Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

Revision as of 19:22, 14 December 2019

1. What is a cybersecurity plan and why do you need it?

Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg

From law firms^[1] to automotive manufacturers^[2], the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year^[3], though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses^[4] In the end, businesses of all sizes average to about $200,000 in losses due to a cybersecurity incident^[5], and nearly 60 percent of small and midsized businesses go bankrupt within six months because of it.^[6]

It's not just large corporations at risk; small businesses of all types are also subject to cyber crimes. Juniper Research reports that despite small businesses making up over 99 percent of all companies, approximately 13 percent of overall cybersecurity spending came from those small businesses in 2018, amounting to about $500 per business.^[7] Even the tiniest of businesses face cybersecurity risks today. The independent contractor with a WordPress-based website advertising their knowledge and skills must still ensure all website plugins and themes are updated and install security plugins to close potential vulnerabilities in the software. Without these precautions, hackers could spread malware, steal user data, add the website to a bot network, or hack it just for fun and learning.^[8]^[9]^[10]

A late 2018 audit of Fortune 500 companies found a mix of good and bad news: they're doing better at reducing the number of entry points for hackers to enter their systems, yet susceptibility to fraudulent email remains a major concern.^[11]Additionally, Fortune 500 companies are still lagging behind in public transparency of showing a commitment to cybersecurity and protecting customer data.^[12] More broadly, roughly 60 to 70 percent of all companies are still ill-prepared for cyber threats, either not having an up-to-date cybersecurity strategy or having no plan at all.^[6]^[10] All this, despite the fact that cybercrime appears to only be getting worse for everyone.

The most solid first steps any organization or individual can take to limit the potential effects of cybercrime is to learn more about the threat and to develop a cybersecurity strategy. For most organizations, this means developing a cybersecurity plan.

A cybersecurity plan is a developed, distributed, reviewed, updated, and protected collection of assessments, analyses, requirements, controls, goals, policies, performance indicators, and metrics that shapes how an organization protects against and responds to cybersecurity threats. Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.^[13]

This guide attempts to assist organizations and individuals with overcoming the involved complexities cybersecurity plan development and preventing becoming another cybersecurity statistic. It addresses the major standards and regulations affecting cybersecurity, in particular the National Institute of Standards and Technology's Cybersecurity Framework and related controls. Also addressed is how to best incorporate a cybersecurity framework and controls into your plan development. Afterwards, a 10-step plan of attack is presented in detail, followed by closing comments. At the end of this guide, we include an appendix containing a slightly more simplified wording of NIST's most popular cybersecurity controls, as well as mappings to this wiki's own LIMSpec for laboratory informatics solutions.

Note that this guide has been written with the intent to broadly cover multiple industries. However, it does have a slight lean towards laboratories, particularly those implementing information systems. Despite that, there should be sufficient information contained herein to be helpful to most people attempting to navigate the challenges of consistently applying cybersecurity goals and policies to their organization.

2. What are the major standard and regulations dictating cybersecurity action?

3. The NIST Cybersecurity Framework and its control families

4. Fitting a framework or specification into a cybersecurity plan

5. Develop and create the cybersecurity plan

https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel28

6. Closing remarks

Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec

https://www.limswiki.org/index.php/User:Shawndouglas/sandbox/sublevel30

References

↑ Sobowale, J. (1 March 2017). "Law firms must manage cybersecurity risks". ABA Journal. American Bar Association. http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/. Retrieved 14 December 2019.
↑ Watney, C.; Draffin, C. (November 2017). "Addressing new challenges in automotive cybersecurity" (PDF). R Street Policy Study No. 118. R Street Institute. https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf. Retrieved 14 December 2019.
↑ Lewis, J.A. (21 February 2018). "Economic Impact of Cybercrime". Center for Strategic & International Studies. https://www.csis.org/analysis/economic-impact-cybercrime. Retrieved 14 December 2019.
↑ "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 14 December 2019.
↑ "Hiscox Cyber Readiness Report 2019" (PDF). Hiscox Ltd. April 2019. https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf. Retrieved 14 December 2019.
↑ ^6.0 ^6.1 Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 14 December 2019.
↑ "Cybersecurity Breaches to Result in over 146 Billion Records Being Stolen by 2023". Juniper Research. 8 August 2018. https://www.juniperresearch.com/press/press-releases/cybersecurity-breaches-to-result-in-over-146-bn. Retrieved 14 December 2019.
↑ Grima, M. (14 November 2019). "Top reasons why WordPress websites get hacked (and how you can stop it)". WP White Security. https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/. Retrieved 14 December 2019.
↑ Moen, D. (19 April 2016). "What Hackers Do With Compromised WordPress Sites". Wordfence Blog. Defiant, Inc. https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/. Retrieved 14 December 2019.
↑ ^10.0 ^10.1 Talaleve, A. (May 2019). "Website Hacking Statistics (Updated 2019)". WebARX. https://www.webarxsecurity.com/website-hacking-statistics-2018-february/. Retrieved 14 December 2019.
↑ Uchill, J. (11 December 2018). "Fortune 500 cybersecurity is better and worse than you'd think". Axios. https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html. Retrieved 14 December 2019.
↑ Stahie, S. (4 October 2019). "Fortune 500 Companies Take Cyber Security for Granted". Security Boulevard. https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/. Retrieved 14 December 2019.
↑ Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 29 November 2019.

[SobowaleLaw17-1] Sobowale, J. (1 March 2017). "Law firms must manage cybersecurity risks". ABA Journal. American Bar Association. http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/. Retrieved 14 December 2019.

[WatneyAddress17-2] Watney, C.; Draffin, C. (November 2017). "Addressing new challenges in automotive cybersecurity" (PDF). R Street Policy Study No. 118. R Street Institute. https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf. Retrieved 14 December 2019.

[LewisEcon18-3] Lewis, J.A. (21 February 2018). "Economic Impact of Cybercrime". Center for Strategic & International Studies. https://www.csis.org/analysis/economic-impact-cybercrime. Retrieved 14 December 2019.

[SBDCC_BlogCost17-4] "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 14 December 2019.

[HiscoxHiscox19.22-5] "Hiscox Cyber Readiness Report 2019" (PDF). Hiscox Ltd. April 2019. https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf. Retrieved 14 December 2019.

[Galvin60_18-6] 6.0 ^6.1 Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 14 December 2019.

[JuniperCyber18-7] "Cybersecurity Breaches to Result in over 146 Billion Records Being Stolen by 2023". Juniper Research. 8 August 2018. https://www.juniperresearch.com/press/press-releases/cybersecurity-breaches-to-result-in-over-146-bn. Retrieved 14 December 2019.

[GrimaTop19-8] Grima, M. (14 November 2019). "Top reasons why WordPress websites get hacked (and how you can stop it)". WP White Security. https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/. Retrieved 14 December 2019.

[MoenWhatHack16-9] Moen, D. (19 April 2016). "What Hackers Do With Compromised WordPress Sites". Wordfence Blog. Defiant, Inc. https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/. Retrieved 14 December 2019.

[TalalevWebsite19-10] 10.0 ^10.1 Talaleve, A. (May 2019). "Website Hacking Statistics (Updated 2019)". WebARX. https://www.webarxsecurity.com/website-hacking-statistics-2018-february/. Retrieved 14 December 2019.

[UchillFortune18-11] Uchill, J. (11 December 2018). "Fortune 500 cybersecurity is better and worse than you'd think". Axios. https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html. Retrieved 14 December 2019.

[StahieFortune19-12] Stahie, S. (4 October 2019). "Fortune 500 Companies Take Cyber Security for Granted". Security Boulevard. https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/. Retrieved 14 December 2019.

[NARUCCyber18-13] Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 29 November 2019.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

@@ Line 1: / Line 1: @@
 <div class="nonumtoc">__TOC__</div>
 ==1. What is a cybersecurity plan and why do you need it?==
-From law firms<ref name="SobowaleLaw17">{{cite web |url=http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/ |title=Law firms must manage cybersecurity risks |author=Sobowale, J. |work=ABA Journal |publisher=American Bar Association |date=01 March 2017 |accessdate=14 December 2019}}</ref> to automotive manufacturers<ref name="WatneyAddress17">{{cite web |url=https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf |format=PDF |title=Addressing new challenges in automotive cybersecurity |author=Watney, C.; Draffin, C. |work=R Street Policy Study No. 118 |publisher=R Street Institute |date=November 2017 |accessdate=14 December 2019}}</ref>, the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year<ref name="LewisEcon18">{{cite web |url=https://www.csis.org/analysis/economic-impact-cybercrime |title=Economic Impact of Cybercrime |author=Lewis, J.A. |publisher=Center for Strategic & International Studies |date=21 February 2018 |accessdate=14 December 2019}}</ref>, though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |accessdate=14 December 2019}}</ref> In the end, businesses of all sizes average to about $200,000 in losses due to a cybersecurity incident<ref name=HiscoxHiscox19">{{cite web |url=https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf |format=PDF |title=Hiscox Cyber Readiness Report 2019 |publisher=Hiscox Ltd |date=April 2019 |accessdate=14 December 2019}}</ref>, and nearly 60 percent of small and midsized businesses go bankrupt within six months because of it.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=14 December 2019}}</ref>
+[[File:Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg|right|400px]]From law firms<ref name="SobowaleLaw17">{{cite web |url=http://www.abajournal.com/magazine/article/managing_cybersecurity_risk/ |title=Law firms must manage cybersecurity risks |author=Sobowale, J. |work=ABA Journal |publisher=American Bar Association |date=01 March 2017 |accessdate=14 December 2019}}</ref> to automotive manufacturers<ref name="WatneyAddress17">{{cite web |url=https://www.rstreet.org/wp-content/uploads/2018/04/118-1.pdf |format=PDF |title=Addressing new challenges in automotive cybersecurity |author=Watney, C.; Draffin, C. |work=R Street Policy Study No. 118 |publisher=R Street Institute |date=November 2017 |accessdate=14 December 2019}}</ref>, the need to address cybersecurity is increasingly apparent. In 2018, the Center for Strategic & International Studies estimated that cybercrime causes close to $600 billion in damages to the global economy every year<ref name="LewisEcon18">{{cite web |url=https://www.csis.org/analysis/economic-impact-cybercrime |title=Economic Impact of Cybercrime |author=Lewis, J.A. |publisher=Center for Strategic & International Studies |date=21 February 2018 |accessdate=14 December 2019}}</ref>, though due to underreporting of crimes, that number may be much higher. That number also likely doesn't take into account lost business, fines, litigation, and intangible losses<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |accessdate=14 December 2019}}</ref> In the end, businesses of all sizes average to about $200,000 in losses due to a cybersecurity incident<ref name=HiscoxHiscox19">{{cite web |url=https://www.hiscox.com/documents/2019-Hiscox-Cyber-Readiness-Report.pdf |format=PDF |title=Hiscox Cyber Readiness Report 2019 |publisher=Hiscox Ltd |date=April 2019 |accessdate=14 December 2019}}</ref>, and nearly 60 percent of small and midsized businesses go bankrupt within six months because of it.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=14 December 2019}}</ref>
 It's not just large corporations at risk; small businesses of all types are also subject to cyber crimes. Juniper Research reports that despite small businesses making up over 99 percent of all companies, approximately 13 percent of overall cybersecurity spending came from those small businesses in 2018, amounting to about $500 per business.<ref name="JuniperCyber18">{{cite web |url=https://www.juniperresearch.com/press/press-releases/cybersecurity-breaches-to-result-in-over-146-bn |title=Cybersecurity Breaches to Result in over 146 Billion Records Being Stolen by 2023 |publisher=Juniper Research |date=08 August 2018 |accessdate=14 December 2019}}</ref> Even the tiniest of businesses face cybersecurity risks today. The independent contractor with a WordPress-based website advertising their knowledge and skills must still ensure all website plugins and themes are updated and install security plugins to close potential vulnerabilities in the software. Without these precautions, hackers could spread malware, steal user data, add the website to a bot network, or hack it just for fun and learning.<ref name="GrimaTop19">{{cite web |url=https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/ |title=Top reasons why WordPress websites get hacked (and how you can stop it) |author=Grima, M. |publisher=WP White Security |date=14 November 2019 |accessdate=14 December 2019}}</ref><ref name="MoenWhatHack16">{{cite web |url=https://www.wordfence.com/blog/2016/04/hackers-compromised-wordpress-sites/ |title=What Hackers Do With Compromised WordPress Sites |author=Moen, D. |work=Wordfence Blog |publisher=Defiant, Inc |date=19 April 2016 |accessdate=14 December 2019}}</ref><ref name="TalalevWebsite19" />
-A late 2018 audit of Fortune 500 companies found a mix of good an bad news: they're doing better at reducing the number of entry points for hackers to enter their systems, yet susceptibility to fraudulent email remains a major concern.<ref name="UchillFortune18">{{cite web |url=https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html |title=Fortune 500 cybersecurity is better and worse than you'd think |author=Uchill, J. |publisher=Axios |date=11 December 2018 |accessdate=14 December 2019}}</ref>Additionally, Fortune 500 companies are still lagging behind in public transparency of showing a commitment to cybersecurity and protecting customer data.<ref name="StahieFortune19">{{cite web |url=https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/ |title=Fortune 500 Companies Take Cyber Security for Granted |author=Stahie, S. |work=Security Boulevard |date=04 October 2019 |accessdate=14 December 2019}}</ref> More broadly, roughly 60 to 70 percent of companies are still ill-prepared for cyber threats, either not having an up-to-date cybersecurity strategy or having no plan at all.<ref name="Galvin60_18" /><ref name="TalalevWebsite19">{{cite web |url=https://www.webarxsecurity.com/website-hacking-statistics-2018-february/ |title=Website Hacking Statistics (Updated 2019) |author=Talaleve, A. |publisher=WebARX |date=May 2019 |accessdate=14 December 2019}}</ref>
+A late 2018 audit of Fortune 500 companies found a mix of good and bad news: they're doing better at reducing the number of entry points for hackers to enter their systems, yet susceptibility to fraudulent email remains a major concern.<ref name="UchillFortune18">{{cite web |url=https://www.axios.com/fortune-500-cybersecurity-email-security-8cb4a3ee-0aa4-42b4-8ab4-da722d756379.html |title=Fortune 500 cybersecurity is better and worse than you'd think |author=Uchill, J. |publisher=Axios |date=11 December 2018 |accessdate=14 December 2019}}</ref>Additionally, Fortune 500 companies are still lagging behind in public transparency of showing a commitment to cybersecurity and protecting customer data.<ref name="StahieFortune19">{{cite web |url=https://securityboulevard.com/2019/10/fortune-500-companies-take-cyber-security-for-granted/ |title=Fortune 500 Companies Take Cyber Security for Granted |author=Stahie, S. |work=Security Boulevard |date=04 October 2019 |accessdate=14 December 2019}}</ref> More broadly, roughly 60 to 70 percent of all companies are still ill-prepared for cyber threats, either not having an up-to-date cybersecurity strategy or having no plan at all.<ref name="Galvin60_18" /><ref name="TalalevWebsite19">{{cite web |url=https://www.webarxsecurity.com/website-hacking-statistics-2018-february/ |title=Website Hacking Statistics (Updated 2019) |author=Talaleve, A. |publisher=WebARX |date=May 2019 |accessdate=14 December 2019}}</ref> All this, despite the fact that cybercrime appears to only be getting worse for everyone.
+The most solid first steps any organization or individual can take to limit the potential effects of cybercrime is to learn more about the threat and to develop a cybersecurity strategy. For most organizations, this means developing a cybersecurity plan.
-[[File:Incidents Reported by Federal Agencies in Fiscal Years 2006-2012 (15400517077).jpg|right|400px]]Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
+A cybersecurity plan is a developed, distributed, reviewed, updated, and protected collection of assessments, analyses, requirements, controls, goals, policies, performance indicators, and metrics that shapes how an organization protects against and responds to cybersecurity threats. Developing a cybersecurity plan is not a simple process; it requires expertise, resources, and diligence. Even a simple plan may involve several months of development, more depending on the complexity involved. The time it takes to develop the plan may also be impacted by how much executive support is provided, the size of the development team (bigger is not always better), and how available required resources are.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=29 November 2019}}</ref>
+This guide attempts to assist organizations and individuals with overcoming the involved complexities cybersecurity plan development and preventing becoming another cybersecurity statistic. It addresses the major standards and regulations affecting cybersecurity, in particular the National Institute of Standards and Technology's Cybersecurity Framework and related controls. Also addressed is how to best incorporate a cybersecurity framework and controls into your plan development. Afterwards, a 10-step plan of attack is presented in detail, followed by closing comments. At the end of this guide, we include an appendix containing a slightly more simplified wording of NIST's most popular cybersecurity controls, as well as mappings to this wiki's own LIMSpec for laboratory informatics solutions.
+Note that this guide has been written with the intent to broadly cover multiple industries. However, it does have a slight lean towards laboratories, particularly those implementing information systems. Despite that, there should be sufficient information contained herein to be helpful to most people attempting to navigate the challenges of consistently applying cybersecurity goals and policies to their organization.
-Keep in mind that while this guide has been written with intent to broadly cover multiple industries, it does have a slight lean towards laboratories, particularly those implementing information systems.
 ==2. What are the major standard and regulations dictating cybersecurity action?==

Difference between revisions of "User:Shawndouglas/sandbox/sublevel24"

Revision as of 19:22, 14 December 2019

Contents

1. What is a cybersecurity plan and why do you need it?

2. What are the major standard and regulations dictating cybersecurity action?

3. The NIST Cybersecurity Framework and its control families

4. Fitting a framework or specification into a cybersecurity plan

5. Develop and create the cybersecurity plan

6. Closing remarks

Appendix 1. A simplified description of NIST Cybersecurity Framework controls, with ties to LIMSpec

References

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools

Popular publications

Print/export