberattacks, BoDs should ensure that management teams subscribe to the relevant cyberinsurance plans available in the market. Board members should be aware of the disaster recovery and crisis management capabilities of the organization.

BoDs should invite industry experts to be part of their meetings to discuss cyberrisk management best practices. Boards should also invite law enforcement (e.g., police, civil defense authorities of the region where the organization operates) and market intelligence agencies to present on the potential cyberthreats and attack trends emerging in the region.

BoDs should guide the management team in establishing a strong operational risk management culture that should include a cyberrisk management element as an integral component. BoDs should ensure that cyberrisk management guidelines are seamlessly integrated into the enterprise risk management framework. The board should also ensure that cybersecurity risk disclosures are made to investors as appropriate and as required.

Choosing a Cyberresilience Architecture

There is a wide variety of cyberresilience architectures to choose from. Common architectures include the following:

  • Defense-in-depth (DiD) security architecture—This is a multilayer security architecture in which, if the controls positioned in one layer fail, the controls positioned in the other layers will still ensure the safety and security of the organization. Controls such as policies and procedures, network security appliances, firewalls, malware prevention solutions, managed detection and response solutions, and data loss prevention are placed in these layers of control to effectively prevent cyberattacks (figure 2).
  • ISO 27001-driven architecture—Setting up an information security management system (ISMS) based on ISO 27001:2013 is the key aspect of this security architecture. ISO 27001:2013 has a variety of security controls organized under 14 different domains,15 which will help an organization achieve foolproof cyberresilience.
  • US National Institute of Standards and Technology (NIST)-driven architecture—NIST Special Publication (SP) 800-160 Volume 2 guides organizations in methodically achieving cyberresilience through its cyberresilience engineering approach.16
  • MITRE Cyberresilience engineering-driven architecture—The MITRE Corporation is a US not-for-profit organization that manages various research and development initiatives supporting several US government agencies and is funded by the US federal government. MITRE Corporation has developed a cyberresilience engineering framework17 that guides organizations in building and engineering products with built-in cyberresiliency.
  • Zero trust model-driven security architecture—The zero trust model supports organizations in achieving resilience against cyberattacks such as identity threats.18
  • Cybermaturity model (CMM)-driven architecture—The CMM19 helps organizations baseline their cybersecurity and resilience requirements to improve the maturity of the cybersecurity practices of the organization.

As there is no one-size-fits-all approach, it is the organization’s responsibility to consider the risk appetite, cybersecurity practice maturity, investment and organizational culture and choose the most reasonable and cost-effective cyberresilient architecture for the organization.

Strengthening the People Factor

People make things happen for their organizations. They can make or break the organization with their contributions. For an organization to have strong cyberresilience, the contribution of its people is critical. Consider the following needs in relation to the people of an organization:

  • Start building red, blue and purple teams as part of cybersecurity capability development. Using these teams in an integrated manner can help an organization improve its incident management capabilities and overall cybersecurity posture by introducing state-of-the-art cybersecurity skills and solutions. Red and blue team exercises are generally carried out by military forces to mimic an enemy and their attack techniques and devise counterattack techniques to learn how to prevent attacks. This red team approach is being adopted by contemporary organizations globally to create foolproof business strategies that will help them beat their competition. Recently, global organizations have started embracing the red and blue team approaches to bolster their cybersecurity capabilities by addressing the dynamically emerging cyberthreats from adversaries. Organizations can conduct red teaming engagements through external consultants or develop their own internal red teams.20 Purple teams are teams that have the combination of skills possessed by blue and red teams, coming together with offensive and defensive techniques, working together to bolster the cybersecurity posture of an organization. In the era of dynamically emerging innovative cyberattacks, organizations require the collective thoughts and offensive/defensive techniques of red and blue teams together to battle adversaries. This warrants the need for purple team members in an organization’s security team.
  • Carry out upskilling and reskilling efforts so that staff develop and improve their understanding of emerging cyberthreats and of the cyberresilience measures the organization needs to take.
  • Identify and promote business unit-level cyberchampions. These employees can then work closely with the central cybersecurity team to implement the various cyberresilience measures identified by the organization. These cyberchampions need to be well-recognized for their contributions.
  • Provide ongoing and, as needed, ad hoc security awareness training for staff to sustain and improve their cyberreadiness.
  • Encourage senior management to have continuous dialog with staff on the various cyberresilience initiatives planned and executed in the organization and make sure that staff participate in and contribute to those initiatives.
  • Maintain good relationships with suppliers and service providers who have a vital part in strengthening an organization’s cyberresilience practice through the solutions and services they provide on an ongoing basis. Well-established cyberresilience practices can help an organization successfully manage the cyberattacks targeted on its information and communications technology (ICT) supply chain.21

Strengthening Process Implementation

Having effective processes, standards and guidelines implemented bolsters the cybersecurity posture of an organization and helps it withstand the innovative and disruptive nature of emerging cyberattacks. The following are the most critical process areas to focus on to build and strengthen the cyberresilience of an organization:

  • Secure development
  • Access management
  • Security by design
  • Data protection
  • Privacy by design
  • Vulnerability management
  • Incident management (security operations center [SOC] operations)
  • Digital forensics
  • Malware analysis
  • Threat hunting
  • Threat intelligence management
  • Cybersecurity risk management
  • Fraud management

Cybersecurity process frameworks and standards provide a strong foundation for organizations in achieving strong and evolving security postures, which help organizations effectively handle dynamically emerging cyberattacks and enable them to be compliant with specific standards such as ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS). Most organizations worldwide now have mandates to comply with different security standards. Cybersecurity process frameworks can be a great way to manage this challenge. Cybersecurity process frameworks help organizations define and implement security controls that will help them to achieve compliance with various security standards. There are several effective cybersecurity process frameworks and standards22 followed by global organizations that can be considered for implementation to improve cybersecurity:

  • Information assurance standards including the NESA IAS.23 NESA is a government body tasked with protecting the UAE’s critical information infrastructure and improving national cybersecurity. To achieve this, the UAE has produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory.
  • ISO/IEC 27001:201324 is an international standard on how to manage information security. The standard was originally published jointly by the ISO and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013.
  • ISO 2230125 specifies management system requirements (certifiable) to protect against, reduce the likelihood of and help ensure the organization is in the best place to recover from disruptive incidents.
  • ISO/IEC 2703126 provides concepts and principles behind improving the resilience of an organization’s IT structure to support business continuity objectives.
  • COBIT 201927 is a framework that helps organizations define critical IT governance components comprising (among others) processes, organizational structures, policies and procedures.
  • NIST Cybersecurity Framework28 consists of a variety of standards, guidelines and best practices to manage the cybersecurity risk faced by global organizations.
  • Information Security Forum (ISF) Standard of Good Practice29 provides a comprehensive framework of information security controls and information risk-related guidelines.
  • Generally Accepted System Security Principles (GASSPs)30 guide organizations in understanding the requirements for building and maintaining cyberresilient IT systems.
  • Cybersecurity maturity model31 provides a framework for benchmarking and improving cybersecurity practices of global organizations.

Using the various cybersecurity frameworks available in the industry, organizations can create a hybrid cyberresilience framework. Each organization can choose the specific controls that fit the organization’s specific cyberresilience architecture to implement a cyberresilience program supported by a layered security architecture. Various governments across the world have mandated organizations to achieve compliance with various cybersecurity process frameworks and standards. Cybersecurity standards, when followed, can provide increased security to critical information systems and help organizations strengthen their cyberresilience capabilities. Highly regulated industries such as banking have published their own cybersecurity guidelines, which are mandated for the entire sector. For example, the Reserve Bank of India (India’s banking regulator) has published its own cybersecurity framework32 and has mandated that all banks in India achieve compliance with it. The Central Bank of Kuwait has also published its own cybersecurity standard.33 In the Kingdom of Saudi Arabia, the Saudi Arabian Monetary Authority (SAMA) has published an exclusive cybersecurity framework to be followed by all the banks and financial services firms operating out of the kingdom.34

Strengthening Technology Implementation

Organizations can build effective security technology solutions by considering the cyberrisk landscape of their respective organization. It is very important to ensure that the implementation of these technology solutions is identified as an action item from information security risk assessments. Organizations also need to ensure that these solutions help mitigate the cyberrisk identified from the risk assessments. There are several security technology solutions that an organization can use to strengthen its cyberresilience practice:

  • Endpoint security
  • Multifactor authentication (MFA)
  • Identity and access management (IAM)
  • Privileged access management (PAM)
  • Email security
  • Encryption
  • Data loss prevention (DLP)
  • Deception technology (e.g., honeypots)
  • User behavior analytics (UBA)
  • User and entity behavior analytics (UEBA)
  • Network behavior analysis (NBA)
  • Security incident and event management (SIEM)
  • Security Operations, Analytics and Reporting (SOAR)
  • Service Orchestration and Automation Platform (SOAP)
  • Incident response automation (MDR)
  • Vulnerability management
  • Next-generation firewalls
  • Code analyzers (used for security code reviews)
  • Network access control
  • Compliance management
  • Digital surveillance (e.g., closed-circuit television [CCTV])
  • Data center security
  • Automatic teller machine (ATM) security

It is not possible for an organization to bring in and implement all these solutions. Based on the organization’s risk appetite and its cyberthreat landscape, the list of most critical security technology solutions should be identified. Then, the organization should develop a technology road map with clearly identified implementation timelines. This road map should be the guiding document for an organization to implement various security technology solutions to strengthen the organization’s cyberresilience practice. To effectively support this, organizations need to continuously explore the marketplace to identify the right solutions for their organization that are financially feasible to implement. Based on requirements, organizations may need to combine one or more solutions to improve the cyberresilience practice.35 With the arrival of new-age technologies such as artificial intelligence (AI) and machine learning (ML), the organization’s technological cyberresilience practices can be significantly improved.

Strengthening Audit and Assurance Implementation

Organizations should plan to complete several audit and assurance interventions focused on cybersecurity at planned intervals. Having planned audit and assurance interventions helps an organization strengthen its cyberresilience practices by identifying risk areas and weaknesses that exist in the implementation of controls and by providing advice to prevent cyberattacks. Such interventions include:

  • Vulnerability analysis
  • Penetration testing (internal and external)
  • Cybersecurity gap and risk assessments (based on external standards such as ISO 27001 and COBIT®)
  • Third-party and internally conducted cybersecurity audits against policies established in an organization
  • Testing incident response and IT disaster recovery plans
  • ATM security reviews
  • Phishing simulations

Conclusion

To survive and thrive in the increasingly complex cyberthreat landscape, organizations should consider transforming their cybersecurity practices by implementing strategic and structured cyberresilience programs in a collaborative manner. After implementing a cyberresilience program, to achieve maturity, organizations should seamlessly integrate their cyberrisk management practices with their enterprise risk management (ERM), audit and assurance, compliance, communication, and learning and development strategies. Periodically, the cyberresilience maturity of the organization should be evaluated by the management team and appropriate corrective actions taken to ensure that the implementation of the cyberresilience program is successful. Internal audit departments should provide assurance to the organization periodically and, when required, on the effectiveness of the cyberresilience measures it has taken. Becoming certified against global security standards can help ensure an appropriate level of cyberresilience in an organization.

Endnotes

1 Malwarebytes Labs, “APTs and COVID-19: How Advanced Persistent Threats Use the Coronavirus as a Lure,” 9 April 2020, https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/
2 Nawrat, A.; “COVID-19 Pandemic: Russian Hackers Target UK, US and Canadian Research,” Pharmaceutical Technology, 3 August 2020, https://www.pharmaceutical-technology.com/features/covid19-ncsc-russian-cyber-attack/
3 Cybersecurity and Infrastructure Security Agency, “APT Groups Target Healthcare and Essential Services,” USA, 5 May 2020, https://us-cert.cisa.gov/ncas/alerts/AA20126A
4 Mani, V.; “Redefining Corporate Governance for Better Cyberrisk Management,” ISACA® Journal, vol. 4, 2019, https://www.isaca.org/archives
5 Sathyanarayan, T.; “Cyber Resilience vs. Cyber Security, What Is More Important for a Business?” Pulse, 10 August 2020, https://pulseis.com/cyber-resilience-vs-cyber-security-what-is-more-important-for-a-business/
6 Shadab, S.; “A Brief Insight to NESA Compliance,” Paladion, 12 January 2016, https://www.paladion.net/blogs/insight-to-uae-nesa-compliance
7 Irwin, L.; “How Cyber Resilience Can Help You Comply With the GDPR,” IT Governance, 19 January 2019, https://www.itgovernance.eu/blog/en/how-cyber-resilience-can-help-you-comply-with-the-gdpr
8 Brink, D.; “A Strategy Map for Security Leaders: Applying the Balanced Scorecard Framework to Information Security,” Security Intelligence, 13 January 2016, https://securityintelligence.com/a-strategy-map-for-security-leaders-applying-the-balanced-scorecard-framework-to-information-security/
9 Hakmeh, J.; J. Shires; “Is the GCC Cyber Resilient?” Chatham House, 9 March 2020, https://www.chathamhouse.org/2020/03/gcc-cyber-resilient-0/state-cybersecurity-gcc-overview
10 Financial Services Sector Coordinating Council, “International Frameworks for Cyber Resilience in the Financial Sector,” 6 November 2019, http://pubdocs.worldbank.org/en/424231573146917521/Day-1-Session-I-Josh-Magri.pdf
11 Bodeau, D. J.; R. D. Graubart; R. M. McQuaid; J. Woodill; “Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring,” MITRE, USA, 2018, https://www.mitre.org/sites/default/files/publications/pr-18-2579-cyber-resiliency-metrics-measures-of-effectiveness-and-scoring.pdf
12 Islam, E.; C. Christoforides; “Fundamentals of Cybersecurity and the Cyber Resilience Oversight Expectations (CROE),” European Central Bank, Mexico, November 2019, http://pubdocs.worldbank.org/en/880611573146903991/Day-1-Session-III-and-IV-ECB-Emran-and-Constantinos.pdf
13 Peláez, J. D.; “46 Metrics to Improve Cyber Resilience in an Essential Service,” INCIBE-CERT, 23 November 2017, https://www.incibe-cert.es/en/blog/46-metrics-improve-cyber-resilience-essential-service
14 Nappo, S.; L. Morozova-Buss; “Ten Commandments for Cyber Resilience Strategy,” TechNative, 13 March 2019, https://www.technative.io/ten-commandments-for-cyber-resilience-strategy/
15 Irwin, L.; “ISO 27001: The 14 Control Sets of Annex A Explained,” IT Governance, 27 July 2020, https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained
16 National Institute of Standards and Technology (NIST), “NIST Releases SP 800-160 Vol. 2: Developing Cyber Resilient Systems—A Systems Security Engineering Approach,” USA, 27 November 2019, https://csrc.nist.gov/news/2019/sp-800-160-vol2-developing-cyber-resilient-systems
17 Bodeau, D. J.; R. Graubart; Cyber Resiliency Engineering Framework, MITRE, USA, September 2011, https://www.mitre.org/publications/technical-papers/cyber-resiliency-engineering-framework
18 Kathuria, S.; “Zero Trust Security Model Imperative for Resilience Against Identity Threats,” Medium, 8 October 2019, https://medium.com/microsoft-cybersecurity/zero-trust-security-model-imperative-for-resilience-against-identity-threats-c2436d066b0e
19 Hoover, A.; “Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity’s Role in Cybersecurity,” Carnegie Mellon University Software Engineering Institute Blog, 1 June 2020, https://insights.sei.cmu.edu/sei_blog/2020/06/cybersecurity-maturity-model-certification-cmmc-part-2-process-maturitys-role-in-cybersecurity.html
20 Mani, V.; “Bolstering Cybersecurity Posture With Red, Blue and Purple Teams,” CISO MAG, 9 July 2020, https://cisomag.eccouncil.org/red-blue-purple-teams/
21 Urciuoli, L.; “Cyber-Resilience: A Strategic Approach for Supply Chain Management,” Technology Innovation Management Review, April 2015, https://timreview.ca/article/886
22 Mutune, G.; “23 Top Cybersecurity Frameworks,” Cyber Experts, https://cyberexperts.com/cybersecurity-frameworks/
23 Downton, B.; “NESA—The New Standard of Information Security in the UAE,” F-Secure, https://www.f-secure.com/en/consulting/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae
24 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2013, https://www.iso.org/standard/54534.html
25 International Organization for Standardization (ISO), ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements, Switzerland, 2019, https://www.iso.org/standard/75106.html
26 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27031:2011 Information technology—Security techniques—Guidelines for information and communication technology readiness for business continuity, Switzerland, 2011, https://www.iso.org/standard/44374.html
27 ISACA®, COBIT® 2019, https://www.isaca.org/resources/cobit
28 Hall, J.; “A Guide to the NIST Cyber Security Framework,” IFSEC Global, 24 September 2020, https://www.ifsecglobal.com/cyber-security/a-guide-to-the-nist-cyber-security-framework/
29 Information Security Forum (ISF), Standard of Good Practice for Information Security 2020, 2020, https://www.securityforum.org/tool/standard-of-good-practice-for-information-security-2020/
30 Generally Accepted System Security Principles (GSSPs), https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/cslbul1996-10.txt
31 Institute of Electrical and Electronics Engineers (IEEE), “What Is a Cyber Security Maturity Model,” IEEE Innovation at Work, https://innovationatwork.ieee.org/what-is-a-cyber-security-maturity-model/
32 Reserve Bank of India, “Cyber Security Framework in Banks,” 2 June 2016, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT41893F697BC1D57443BB76AFC7AB56272EB.PDF
33 Central Bank of Kuwait, “CBK Introduces Cyber Security Framework for the Kuwaiti Banking Sector,” 18 February 2020, https://www.cbk.gov.kw/en/cbk-news/announcements-and-press-releases/press-releases/2020/02/202002181127-cbk-introduces-cyber-security-framework-for-the-kuwaiti-banking-sector
34 O’Connell, N.; “Cyber Security in the Saudi Financial Services Sector: The SAMA Cyber Security Framework,” Al Tamimi and Co, https://www.tamimi.com/law-update-articles/cyber-security-in-the-saudi-financial-services-sector-the-sama-cyber-security-framework/
35 Chase, D.; “Three Reasons Your SIEM Should Be Paired With SOAR to Optimize Your Security Operations,” Security Boulevard, 18 September 2019, https://securityboulevard.com/2019/09/three-reasons-your-siem-should-be-paired-with-soar-to-optimize-your-security-operations/

Vimal Mani, CISA, CISM, Six Sigma Black Belt

Is the head of the information security department at Bank of Sharjah. He is responsible for the bank’s end-to-end cybersecurity program, coordinating cybersecurity efforts within the banking operations spread across the Middle East. Mani is also responsible for coordinating bankwide cybersecurity strategy and standards; leading periodic security risk assessment efforts, incident investigations and resolution; and coordinating the bank’s security awareness and training programs. He is an active member of the ISACA® Dubai (UAE) Chapter. He can be reached at vimal.consultant@gmail.com.