Cyber security services reporting framework
Tiainen, Teemu (2021)
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202105118355
Abstract
The objective of this study is to create a cyber security services reporting framework that enables reporting to a customer's cyber security stakeholders in a way that supports the customer's business needs to improve its security posture. The case company provides managed cyber security services. Reporting on these services is done differently for each customer, and the current reporting structure focuses mainly on operative and technological aspects without bringing additional value to the customer's business needs. The cyber security services have been provided for only a few years, and the case company is looking for a solution to improve and harmonise the reporting of cyber security services so that it supports the customer's business needs to improve security posture.
The study includes four stages, performed according to the research design, which serves as the research approach. The first stage is a current state analysis of the strengths and weaknesses of the current reporting structure and deliverables. The second stage is a literature review in which knowledge and best practices for overcoming the weaknesses are compiled into the conceptual framework. The third stage is a co-creation stage in which a proposal for the reporting framework is created together with internal and external stakeholders, based on the findings of the previous stages. The fourth and last stage is a multi-step validation of the proposal by the internal and external stakeholders to validate the final proposal for the cyber security services reporting framework. The study also includes a recommendation for the steps to implement the framework in the case company.
The outcome of this study is a comprehensive cyber security services reporting framework that incorporates the customer and service provider relationship and responsibilities. The framework describes best practice for cyber security management, which includes setting cyber security targets through risk management. The framework describes what the service provider reports about the outcomes of cyber security services, and how, to improve the security posture of customers.
The initial steps for the implementation of the framework are included in the study. The framework has received positive comments and the implementation plan has received management support to move forward with the development of cyber security services reporting.