Shared Cybersecurity Responsibility Maps

Combining SIPOC + RACI Provides End-to-End Visualization of Roles, Responsibilities, Expectations, and Dependencies

Many Aspects of Cybersecurity are Beyond the Domain of IT Departments

Cybersecurity Responsibilities are Shared Among Multiple Departments, Stakeholders, and Business Partners

Finance and Risk Management (NIST CSF ID.RA)

• Ensures the organization understands the cybersecurity risk to mission, functions, reputation, organizational assets, individuals, and business partners

Human Resources (NIST CSF PR.AT)

• Responsible for training personnel to perform information security related duties and responsibilities consistent with policies, procedures, and agreements

Legal (NIST CSF ID.GV-3)

• Ensures the organization understands and manages legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations

Business Process Owners (NIST CSF PR.IP)

• Ensures security policies, processes, and procedures are maintained and used to manage protection of information systems and assets

Shared Responsibility Maps Provide End-to-End Visualization of These Roles, Responsibilities, Expectancies, and Dependencies

Responsibilities and Expectations External to Cybersecurity Processes and Activities

All Cybersecurity Processes and Activities Receive Inputs

All Cybersecurity Processes and Activities Create Outputs

Someone or Something (Could be a Process, Department, or External Entity) Is Responsible for Providing the Inputs According to Predefined Specifications

Someone or Something (Could be a Process, Department, or External Entity) Expects to Receive the Outputs According to Predefined Specifications

SIPOC: Defines Responsibilities and Expectancies External to Processes and Activities

Suppliers: Receive the input specifications from the process team and provide the inputs to the process team according to specifications

Inputs: The resources and their specifications defined by the process team

Processes: The steps the process team will execute to create the outputs

Outputs: The deliverables created by the process team that will be delivered to the customer/consumer within predefined specifications

Customers: Expect to receive the outputs/deliverables developed according to predefined specifications by the process team

RACI: Responsible, Accountable, Consult, Inform

Team Responsibilities for Process Execution

Responsible (The Doers) - Those who do the work to achieve the task. There is at least one role with a participation type of Responsible

Accountable (The Buck Stops Here) - The one ultimately answerable for correctness and thoroughness of the completed task

Consult - Those whose opinions are sought, typically subject matter experts. Two-way communication

Inform - Those kept up to date on progress, with whom there is one-way communication

Shared Responsibility Mapping Combines SIPOC & RACI

Defines and Visually Illustrates End-to-End Roles, Responsibilities, Expectations, and Dependencies of All Departments, Stakeholders, and Business Partners

Serves to Penetrate Departmental Silos, Tool Conflicts, and Tribal Knowledge

Improves Communications and Collaboration

Computer Security Incident Response Plan Shared Responsibility Map

Computer Security Incident Response Plan Process Resource (NIST 800-61 R2 Base)

Shared Cybersecurity Responsibility Maps can be delivered as stand-alone documents, integrated into existing plans, or integrated into web frameworks that illustrate cybersecurity processes, activities, and associated resources

Shared CSIRP Responsibility Map of Step 2.1 Monitor and Detection Process

High-level and detailed views are available within a few clicks

Computer Security Incident Response Plan Step 2.1: Monitor & Detection

CSIRP Step 2.1 Monitor & Detection SIPOC & RACI Detail

Identifying Factors that Contribute to Unsatisfactory Outcomes

Variation Impacts the Predictability of Effectiveness and Efficiencies

Inputs and Process Activities are Sources of Variation in the Management of the Quality of Deliverables

Shared Responsibility Maps Illustrate Where and How Variation Impacts the Ability to Effectively Manage Cybersecurity

Example of a Factor Contributing to Less Than Desirable Cybersecurity Management

A User Not Properly Trained to Recognize and Report Anomalous Malware Behavior

• Extends the time from initial entry to detection

• Extends dwell time

• Increases the opportunity for the malware to spread laterally in the system

The Solution: Human Resources provides appropriate and continuous user cybersecurity training, testing, and proficiency tracking

Shared Responsibility Maps Illustrate Multistep Activity/Process Dependencies

Activity/Process Start

Activity/Process Step 1

Step 1 Outputs & Customer Become Step 2 Supplier and Inputs

Activity/Process Step 2

Step 2 Outputs & Customer Become Step 3 Supplier and Inputs

Activity/Process Step 3

Activity/Process End

Variation in Earlier Steps Influences Later Dependent Activity and Process Steps
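The RACI rules stated earlier (at least one Responsible, exactly one Accountable) and the hand-off rule above (step n's outputs and customer become step n+1's inputs and supplier) can be checked mechanically. The following Python is an added example, not material from the deck or from Process Delivery Systems; the step 2.2, the role names and the SIPOC values are constructed, with only step 2.1 Monitor & Detection taken from the deck.

```python
from collections import Counter
from dataclasses import dataclass

RACI_CODES = {"R", "A", "C", "I"}  # Responsible, Accountable, Consult, Inform

@dataclass
class ProcessStep:
    """One SIPOC row plus the RACI assignment of the team executing the step."""
    name: str
    suppliers: set
    inputs: set
    outputs: set
    customers: set
    raci: dict  # role -> one RACI code

def validate_raci(step):
    """RACI rules from the deck: at least one Responsible, exactly one Accountable."""
    errors = [f"{step.name}: unknown RACI code {c!r} for {r}"
              for r, c in step.raci.items() if c not in RACI_CODES]
    counts = Counter(step.raci.values())
    if counts["R"] < 1:
        errors.append(f"{step.name}: no Responsible role (the doers)")
    if counts["A"] != 1:
        errors.append(f"{step.name}: expected one Accountable role, found {counts['A']}")
    return errors

def validate_chain(steps):
    """Step n outputs and customers must become step n+1 inputs and suppliers."""
    errors = []
    for prev, nxt in zip(steps, steps[1:]):
        for item in sorted(nxt.inputs - prev.outputs):
            errors.append(f"{nxt.name}: input {item!r} is not an output of {prev.name}")
        if not prev.customers & nxt.suppliers:
            errors.append(f"{nxt.name}: no customer of {prev.name} appears as a supplier")
    return errors

def validate_map(steps):
    """Every step's RACI plus the SIPOC hand-offs between consecutive steps."""
    return [e for s in steps for e in validate_raci(s)] + validate_chain(steps)

# Constructed sample: the deck's CSIRP step 2.1, then a made-up follow-on step
STEP_2_1 = ProcessStep("2.1 Monitor & Detection",
    suppliers={"Security tooling", "Trained users"}, inputs={"alerts", "user anomaly reports"},
    outputs={"validated detection"}, customers={"Incident response team"},
    raci={"SOC analyst": "R", "Security manager": "A", "HR": "C", "Legal": "I"})
# Defective on purpose: no Accountable role, and it expects an input 2.1 never produces
STEP_2_2 = ProcessStep("2.2 Analysis (constructed)",
    suppliers={"Incident response team"}, inputs={"validated detection", "malware sample"},
    outputs={"incident report"}, customers={"Management"},
    raci={"IR analyst": "R", "Legal": "I"})
```

Running validate_map over the two steps reports the missing Accountable role and the unsourced input, which is exactly the kind of gap a shared responsibility map is meant to surface before it shows up as variation in the deliverable.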

In Summary: Shared Cybersecurity Responsibility Maps

Enable End-to-End Definition and Visualization of Responsibilities for All Involved with Cybersecurity

Clarifies Inputs and Outputs including Specifications

Illustrates Where and How Variation Influences Deliverables

Contact

Henry Draughon
Process Delivery Systems
(972) 980‐[email protected]
https://www.processdeliverysystems.com/resources/shared_cybersecurity_responsibility_maps.html