If a CISO gets into trouble, it’s usually because they were unable to navigate the many nuances of the work, as the dividing line between responsibilities among teams for security is often very blurry. Or they neglect relationships and don’t get the broader support of the internal community often necessary to move initiatives forward.
Well, let's share the lessons learned of a senior director of cyber security, as an "art of" 😅:
——————————————————
1. I don’t recommend you let the infrastructure team perform the log analysis, for conflict-of-interest reasons.
In cyber attacks, taking a cyber forensics approach in the role of incident response commander, it is better not to let the network, infrastructure, service, data center and other similar teams do the analysis and investigation. Why?? For conflict-of-interest reasons. 😊
——————————————————
2. If your goal is to collect telemetry from all systems to support monitoring, you’ll need all the system owners and developers to send logs to a central logging service. Good luck with this. This can take several years to fully achieve 🤓 unless the leader or CEO or chief information officer (CIO) is a supporter of security and directs teams to make it a priority. I’ve found that this is a slow road, and to maintain good working relationships, your monitoring program often functions far from its ideal state for several years.
For example, at a company in the oil, gas and petrochemical sector 😅, even with plenty of support from the CEO, the protection office, and … and with teamwork in place, it took about 2 years before even initial logs could be received from the organization's valuable systems, and that was a disaster 🥸🤯. Managers of the network, infrastructure and other similar teams must learn risk management and security controls at an appropriate level, and a number of items that do not conflict with the security teams should be made part of those teams' duties to facilitate cooperation.
——————————————————
3. Most of our companies are developing software for mobile apps, cloud services, and websites. Depending on the type of business your company is in, you may develop mobile applications, ecommerce websites, cloud services, APIs, desktop software, and IoT/firmware, and you may use open source software and scripting languages to integrate systems. You will want to spend a lot of time on this topic, and have dedicated software security engineers partnered with and integrated into the development processes. Unless the leader of the software teams is a security-minded individual, this area takes much patience and many laps around the track to secure.
The importance of controlling the secure coding lifecycle with:
- Technical and system audit of the system
- Security assessment of the system (VA, PT)
- Gap analysis of it, together with RCA
- A secure coding training roadmap aligned with well-known guidelines and standards, Security SDLC (it's Agile 😊)
- Online policy-making, as GRC
- Designing security-oriented controls into the architecture and implementing them across the software production and development lifecycle
- Continuous culture building
- Certified by the Cyber Security / GRC department prior to being placed into production 👍🏽 (maybe it's not Agile 🙃)
- Explicit and transparent third-party audit and assessment 🤓
- If no non-conformance or vulnerability was found, let's go run a bug bounty and discover the system holes 🥸😁🤣😂
- Maturity model, as PDCA
P.S.: Launch of the CISO as a Service offering in the Asaluyeh special zone 🥹
-Cyber Security awareness-
Up2date 4 Defence Today,
Secure Tomorrow
@CisoasaService
2024.06.05