Cloud Control Matrix(CCM), Governance Risk and Compliance (GRC)

Standards, guidelines and practices follows the organization mechanism:

- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.

The Cloud Controls Matrix (CCM) is a baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider.

Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

AUDIT ASSURANCE AND COMPLIANCE

Audit assurance and compliance starts with audit planning and ends with understanding a control framework based on regulations and standards. This part of the matrix includes independent audits, audit planning, and information system regulatory mapping.

CATEGORIES ON NIST SPECIAL PUBLICATION 800-53 Revision 4 and Revision 5

AUDIT PLANNING: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits. Read: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/aac/aac-01/

INDEPENDENT AUDITS: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, authorization, vulnerability monitoring and scanning, procedures, and compliance obligations. Read: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/aac/aac-02/

INFORMATION SYSTEM REGULATORY MAPPING: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected. Read NIST Publications: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/aac/aac-03/

Read more: https://linfordco.com/blog/audit-procedures-testing

The Five Types of Audit Tests: These Include (listed in order of complexity from lowest to highest): Inquiry, Observation, Examination or Inspection of evidence, Re-performance, and Computer Assisted Audit Technique (CAAT).

Inquiry: The auditor asks appropriate management and staff about the controls in place at the service organization to determine some relevant information. This method is often used in conjunction with other, more reliable methods. For example, an auditor may inquire of management if visitors to the data center are escorted at all times if the auditor is not able to observe this activity while on site. No control objective or criteria should ever be supported by controls only tested through inquiry procedures.

Observation: Activities and operations are tested using observation. This method is useful when there is no documentation of the operation of a control, such as observing that a security camera is in place or observing that a fire suppression system is installed.

Examination or Inspection of Evidence: This method is used to determine whether or not manual controls are being performed. For instance, are backups scheduled to run on a regular basis? Are forms being filled out appropriately? This method often includes reviewing written documentation and records such as employee manuals, visitor logs, and system databases.

Re-performance: Re-performance (sometimes called recalculation) is used when the three above methods combined fail to provide sufficient assurance that a control is operating effectively or this method can be used to prove by itself to demonstrate that controls are operating effectively. This method of testing (as well as a CAAT) is the strongest type of testing to show the operating effectiveness of a control. Re-performance requires the auditor to manually execute the control, such as re-performing a calculation that a system automatically calculates to confirm that the system performs the control correctly.

CAAT: This method can be used to analyze large volumes of data, or just be able to analyze every transaction rather than just a sample of all transactions. Software is generally used to perform a CAAT, which can range from using a spreadsheet to using specialized databases or software designed specifically for data analytics (e.g. ACL).

Operational resilience and business continuity are measures that organizations use to help with such risk mitigation. They can also help you avoid unintended consequences, missed opportunities, and operational failures.

Change and Configuration Management (CCM) is seen as a way to manage the Cross Life Cycle i.e. controlling of creation and maintenance of application systems across the whole life cycle. This requires Integrating, Onboarding and Implementing, Managing Change, release and tasks, Using reports flashboard and dashbards, Administering and Developing within IT organization.

What is Data Center Security?

Data center security is the practice of applying security controls to the data center. Components of a data center design include routers, switches, firewalls, storage systems, servers, and application-delivery controllers and follows the workload across physical data centers and multicloud environments to protect applications, infrastructure, data, and users. The practice applies from traditional data centers based on physical servers to more modern data centers based on virtualized servers. It also applies to data centers in the public cloud.

Steps to secure an application with threat modeling:

- Identify the potential threats and threat actors to the application.
- Identify the functions of the application and its objectives.
- Analyze the assets that can be targeted by cybercriminals
- Determine the type of attacks and attack vectors that can be used and the type of vulnerabilities that can be exploited by these vectors
- Set the security measures that can be put in place to mitigate the risks

The goal is to protect it from threats from data security types that could compromise the confidentiality, integrity and availability of business information assets or intellectual property. Critical needs are visibility, segmentation and Threat Protection.

Read reference article: https://versprite.com/blog/security-operations/software-development-lifecycle-threat-modeling/

Advantages of Embedding Threat Modeling in all the Phases of the SDLC:

1. Risk management: It allows risks to be managed proactively from the early stages of SDLC.

2. Security requirements: Deriving the security requirements to mitigate potential risks of vulnerability exploits and targeted attacks against application components.

3. Secure design: Ability to identify security design flaws, their exposure to threat actors and attacks, and prioritize fixing them by issuing new design documentation prior to the next phase of the SDLC.

4. Security issue prioritization: Determining the risk exposure and impact of threats targeting issues identified during secure code reviews and prioritizing them for mitigation.

5. Security testing: Deriving security tests from use and abuse cases of the application for testing of the effectiveness of security measures in mitigating threats and attacks targeting the application.

6. Secure release of applications after development: Allowing business to make informed risk decisions prior to releasing the application based on the mitigation of high-risk vulnerabilities and assertion of testing countermeasures that mitigate specific threats.

7. Secure release of application after an incident: Determining and identifying additional countermeasures that can be deployed.

CONTROLS:

DCS-01: Asset Management
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-01/

DCS-02: Controlled Access Points
Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-02/

DCS-03: Equipment Identification
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-03/

DCS-04: Off-Site Authorization
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-04/

DCS-05: Off-Site Equipment
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization’s premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-05/

DCS-06: Policy
Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-06/

DCS-07: Secure Area Authorization
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-07/

DCS-08: Unauthorized Persons Entry
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-08/

DCS-09: User Access
Physical access to information assets and functions by users and support personnel shall be restricted. Read article: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/dcs/dcs-09/

GRC is a system intended to correct the "silo mentality" that leads departments within an organization to hoard information and resources. They are integrated into every department for greater efficiency and to reduce risks, costs, and duplication of effort.

Title II of the Sarbanes Oxley Act addresses auditor independence. It prohibits the registered external auditor of a public company from providing certain nonaudit services to that public company audit client.