In a previous post, I wrote about my key take-aways from Verizon’s 2019 Payment Security Report. While it’s no surprise it was full of interesting and useful data, (Verizon’s yearly Data Breach Investigation Report (DBIR) has become required reading.) I was delighted to find an excellent guide on the the 9-5-4 model, a means by which an organization can measure and improve its data protection program. It also details ways in which a company can measure the maturity of the program. What I appreciated most about this guidance was that it is broadly applicable. It works well with a data protection compliance program as well as with any program you may want to measure. The working details will be different, but the concepts are extremely flexible.
The 9-5-4 model is very simple and easily applied: nine (9) factors of effective data protection controls, five (5) constraints, and four (4) lines of assurance. The factors are assessed against the constraints for each line of assurance. This forms a handy matrix and a quick visual guide for which factors are healthy, which are in need of help, and what kind of help they need. The lines of assurance pinpoint where that help should be applied.
The 9 Factors of the 9-5-4 Model
- Control environment
The sustainability and effectiveness of controls depend on a healthy control environment.
- Control design
Proper control operation to meet security control objectives depends on sound control design.
- Control risk
Without on-going maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of control risk.
- Control robustness
Controls operate in dynamic business and ever-changing threat environments. They must be robust to resist unwanted change to remain functional and perform to specifications (config standards, access control, system hardening, reviews etc.).
- Control resilience
Security controls can potentially still fail despite adding layers of control for increased robustness; therefore, control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability.
- Control lifecycle management
To achieve all of the above, monitor and manage security controls throughout each stage from inception to retirement.
- Performance management
Establish performance standards (define, communicate, measure).
- Maturity measurement
Prevent a stagnant control environment through continuous improvement
Achieve all of the above requires in-house proficiency, capacity, capability, competency and commitment.
Taken from “The Top Nine factors for Effective Data Protection Controls What, Why & How Lessons from Payment Security Report”
The first part of developing an effective and sustainable data protection program is to understand what you are trying to protect, the things which may harm that environment, the controls that can decrease or eliminate that harm, and the need for regular assessments and improvement exercises.
The 5 Constraints (+1)
The amount of a resource available – time, people, money.
The ability to perform the actions required to achieve the desired outcome.
How effective can the capability be applied? While capability tends to be quantitative or binary, competence is qualitative.
Willingness to achieve the outcome. This reflects both leadership and contributors.
Effectiveness relies on good communication horizontally and vertically as well as internally and externally.
Use the five constraints to assess each factor. For instance, your vulnerability assessment activities are an essential part of your risk management program. You may have the people, time, and budget (capacity) and the technology in place (capability) but not the skills to configure the system and analyze the results (competence). This points to a need for training the technical staff. If, on the other hand, the staff was competent but already over-burdened, that would mean that the staff needs augmentation. Additional hiring or perhaps a managed service could help bolster this control.
What the five constraints provide is a quick diagnostic and a maturity rubric by which one can assess the state of a data protection program. They are also broadly applicable across other domains, so I find this tool particularly useful for assessing other types of programs or projects. For instance, they fit very well into organizing a risk register for new or ongoing programs, and they highlight potential points of failure and mitigations.
Verizon added this in their report as an aside, and I wanted to highlight it. Culture can be a constraint if not cultivated. Security is a discipline, and developing a security-minded culture will go a long way toward sustaining an effective data protection program.
The 4 Lines of Assurance
- Individual accountability
- Risk management and compliance teams
- Internal audit
- External audit, regulators
The four lines of assurance are the groups responsible for the control environment. The individual operators, those responsible for establishing policies and oversight over the operations, and the auditors (internal and external) who validate controls report their findings to management and boards.
Each line interacts with each factor and is affected by the constraints. Each line will have different responsibilities for each factor and will be affected by the constraints in different ways. By assessing each line of assurance, a picture of the overall control system emerges, and a holistic approach to program improvement can be seen.
Final Thoughts: 9-5-4 Model
The 9-5-4 model provides a robust framework for establishing, measuring, and improving a data protection program. It is not prescriptive as to what controls should be in place – the PCI DSS, NIST 800-53, and ISO 27001 are better tools for this. Rather, the 9-5-4 model complements an organization’s implementation of those controls. By combining prescriptive frameworks with a model for measuring implementation, a sustainable and effective data program can be built and continuously improved upon over its lifecycle.