Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Define scope and responsibilities"

From LIMSWiki
m (Suppress TOC autonumbering)
(Updated for 2023.)
 
Line 5: Line 5:
Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.  
Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.  


How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=23 July 2020}}</ref> One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref> When considering those boundaries, remember the following<ref name="LebanidzeGuide11" />:
How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=21 March 2023}}</ref> One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=21 March 2023}}</ref> When considering those boundaries, remember the following<ref name="LebanidzeGuide11" />:


* An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
* An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
Line 13: Line 13:
* The information system's primary functions are directly tied to the goals of the business.
* The information system's primary functions are directly tied to the goals of the business.


Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."<ref name="CNACyber19">{{cite web |url=https://www.cna.org/centers/ipr/safety-security/cyber-security-project |title=Cybersecurity Futures 2025 |work=Institute for Public Research |publisher=CNA |date=2019 |accessdate=23 July 2020}}</ref> Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.  
Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."<ref name="CNACyber19">{{cite web |url=https://www.cna.org/centers/ipr/safety-security/cyber-security-project |archiveurl=https://web.archive.org/web/20220109120854/https://www.cna.org/centers/ipr/safety-security/cyber-security-project |title=Cybersecurity Futures 2025 |work=Institute for Public Research |publisher=CNA |date=2019 |archivedate=09 January 2022 |accessdate=21 March 2023}}</ref> Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.  


Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.
Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.


====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to who, as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=23 July 2020}}</ref><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/ |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=23 July 2020}}</ref>
You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to who as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=21 March 2023}}</ref><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=21 March 2023}}</ref>


====5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear====
====5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear====
Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and cloud providers—is vital. This typically involves encouraging transparency of cybersecurity and responsibility goals of the organization, as well as addressing everyday communications and education of everyone affected by the cybersecurity plan.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18" /> However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.
Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and [[Cloud computing|cloud providers]]—is vital. This typically involves encouraging transparency of cybersecurity and responsibility goals of the organization, as well as addressing everyday communications and education of everyone affected by the cybersecurity plan.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18" /> However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.
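Review bot: The archive handling is inconsistent across the updated references in this hunk. The CNACyber19 citation gains an archiveurl and archivedate alongside its refreshed accessdate, but the CopelandHowToDev18 and TalamantesDoesYour17 citations only have their accessdate bumped to 21 March 2023 (and the RedTeam URL loses its trailing slash). Since all three are blog or project pages that can disappear, consider adding archiveurl/archivedate pairs to the other two as well so the refreshed access dates remain verifiable.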

Latest revision as of 15:25, 21 March 2023

5.2 Define scope and responsibilities

[Image: Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg]

5.2.1 Define the scope and applicability through key requirements and boundaries

Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.

How broad a scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to address operational technology (OT) assets as well.[1] One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.[1][2] When considering those boundaries, remember the following[2]:

  • An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
  • The system is more than just hardware; the interfaces—physical and logical—as well as communication protocols also make up the system.
  • The system has physical, logical, and security control boundaries, as well as data flows tied to those boundaries.
  • The data housed and transmitted in the system is likely composed of varying degrees of sensitivity, further shaping boundaries.
  • The information system's primary functions are directly tied to the goals of the business.

Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."[3] Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.

Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.

5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan

You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to whom as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also who's responsible for implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.[1][2][4][5]

5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear

Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and cloud providers—is vital. This typically involves encouraging transparency about the organization's cybersecurity and responsibility goals, as well as addressing everyday communications with, and education of, everyone affected by the cybersecurity plan.[1][2][4] However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.

  1. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 21 March 2023.
  2. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 21 March 2023.
  3. CNA (2019). "Cybersecurity Futures 2025". Institute for Public Research. Archived from the original on 9 January 2022. https://web.archive.org/web/20220109120854/https://www.cna.org/centers/ipr/safety-security/cyber-security-project. Retrieved 21 March 2023.
  4. Copeland Technology Solutions (17 July 2018). "How to Develop A Cybersecurity Plan For Your Company (checklist included)". https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 21 March 2023.
  5. Talamantes, J. (6 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update. Retrieved 21 March 2023.