Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Develop strategic cybersecurity goals and define success
- 1 5. Develop and create the cybersecurity plan
- 1.1 5.1. Develop strategic cybersecurity goals and define success
- 1.1.1 5.1.1 Broadly articulate business goals and how information technology relates
- 1.1.2 5.1.2 Articulate why cybersecurity is vital to achieving those goals
- 1.1.3 5.1.3 State the cybersecurity mission and define how to achieve it, based on the above
- 1.1.4 5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission
- 1.1 5.1. Develop strategic cybersecurity goals and define success
- 2 References
5. Develop and create the cybersecurity plan
What follows is a template to help guide you in developing your own cybersecurity plan. Remember that this is a template and strategy for developing the cybersecurity plan for your organization, not a regulatory guidance document. This template has at its core a modified version of the template structure suggested in the late 2018 Cybersecurity Strategy Development Guide created for the National Association of Regulatory Utility Commissioners (NARUC). While their document focuses on cybersecurity for utility cooperatives and commissions, much of what NARUC suggests can still be more broadly applied to all but the tiniest of businesses. Additional resources such as the American Health Information Management Association's AHIMA Guidelines: The Cybersecurity Plan; National Rural Electric Cooperative Association (NRECA), Cooperative Research Network's Guide to Developing a Cyber Security and Risk Mitigation Plan; and various cybersecurity experts' articles have been reviewed to further supplement the template. This template covers 10 main cybersecurity planning steps, each with multiple sub-steps. Additional commentary, guidance, and citation is included with those sub-steps.
Note that before development begins, you'll want to consider the knowledge resources available and key stakeholders involved. Do you have the expertise available in-house to address all 10 planning steps, or will you need to acquire help from one or more third parties? Who are the key individuals providing critical support to the business and its operations? Having the critical expertise and stakeholders involved with the plan's development process early on can enhance the overall plan and provide for more effective strategic outcomes.
Also remind yourself that completing this plan will likely not require a straightforward, by-the-numbers approach. The most feasible outcome will have you jumping around a few steps and filling in blanks or revising statements in previous portions of the plan. While the ordering of these steps is deliberate, completing them in order may not make the best sense for your organization. Don't be afraid to jump around or go back and update sections you've worked on previously using new-found knowledge. For example, some organizations with limited professional expertise in cybersecurity may find value in jumping to the end of section 5.3 and reviewing the wording of some of the cybersecurity controls early in the process in order to become more familiar with the related vocabulary.
Finally, the various steps of this plan will recommend the development of a variety of other policies, procedures, and documents, e.g., a communications plan and a response and continuity plan. As NIST notes in its SP 800-53 framework, effective security plans make reference to other policy and procedure documents and don't necessarily fully contain those actual policies and procedures themselves. Rather, the plan should "provide explicitly or by reference, sufficient information to define what needs to be accomplished" by those policies and procedures. All of that is to say that when going through the steps below, be cognizant of that advice. Recommendations to make a communications plan or response plan don't necessarily mean those plans should be an actual portion of your overall cybersecurity plan, but rather a component external to the plan yet referenced and detailed sufficiently within the plan.
An Example Cybersecurity Plan
The following instructional template for developing a cybersecurity plan is admittedly a lot of information to take in at once. Some people are much better understanding a concept through examples. As such, what is modestly called An Example Cyberssecurity Plan has been developed to accompany this guide. That example plan includes an introduction to provide more context concerning its creation, as well as a simple outline of the following steps 5.1 through 5.10. The example plan itself comes afterwards, presented from the persepctive of fictional environmental laboratory company ABC123 Co. This example is slightly unorthodox in that it presents a cybersecurity plan in an iterative state of development, emphasizing the "living document" aspect of cybersecurity plan. The document demonstrates the concepts emphasized in this guide, including the concept of referencing other relevant policies and documents without duplicating them within the cybersecurity plan. Note that while a separate document, An Example Cybersecurity Plan is released under the same Creative Commons license as this guide, and those license requirements should still be followed.
Link to file: An Example Cybersecurity Plan
Instructions: After clicking the above link, click the link (underneath the PDF icon) at the top of the resulting page to view in browser, or right-click and "save as" to save a copy.)
5.1. Develop strategic cybersecurity goals and define success
5.1.1 Broadly articulate business goals and how information technology relates
Something should drive you to want to implement a cybersecurity plan. Sometimes the impetus may be external, such as a major breach at another company that affects millions of people. But more often than not, well-formulated business goals and the resources, regulations, and motivations tied to them will propel development of the plan. Business goals have, hopefully, already been developed by the time you consider a cybersecurity plan. Now is the time to identify the technology and data that are tied to those goals. A clinical testing laboratory, for example, may have as a business goal "to provide prompt, accurate analysis of specimens submitted to the laboratory." Does the lab utilize information management systems as a means to better meet that goal? How secure are the systems? What are the consequences of having mission-critical data compromised in said systems?
5.1.2 Articulate why cybersecurity is vital to achieving those goals
Looking to your business goals for the technology, data, and other resources used to achieve those goals gives you an opportunity to turn the magnifying glass towards why the technology, data, and resources need to be secure. For example, the clinical testing lab will likely be dealing with protected health information (PHI), and an electric cooperative must reliably provide service practically 100 percent of the time. Both the data and the service must be protected from physical and cyber intrusion, at risk of significant and costly consequence. Be clear about what the potential consequences actually may be, as well as how business goals could be hindered without proper cybersecurity for critical assets. Or, conversely, clearly state what will be positively achieved by addressing cybersecurity for those assets.
5.1.3 State the cybersecurity mission and define how to achieve it, based on the above
You've stated your business goals, how technology and data plays a role in them, and why it's vital to ensure their security. Now it's time to develop your strategic mission in regards to cybersecurity. You may wish to take a few extra steps before defining the goals of that mission, however. The NARUC has this to say in that regard:
Establishing a strategic [mission] is a critical first step that sets the tone for the entire process of drafting the strategy. Before developing [the mission], a commission may want to do an internal inventory of key stakeholders; conduct blue-sky thinking exercises; and do an environmental assessment and literature review to identify near-, mid-, and long-term drivers of change that may affect its goals.
Whatever cybersecurity mission goals you inevitably declare, you'll want to be sure they "provide a sense of purpose, identity, and long-term direction" and clearly communicate what's most important in regards to cybersecurity to internal and external customers. Also consider adding concise points that paint the overall mission as one dedicated to limiting vulnerabilities and keeping risks mitigated.
5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission
Ensuring executive management is fully on-board with your stated cybersecurity mission is vital. If key business leaders have not been intimately involved with the process as of yet, it is now time to gain their input and full support. As NARUC notes, "with leadership buy-in, it will be easier to institutionalize the idea that cybersecurity is a priority and can result in more readily available resources." Consider what AHIMA calls a "State of the Union" approach to presenting the cybersecurity mission goals to leadership, being prepared to answer questions from them about responsible parties, communication policies, and "cyber insurance." (Answers to such questions are addressed further into this template. You may wish to have some of what follows informally addressed before taking it to leadership. Or perhaps have an agreement to keep leadership appraised throughout cybersecurity plan development, gaining their feedback and overall acceptance of the plan as development comes to a close.)
- Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020.
- Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 23 July 2020.
- Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.
- Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html. Retrieved 23 July 2020.
- Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 23 July 2020.
- Ewing, S. (12 July 2017). "4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans". Delta Risk. https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/. Retrieved 23 July 2020.
- Krasnow, M.J. (February 2017). "Cyber-Security Event Recovery Plans". International Risk Management Institute, Inc. https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans. Retrieved 23 July 2020.
- "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 23 July 2020.
- Talamantes, J. (06 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/. Retrieved 23 July 2020.