ABC Maturity Model and RAMPART Framework


This is version 2016.2, last updated on Monday, 22 August 2016.

Introduction

Cybersecurity is more than just cyber, and more than just security. In this area, a holistic view and holistic delivery are the only way to go.

For SMEs, it is hard to understand the big picture, much less decide what to do. How does a business know what step to take today to survive tomorrow?

This document outlines a practical approach to developing cybersecurity capability for businesses. It is designed to be understandable, actionable, comprehensive, and, at the same time, manageable and affordable for even the smallest company - a band of one.

The main idea behind this approach is to give SMEs a tool that can guide them step by step towards adequate cybersecurity capabilities, and to combat the existing perception of security as a purely technical, highly complicated, and expensive endeavour. It can be used as a framework, checklist, goal-setting document, and a basis for a cybersecurity management plan at the same time, while being short and written in plain English.

Who should read this?

This document is written for business owners, directors, executives, and senior managers who govern or run a business, are concerned about cybersecurity, and want to have this capability in their organisation.

It can also be used as education material for all levels of staff.

What is inside?

This document consists of several chapters.

  1. Introduction (you are reading it at the moment). It sets the stage for the rest of the document and answers the most common questions. It also provides guidelines on using this document to implement the concepts within.
  2. RAMPART Framework. This chapter contains all details of the cybersecurity framework, which in conjunction with the maturity model acts as a practical guide to implementing cybersecurity capabilities for the business. It has several parts (one per framework area) of a similar structure, which makes it easy to follow the content.
  3. ABC Maturity Model. This chapter outlines a simple maturity model that is in this case applied to the cybersecurity framework. It shows progression through maturity levels and connects it with business strategy for cybersecurity.
  4. Implementation and Customisation Tips. This chapter summarises content of the previous ones, and highlights important considerations for implementing the proposed approach while adapting it to your business.

What is a security framework in this context?

In order to assess cybersecurity capabilities of an organisation, this document proposes a set of criteria that will be checked. They are grouped together for convenience. Together, they cover all areas of cybersecurity in the scope of the minimally required practices.

All criteria together form a cybersecurity framework. It can be used as is, or it can be modified to suit the needs of a particular business. It is also a recommended foundation for more advanced cybersecurity activities.

What is a maturity model in this context?

A maturity model is a tool used to assess parts of a business. In this context, it is used to assess the cybersecurity capabilities of an organisation.

Although a maturity model usually provides “best practice” guidance, we acknowledge that cybersecurity is more complex than that, and the model described in this document covers only the minimally required practices. This means that achieving the maximum maturity level in this model represents the recommended minimal maturity level for any business.

Do I need technical background to understand this document?

There is no requirement to have a technical background to understand this document. Basic knowledge of business and information technology is enough. Any term that needs explanation is defined on its first use.

If you find something that is unclear or allows ambiguous interpretation, please contact us using the details at the end of this document, so that we can update it and resolve the issue.

The best way to work with this document is to read it first without stopping to assess anything on the fly, and then to go back and methodically assess a business going through each area of the proposed framework.

A printed copy of the framework chapter can be used as a live checklist and a goal-setting document, for both governance and management purposes. Margins are specifically set wide enough to allow writing down target and actual implementation dates. All objectives in the framework are listed with white squares instead of bullet points to use them as checkboxes, for convenience.

When is this document applicable?

This document is specifically designed for small and medium-size businesses. It recognises the complexity of other existing frameworks and the amount of time necessary to implement them, and advocates a faster start with the basics. It is much more valuable to have an adequate level of security using a smaller framework than to spend a lot of time and effort reaching a minimal level on a larger one. For businesses with more than a hundred people it may be only a stepping stone on the way to larger frameworks, or a practical guide to cybersecurity basics.

The New Zealand government is currently working on a Cyber Credentials Scheme. When it is released, the approach described in this document will be adjusted in a new version to be compatible with the upcoming scheme, and to complement it.

How can the approach described in this document be customised?

Various parts of the framework described later in this document have lists of objectives. Some of the objectives may not be applicable to a specific business. In addition, a business may have special requirements that fit into the framework areas. In both cases, it is a good idea to amend the objective lists, while documenting the reason for the change.

The maturity model, on the other hand, is simple and does not leave space for customisation.

RAMPART Framework

Different frameworks define different areas, or domains, in relation to cybersecurity. The goal of this framework is to be applicable to SMEs. To do that, the number of areas must be manageable, and the areas themselves must be understandable to non-technical people.

This framework is called RAMPART - serving as both the description of its purpose, and as an acronym to remember all its areas. Its goal is to let you build necessary fortifications around your business.

RAMPART Framework covers the following seven areas:

  • R: Risk and Response Management
  • A: Access Control
  • M: Malware Protection
  • P: Perimeter Protection
  • A: Asset and Vulnerability Management
  • R: Recovery and Business Continuity
  • T: Training and Situational Awareness

RAMPART Framework Model with ABC Levels

These seven areas cover everything a small or medium business needs to care about. It is important that all these areas are balanced. For example, there is no point in having a state-of-the-art backup and restore solution if your antivirus protection is rudimentary.

Each area contains a set of objectives. A business can have either none, some, or all objectives completed.

Some objectives mention identifying and documenting things. All such documentation must be up to date and regularly reviewed. There must be a specific review frequency for each document. If this is not done, then such an objective is (or becomes) incomplete.

The following chapters describe each area in detail.

Risk and Response Management

In this area the company ensures that someone takes care of cyber risks and knows what to do when events occur.

Activities in this area fit into the risk management strategy for the entire business. Understanding of this area must be shared at all levels of the company.

A cyber risk is a potential threat or uncertainty to the business that is related to information technology systems.

Objectives

  • there is a director (or a board of directors) responsible for cybersecurity governance (long-term planning and goal setting)
  • there is a person responsible for cybersecurity management (short-term planning and execution)
  • there is a documented cyber risk management plan that includes all cyber risks relevant to the business (see details below)
  • there is a documented procedure to execute when any cyber risk event occurs

Cyber risk management plan

A cyber risk management plan is a list of cyber risks along with the processes and policies related to them. It includes every risk that might impact the company. It is regularly reviewed and updated.

It contains the following information for each risk:

  • definition/description of the risk and description of its potential events
  • impact and its magnitude
  • likelihood and potential frequency of events happening
  • stakeholders related to this risk
  • risk management decision (ignore/tolerate/accept, mitigate/prevent, or transfer/outsource)
  • risk management guidelines (if accepted, then why; if mitigated/prevented, then how; if transferred/outsourced, then what are the side effects and how to manage this relationship)
  • monitoring guidelines (make sure that event is detected when it occurs)
  • response guidelines in case an event occurs

Risk monitoring and management priority always goes from the high impact and high likelihood down to the low impact and low likelihood.

Impact and likelihood must be on the same scale for all cyber risks to enable comparison.
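The following is an added example, not part of the original document: a minimal risk register in code that enforces the two rules above (every risk carries the required fields, and impact and likelihood sit on one shared scale) and orders the register from high impact and high likelihood down to low and low. The field names, the 1-5 scale, the tie-breaking by impact, and the sample risks are assumptions made for this illustration; the framework itself prescribes only the information each entry must contain.

```python
"""Cyber risk register ordering for the Risk and Response Management area.

Added example, not part of the original document.  Field names, the shared
1-5 scale and the sample risks are assumptions made here.
"""
from dataclasses import dataclass

SCALE = range(1, 6)                              # assumed common 1-5 scale for both axes
DECISIONS = {"accept", "mitigate", "transfer"}   # ignore/tolerate, mitigate/prevent, transfer/outsource


@dataclass
class Risk:
    name: str
    impact: int            # magnitude of impact, on SCALE
    likelihood: int        # likelihood / frequency of events, on SCALE
    stakeholders: list
    decision: str          # one of DECISIONS
    guidelines: str        # why accepted, how mitigated, or how the transfer is managed
    monitoring: str        # how an event is detected when it occurs
    response: str          # what to do when an event occurs


def validate(risk):
    """Return the list of things missing from one register entry (empty means complete)."""
    problems = []
    if risk.impact not in SCALE or risk.likelihood not in SCALE:
        problems.append(f"{risk.name}: impact and likelihood must be on the shared "
                        f"{SCALE.start}-{SCALE.stop - 1} scale")
    if risk.decision not in DECISIONS:
        problems.append(f"{risk.name}: decision must be one of {sorted(DECISIONS)}")
    if not risk.stakeholders:
        problems.append(f"{risk.name}: no stakeholders listed")
    for fld in ("guidelines", "monitoring", "response"):
        if not getattr(risk, fld).strip():
            problems.append(f"{risk.name}: {fld} guidelines are empty")
    return problems


def prioritise(risks):
    """Order risks from high impact and high likelihood down to low and low.

    Refuses to order an incomplete register, because a missing field means the
    plan objective is not met.  Score is impact * likelihood; ties are broken
    by impact, so a rare but severe event outranks a frequent minor one.
    """
    problems = [p for r in risks for p in validate(r)]
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(risks, key=lambda r: (r.impact * r.likelihood, r.impact), reverse=True)


# Constructed sample register for a small business (illustrative values only).
RISKS = [
    Risk("Ransomware encrypts the file server", 5, 3, ["owner", "IT contractor"],
         "mitigate", "real-time antivirus, application whitelisting, tested backups",
         "antivirus alerts; backup job failures", "isolate host, wipe, restore from backup"),
    Risk("Phishing of finance staff", 4, 4, ["finance", "owner"],
         "mitigate", "MFA on email, payment call-back procedure, staff training",
         "email filter reports; repeated login failures", "reset credentials, check payments"),
    Risk("Laptop lost in transit", 3, 4, ["all staff"],
         "mitigate", "full-disk encryption, remote wipe",
         "staff report loss immediately", "revoke identities, remote wipe"),
    Risk("Website defacement", 2, 2, ["marketing"],
         "transfer", "hosted by provider under contract; provider restores",
         "uptime monitor", "contact provider, restore from their backup"),
]

if __name__ == "__main__":
    for rank, r in enumerate(prioritise(RISKS), start=1):
        print(rank, r.impact * r.likelihood, r.name)
```

Refusing to rank an incomplete register is deliberate: the plan objective is only met when every entry has monitoring and response guidelines, so a register with gaps should be fixed, not silently ordered.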

Access Control

This area is about controlling who can get where, why, and how.

It includes physical and digital access, identity management, policies and processes for granting access, and password management. This area is also the most complicated one. If access controls are broken, actions in most other security areas will not have much impact.

An identity in an information system is an object that establishes who its holder is and contains the details that allow identification. An identity management system can verify whether someone has the identity they claim (for example, by checking a password).

Objectives

  • there is a list of all information systems used by the business, and identity management systems that work with them
  • there is a process to create, update, block, and remove identities or access to them (for example, revoking access when no longer required)
  • there is a list of all individuals, devices, applications, and systems that use information systems, and identities that they use
  • there is a list of all assets in the information systems used by the business, and access rules for all identities (or groups of identities) that need access, managed by asset owners
  • all identity management systems that are capable of multi-factor authentication have it enabled
  • no identities share the same authentication key (password, certificate, etc.), even if they belong to the same individual, device, application, or system
  • authentication keys for identities are not publicly available and are not shared between individuals unless they use shared identities (then the reasons for that must be justified)
  • all identities that need access only during specified time frames or from specified locations have those restrictions enforced
  • all identities have minimal required access
  • there are different identities for different duties within the same systems (for example, a separate administrative identity that is not used for day-to-day work)
  • all identity authentication attempts are monitored and recorded
  • there are alerts for repeated identity authentication failures
  • there are alerts for actions performed by administrative identities
  • physical access to information systems is controlled in the same way as digital access to them (see points above)
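The three monitoring objectives above (authentication attempts are recorded, repeated failures raise an alert, administrative actions raise an alert) can be checked with a small monitor over the authentication log. The following is an added example, not code from the original document: it reads constructed log lines, alerts once when an identity fails authentication five times within ten minutes, and alerts on every action by an administrative identity. The log line format, the thresholds, the administrative identity list and the sample lines are all assumptions made for this illustration.

```python
"""Authentication monitoring for the Access Control objectives.

Added example, not code from the original document.  The log format,
thresholds, administrative identities and sample lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <auth|action> id=<identity> key=value ..."
LINE = re.compile(r"^(?P<ts>\S+) (?P<event>auth|action) id=(?P<id>\S+)(?P<rest>.*)$")

FAIL_THRESHOLD = 5                   # alert when one identity fails this often ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window
ADMIN_IDENTITIES = {"admin-bob"}     # assumed list of administrative identities


def parse(line):
    """Turn one log line into a dict; refuse lines the monitor cannot interpret."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
            "id": m["id"], **fields}


def analyse(lines):
    """Return alerts as (timestamp, kind, identity, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # identity -> failure timestamps inside the window
    for line in lines:
        ev = parse(line)
        if ev["event"] == "auth":
            if ev.get("result") != "FAIL":
                # A success does not clear the counter: a guess that finally
                # works is still part of a brute-force run and must be visible.
                continue
            window = recent_failures[ev["id"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:           # fires once, as the threshold is crossed
                alerts.append((ev["ts"], "repeated-auth-failures", ev["id"],
                               f"{len(window)} failures within {FAIL_WINDOW} from {ev.get('src', '?')}"))
        elif ev["id"] in ADMIN_IDENTITIES:
            alerts.append((ev["ts"], "admin-action", ev["id"], ev.get("what", "?")))
    return alerts


# Constructed sample log: a burst of failures against "bookkeeper" from an
# outside address, an administrative action, and a few unrelated failures
# for "alice" spread over more than the window (no alert expected for her).
LOG = """\
2016-08-22T09:00:00 auth id=alice result=OK src=10.0.0.5
2016-08-22T09:01:10 auth id=bookkeeper result=FAIL src=203.0.113.9
2016-08-22T09:01:12 auth id=bookkeeper result=FAIL src=203.0.113.9
2016-08-22T09:01:15 auth id=bookkeeper result=FAIL src=203.0.113.9
2016-08-22T09:01:17 auth id=bookkeeper result=FAIL src=203.0.113.9
2016-08-22T09:01:20 auth id=bookkeeper result=FAIL src=203.0.113.9
2016-08-22T09:05:00 auth id=admin-bob result=OK src=10.0.0.7
2016-08-22T09:05:30 action id=admin-bob what=create-identity target=carol
2016-08-22T09:30:00 auth id=alice result=FAIL src=10.0.0.5
2016-08-22T09:45:00 auth id=alice result=FAIL src=10.0.0.5
2016-08-22T10:20:00 auth id=alice result=FAIL src=10.0.0.5
2016-08-22T10:21:00 auth id=alice result=FAIL src=10.0.0.5
2016-08-22T10:22:00 auth id=alice result=FAIL src=10.0.0.5
""".splitlines()

if __name__ == "__main__":
    for ts, kind, identity, detail in analyse(LOG):
        print(ts, kind, identity, detail)
```

The window is per identity rather than per source address on purpose: the objective is about failures against an identity, and an attacker who rotates addresses would otherwise stay under the threshold. A real deployment would also record where alerts go and who is expected to act on them, which is the response procedure from the Risk and Response Management area.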

Malware Protection

This area is about protection against malicious software that seeks to damage or destroy your information, or disrupt your work.

There are different types of malware, with different modes of operation. Nevertheless, protection against them is usually available in a single software application. Tools that provide central administration and monitoring are preferable to tools that require individual attention for each system they are installed on.

Objectives

  • there is a real-time antivirus solution deployed on all systems used by the business, and it is up to date
  • there is filtering of undesirable web content between the users and the public networks
  • there is an antivirus solution that processes incoming and outgoing email communication
  • there are administrative restrictions in place to prevent users from installing and running unauthorised software applications
  • there are administrative restrictions in place to prevent users from disabling antivirus solutions on systems they use
  • events and alerts from antivirus solutions used by the business are monitored
  • there is a response and containment plan for malware that was not detected before its activation (for example, disconnection and destruction of infected systems and restoration from backups)
  • user account controls in software systems that require additional confirmation for sensitive actions are enabled and there are administrative restrictions in place to prevent their deactivation
  • application whitelisting is used on every system that supports it

Perimeter Protection

This area is about keeping bad things away from your networks and communication channels. Think about it as walls and doors in the house.

It includes boundary firewalls, gateways, communication channels, and dealings with third parties and partners.

Objectives

  • there are firewalls between each private and public network used by the business that control both incoming and outgoing communications with whitelisting (everything is blocked except explicitly permitted traffic)
  • if there is a central network, and individuals need outside access to it, then that access is only through an inbound VPN connection
  • only explicitly authorised devices and individuals can use the network (there is no dynamic network address allocation except when the connecting device is securely authenticated)
  • sensitive information is shared inside and outside the organisation through secure channels only (for example, document sharing only through secure platforms, and outside access to email only through encrypted channels)
  • information that comes from partners or third parties is verified to be authentic and unchanged
  • there is an intrusion detection system in the company’s network

Asset and Vulnerability Management

This area is about keeping track of what the business has, and how vulnerable those assets are.

It includes patch management, asset and configuration management, and vulnerability monitoring.

Objectives

  • there is a complete and up to date inventory of all information assets the business uses and the physical assets that run them, including the threats to their operation
  • there is a process in place to review, approve, and document all configuration changes in all assets, and to prevent unauthorised changes otherwise
  • all software used by the business is supported by its vendors and is up to date
  • there are ongoing vulnerability scans against all assets that are performed by external parties, and discovered vulnerabilities are resolved or otherwise managed as risks
  • there are regular penetration tests and security audits against all assets that are performed by external parties, and discovered problems are resolved or otherwise managed as risks
  • information and physical assets are destroyed or otherwise wiped at the end of their usage
  • all assets that have authentication capabilities (for example, passwords, keys, or certificates) had their default credentials changed

Recovery and Business Continuity

This area is about preserving the business during and after an incident.

It includes storage access and encryption, backups, disaster recovery planning, and business continuity planning.

Objectives

  • for every business-critical activity there is a list of information systems and physical assets that are necessary for it to run, along with plans to maintain their operation and restore it if it is disrupted or lost (this includes determining what has to be backed up, for how long, and doing the backups themselves)
  • all backups are regularly tested to ensure the possibility of restoration
  • there is at least one backup copy that is not changeable after it is created
  • there is at least one backup copy that is kept off business premises
  • access to backups is available only to authorised individuals, and the backups are encrypted
  • there is a documented process to restore business activities that use information systems
  • all storage is encrypted and unavailable for access for unauthenticated users

Training and Situational Awareness

This area is all about people.

No amount of smart systems and software put in place can protect you from a person who is unaware of the consequences of their actions. This area includes education and practice drills.

Objectives

  • everybody in the company knows and understands:
    • cyber risks relevant to the business
    • access control and perimeter protection areas of this framework
    • importance of updating software when prompted
    • dangers of use of their personal information to get access to business assets
  • everybody with administrative privileges or access to sensitive information understands:
    • dangers of phishing
    • password management practices
    • dangers of social engineering
    • dangers of unprotected communication channels like password-free WiFi
    • importance of immediate reporting and escalation of cyber events
  • there are regular cyber event drills (practice exercises)

ABC Maturity Model

A maturity model is a tool used to assess parts of a business. The goal of this model is to provide a business with a way to understand its current cybersecurity capabilities and identify the immediate next steps to take to improve them.

This model contains only three maturity levels. The complexity of more levels is overkill for SMEs, and a simpler approach is used instead.

Maturity Levels

ABC Maturity Model defines three levels (from the lowest to the highest):

  • Concerned. This level means that the business is aware of the subject, but nothing is actually being done.
  • Bothered. This level means that at least something is done, but not all the objectives of a framework used for the assessment are being met.
  • Adequate. This level means that all the objectives of the used framework are met.

In short, the progression through Concerned, Bothered, and Adequate means that first, nothing is done, second, something is done, and, in the end, everything is done.

Application to the RAMPART Framework

This model is used in conjunction with the RAMPART Framework. Each area is assessed for completion of its objectives.

In security, you are as strong as your weakest link. Therefore, the overall maturity level of the organisation equals the lowest grade it gets in any of the seven areas. There are neither complicated formulas, nor exceptions: if you get an “A” in six areas, and “C” in one of them, your overall level will still be “C”.

In short, having a “B” means that there is at least one objective completed in every area of the RAMPART Framework, and having an “A” means that all objectives (including those added or removed during customisation) are met. In case there is an area which has no completed objectives at all, overall level is “C”.
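The rules above, together with the earlier rule that an objective which requires a document becomes incomplete when that document's review is overdue, are simple enough to compute. The following is an added example, not part of the original document: given an assessment ticked per objective, it derives C, B or A for each of the seven areas and takes the lowest as the overall level. The dictionary layout, the review intervals, the treatment of customised-away objectives and the sample assessment are assumptions made here, and the objective names are abbreviated from the framework.

```python
"""ABC level computation for a RAMPART assessment.

Added example, not part of the original document.  The data layout, review
intervals and sample assessment are assumptions made here.
"""
from datetime import date, timedelta

LEVEL_RANK = {"C": 1, "B": 2, "A": 3}


def objective_complete(objective, today):
    """Ticked, and any required document reviewed within its stated frequency."""
    if not objective.get("done"):
        return False
    document = objective.get("document")
    if document is None:
        return True
    next_review = document["last_review"] + timedelta(days=document["review_every_days"])
    return today <= next_review   # overdue review makes the objective incomplete


def area_level(objectives, today):
    """C, B or A for one framework area; objectives removed by customisation are skipped."""
    active = [o for o in objectives if not o.get("removed")]
    if not active:
        raise ValueError("an area must keep at least one objective")
    completed = sum(objective_complete(o, today) for o in active)
    if completed == 0:
        return "C"
    return "A" if completed == len(active) else "B"


def overall_level(assessment, today):
    """Lowest area level wins; returns it together with the per-area levels."""
    levels = {area: area_level(objectives, today) for area, objectives in assessment.items()}
    return min(levels.values(), key=LEVEL_RANK.__getitem__), levels


# Constructed sample assessment, abbreviated to a few objectives per area.
ASSESSMENT = {
    "Risk and Response Management": [
        {"name": "director responsible for governance", "done": True},
        {"name": "documented cyber risk management plan", "done": True,
         "document": {"last_review": date(2016, 2, 1), "review_every_days": 180}},
        {"name": "documented cyber risk event procedure", "done": True,
         "document": {"last_review": date(2016, 8, 1), "review_every_days": 90}},
    ],
    "Access Control": [
        {"name": "multi-factor authentication enabled where available", "done": True},
        {"name": "all identities have minimal required access", "done": True},
    ],
    "Malware Protection": [
        {"name": "real-time antivirus on all systems", "done": True},
    ],
    "Perimeter Protection": [
        {"name": "default-deny firewalls", "done": True},
        {"name": "intrusion detection system", "done": False},
    ],
    "Asset and Vulnerability Management": [
        {"name": "software supported and up to date", "done": True},
        # customisation: objective removed with a documented reason, so it is not counted
        {"name": "external penetration test", "done": False, "removed": True,
         "reason": "accepted as a risk until the web shop launches"},
    ],
    "Recovery and Business Continuity": [
        {"name": "backups regularly tested", "done": True},
    ],
    "Training and Situational Awareness": [
        {"name": "regular cyber event drills", "done": False},
    ],
}

if __name__ == "__main__":
    overall, levels = overall_level(ASSESSMENT, date(2016, 8, 22))
    for area, level in levels.items():
        print(f"{level}  {area}")
    print("overall:", overall)
```

Run on 22 August 2016 the sample comes out as C overall: six areas are A or B, but no drill has been held, and the risk plan's 180-day review lapsed on 30 July, which on its own drops the first area from A to B. The same assessment on 1 July would have given the first area an A, which is the point of recording review frequencies next to the objectives.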

Maturity Progression

Theoretically, there is a “zero” level, meaning that the business has no idea about the area. However, as soon as someone reads through the RAMPART Framework description, the fact that the business cares enough to do that automatically brings it to the first level, called Concerned. It is the starting point of the ABC journey. It means that the business knows about the area and the problems related to it, and cybersecurity is on the agenda.

After getting concerned, the business becomes Bothered enough to do something about it, which moves it to the next level. At this stage, efforts are basic and ad hoc. The important distinction from the previous level is that it is not just talking anymore.

Systematising efforts, and moving from makeshift solutions to something stable and mature, propels the business to the last level - Adequate. At this point, the cybersecurity state is good enough, and investment corresponds to threat levels. This is not necessarily the same for every company. For example, a small business that does health insurance brokerage and a small business that runs a retail store will have significantly different requirements for security. But both should have measures in place that are adequate to their situation.

Cybersecurity Management Strategy

ABC Maturity Model in conjunction with the RAMPART Framework can be used as a basis for the Cybersecurity Management Strategy for the organisation.

Why is it needed?

Cybersecurity Management Strategy provides common understanding and guidance for the entire organisation in relation to cybersecurity. It is used to set goals and monitor progress towards them.

What is the easiest way to implement it?

The goal for a business using approach described in this document is to get to the “A” level of maturity.

For that, it is enough to use the chapter with the details of the RAMPART Framework, and for each objective define a target date and record the completion date. This provides both an overview and a plan for improving cybersecurity capabilities.

Once level “A” is reached, the strategy should be reviewed and, if necessary, extended to either continue customising the approach from this document, or move on to larger maturity models and standards.

Overall, ABC Maturity Model with RAMPART Framework provides an essential stepping stone to wider scale cybersecurity maturity, and its step-by-step implementation provides a foundation for a cybersecurity management strategy.

Implementation: Building Ramparts

There are only three steps essential for the implementation of this approach:

  1. Assess the organisation.
  2. Get every area of the RAMPART Framework to level “B”.
  3. Get every area to level “A”.

In each area, objectives should be completed in priority order, addressing the high impact and high likelihood risks first.

For most objectives, there are no prerequisites, so they can be completed independently and in parallel.

Customisation guidelines

There are two ways to customise objectives described in the framework. You can either add them, or remove them.

The best way to do that is during Risk and Response Management activities. Depending on risk management decisions, existing objectives may be ignored or new ones may be introduced. All such changes should be documented.

Some systems may be required to comply with industry certifications. Non-compliance can be managed as a risk.

While customising the framework, it is important to remember that its applicability is limited to small and medium-size businesses. In larger organisations it should only be used at a department level when an overarching cybersecurity strategy does not exist.

Summary

This document describes version 2016.2 of the approach.

The New Zealand government is currently working on a Cyber Credentials Scheme. When it is released, the approach described in this document will be adjusted in a new version to be compatible with the upcoming scheme, and to complement it.

Questions and comments to this document should be addressed by email to lab@knowledgelab.nz or by post to Knowledge Lab Ltd, PO Box 55156, Eastridge, Auckland 1146, New Zealand.