Decision-making Processes for Cybersecurity Implementation

 It is imperative that cybersecurity roles and responsibilities within an organization need to be clearly defined and communicated from the top-down, meaning all levels of technology users. Chief Information Officers, system owners, privileged users, and standard users have different sets of responsibilities to protect data, report incidents, and be aware of the cybersecurity risks they face. Also, the organization should ensure that all personnel and partners are provided cybersecurity awareness training so that their responsibilities are understood and consistent with cybersecurity policies, procedures, and agreements (NIST, 2018).

 By first identifying its business objectives and priorities, an organization can begin the decision-making process for cybersecurity implementation, regulatory requirements, and risk approach. After determining the scope of the plan, the responsibilities may differ for types of organizations. For example, if a merchant organization handles payment card data, they need to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. Those organizations processing patient information must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulatory standards. If an organization deals in private user information, responsibilities will include incorporating policies that comply with privacy laws into the cybersecurity plan, such as data collection minimization, disclosure, and retention of personal information material related any cybersecurity incidents (NIST, 2018). Policies and procedures should also cover physical security, account authorization and authentication, incident response, and business continuity planning (Every, 2008).

 Lastly, there should be an enterprise approach to consistently audit and monitor both cybersecurity risk to organizational assets and the regulatory, legal, environmental, and operational requirements.

 The business continuity management (BCM) standard ISO 22301 is called the Societal security – Business continuity management systems – Requirements. It provides a framework of international best practices and facilitates cyber incident and crisis management (ICM) and BCM to be integrated into organization-wide risk management and response plan for cyber incidents (Antonucci, 2017). Six sections required to certify a BCM against ISO 22301 are leadership, planning, support, operation, performance evaluation, and improvement.

• Leadership – Establish and document:
  • Leadership, support, and commitment to BCM
  • A BCM policy that demonstrates a:
    • Statement of corporate intent
    • The mandate for managers to develop, and operate the BCM System (BCMS)
    • Summary of BCM objectives and requirements
  •     Establish, document, implement and review the BCMS
  •     Roles, responsibilities, and authorities
• Planning – Determine and document:
  • Specify actions to manage risk and address opportunities that may influence or disrupt the BCMS
  • Set BCM objectives and develop plans to achieve them
• Support – Establish resources and support the BCMS:
  • A task and competence system
  • An awareness program
  • A communications plan to include incidents and non-incidents
  • Documentation management with version control, security, availability, and ease of use
• Operation – Plan and implement processes deliver:
  • Business impact analysis & risk assessment
  • Strategies
  • Continency Resources
  • Impact mitigation
  • Incident response & business continuity plans
  • Exercise & testing of plans and procedures
• Performance Evaluation – Determine and document arrangements for:
  • Monitoring, measurement, analysis, and evaluation
  • Internal audit to evaluate the BCMS
  • Management review and communication of results
• Improvement – Establish procedures for:
  • Identifying non-conformance, reporting, and consequence control
  • Corrective actions and system changes
  •     Continuous improvement (Drewitt, 2013)

 The Internet of things (IoT) and Smart Technology are two emerging and related technologies that require similarly emerging cybersecurity technology and practices to ensure information security. The IoT is the network of smart autonomous, sensors, cyber-physical systems, network-enabled, and embedded systems that can communicate over the Internet with one another or with a command and control module in order to interact with and monitor the real world. In the future, these smart technologies will be able to adapt, learn, and make decisions based on input (Klinedinst, 2017). IoT devices might also be labeled as smart devices or smart-home devices, such as thermostats, refrigerators, hubs, and security systems. IoT devices are not limited to static home, industrial, or commercial use – they are also found in air, sea, and mobile devices (Xu & Li, 2017).

 The mesh networks created with the IoT extend the network’s perimeter and access points which add additional exploitation targets, making it vulnerable to attacks against service integrity, availability, and privacy. The lower level of IoT, the device level, the sensing technologies have limited energy and computation capacity and do not provide the needed security. The middle layer, which includes the network and service layer, is susceptible to eavesdropping, denial of service (DoS) attacks, and de-centralized attacks such as endpoint replication, suppression, and impersonation. The upper layer, such as the application layer, must have robust data aggregation and encryption to mitigate the vulnerability problems of all layers (Xu & Li, 2017).

 The entire IoT security stack while still vulnerable to traditional attacks against networked and wireless networking endpoints carries additional risks based on device types and their implemenation of specific protocols and security features (Klinedinst, 2017).

 In order for an organization to be resilient when unexpected events arise and return to normal operations, business continuity plans (BCP) and disaster recovery plans (DRP) need to be scoped, planned, assessed, approved, and implemented (Stewart, Chapple, Gibson, 2015). The impact of the event(s) could be significant or catastrophic, so if business continuity controls fail, disaster recovery plans will assist with restoring operations. The bottom line is that applications, hardware, facilities, and data need to be restored as soon as possible so that normal operations and business continuity is achieved.

 The information technology disaster recovery plan and business continuity plan should be developed together in order to help an organization prepare for disruptive events such as natural disasters, infrastructure outages, insider attacks, and man-made emergencies. Two essential parts to the business continuity and disaster recovery plan are risk mitigation before an event, and the steps to take if a disaster or business disruption occurs. The BCP’s focus is on maintaining mission-critical business operations with reduced or restricted infrastructure resources and restoring capabilities to pre-event status (Stewart, Chapple, Gibson, 2015).

 If the BCP fails to prevent business operation interruptions and continuity is broken, the DRP is enacted. The importance of the DRP is that it guides emergency-response personnel to restore business operations to “full operating capacity in its primary operations facilities.” (Stewart, Chapple, Gibson, 2015)

References:

• Antonucci, D. (2017). The Cyber Risk Handbook: Creating and measuring effective cybersecurity capabilities. Hoboken, NJ: John Wiley & Sons.
• Drewitt, T. (2013). ISO22301 – A Pocket Guide. IT Governance Publishing.
• Every company needs to have a security program. (2008). Retrieved February 24, 2019, from https://www.appliedtrust.com/resources/security/every-company-needs-to-have-a-security-program
• Klinedinst, D. (2017, October 23). 8 At-Risk Emerging Technologies. Retrieved February 24, 2019, from https://insights.sei.cmu.edu/sei_blog/2017/10/8-at-risk-emerging-technologies.html
• NIST. (2018, April 16). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved February 17, 2019, from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
• Stewart, J. M., Chapple, M., & Gibson, D. (2015). CISSP: Certified Information Systems Security Professional Study Guide. Hoboken, NJ: Sybex.
• Xu, L. D., & Li, S. (2017). Securing the Internet of Things. Syngress.