When creating a cybersecurity services catalog, security teams must ensure the contents are simple to understand, expectations are set appropriately and everything is aligned to business needs.
This piece provides best practices for creating a cybersecurity services catalog, including pitfalls to avoid along with templates and examples that can be referenced throughout the organization.
When building a cybersecurity services catalog, proper planning is essential. Setting clear expectations up front helps the cybersecurity team deliver successfully and lets the business plan around a defined level of service, accountability and cost. The team should take a realistic view of what will and will not be offered: the catalog should reflect the team's actual technical capacity and expertise while remaining customer-centric.
When creating the menu of security services, it’s important to:
Constructing and maintaining a services catalog is not a one-and-done effort; it usually takes several iterations to improve over time. The catalog will not be perfect from the start, but some pitfalls to avoid include:
No two organizations offer the same set of services in their cybersecurity catalog. The clearer the catalog, however, the better the outcome for both the technical team and the business units consuming it. Typically, each entry in the catalog includes the following:
Figure 1 provides some typical examples of general service categories and the services under them.
Figure 1: Example General Categories
Conduct third-party review and assessment
Provision roles and permissions
Create policies and procedures
Secure hosts with endpoint solutions
Secure remote access
Audit and decommission accounts
Review third-party and system dependencies
Conduct vulnerability assessments
Source: IANS, 2022
Security teams will want to make the catalog their own. However, the following resources from NIST and CISA can help guide the effort:
To ensure your catalog works well for both the cybersecurity team and the business units consuming the services, it’s important to: