- Organizations need to have an accurate view of security in order to function and grow without being exposed to too much risk.
- However, the complexity of IT systems and the sophistication of threat actors make it difficult for security leaders to obtain the best information about how secure the organization truly is. This blueprint enables security leaders to aggregate relevant information into one place and gain an informed and insightful view of information security.
Our Advice
Critical Insight
- Simply meeting regulatory compliance is not enough for security.
- Changes to the business are just as dangerous as malicious attackers. The business is changing every day and security measures need to evolve to keep up.
- Your perception of security is only as good as the information you collect.
- Being able to show the business how well you are protected is critical to having support for security and being accepted as a business partner.
Impact and Result
- Have a clear picture of:
  - Identified critical data and data flows
  - Organizational threat exposure
  - Security countermeasure deployment and coverage
- Understand which threats are appropriately mitigated and which are not
- Generate a list of initiatives to close security gaps
- Create a quantified risk and security model to reassess program and track improvement
- Develop measurable information to present to stakeholders
Workshop: Optimize Security Mitigation Effectiveness Using STRIDE
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Setup: Risk Tolerance, and Data and Element Inventory
The Purpose
- Discuss the organizational risk tolerance / risk management strategy.
- Establish a foundational frame for data and element categorization.
Key Benefits Achieved
- A map is created of the valuable data and which assets it flows through
| Activities | Outputs |
| --- | --- |
| Validate pre-work (data classification, IT systems element inventory, rough data mapping). | Data classification scheme; categorized systems elements; rough map of data flows (resting and transmission) |
| Review Info-Tech’s quantified risk model and STRIDE threat model. | |
| Begin threat modeling activity. | |
Module 2: Threat Severity Assessment
The Purpose
- Perform a detailed analysis of the organizational threat and risk exposure.
Key Benefits Achieved
- Understand Info-Tech’s quantified threat severity model
- A map of the systems threat landscape
| Activities | Outputs |
| --- | --- |
| Complete threat modeling activity. | Mitigation Effectiveness Tool, Threat Severity tab |
Module 3: Control Maturity Assessment
The Purpose
- Catalog all the existing security capabilities and map them to the threats that they mitigate.
Key Benefits Achieved
- Security control capabilities and maturity mapped to the system threats
| Activities | Outputs |
| --- | --- |
| Review the STRIDE security traits and threat – countermeasure relationships. | |
| Perform a security control and maturity assessment. | Mitigation Effectiveness Tool, Control Maturity tab |
| Identify gap initiatives to address unacceptable risks. | Gap initiative list |
Module 4: Gap Initiative Identification and Prioritization
The Purpose
- Identify security gaps based on threat-control assessments.
- Create a prioritized roadmap and plan to implement gap initiatives.
Key Benefits Achieved
- Clearly identified and documented security gaps
- Prioritized list of initiatives required to address security gaps according to organizational needs
| Activities | Outputs |
| --- | --- |
| Prioritize gap initiatives. | Prioritized gap initiative list |
| Make a plan to incorporate the gap initiatives into a security roadmap, and discuss how to integrate the risk model into overall risk management decisions. | Workshop results incorporated into risk management and security strategy |
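The four modules above are one procedure: inventory elements and data flows, score threat severity per STRIDE category, map controls and their maturity to the threats they mitigate, then list and prioritize gaps against the organization's risk tolerance. The Python below is an added illustration of that pipeline and is not Info-Tech's Mitigation Effectiveness Tool or its quantified model; the 0-5 severity and maturity scales, the residual-risk formula, and the sample elements and controls are all assumptions constructed for this example.

```python
"""Toy STRIDE mitigation-effectiveness model (added example, not Info-Tech's tool).
The 0-5 scales, the residual formula and the sample data are assumptions."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

@dataclass
class Element:
    name: str
    severity: dict  # STRIDE category -> threat severity 0 (none) .. 5 (critical); assumed scale

@dataclass
class Control:
    name: str
    mitigates: tuple  # STRIDE categories the countermeasure addresses
    maturity: int     # 0 (absent) .. 5 (optimized); assumed maturity scale
    covers: tuple     # element names the control is actually deployed on

def residual(elem, controls):
    """Residual severity per category: severity scaled by the best covering control's immaturity."""
    out = {}
    for cat, sev in elem.severity.items():
        assert cat in STRIDE, f"unknown STRIDE category: {cat}"
        best = max((c.maturity for c in controls
                    if cat in c.mitigates and elem.name in c.covers), default=0)
        out[cat] = round(sev * (5 - best) / 5, 2)
    return out

def gap_initiatives(elements, controls, tolerance):
    """Every (element, category) pair whose residual exceeds tolerance, worst first (Modules 3-4)."""
    gaps = [(r, e.name, cat) for e in elements
            for cat, r in residual(e, controls).items() if r > tolerance]
    return sorted(gaps, reverse=True)

def program_score(elements, controls):
    """Single number to recompute after each initiative to track improvement."""
    return round(sum(sum(residual(e, controls).values()) for e in elements), 2)

# Constructed sample inventory (Module 1) with assumed severities (Module 2)
ELEMENTS = [
    Element("Customer DB", {"Information disclosure": 5, "Tampering": 4, "Denial of service": 2}),
    Element("Web portal", {"Spoofing": 4, "Elevation of privilege": 3, "Denial of service": 3}),
]
# Constructed controls with assumed maturity and coverage (Module 3)
CONTROLS = [
    Control("Disk encryption", ("Information disclosure",), 3, ("Customer DB",)),
    Control("MFA on portal logins", ("Spoofing",), 4, ("Web portal",)),
    Control("DDoS scrubbing", ("Denial of service",), 2, ("Web portal",)),
]

if __name__ == "__main__":
    for score, elem, cat in gap_initiatives(ELEMENTS, CONTROLS, tolerance=2.0):
        print(f"{score:4.1f}  {elem:<12} {cat}")
    print("program residual score:", program_score(ELEMENTS, CONTROLS))
```

Adding an integrity control on the Customer DB and re-running shows the score drop, which is the reassessment loop the blueprint's "quantified risk and security model" is meant to support.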