Cyber Security Governance

November 2010

Deb Bodeau, The MITRE Corporation
Steve Boyle, The MITRE Corporation
Jenn Fabius-Greene, The MITRE Corporation
Rich Graubart, The MITRE Corporation

ABSTRACT

Cyber Prep is a conceptual framework, together with a practical methodology, which an organization uses to define and implement its strategy for addressing adversarial threats related to its dependence on cyberspace. In particular, Cyber Prep enables organizations to articulate their strategies for addressing the advanced persistent threat (APT). The Cyber Prep framework defines five levels of organizational preparedness, characterized in terms of

  • The organization's perspective on, and/or assumptions about, the threat it faces;
  • The organization's strategy for addressing the threat, including which adversary tactics, techniques, and procedures (TTPs) it addresses; and
  • The organization's approach to cyber security governance.

This white paper presents the governance component of Cyber Prep. As with the component that addresses technical and operational security measures, Cyber Prep expects that organizations apply sound principles for information systems security governance and make effective use of standards of good practice for security management. The cyber security governance component of Cyber Prep focuses on what organizations must do differently from or in addition to generally accepted information security governance practices in order to address the APT. In Cyber Prep, the five levels of organizational preparedness entail different approaches to

  • Strategic integration. To what extent is the cyber security strategy integrated with other organizational strategies? To what extent does the strategy extend beyond the organization?
  • Disciplines. What disciplines are part of, or aligned with, cyber security?
  • Risk mitigation approaches. To what extent does the organization focus on compliance with standards vs. state-of-the-practice security engineering vs. the state of the art?
  • Adaptability / agility of cyber decision making. To what extent do governance and decision making address the concern that adversaries may target decision makers and decision processes?
  • Senior engagement. What is the highest level of official or staff member within the organization actively engaged in cyber security decision making?
  • Cyber risk analytics. How are threats modeled and risks contextualized and assessed?

Page last updated: December 20, 2010

Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
