Add Security Objectives to the Questionnaire #36

Open
opened 2025-07-04 21:35:27 +02:00 by edelic1 · 0 comments
edelic1 commented 2025-07-04 21:35:27 +02:00 (Migrated from gitlab.com)

Ask them to choose 3 security objectives. They can also write in "Other".
The selected Objectives must be referenced in the top 10 risks. What ENISA says about the Risk plan: "The plan should at least include:
o a description of the identified risk and how it can negatively affect security objectives;
o a risk treatment option (for example risk avoidance, risk mitigation, risk transfer or sharing or risk acceptance);
o the assets associated with the risk;
o the measures which mitigate the risk;
o a procedure for assessing the effectiveness of implementation of the measure(s);
o implementation timelines; and
o responsible roles."

Core Strategic Security Objectives
The question would be:
"If we could only excel at three of these in the next 12-18 months, which ones would have the biggest impact on protecting our business?"

1. Protect the "Crown Jewels" (Asset-Centric Security)
   This objective is laser-focused on safeguarding your most critical data and systems—the assets that, if compromised, would cause the most severe damage to your reputation, finances, or operations.

Primary Goal: To guarantee the Confidentiality (secrecy), Integrity (trustworthiness), and Availability (accessibility) of your most valuable information and the systems that process it.

Key Activities: Data classification, strong encryption (at rest and in transit), robust access control, and ensuring uptime for mission-critical services.

Who should prioritize this?

Companies whose entire business model is built on proprietary data (e.g., tech, R&D).

Organizations handling highly sensitive information (e.g., healthcare, finance).

Any business where the loss of a specific dataset or system would be an existential threat.

2. Fortify the Defenses (Prevention-First Security)
   This objective is about making your organization an unattractive and difficult target for attackers. The philosophy is to build strong walls, lock all doors and windows, and proactively eliminate weaknesses before they can be exploited.

Primary Goal: To minimize the organization's "attack surface" and prevent security incidents from happening in the first place.

Key Activities: Continuous vulnerability management (scanning and patching), system hardening (secure configurations), network segmentation, and strong perimeter defense (firewalls, email security).

Who should prioritize this?

Organizations that are constantly targeted by automated and opportunistic attacks.

Companies that prefer a proactive, prevention-oriented posture rather than a reactive one.

Businesses that lack a mature ability to detect and respond to attacks, making prevention their best bet.

3. Achieve Rapid Detection & Response (Assumption of Breach)
   This objective operates on the principle that prevention will eventually fail. The focus shifts from trying to be impenetrable to being incredibly good at finding and neutralizing threats that get inside your network before they can achieve their goals.

Primary Goal: To minimize the "dwell time" of an attacker—the critical period between initial compromise and final impact (e.g., data theft or ransomware).

Key Activities: Comprehensive logging and monitoring, deploying threat detection tools (like an EDR), establishing a formal Incident Response Plan, and conducting regular drills.

Who should prioritize this?

Mature organizations that understand prevention isn't foolproof.

Companies in industries targeted by advanced, persistent threats (e.g., defense, critical infrastructure).

Businesses that need to demonstrate to regulators or clients that they can effectively manage a breach.

4. Ensure Business Resilience & Recovery (Continuity-Focused Security)
   This objective is about survival. It's focused on ensuring your organization can withstand a major disruptive event—like a catastrophic ransomware attack, natural disaster, or critical system failure—and return to operations quickly.

Primary Goal: To minimize downtime and data loss after a major incident, ensuring the business can continue to function.

Key Activities: Robust data backup and recovery systems, developing and testing a Disaster Recovery (DR) plan, and creating a Business Continuity Plan (BCP) for the entire organization.

Who should prioritize this?

Businesses where operational uptime is paramount (e.g., manufacturing, e-commerce, logistics).

Organizations that cannot tolerate data loss for legal or operational reasons.

Any company whose biggest fear is being completely shut down by a ransomware attack.

5. Master Compliance & Third-Party Risk (Trust- and Rule-Based Security)
   This objective is driven by external requirements. The focus is on meeting legal, regulatory, and contractual obligations to avoid fines, maintain certifications, and build trust with customers and partners.

Primary Goal: To ensure the security program meets all required external standards and to manage the risk introduced by vendors and suppliers.

Key Activities: Gap assessments against frameworks (GDPR, HIPAA, NIS2, CRA, DORA, ISO 27001, SOC2, PCI DSS, etc.), maintaining auditable evidence of controls, and implementing a formal vendor security management program.

Who should prioritize this?

Companies in heavily regulated industries (finance, healthcare, government contracting).

Businesses that process credit card payments or handle personal data of EU citizens.

Organizations with a complex supply chain or heavy reliance on third-party vendors.

6. Build a Security-First Culture (Human-Centric Security)
   This objective recognizes that people are often the primary attack vector and, simultaneously, the best line of defense. The focus is on transforming employees from a potential liability into a vigilant security asset.

Primary Goal: To reduce the risk of human error by embedding security awareness and responsibility throughout the entire organization.

Key Activities: Ongoing security awareness training, regular phishing simulations, promoting a "see something, say something" culture, and establishing clear, simple security policies.

Who should prioritize this?

Organizations where phishing and social engineering are the most common threats.

Companies with a large, non-technical workforce.

Any business that wants to make security a shared responsibility rather than just an "IT problem."

7. Secure Identity as the New Perimeter (Identity-Centric Security)
   This modern objective acknowledges that in a world of cloud services and remote work, the traditional network "perimeter" is gone. The new perimeter is the identity of the user or device. If you can perfectly control who can access what, you can secure your data no matter where it resides.

Primary Goal: To enforce a "Zero Trust" model where every access request is strongly authenticated and authorized, regardless of whether it originates from inside or outside the old corporate network.

Key Activities: Implementing universal Multi-Factor Authentication (MFA), deploying robust Identity and Access Management (IAM), managing Privileged Access Management (PAM) for administrators, and enforcing access policies based on user context (device health, location, etc.).

Who should prioritize this?

Cloud-native or cloud-heavy organizations.

Companies with a large remote or hybrid workforce.

Businesses moving towards a "Zero Trust" architecture.

8. Proactively Hunt and Neutralize Adversaries (Threat-Driven Defense)
   This is an advanced, proactive posture that goes beyond passive monitoring. It assumes sophisticated adversaries are already in, or will get into, your network. The goal is to actively find them and kick them out by understanding their methods and searching for their specific footprints.

Primary Goal: To actively hunt for and eliminate advanced threats inside the network by using intelligence on attacker tactics, techniques, and procedures (TTPs).

Key Activities: Establishing a formal threat hunting function, operationalizing threat intelligence (e.g., MITRE ATT&CK framework), conducting regular red/blue team exercises, and using deception technology (e.g., honeypots).

Who should prioritize this?

Organizations with a mature security program that have already mastered the basics.

Companies in industries targeted by nation-states or highly sophisticated cybercrime groups (e.g., finance, defense, critical infrastructure).

Businesses that want the highest level of assurance against advanced persistent threats (APTs).

9. Achieve Resilient and Automated Operations (SecOps Efficiency)
   This objective focuses on the security team itself. As businesses and threats scale, security teams can become overwhelmed with manual tasks and endless alerts. This objective is about using automation to make security operations efficient, scalable, and sustainable.

Primary Goal: To automate repetitive security tasks, orchestrate tools to work together, and reduce manual effort, allowing human analysts to focus on high-value investigation and response.

Key Activities: Implementing a Security Orchestration, Automation, and Response (SOAR) platform, automating vulnerability triage, developing security "playbooks" for common incidents, and integrating security into DevOps (DevSecOps).

Who should prioritize this?

Organizations with a small security team struggling with a large volume of alerts.

Rapidly growing companies where manual security processes can't keep up.

Any business looking to improve the effectiveness and reduce the burnout of their security staff.

10. Use Security to Build Market Trust (Business Enablement)
    This objective reframes security from a defensive cost center into a proactive driver of business value. The goal is to use a strong, transparent security posture as a competitive advantage to win deals, build customer loyalty, and enhance brand reputation.

Primary Goal: To leverage security and privacy investments to directly support business growth by demonstrating trustworthiness to customers, partners, and regulators.

Key Activities: Achieving and marketing key certifications (e.g., SOC 2, ISO 27001), creating public-facing "Trust Centers" to explain security practices, streamlining the process for answering customer security questionnaires, and positioning privacy as a product feature.

Who should prioritize this?

Business-to-Business (B2B) SaaS companies where customers perform deep security vetting.

Companies in competitive markets looking for a differentiator.

Any organization seeking to demonstrate a strong return on investment (ROI) for its security program to the board of directors.

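The questionnaire rules in this issue (pick exactly three objectives plus an optional "Other", every top risk must reference a selected objective, and every risk plan entry must carry the fields ENISA lists) can be enforced with a small validator. This is an added example, not riskletpy's own code; the objective ids 1-10, the `other` key, the field names and the sample answers are assumptions made up for illustration.

```python
"""Questionnaire rule checker (added example, not riskletpy code): exactly three
objectives plus an optional "Other", each top risk references a selected
objective, and each risk plan entry carries the fields ENISA requires."""

# The ten core objectives from the issue, referred to by their list number.
OBJECTIVE_IDS = range(1, 11)
OTHER = "other"  # assumed key for the free-text "Other" objective

# Treatment options and plan fields, taken from the ENISA text quoted above.
TREATMENTS = {"avoidance", "mitigation", "transfer", "sharing", "acceptance"}
REQUIRED_FIELDS = ("description", "treatment", "assets", "measures",
                   "effectiveness_procedure", "timeline", "responsible")
MAX_RISKS = 10


def validate(selected, other_text, risks):
    """Return a list of problems; an empty list means the answers are valid.
    selected = set of objective numbers, other_text = free text or "",
    risks = list of dicts with an "objectives" list plus REQUIRED_FIELDS."""
    problems = []
    unknown = sorted(n for n in selected if n not in OBJECTIVE_IDS)
    if unknown:
        problems.append(f"unknown objective ids {unknown}")
    if len(selected) != 3:
        problems.append(f"exactly 3 objectives required, got {len(selected)}")
    if len(risks) > MAX_RISKS:
        problems.append(f"at most {MAX_RISKS} risks allowed, got {len(risks)}")
    # "Other" only counts as a selectable objective when its text is filled in.
    allowed = set(selected) | ({OTHER} if other_text.strip() else set())
    for i, risk in enumerate(risks, start=1):
        refs = set(risk.get("objectives", []))
        if not refs:
            problems.append(f"risk {i}: references no security objective")
        elif not refs <= allowed:
            bad = sorted(refs - allowed, key=str)
            problems.append(f"risk {i}: references unselected objectives {bad}")
        missing = [f for f in REQUIRED_FIELDS if not risk.get(f)]
        if missing:
            problems.append(f"risk {i}: missing ENISA plan fields {missing}")
        if risk.get("treatment") and risk["treatment"] not in TREATMENTS:
            problems.append(f"risk {i}: treatment must be one of {sorted(TREATMENTS)}")
    return problems


# Constructed sample answers: three objectives plus "Other", and two risks,
# the second of which references an unselected objective and lacks a timeline.
SAMPLE_SELECTED = {1, 3, 4}
SAMPLE_OTHER = "Protect the OT network"
SAMPLE_RISKS = [
    {"objectives": [1, 3], "description": "Ransomware encrypts file servers",
     "treatment": "mitigation", "assets": ["file servers"],
     "measures": ["offline backups", "EDR"],
     "effectiveness_procedure": "quarterly restore test",
     "timeline": "Q4", "responsible": "CISO"},
    {"objectives": [7], "description": "Credential theft on vendor portal",
     "treatment": "transfer", "assets": ["vendor portal"], "measures": ["MFA"],
     "effectiveness_procedure": "MFA coverage report", "responsible": "IT lead"},
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_SELECTED, SAMPLE_OTHER, SAMPLE_RISKS):
        print(problem)
```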

Reference: senaduka/old-riskletpy#36