User:Shawndouglas/sandbox/sublevel3
Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.
How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.[1] One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.[1][2] When considering those boundaries, remember the following[2]:
- An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
- The system is more than just hardware; the interfaces—physical and logical—as well as communication protocols also make up the system.
- The system has physical, logical, and security control boundaries, as well as data flows tied to those boundaries.
- The data housed and transmitted in the system is likely composed of varying degrees of sensitivity, further shaping boundaries.
- The information system's primary functions are directly tied to the goals of the business.
Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."[3] Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.
Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.
References
- ↑ 1.0 1.1 Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020.
- ↑ 2.0 2.1 Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.
- ↑ "Cybersecurity Futures 2025". Institute for Public Research. CNA. 2019. https://www.cna.org/centers/ipr/safety-security/cyber-security-project. Retrieved 23 July 2020.
