Foundational Risk Management: The COSO Framework
The COSO Framework provides a structured approach to internal controls, risk management, and fraud deterrence. This section covers its core objectives and the five key components that form the backbone of a robust cybersecurity strategy.
Core Objectives
Operations
Protecting IT assets to ensure the effectiveness and efficiency of business operations against cyber threats and fraud.
Reporting
Ensuring that controls do not undermine the transparency, reliability, and timeliness of internal and external reporting.
Compliance
Adhering to laws, regulations, and industry standards such as NIST, HIPAA, and GDPR.
Key Components
Control Environment
The "tone at the top" that sets ethical values and drives the framework throughout the organization.
Risk Assessment
Evaluating internal and external factors to analyze cyber risks, their likelihood, and potential impact.
Control Activities
The policies and procedures (e.g., penetration testing) put in place to implement the control environment.
Information & Communication
Using consistent language and best practices to share information about cyber threats and policies.
Monitoring Activities
Ongoing evaluation of internal controls to identify vulnerabilities and ensure effectiveness against evolving threats.
Governance: Policies, Standards, and Procedures
Effective security relies on a clear hierarchical structure of rules. This section shows how high-level policies are translated into actionable standards and detailed procedures, forming a comprehensive governance framework.
Security Policies (High-Level)
The foundation of the security framework. This document outlines the security vision and risk tolerance and provides evidence of due care by management.
Security Standards (Mid-Level)
Mandatory requirements or adopted best practices that serve as a course of action to achieve policy goals. Often reference frameworks like NIST, GDPR, or PCI DSS.
Standard Operating Procedures (SOPs)
The lowest level of documentation. Detailed, step-by-step instructions on how to perform specific security tasks or controls, owned by relevant departments.
Network Defense Simulation
A modern network is protected by multiple layers of security. This section covers the technological and procedural safeguards used to defend against cyberattacks, from filtering traffic to hardening systems.
Network Segmentation
Controlling traffic by dividing the network into isolated segments to improve security and limit the spread of a breach.
Firewall
Hardware or software-based filters for incoming and outgoing traffic that block malicious activity.
VPN (Virtual Private Network)
Provides secure remote access by encrypting communications over a tunnel using protocols such as IPsec.
WPA3 (Wi-Fi Protected Access 3)
The latest security protocol to encrypt traffic between wireless access points and devices.
Endpoint Security
Ensuring every connected device has local security like antivirus, firewalls, and auditing software.
System Hardening
Reducing the attack surface by securing all aspects of the IT infrastructure.
Access Control: Authorization & Authentication
Controlling who can access what is paramount. This section covers the guiding principles for access, the technologies used for authentication, and the importance of strong password management.
Guiding Principles
Zero Trust
Assume the network is always at risk. Trust is never implicit; continuous verification is required.
Least Privilege
Grant users and systems only the minimum access needed to perform a function.
Need-to-Know
Give employees access only to the specific data they absolutely must have to do their job.
Password Complexity: The Power of Length
Adding just a few characters to a password increases the number of possible combinations exponentially, making brute-force attacks significantly more difficult.
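The following Python snippet is an added example, not part of the original page, that works through the exponential claim above: it computes the keyspace and entropy of a password for a given character-set size and length, and the time an attacker would need to exhaust that keyspace at an assumed guessing rate. The guessing rate of ten billion guesses per second is a constructed assumption chosen only to make the scale visible; real rates depend on the hashing scheme the defender uses.

```python
import math
from typing import Dict, List, Tuple

# Character-set sizes used for the comparison (constructed for this example).
CHARSETS: Dict[str, int] = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password at the given (assumed) guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def length_for_target_bits(charset_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` of entropy for this charset."""
    return math.ceil(target_bits / math.log2(charset_size))


def growth_table(charset_size: int, lengths: List[int], guesses_per_second: float) -> List[Tuple[int, int, float, float]]:
    """Rows of (length, keyspace, entropy bits, years to exhaust) for each length."""
    return [
        (n, keyspace(charset_size, n), entropy_bits(charset_size, n), years_to_exhaust(charset_size, n, guesses_per_second))
        for n in lengths
    ]


if __name__ == "__main__":
    # Assumed attacker rate: 1e10 guesses/second (constructed for illustration).
    rate = 1e10
    for name, size in CHARSETS.items():
        print(f"\n{name} ({size} symbols), {rate:.0e} guesses/s:")
        for n, space, bits, years in growth_table(size, [8, 10, 12, 16], rate):
            print(f"  length {n:2d}: {space:.3e} candidates, {bits:5.1f} bits, {years:.3e} years")
    # How long must a lowercase-only password be to match 80 bits of entropy?
    print("\nlowercase length for 80 bits:", length_for_target_bits(26, 80))
```

Each extra character multiplies the keyspace by the character-set size, so four more mixed-case alphanumeric characters multiply the attacker's work by 62^4 (about 14.8 million), which is why length dominates over adding a symbol or two.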
Vulnerability Management Protocol
Effective security is not a one-time setup; it's a continuous lifecycle. This section illustrates the proactive, cyclical process for managing vulnerabilities, aligned with the five core functions of the NIST Cybersecurity Framework (CSF).
Identify
Discover assets & vulnerabilities
Protect
Implement safeguards
Detect
Identify security events
Respond
Take action on incidents
Recover
Restore & improve
This cycle repeats continuously to adapt to the evolving threat landscape. Key tools in this process include vulnerability scanners, the CVE dictionary for standardized naming, and robust patch management.
Control Implementation Matrix
Security controls are categorized by their function: to prevent, detect, or correct incidents. A defense-in-depth strategy uses a variety of controls from each category to protect the organization at every stage of a potential attack.