Management and Cyber Security
Cyber Security is not a new concept, nor is it something being ignored in businesses around the world. So why do we continue to see data breaches and hacking of large corporations and governments? I believe this boils down to business leaders and practices not being prepared for what’s next and only focusing on what happened last. It is these band-aid practices that set companies up for the next attacker. Instead, leaders should get back to basics and reassess their business practices as they pertain to Cyber Security, chief among them their current security policies and Information System Security Plan (ISSP).
Basic security policies lay the foundation for all security decisions throughout an organization. But in order to obtain any system security certification, a well thought out and executed Information System Security Plan (ISSP) is required. This plan must completely identify and describe what controls are currently in place or are planned. After the ISSP is completed, you should have an overview of the security requirements of the system and a record of the technical information and the controls that were implemented to mitigate risks and vulnerabilities. The ISSP should also work to achieve compliance with any laws or regulations necessary to achieve system certification.
Throughout the CSOL 550 course, we were able to take a step back and review all the components that are a part of integrating Cyber Security into our management strategies. Below are some examples of these key components in ensuring a successful implementation of not only an ISSP, but also building upon current company cultures and embedding Cyber Security within them.
Organizational vs Contingency Planning
Organizational Planning
Organizational Planning through Business Continuity is about supporting the business’s goals and objectives through Strategic Planning, Tactical Planning, and Operational Planning, which together make up our Information Security Programs, while focusing on sustaining our organization’s mission(s) during and after any disruption. “An information security strategic plan can position an organization to mitigate, transfer, accept or avoid information risk related to people, processes and technologies” (Evans). It also allows I.T. initiatives to align with business goals while adhering to the security objectives of confidentiality, integrity, and availability. This is done by allowing for a bottom-up approach to security implementation that is initiated by system administrators and/or a top-down approach that is initiated by C-Suite management. While this allows for balance between levels of the hierarchy, agile changes to security implementations can be hindered by the process it entails.
Contingency Planning
Contingency Planning is where necessary actions are carried out to limit damage and/or any loss of information, guided by procedural steps for recovering from an incident. It is important that contingency planning does not impact our business processes where applicable and where risk has been accepted. This approach allows for more flexibility, as it will change according to the situation and on a case-by-case basis. However, this means it will involve more complexity when it comes down to initiating the appropriate actions during an event, as no two situations will be the same. It is also reactive in nature and puts the onus solely on management. As our goals are to respond to unexpected events while restoring our business to normal operations with minimum cost and/or disruption, you can see how from a practical standpoint this becomes considerably difficult.
Conclusion
NIST SP 800-34 mentions, “resiliency is not a process, but rather an end-state for organizations” (Swanson, M., Bowen, P., Phillips, A., Gallup, D., Lynes, D.). This is an important mindset to exercise and the goal of what both Organizational and Contingency Planning are aiming to accomplish. While one aims to operate through a disaster and the other to suspend operations until completely restored, both strive to protect the operation of the business. The balance between the two planning methods is a delicate one, especially when executing during or after any disruptions. A Business Continuity Plan (BCP) is often costly and difficult to implement as opposed to contingency planning through restoration of backups. This of course depends on the expected downtime of our systems versus the loss of revenue while down. That said, as more and more assets are microsegmented through a variety of off-premises data centers (cloud), containerized software, and air-gapped networks, the cost of a BCP can vary vastly depending on the system(s) affected.
Auditing and Security Approaches
Cyber Security Audits
When we look to identify vulnerabilities within our information systems infrastructure, we seek to ascertain what risks we as a company face and the likelihood of them occurring. To begin this process, our Cyber Security team generates a Vulnerability Checklist, which will help us look at a few key factors such as: (1) What, if any, intellectual property or trade secrets need protecting? (2) Do we enable Universal Serial Bus (USB) connections to be used on our computer systems? (3) Do we store backups off-site or on-site? (4) Do we have any external contractors that are system administrators or software engineers?
The importance and value of our intellectual property has generally been summarized by its profit value; its cost to acquire or develop, maintain, replace, and restore; and any liabilities if it is compromised. However, we identify the risks by performing a qualitative risk assessment, as such assessments “do not utilize detailed calculations to assign monetary values to assets and losses like the quantitative method” (Touhill & Touhill). The first step in our cyber vulnerability audits is identifying the threats and threat sources. These include, but are not limited to:
• Human threats: Unauthorized access, Virus infection, and/or improper data entry.
• Natural Disaster: Flood, Tornado, Earthquakes.
• Physical Environment: Failure of Power, HVAC, and/or fire.
After the assessment, we look to identify the likelihood of the threat occurring versus the business impact should the threat be realized. A key component is ensuring we are communicating the risks efficiently. We do this by adhering to our risk management process that includes:
• C-Suite ownership of risks while ensuring everyone has a stake in the consequences.
• Ensure all employees are well informed of any risk the business faces and our plan for mitigation or acceptance.
• Continue to document any critical information associated with an audit or risk assessment for senior management oversight.
• Make sure the information on critical vulnerabilities is on a need-to-know basis and not publicly published.
Security Approaches: Normal vs Outside the box
We need to avoid being resistant to change; the thought process of “We have always done it this way” has no place in any of our business strategies. This open mindset is especially important as we evaluate our business using standard security approaches, which involve internal-only audits of our information systems, or using “hackers” in external testing that is conducted from outside our security perimeter, allowing for an unbiased assessment that reveals any vulnerabilities and exploitable weaknesses. Below is a table identifying the benefits and risks of hiring hackers:
Conclusion
Businesses all over the world face varying risks every day. C-Suite management carries the burden of being responsible for managing those risks in order to protect the business and promote growth for years to come. Following our risk management program and identifying the best security approaches to better identify and assess vulnerabilities within our infrastructure is paramount in ensuring our business’s success.
Cyber Security vs Business Practices
Business Practices
When looking at common business practices of the past, such as the procurement of substandard products and services to meet profit margins, it’s important to note the significant security risks inherent in them. Beyond the supply-chain risks of heavy outsourcing, “businesses around the world suffer countless hours of monetary and mission loss due to unexpected equipment and system failures caused by these substandard products” (Touhill). Outside of highly governed sectors like the Department of Defense (DoD) or Finance, which prevent the use of such outsourcing, companies here in the U.S. and around the globe continue to follow these outdated practices.
Cyber Security
Archaic business practices are not the only cause of increased Cyber Security threats over the years. Hacktivists, or computer-savvy people with a political or social agenda, are a threat that lies outside of any business practice. Sure, updating a company’s Cyber Security posture by means of policies, training and technical solutions is a great way to promote proactive protection of your company’s assets. However, this doesn’t always stop a politically motivated individual or group. This has shown to be the case with better-known groups such as Anonymous.
Conclusion
Business practices are ever changing, and in today’s world leaders must proactively adapt to these changes in order to preserve the continuity of their businesses. Finding balance between the business practices they’ve always known to work and the need to adapt to change in regard to Cyber Security is paramount for corporate leadership in today’s world.
CSOL 550 Course Reflections
Information is transmitted and exchanged at breakneck speeds in today’s information age. Business leaders must adapt to these changes in order to protect their companies’ profits, employees and stakeholders, as well as their customers. This can be difficult, as business practices of the past are often not agile enough to compete with ever-growing technologies nor provide the level of security needed to protect their assets. This course has shown that just having a plan doesn’t mean a business will be successful. It’s the proper implementation of a plan, continued training of employees, and making sure both are organic enough to meld into the company’s culture.
Management and Cyber Security References
Top 10 Pros and Cons of Hiring Hackers to Enhance Security
Cyber Security for Executives: A Practical Guide
The Importance of Building an Information Security Strategic Plan
Contingency Planning Overview
NIST SP 800-34: Contingency Planning Guide for Federal Information Systems
BDO USA's What CEOs Should Know & Do About Cybersecurity
CEOs Must Champion Corporate Cybersecurity