by: Elena Garrett
Elemental RSC 80/20 - solving the risk, security, and compliance dilemma
The Elemental RSC (Risk, Security, Compliance) approach aligns cyber Risk (R), Security (S), and Compliance (C) controls into a single workflow. It can be used to improve cyber security, reduce risks, and achieve compliance using a set of strategic, resource-conscious project cycles. Each cycle focuses on identifying and remediating 20% of issues that account for 80% of cyber risk within the organization while at the same time controlling the risks that have not been fully addressed yet.
Elemental RSC 80/20 approach cycle:
The Elemental RSC 80/20 workflow encourages using maximum resources to identify and control the highest severity risks within each cycle. Each time the cycle is repeated, more and more risk and compliance gaps should be fully remediated or mitigated using available security controls. Breaking the list of risk- and compliance-related projects into smaller cycles using the RSC (Risk, Security, Compliance) workflow allows for maximum risk reduction, close alignment of risk and compliance initiatives, and better coordination between risk, compliance, and security teams.
Elemental RSC 80/20 Cycle explained:
Step 1. At the beginning of each cycle, identify overall cyber risks facing organization, rank them in terms of severity, and select highest priority risks. Use the 80/20 approach when deciding which risks to select. Look for 20% of issues that cause 80% of the security risks in the organization.
Step 2. Use a compliance framework (NIST 800-53, NIST 800-171, HIPAA/HITRUST, SOX, etc) to identify best practices and recommended technical (actionable) controls associated with the types of risks you selected. If your organization does not need to be compliant with any industry-specific cyber security framework, we recommend using NIST 800-171&172 or ISO 27001 as generic security frameworks that can guide you through the control selection process. We recommend using ESP policy templates to quickly identify available controls.
Step 3. Use RSC-capable tools like ESP to measure the gap between the desired security posture and the current security posture of any endpoint in scope.
Step 4. Use RSC-capable tools like ESP to remediate those highest priority risks in full.
Step 5. If full remediation is not possible, use RSC-capable tools like ESP to add mitigating controls.
Step 6. For all other lower-priority risks, use a containment approach to keep the risk of security breach to a minimum (ex. use micro-segmentation).
Step 7. Use RSC-capable tools to provide reporting on the status of remediation / mitigation /containment activities, and the updated security gap information.
Continue with the next cycle to address the next set of risks.
Using ESP to implement RSC 80/20
ESP is a RSC-capable solution that provides the following features:
- - Risk assessment and reporting at the endpoint level
- - Continuous Compliance Gap assessment - before and after deployment of remediation, mitigation or containment controls
- - Broad range of host configuration and network access controls to utilize for remediation, mitigation, and containment techniques
- - Detailed, audit-ready reports that can be utilized by higher-level governance, risk, and compliance (GRC) processes
Benefits of the Elemental approach:
Elemental RSC 80/20 was designed to solve some of the most common problems within organizations:
- Resource limitations (staff, time, skills, budget) that reduce organizations' ability to manage broad cyber risk, compliance, and security programs
- Lack of coordination among information systems governance, risk and compliance (GRC) programs and other control management activities
- Lack of strategic, organization-wide approach to resource-intensive security initiatives
The Elemental RSC 80/20 workflow helps to address those problems by bringing risk, security, and compliance into one workflow that is implemented in cycles, allowing security teams to better manage cyber security related issues and controls.