Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

From LIMSWiki
Jump to: navigation, search
(5.1.3 Based on the above, state the cybersecurity mission and define how to achieve it)
(5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step)
(5 intermediate revisions by the same user not shown)
Line 125: Line 125:
  
 
====5.3.7 Perform a risk analysis and prioritize risk based on threat, vulnerability, likelihood, and impact====
 
====5.3.7 Perform a risk analysis and prioritize risk based on threat, vulnerability, likelihood, and impact====
With cybersecurity goals, asset inventory, and gap analysis in hand, its time to go comprehensive with risk assessment and prioritization. Regardless of whether or not you're hosting and transmittied PHI or other types of sensitive information, you'll want to look at all your cybersecurity goals, systems, and applications as part of the risk analysis.<ref name="DowningAHIMA17" /> Functions of risk analysis include, but are not limited to<ref name="LebanidzeGuide11" /><ref name="NortonSimilar18" /><ref name="TalamantesDoesYour17" />:
+
With cybersecurity goals, asset inventory, and gap analysis in hand, its time to go comprehensive with risk assessment and prioritization. Regardless of whether or not you're hosting and transmitting PHI or other types of sensitive information, you'll want to look at all your cybersecurity goals, systems, and applications as part of the risk analysis.<ref name="DowningAHIMA17" /> Functions of risk analysis include, but are not limited to<ref name="LebanidzeGuide11" /><ref name="NortonSimilar18" /><ref name="TalamantesDoesYour17" />:
  
 
* considering the operations supporting business goals and how those operations use technology to achieve them;
 
* considering the operations supporting business goals and how those operations use technology to achieve them;
Line 132: Line 132:
 
* compiling the risks identified during threat modeling and architecture analysis and prioritizing them based on threat, vulnerability, likelihood, and impact.
 
* compiling the risks identified during threat modeling and architecture analysis and prioritizing them based on threat, vulnerability, likelihood, and impact.
  
Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks of new employees and third-parties accessing your systems? How easy is it for them to access the software and the hardware? Is the principle of "least privilege" being used appropriately? Have any employee loyalties shifted drastically? Are the vendors supplying your IT and data services thoroughly vetted? These and other questions can supplement the human-based aspect of cybersecurity risk assessment.
+
Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks of new employees and third parties accessing your systems? How easy is it for them to access the software and the hardware? Is the principle of "least privilege" being used appropriately? Have any employee loyalties shifted drastically lately? Are the vendors supplying your IT and data services thoroughly vetted? These and other questions can supplement the human-based aspect of cybersecurity risk assessment.
  
 
====5.3.8 Declare and describe objectives based on the outcomes of the above assessments====
 
====5.3.8 Declare and describe objectives based on the outcomes of the above assessments====
====5.3.9 Develop new policies for passwords, physical security, etc. where gaps have been identified from the above assessments and objectives====
+
After performing all that research, it's finally time to distill it down into a clear set of cybersecurity objectives. Those objectives will act as the underlying core for the actions the business will take to develop policies, fill in security gaps, monitor progress, and educate staff. The objectives that come out of this step "should be specific, realistic, and actionable."<ref name="NARUCCyber18" /> In a world where cyber threats are constantly evolving, being "100 percent secure against cyber threats" is an unrealistic goal, for example.<ref name="NARUCCyber18" />
<ref name="DowningAHIMA17" />
+
 
====5.3.10 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above (NIST security controls are used for this example plan)====
+
One way to go about this process is to go back to the cybersecurity goals you created (see 5.1.3) and place your objectives under the goals they support. Perhaps one of your goals is to promote a culture of cybersecurity awareness among all employees and contractors. Under that goal you could list objectives such as "improve subject-matter expertise among leadership" and "support and encourage biannual cybersecurity training exercises throughout the business." You may also want to, at this point, make mention of what prioritization the objectives have and what progress measurement mechanisms can and should be put in place. Finally, work a certain level of adaptability into the objectives, not only in what they should achieve but also how they should be evaluated and updated. Technology, attack vectors, and even business needs can change rapidly. The objectives you develop should take this into consideration, as should the review and update policy for the cybersecurity plan itself (discussed later).
 +
 
 +
====5.3.9 Identify policies for creation or modification concerning passwords, physical security, etc., particularly where gaps have been identified from the prior assessments and objectives====
 +
Say you previously noted your business has a few password and other access management policies in place, but they are relatively weak compared to where you want to be. If you haven't already, now is a good time to start tracking those and other policies that need to be updated or even created from scratch. Note that you may also discover additional policies that should be addressed during the next step of selecting and refining security controls. Consider performing this step in tandem with the next to gain the clearest idea of all the policy updates the business will require to meet its cybersecurity objectives.
 +
 
 +
====5.3.10 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above====
 +
 
 +
Still need to complete this subsection.
 +
 
 +
(NIST security controls are used for this example plan)
  
 
<br />
 
<br />
Line 144: Line 153:
 
[[File:Opsview Monitor 6.0 Dashboard.jpg|right|440px]]
 
[[File:Opsview Monitor 6.0 Dashboard.jpg|right|440px]]
 
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
 
====5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step====
 +
Your cybersecurity goals are formulated, their associated objectives are set, and security controls are selected. But how should you best measure their implementation, and over what sort of timeline should they be measured? This is where performance indicators come into play. A performance indicator is "an item of information collected at regular intervals to track the performance of a system."<ref name="Fitz-GibbonPerformance90">{{cite book |url=https://books.google.com/books?id=uxK0MUHeiI4C&pg=PA1 |title=Performance Indicators |editor=Fitz-Gibbon, C.T. |publisher=Multilingual Matters Ltd |page=1 |year=1990 |isbn=1853590932}}</ref> They tend not to be perfect measures of performance, but performance indicators remain an important function of quality control and business management. There's also a social aspect to performance indicators: what is the implied message and behavioral implications of implementing such a monitoring system? Does the monitoring of the indicator, in the end, have a beneficial impact?<ref name="Fitz-GibbonPerformance90" />
 +
 +
Regardless of what industry you work in, deciding on the most appropriate indicators is no easy task. In March 2019, Axio CTO Jason Christopher spoke at a cybersecurity summit about security metrics (a metric is typically a number-based measurement within an indicator), with a focus on the energy industry. During that talk, he discussed various myths concerning collecting metric data for indicators, as well as the mixed success of tools such as heat maps and scorecards. After highlighting the difficulties, he gave a few pieces of useful advice. Among the more interesting suggestions he turned to was a security metrics worksheet to better define, understand, and track what you'll measure for your indicators. In his example, he used the EPRI's (Electric Power Research Institute) ''Cyber Security Metrics for the Electric Sector'' document, pulling an example metric and explaining how it was created. Among other aspects, their worksheet format includes an identifier for the metric, the associated organizational goal, and the associated cybersecurity control, which helps ensure the metric is aligned with both organizational policy, existing terminology, and current best practices.<ref name="ChristopherCreating19">{{cite web |url=https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf |format=PDF |title=Creating a Security Metrics Program: How to Measure Success |author=Christopher, J.D. |publisher=Axio |date=18 March 2019 |accessdate=03 December 2019}}</ref><ref name="EPRICyber17">{{cite web |url=https://www.epri.com/#/pages/product/3002010426 |title=Cyber Security Metrics for the Electric Sector: Volume 3 |author=EPRI |date=18 December 2017 |accessdate=03 December 2019}}</ref>
 +
 +
Regardless of industry, you may find it useful to use similar worksheet documentation for the indicators you choose to use. Unfortunately, unlike the EPRI and power industry, many industries don't have a developed set of technical cybersecurity metrics. However, the ground that EPRI has already covered, plus insights gained during the security controls selection process (see 5.3.10), should aid you in choosing the most appropriate indicators. (Jason Christopher's description of the fields of the security metrics worksheet can be found at [https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf sans.org] [PDF]. The EPRI cybersecurity metrics document can be downloaded for free at [https://www.epri.com/#/pages/product/3002010426/?lang=en-US EPRI.com].) Whatever indicators you choose, be sure they are specific, measurable, actionable, relevant, and focused on a timely nature.
 +
 +
Finally, consider the advice of author and strategic adviser Bernard Marr that business shouldn't be run heavily on KPI data. This goes for the development of your indicators for cybersecurity success. Instead, he says, "the focus should be on selecting a robust set of value-adding indicators that serve as the beginning a rich performance discussion focused on the delivery of your strategy." He adds with a reminder that people and actions are behind the indicators, which shouldn't be taken purely at face value.<ref name="MarrKey12">{{cite book |url=https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover |chapter=Introduction |title=Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know |author=Marr, B. |publisher=Pearson UK |year=2012 |page=xxvii |isbn=9780273750116}}</ref>
 +
 
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
 
====5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)====
 
<ref name="DowningAHIMA17" />
 
<ref name="DowningAHIMA17" />

Revision as of 20:45, 3 December 2019

Contents

1. What is a cybersecurity plan and why do you need it?

Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg
Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.[1]

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

2. What are the major standard and regulations dictating cybersecurity action?

3. The NIST Cybersecurity Framework and its control families

4. Fitting a framework or specification into a cybersecurity plan

5. Develop and create the cybersecurity plan

What follows is a template to help guide you in developing your own cybersecurity plan. Remember that this is a template and strategy for developing the cybersecurity plan for your organization, not a regulatory guidance document. This template has at its core a modified version of the template structure suggested in the late 2018 Cybersecurity Strategy Development Guide created for the National Association of Regulatory Utility Commissioners (NARUC).[1] While their document focuses on cybersecurity for utility cooperatives and commissions, much of what NARUC suggests can still be more broadly applied to all but the tiniest of businesses. Additional resources such as AHIMA's AHIMA Guidelines: The Cybersecurity Plan[4]; National Rural Electric Cooperative Association (NRECA), Cooperative Research Network's Guide to Developing a Cyber Security and Risk Mitigation Plan[2]; and various cybersecurity experts' articles[3][5][6][7][8][9] have been reviewed to further supplement the template. This template covers 10 main cybersecurity planning steps, each with multiple sub-steps. Additional commentary, guidance, and citation is included with those sub-steps.

Note that before development begins, you'll want to consider the knowledge resources available and key stakeholders involved. Do you have the expertise available in-house to address all 10 planning steps, or will you need to acquire help from one or more third parties? Who are the key individuals providing critical support to the business and its operations? Having the critical expertise and stakeholders involved with the plan's development process early on can enhance the overall plan and provide for more effective strategic outcomes.[1]

Also remind yourself that completing this plan will likely not require a straightforward, by-the-numbers approach. The most feasible outcome will have you jumping around a few steps and filling in blanks or revising statements in previous portions of the plan. While the ordering of these items is deliberate, completing them step by step may not make the best sense for your organization. Don't be afraid to go back and update sections you've worked on previously using new-found knowledge.


5.1. Develop strategic cybersecurity goals and define success

NICE Cybersecurity Workforce Framework.jpg

5.1.1 Broadly articulate business goals and how information technology relates

Something should drive you to want to implement a cybersecurity plan. Sometimes the impetus may be external, such as a major breach at another company that affects millions of people. But more often than not, well-formulated business goals and the resources, regulations, and motivations tied to them will propel development of the plan. Business goals have, hopefully, already been developed by the time you consider a cybersecurity plan. Now is the time to identify the technology and data that are tied to those goals. A clinical testing laboratory, for example, may have as a business goal "to provide prompt, accurate analysis of specimens submitted to the laboratory." Does the lab utilize information management systems as a means to better meet that goal? How secure are the systems? What are the consequences of having mission-critical data compromised in said systems?

5.1.2 Articulate why cybersecurity is vital to achieving those goals

Looking to your business goals for the technology, data, and other resources used to achieve those goals gives you an opportunity to turn the magnifying glass towards why the technology, data, and resources need to be secure. For example, the clinical testing lab will likely be dealing with protected health information (PHI), and an electric cooperative must reliably provide service practically 100 percent of the time. Both the data and the service must be protected from physical and cyber intrusion, at risk of significant and costly consequence. Be clear about what the potential consequences actually may be, as well as how business goals could be hindered without proper cybersecurity for critical assets. Or, conversely, clearly state what will be positively achieved by addressing cybersecurity for those assets.

5.1.3 State the cybersecurity mission and define how to achieve it, based on the above

You've stated your business goals, how technology and data plays a role in them, and why it's vital to ensure their security. Now it's time to develop your strategic mission in regards to cybersecurity. You may wish to take a few extra steps before defining the goals of that mission, however. The NARUC has this to say in that regard[1]:

Establishing a strategic [mission] is a critical first step that sets the tone for the entire process of drafting the strategy. Before developing [the mission], a commission may want to do an internal inventory of key stakeholders; conduct blue-sky thinking exercises; and do an environmental assessment and literature review to identify near-, mid-, and long-term drivers of change that may affect its goals.

Whatever cybersecurity mission goals you inevitably declare, you'll want to be sure they "provide a sense of purpose, identity, and long-term direction" and clearly communicate what's most important in regards to cybersecurity to internal and external customers. Also consider adding concise points that paint the overall mission as one dedicated to limiting vulnerabilities and keeping risks mitigated.[1]

5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission

Ensuring executive management is fully on-board with your stated cybersecurity mission is vital. If key business leaders have not been intimately involved with the process as of yet, it is now time to gain their input and full support. As NARUC notes, "with leadership buy-in, it will be easier to institutionalize the idea that cybersecurity is a priority and can result in more readily available resources."[1] Consider what AHIMA calls a "State of the Union" approach to presenting the cybersecurity mission goals to leadership, being prepared to answer questions from them about responsible parties, communication policies, and "cyber insurance."[4] (Answers to such questions are addressed further into this template. You may wish to have some of what follows informally addressed before taking it to leadership. Or perhaps have an agreement to keep leadership appraised throughout cybersecurity plan development, gaining their feedback and overall acceptance of the plan as development comes to a close.)


5.2 Define scope and responsibilities

Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg

5.2.1 Define the scope and applicability through key requirements and boundaries

Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.

How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.[1] One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.[1][2] When considering those boundaries, remember the following[2]:

  • An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
  • The system is more than just hardware; the interfaces—physical and logical—as well as communication protocols also make up the system.
  • The system has physical, logical, and security control boundaries, as well as data flows tied to those boundaries.
  • The data housed and transmitted in the system is likely composed of varying degrees of sensitivity, further shaping boundaries.
  • The information system's primary functions are directly tied to the goals of the business.

Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."[10] Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.

Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.

5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan

You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to who, as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.[1][2][8][9]

5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear

Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and cloud providers—is vital. This typically involves encouraging transparency of cybersecurity and responsibility goals of the organization, as well as addressing everyday communications and education of everyone affected by the cybersecurity plan.[1][2][8] However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.


5.3 Identify cybersecurity requirements and objectives

Cybersecurity Strategy 5 Layer CS5L.png

5.3.1 Detail the existing system and classify its critical and non-critical cyber assets

AHIMA recommends you "create an information asset inventory as a base for risk analysis that defines where all data and information are stored across the entire organization."[4] Consider any applications and systems used within the periphery of your operations, including business intelligence software, mobile devices, and legacy systems. Remember that any networked application or system could potentially be compromised and turned into a vector of attack. Additionally, classify and gauge those assets' based on type, risk, and criticality. What are their essential functions? How can they be grouped? How do they communicate: internally, externally, or not at all?[2] As AHIMA notes, you'll be able to use this asset inventory, in combination with a variety of additional assessments described below, as a base for your risk assessment.

5.3.2 Define the contained data and classify its criticality

During the asset inventory, you'll also want to address classifying the type of data contained or transported by the cyber asset, which aids in decision making regarding the controls you'll need to adequately protect the assets.[2] Use a consistent set of nomenclature to define the data. For example, if you look at universities such as the University of Illinois and Carnagie Mellon University, they provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal" and "public,"[11] whereas Carnagie Mellon uses "restricted," "private," and "public."[12] You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.[2] Consider also adding additional details about whether the data is in motion, in use, or at rest.[13]

If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example[2][14]:

  • Does the data identify an individual directly?
  • Does the data relate specifically to an identifiable person?
  • Could the data—when processed, lost, or misused—have an impact on an individual?

5.3.3 Identify current and previous cybersecurity policy and tools, as well as their effectiveness

Unless your business is in the formative stages, some type of technology infrastructure and policy likely exists. What, if any, cybersecurity policies and tools have you implemented in the past? Review any current access control protocols (e.g., role-based and "least privilege" policies) and security policies. Have they been updated to take into consideration recent changes in threats, risks, criticality, technology, or regulation?[4][3][8] In the same way, identify any past security policies and why they were discontinued. It may be convenient to track all these security protocols and policies in a master sheet, rather than spread out across multiple documents. Also, now might be a good time to identify how security-aware personnel are overall.[3] Of course, if protocols and policies aren't in place, create them, remembering to include proper communication, scheduled policy reviews, and training into the equation.

5.3.4 Identify the regulations, standards, and best practices affecting your assets and data

Arguably, most business types will be impacted by regulations, standards, or best practices. Even niche professions like cinema editors are guided by best practices set forth by professional organizations.[15] In the case of laboratories, multiple regulations and standards apply to operations, including information management and privacy practices. Presumably one or more executives in your business are familiar with the legal and professional aspects of how the business should be run. If not, significant research and outside consultant help may be required. Regardless, when approaching this task, ensure everyone understands the distinctions among "regulation," "standard," and "best practice."

Remember that while regulators may dictate how you manage your cybersecurity assets, setting policy that goes above and beyond regulation is occasionally detrimental to your business. Data retention requirements, for example, are important to consider, not only for regulatory purposes but also data management and security reasons. To be sure, numerous U.S. Code of Federal Regulations (e.g., 21 CFR Part 11, 40 CFR Part 141, and 45 CFR Part 164), European Union regulations (e.g., E.U. Annex 11 and E.U. Commission Directive 2003/94/EC), and even global entities (e.g., WHO Technical Report Series, #986, Annex 2) address the need for record retention. However, as AHIMA points out, records shouldn't be kept forever[4]:

Healthcare organizations have been storing and maintaining records and information well beyond record retention requirements. This creates significant additional security risks as systems and records must be maintained, patched, backed up, and provisioned (access) for longer than necessary or required by law ... In the era of big data the idea of keeping “everything forever” must end. It simply is not feasible, practical, or economical to secure legacy and older systems forever.

This example illustrates the idea that while regulatory compliance is imperative, going well beyond compliance limits has its own costs, not only financially but also by increasing cybersecurity risk.

5.3.5 Identify and analyze logical and physical system entry points and configurations

This step is actually closely tied to the next step concerning gap analysis. As such, you may wish to address both steps together. You've already identified your critical and non-critical assets, and performing a gap analysis on them may be a useful start in finding and analyzing the logical entry points of a system. But what are some of the most common entry points that attackers may use?[16][17][18][19]

  • Inbound network-based attacks through software, network gateways, and online repositories
  • Inbound network-based attacks through misconfigured firewalls and gateways
  • Access to systems using stolen credentials (networked and physical)
  • Access to peripheral systems via communication protocols, insecure credentials, etc. through lateral movement in the network

From email and enterprise resource planning (ERP) applications and servers to networking devices and tools, a wide variety of vectors for attack exist in the system, some more common than others. Analyzing these components and configurations takes significant expertise. If internal expertise is unavailable for this, it may require a third-party security assessment to gain a clearer picture of the entry points into your system. Even employees and their lack of cybersecurity knowledge may represent points of entry, via phishing schemes.[4][19] This is where training and internal random testing (addressed later) come into play.[4]

Physical access to system components and data also represent a significant attack vector, more so in particular industries and network set-ups. For example, industrial control systems in manufacturing plants may require extra consideration, with some control system vendors now offering an added layer of physical security in the form of physical locks that prevent code from being executed on the controller.[17] Cloud-based data centers and field-based monitoring systems represent other specialist situations requiring added physical controls.[2][4][8] That's not to say that even small businesses shouldn't worry about physical security; their workstations, laptops, USB drives, mobile devices, etc. can be compromised if made easy for the general public to access offices and other work spaces.[8] In regulated environments, physical access controls and facility monitoring may even be mandated.

5.3.6 Perform a gap analysis

A gap analysis is different from a risk analysis in that the gap analysis represents a high-level, narrowly-focused comparison of the technical, physical, and administrative safeguards in place with how well they actually perform against a cyber attack. As such, the gap analysis can be thought of as introduction to potential vulnerabilities in a system, which is part of an overall risk analysis.[5] The gap analysis asks what your cyber capabilities are, what the major threats are, and what the differences are between the two. Additionally, you may want to consider what the potential impacts would be if a threat were realized.[1]

The gap analysis can also be looked at as measure of current safeguards in place vs. what industry best practice controls dictate. This may be done by choosing an industry standard security framework—we're using the NIST Cybersecurity Framework for this guide— and evaluating key stakeholder policies, responsibilities, and processes against that framework.[20]

5.3.7 Perform a risk analysis and prioritize risk based on threat, vulnerability, likelihood, and impact

With cybersecurity goals, asset inventory, and gap analysis in hand, its time to go comprehensive with risk assessment and prioritization. Regardless of whether or not you're hosting and transmitting PHI or other types of sensitive information, you'll want to look at all your cybersecurity goals, systems, and applications as part of the risk analysis.[4] Functions of risk analysis include, but are not limited to[2][5][9]:

  • considering the operations supporting business goals and how those operations use technology to achieve them;
  • considering the various ways the system functionality and entry points could be abused and compromised (threat modeling);
  • comparing the current system's or component's architecture and features to various threat models; and
  • compiling the risks identified during threat modeling and architecture analysis and prioritizing them based on threat, vulnerability, likelihood, and impact.

Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks of new employees and third parties accessing your systems? How easy is it for them to access the software and the hardware? Is the principle of "least privilege" being used appropriately? Have any employee loyalties shifted drastically lately? Are the vendors supplying your IT and data services thoroughly vetted? These and other questions can supplement the human-based aspect of cybersecurity risk assessment.

5.3.8 Declare and describe objectives based on the outcomes of the above assessments

After performing all that research, it's finally time to distill it down into a clear set of cybersecurity objectives. Those objectives will act as the underlying core for the actions the business will take to develop policies, fill in security gaps, monitor progress, and educate staff. The objectives that come out of this step "should be specific, realistic, and actionable."[1] In a world where cyber threats are constantly evolving, being "100 percent secure against cyber threats" is an unrealistic goal, for example.[1]

One way to go about this process is to go back to the cybersecurity goals you created (see 5.1.3) and place your objectives under the goals they support. Perhaps one of your goals is to promote a culture of cybersecurity awareness among all employees and contractors. Under that goal you could list objectives such as "improve subject-matter expertise among leadership" and "support and encourage biannual cybersecurity training exercises throughout the business." You may also want to, at this point, make mention of what prioritization the objectives have and what progress measurement mechanisms can and should be put in place. Finally, work a certain level of adaptability into the objectives, not only in what they should achieve but also how they should be evaluated and updated. Technology, attack vectors, and even business needs can change rapidly. The objectives you develop should take this into consideration, as should the review and update policy for the cybersecurity plan itself (discussed later).

5.3.9 Identify policies for creation or modification concerning passwords, physical security, etc., particularly where gaps have been identified from the prior assessments and objectives

Say you previously noted your business has a few password and other access management policies in place, but they are relatively weak compared to where you want to be. If you haven't already, now is a good time to start tracking those and other policies that need to be updated or even created from scratch. Note that you may also discover additional policies that should be addressed during the next step of selecting and refining security controls. Consider performing this step in tandem with the next to gain the clearest idea of all the policy updates the business will require to meet its cybersecurity objectives.

5.3.10 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above

Still need to complete this subsection.

(NIST security controls are used for this example plan)


5.4 Establish performance indicators and associated time frames

Opsview Monitor 6.0 Dashboard.jpg

5.4.1 Determine baselines and indicators based on the assessments and objectives from the previous step

Your cybersecurity goals are formulated, their associated objectives are set, and security controls are selected. But how should you best measure their implementation, and over what sort of timeline should they be measured? This is where performance indicators come into play. A performance indicator is "an item of information collected at regular intervals to track the performance of a system."[21] They tend not to be perfect measures of performance, but performance indicators remain an important function of quality control and business management. There's also a social aspect to performance indicators: what is the implied message and behavioral implications of implementing such a monitoring system? Does the monitoring of the indicator, in the end, have a beneficial impact?[21]

Regardless of what industry you work in, deciding on the most appropriate indicators is no easy task. In March 2019, Axio CTO Jason Christopher spoke at a cybersecurity summit about security metrics (a metric is typically a number-based measurement within an indicator), with a focus on the energy industry. During that talk, he discussed various myths concerning collecting metric data for indicators, as well as the mixed success of tools such as heat maps and scorecards. After highlighting the difficulties, he gave a few pieces of useful advice. Among the more interesting suggestions he turned to was a security metrics worksheet to better define, understand, and track what you'll measure for your indicators. In his example, he used the EPRI's (Electric Power Research Institute) Cyber Security Metrics for the Electric Sector document, pulling an example metric and explaining how it was created. Among other aspects, their worksheet format includes an identifier for the metric, the associated organizational goal, and the associated cybersecurity control, which helps ensure the metric is aligned with both organizational policy, existing terminology, and current best practices.[22][23]

Regardless of industry, you may find it useful to use similar worksheet documentation for the indicators you choose to use. Unfortunately, unlike the EPRI and power industry, many industries don't have a developed set of technical cybersecurity metrics. However, the ground that EPRI has already covered, plus insights gained during the security controls selection process (see 5.3.10), should aid you in choosing the most appropriate indicators. (Jason Christopher's description of the fields of the security metrics worksheet can be found at sans.org [PDF]. The EPRI cybersecurity metrics document can be downloaded for free at EPRI.com.) Whatever indicators you choose, be sure they are specific, measurable, actionable, relevant, and focused on a timely nature.

Finally, consider the advice of author and strategic adviser Bernard Marr that business shouldn't be run heavily on KPI data. This goes for the development of your indicators for cybersecurity success. Instead, he says, "the focus should be on selecting a robust set of value-adding indicators that serve as the beginning a rich performance discussion focused on the delivery of your strategy." He adds with a reminder that people and actions are behind the indicators, which shouldn't be taken purely at face value.[24]

5.4.2 Determine how to measure progress and assess performance (quantitative vs. qualitative) and what tools are needed for such measurement and assessment (e.g., monitoring anomalous activity, system and asset activity logging)

[4]


5.5 Identify key stakeholders

Stakeholder for Software projects.png

5.5.1 Determine what external (federal, state, local, and private) entities the business currently interacts with

5.5.2 Determine what internal entities or people may act as cybersecurity stakeholders

5.5.3 Define how those stakeholders shape the cybersecurity plan and its strategic goals


5.6 Determine resource needs

Figure 1- Cybersecurity Funding at IRS, Fiscal Years 2014 Estimated, 2015 Actual, 2016 Enacted, and 2017 Requested (Dollars in Millions) (28979530692).jpg

5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired

5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity

5.6.3 Review the budget


5.7 Develop a communications plan

Cybersecurity and the nation's digital future.jpg

5.7.1 Address the need for transparency in improving the cybersecurity culture

5.7.2 Determine guidelines for everyday communication (e.g., informing third parties of organization privacy policies) and mandatory reporting to meet cybersecurity goals

[4]

5.7.3 Determine guidelines for handling or discussing sensitive information

5.7.4 Address incident reporting and response (consider the use of playbooks, report templates, and training drills) as well as corrective action

5.7.5 Address cybersecurity training methodology, requirements, and status tracking

[4]


5.8 Develop a recovery and continuity plan

Micro Data Center.jpg

5.8.1 Consider linking a cybersecurity incident recovery plan and communication tools with a business continuity plan and its communication tools

[4]

5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria

[4]


5.9 Establish how the overall cybersecurity plan will be implemented

Cybersecurity.png

5.9.1 Detail the specific steps regarding how all the above will be implemented

5.9.2 State the major implementation milestones

5.9.3 Determine how best to communicate progress on the plan’s implementation


5.10 Review progress

Cybersecurity Controls - Lunch N' Learn Session (37382400940).jpg

5.10.1 Monitor and assess the effectiveness of security controls

5.10.2 Review how to capture and incorporate corrective action procedures and results

5.10.3 Determine how often to review and update the cybersecurity plan

5.10.4 Determine external sources for “lessons learned” and how to incorporate them for improving cybersecurity strategy

6. Closing remarks

Appendix 1. A revised NIST Cybersecurity Framework, tied to LIMSpec

6.1 Access control

6.2 Awareness and training

6.3 Audit and accountability

6.4 Security assessment and authorization

6.5 Configuration management

6.6 Contingency planning

6.7 Identification and authentication

6.8 Incident response

6.9 Maintenance

6.10 Media protection

6.11 Physical and environmental protection

6.12 Planning

6.13 Personnel security

6.14 Risk assessment

6.15 System and services acquisition

6.16 System and communication protection

6.17 System and information integrity

References

  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 29 November 2019. 
  2. 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 29 November 2019. 
  3. 3.0 3.1 3.2 3.3 Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html. Retrieved 29 November 2019. 
  4. 4.00 4.01 4.02 4.03 4.04 4.05 4.06 4.07 4.08 4.09 4.10 4.11 4.12 4.13 4.14 Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 29 November 2019. 
  5. 5.0 5.1 5.2 5.3 Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 29 November 2019. 
  6. 6.0 6.1 Ewing, S. (12 July 2017). "4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans". Delta Risk. https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/. Retrieved 29 November 2019. 
  7. 7.0 7.1 Krasnow, M.J. (February 2017). "Cyber-Security Event Recovery Plans". International Risk Management Institute, Inc. https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans. Retrieved 29 November 2019. 
  8. 8.0 8.1 8.2 8.3 8.4 8.5 8.6 "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 29 November 2019. 
  9. 9.0 9.1 9.2 9.3 Talamantes, J. (06 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/. Retrieved 29 November 2019. 
  10. "Cybersecurity Futures 2025". Institute for Public Research. CNA. 2019. https://www.cna.org/centers/ipr/safety-security/cyber-security-project. Retrieved 29 November 2019. 
  11. "Data Classification Overview". Cybersecurity. University of Illinois System. 2019. https://cybersecurity.uillinois.edu/data_classification. Retrieved 30 November 2019. 
  12. "Guidelines for Data Classification". Information Security Office Guidelines. Carnegie Mellon University. 23 May 2018. https://www.cmu.edu/iso/governance/guidelines/data-classification.html. Retrieved 30 November 2019. 
  13. Bowie, K. (09 April 2019). "SEC Cybersecurity Guidance: Data Loss Prevention". Adelia Associates, LLC. https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/. 
  14. Koch, R. (01 February 2019). "What is considered personal data under the EU GDPR?". Proton Technologies AG. https://gdpr.eu/eu-gdpr-personal-data/. Retrieved 30 November 2019. 
  15. "ACE Best Practices Guide for Post Production". American Cinema Editors. 2017. https://americancinemaeditors.org/best-practices-guide/. Retrieved 01 December 2019. 
  16. Kumar, A.J. (06 September 2016). "Discovering Entry Points". InfoSec Institute. https://resources.infosecinstitute.com/discovering-entry-points/. Retrieved 01 December 2019. 
  17. 17.0 17.1 Ahmed, O.; Rehman, A.; Habib, A. (12 May 2019). "Industrial control system (ICS) cybersecurity advice, best practices". Control Engineering. CFE Media LLC. https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/. Retrieved 01 December 2019. 
  18. Bonderud, D. (11 June 2019). "Podcast: Lateral Movement: Combating High-Risk, Low-Noise Threats". SecurityIntelligence. IBM. https://securityintelligence.com/media/podcast-lateral-movement-combating-high-risk-low-noise-threats/. Retrieved 01 December 2019. 
  19. 19.0 19.1 "Incident Classification Patterns and Subsets". 2019 Data Breach Investigations Report. Verizon. 2019. https://enterprise.verizon.com/resources/reports/dbir/2019/incident-classification-patterns-subsets/. Retrieved 01 December 2019. 
  20. Sell, C. (28 January 2015). "How To Conduct An Information Security Gap Analysis". CIO. IDG Communications, Inc. https://www.cio.com/article/2876708/how-to-conduct-an-information-security-gap-analysis.html. Retrieved 01 December 2019. 
  21. 21.0 21.1 Fitz-Gibbon, C.T., ed. (1990). Performance Indicators. Multilingual Matters Ltd. p. 1. ISBN 1853590932. https://books.google.com/books?id=uxK0MUHeiI4C&pg=PA1. 
  22. Christopher, J.D. (18 March 2019). "Creating a Security Metrics Program: How to Measure Success" (PDF). Axio. https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf. Retrieved 03 December 2019. 
  23. EPRI (18 December 2017). "Cyber Security Metrics for the Electric Sector: Volume 3". https://www.epri.com/#/pages/product/3002010426. Retrieved 03 December 2019. 
  24. Marr, B. (2012). "Introduction". Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know. Pearson UK. p. xxvii. ISBN 9780273750116. https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover.