As the security landscape has become more threatening and many organizations have fallen victim to attacks, breaches, and unrelenting news coverage, most have finally been forced to react in an effort to protect themselves. One of their first actions has been to apply significantly more budget and resources to their overall cyber security effort.
As more money and energy is poured into cyber security, organizational management has placed greater emphasis on ensuring that a systematic approach is used to employ these resources as effectively as possible. In security speak, this is called “Security Program Development”. Actually, it is called Security Program Development, Information Security Management System (ISMS), Security Plan in government, and about a hundred other things depending on your perspective and the perspective of the person who taught you about it. This has created an interesting situation.
“A Cyber Security Program is like building your own security empire to protect your property. Some basic standards provide you with a list of the things needed to build it, and a proven methodology provides a process for making a Cyber Security Program, but you have to be practically oriented.”
As organizations now want Cyber Security Programs more than ever, many organizations have been confused by the myriad of techniques and approaches that exist, especially now when time is of the essence. This paper seeks to address this confusion by looking at some of the available Cyber Security Program Development methodologies out there. Once this foundation has been established, this paper will then look to build on this new level of understanding with some actionable techniques for moving your Security Program Development efforts forward. So before moving on to some of the existing approaches out there, we will first explore why building a repeatable Cyber Security Program for your organization is important.
Note: Here are the 3 important tips to start with.
1. Information Security is not Cybersecurity
Contrary to public opinion, either inadvertently or not, “Information Security” and “Cybersecurity” are not the same thing. In fact, if you take a deeper look into both disciplines, it is clear that there are actually significant differences between the two. Essentially, InfoSec is anything involving the security of information or information systems regardless of state (e.g. physical = paper | digital = database). Cybersecurity is anything involving the security of information or information systems in a digital state (e.g. database, financial systems).
Based on this understanding, it is quite reasonable to say that cybersecurity is in fact a subset of Information Security. You have now defined what cyber security means to your organization: the elements of InfoSec that are designed to safeguard digital assets and systems.
2. Laying the Groundwork
Your next step is to build on your definition by establishing a foundation for your program. In doing this, you don’t need to re-invent the wheel, because there are several well-established industry frameworks available to you, such as COBIT 5 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which, in my opinion, provides the best foundation for a cybersecurity initiative.
As you work through your framework, you will probably find that many functions, categories or subcategories aren’t easily translatable into your organization. From this point, you’ll need to establish a correlation between the framework and your operational services. The Information Security Forum (ISF) Standards of Good Practice for Information Security provides an excellent reference for this exercise, after which you can figure out which operational services align with the scope of your cybersecurity definition. While working through this exercise, it is important to recognize that there are operational services aligning with your program that are supported by IT and/or business lines such as asset management, directory service administration, or software inventory.
3. Pulling together costs
You know what cybersecurity means to your organization, you’ve established a program using recognized industry frameworks/standards/etc., and all operational services have been aligned. It should be no surprise that at this point, executive management is going to ask the million dollar question: “How much do we spend on cybersecurity?”
No sweat! Having already mapped out the operational services that align to cybersecurity, you are in a much better position to justify your resource and operational budget allocations. However, from the granular perspective of operational services, presenting a breakdown of your cybersecurity program costing can be overwhelming. This is where the framework for operational service mapping comes into play.
At the highest level of the cybersecurity program are so-called ‘Control Objectives’ like ‘Security Operations’ or ‘Incident Management.’ Within each Control Objective you find a subset of unique ‘Control Selections’ like ‘Security Awareness Training’ or ‘Malware Protection Software.’ At the lowest level, within each Control Selection, is the many-to-many mapping of operational services like ‘ID Provisioning’ or ‘Web Application Protection’.
Each operational service comes with a total service cost, separated into overhead (people) and operational (software/hardware) expenses. Count the number of times an operational service is mapped into a Control Selection and divide the total service cost by that number; that quotient is the share of the service’s cost attributed to each Control Selection it appears in. Using the mapping of Control Objectives, Selections, and Services, you are now equipped to demonstrate the overall cost of your program.
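The cost roll-up just described, worked through in code. This is an added example, not part of the original article: the Control Objectives, Control Selections, service names and cost figures below are constructed for illustration, and a service that is costed but never mapped to a Control Selection is reported separately so it is not silently lost or double-counted.

```python
"""Roll operational-service costs up through Control Selections and Control
Objectives. Added example; the hierarchy, service names and costs are
constructed for illustration only."""
from collections import defaultdict

# Constructed sample hierarchy: Control Objective -> Control Selection -> services.
# A service may appear under several selections (the many-to-many mapping).
CONTROL_MAP = {
    "Security Operations": {
        "Malware Protection Software": ["Endpoint Management", "Web Application Protection"],
        "Security Awareness Training": ["ID Provisioning"],
    },
    "Incident Management": {
        "Incident Handling": ["Endpoint Management", "Log Monitoring"],
    },
}

# Constructed sample costs: service -> (overhead/people, operational/software+hardware).
SERVICE_COST = {
    "Endpoint Management": (120_000, 80_000),
    "Web Application Protection": (60_000, 40_000),
    "ID Provisioning": (50_000, 10_000),
    "Log Monitoring": (90_000, 30_000),
    "Printer Fleet Management": (20_000, 5_000),  # costed but mapped to no control
}


def mapping_counts(control_map):
    """How many Control Selections each service is mapped into."""
    counts = defaultdict(int)
    for selections in control_map.values():
        for services in selections.values():
            for service in services:
                counts[service] += 1
    return dict(counts)


def allocate_costs(control_map, service_cost):
    """Split each service's cost evenly across the selections it is mapped into.

    Returns {objective: {selection: {service: (overhead_share, operational_share)}}}.
    A mapped service with no recorded cost is an error rather than a zero,
    because a zero would silently understate the program cost."""
    counts = mapping_counts(control_map)
    allocation = {}
    for objective, selections in control_map.items():
        allocation[objective] = {}
        for selection, services in selections.items():
            shares = {}
            for service in services:
                if service not in service_cost:
                    raise KeyError(f"no cost recorded for mapped service {service!r}")
                overhead, operational = service_cost[service]
                n = counts[service]
                shares[service] = (overhead / n, operational / n)
            allocation[objective][selection] = shares
    return allocation


def program_cost_report(control_map, service_cost):
    """Roll shares up to selection and objective level and flag unmapped services."""
    allocation = allocate_costs(control_map, service_cost)
    by_selection, by_objective = {}, {}
    for objective, selections in allocation.items():
        objective_total = 0.0
        for selection, shares in selections.items():
            selection_total = sum(o + p for o, p in shares.values())
            by_selection[(objective, selection)] = selection_total
            objective_total += selection_total
        by_objective[objective] = objective_total
    unmapped = sorted(set(service_cost) - set(mapping_counts(control_map)))
    return {
        "by_selection": by_selection,
        "by_objective": by_objective,
        "total": sum(by_objective.values()),
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    report = program_cost_report(CONTROL_MAP, SERVICE_COST)
    for objective, total in report["by_objective"].items():
        print(f"{objective}: {total:,.0f}")
    print(f"Program total: {report['total']:,.0f}")
    print("Costed but unmapped services:", report["unmapped"])
```

Because each service’s cost is divided by the number of selections it is mapped into, the program total always equals the sum of the mapped services’ costs, however many times a service is reused; that is the check to run before the numbers go to executive management. The unmapped list is the other check: those services are either outside the cybersecurity definition or missing from the mapping.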
Bottom line: Getting from “We need a cybersecurity program” to “We have one” requires a serious investment in both time and resources. But once you’ve come to the end of the process, you will be able to say “Here’s how much we spend on cybersecurity” – and have the hard numbers to back it up.
So, let’s get started
Let us now plan for creating an effective cybersecurity program for your organization.
Imagine a situation where it is discovered that customer accounts have been breached, a computer virus spreads across the network, or the purported identity of a staff member turns out to be false. These are all significant security breaches that require effective countermeasures to contain damage, bring sanctions, fix issues and prevent future occurrences.
What guiding principles or mechanisms can be used to inform management and staff on not only what needs to be done, but how? A well-developed and enforced cybersecurity program involving defined strategies, procedures and controls provides a guide or standard of practice for responding to these and other breaches. In this increasingly connected digital society it is very important for companies to find ways to protect their critical information infrastructure and assets, including human resources.
Cybercrime and cybersecurity are among the top global concerns as cybercriminals continue to find innovative methods to breach organizational defenses. In response, cybersecurity is now at the top of national and organizational agendas. Despite this development, many organizations still suffer from governance lapses and are without current or well-defined programs to help inform stakeholders on approaches to maintain security and enterprise continuity. In Jamaica, for example, many businesses and areas of government unfortunately do not have formal security programs, and in some cases cybersecurity is not even on the radar. The security program provides a holistic view of the actions needed to achieve sound cybersecurity management across the enterprise. It defines not only technical but also operational, management, and legal and regulatory baseline measures. One of the first steps of this program is the development of a comprehensive set of documents, including the strategy and the suite of policies to be implemented and enforced.
The strategy details the roadmap in optimizing security. It is the plan of action developed to inform the organizational security policy, and activities to maintain or improve the security levels of the organization, its people, processes and critical infrastructure. It informs the contents of the policy documents such as data security, incident management, network security and personnel security to name a few.
These policies facilitate organizational control by stating the desired state and the specific outcomes that must be assured. From these, a more detailed set of operational plans and procedures is developed.
All three components are closely related (figure 1) and provide guidance across the full security and incident management life cycles.
Figure 1: Cybersecurity Program
The cybersecurity program framework, figure 2, places the program activities in context. The framework establishes a coherent set of processes that are required in helping to develop a sound and comprehensive security program.
This in turn will establish and maintain a baseline standard of practice and competency for the organization.
The CYBERSECURITY PROGRAM FRAMEWORK
Step 1: Identify. Identify the essential elements of what is required to attain compliance or successful cybersecurity resilience.
- Determine the desired state of security maturity, baseline and readiness for the organization.
- Identify the requisite set of standards /frameworks and best practices that will be used to guide development and implementation of the organization’s activities. For example, ISO, COBIT, ENISA, etc.
- Identify the organization’s critical information infrastructure/assets. Know what is important and describe protective measures.
- The key categories are network and telecommunications, utilities, programs/applications, computers and data. The details differ among organizations, but common examples are the technology supporting critical areas of the business, the network infrastructure, and the specific information systems that run critical processes and activities.
- Identify the human resources for technical, operational, management and legal skills, roles and responsibilities. People are often taken for granted in the process however knowing the right people for the right tasks is an essential part of a successful plan.
Step 2: Assess. Gauge and evaluate your organization’s state of protection mechanisms, gaps and opportunities for improvement. Conduct a thorough audit.
- Assess the critical information infrastructure/assets.
- Identify key vulnerability points and strengths.
- Assess any previous security documents and processes.
- Speak to experts in chosen areas.
Step 3: Develop. This step involves the set of activities required to draft and test the adoptability of the organization’s cybersecurity strategy, policy and set of actions to manage enterprise security. The overall set of documents should include know-how and know-what knowledge on areas such as surveillance and monitoring of threats, security audits, vulnerability assessments, incident handling and reporting, risk management, business continuity and more.
- Develop the cybersecurity strategy
- Develop the policy, plans and procedures
- Obtain key stakeholders’ involvement
Step 4: Train. Creating awareness of the organization’s intent and of the content of the security program is necessary after development. This improves security awareness in the business and promotes collaboration and buy-in among employees and other stakeholders.
- Develop awareness campaigns, and conduct them periodically
- Educate staff, management and customers on the areas pertinent to them about keeping safe and protecting the organization. Examples include the content of the strategy, key areas and methods of adherence and enforcement, and communication of any revisions.
- Build capacity where the need exists to support the strategy, policies and procedures.
Step 5: Monitor. Upon implementation of the strategy it is critical to monitor its performance in order to identify any areas for improvement. Also implicit is continuous surveillance of the landscape to identify new threats, vulnerabilities or even countermeasures that were not present when the strategy was developed.
- Track use and performance of the strategy within the context of the security policies and programs within the organization.
- Obtain feedback on the effectiveness of strategy from stakeholders.
- Continuously monitor the internal and external environment for changes or developments.
Step 6: Respond. With knowledge of what is happening in the internal and external environment, suitable response strategies can be devised and put into action. Implement revised strategies that will inform tactical and operational programs. Implement enforcement mechanisms for breaches and non-adherence.
Step 7: Evolve. The ability to adapt and evolve based on changing needs, demands and events is necessary with any organizational framework or document. Given the characteristics of cybersecurity and its rapidly changing landscape, it is even more critical here. Revise the strategy at frequent intervals based on the organizational context. Continue to adopt best practices and international and local security standards. Respond quickly to changes in the environment. Build on knowledge.
We also need to concentrate on the seven important steps of risk management.
The CRITICAL SUCCESS FACTORS and the Strategies
No matter how well a strategy is prepared, it is the people who will determine how effective the cybersecurity strategy will become. There are multiple critical success factors for an effective cybersecurity strategy. Some are highlighted here and in table 1.
Alignment of the business strategy and security objectives is necessary to achieve cohesiveness and success. Including security as part of the organization’s strategy is important while ensuring that the security framework matches to the direction, goals and objectives of the organization.
Sound Governance Practices
Governance is the bedrock of standards and maturity. Equipping the organization with clear measures of transparency, accountability, confidentiality, integrity and other areas has a positive effect on security management. Enforcement of the security programs is also an important part of accountability and governance. It shows members that actions, or the lack thereof, have consequences.
Executive Management Support & Commitment
The level of awareness and interest of executive management in securing the enterprise and maintaining this status is important in any security activity. Support from the onset should be obtained, managed and maintained throughout. Executive management should drive the process.
The support of the internal and external stakeholders is necessary to support adoption of the mandates embedded in the security strategy.
Judicious Use of Current Security Standards and Best Practices
There is a plethora of standards and best practices for organizations to adopt. Careful examination of them and a determination of their suitability is necessary. There must be some baseline standard of adherence, but do not be afraid to create your own set of standards.
Continuous Capacity Building
The environment and security landscapes are changing rapidly, and people need to be equipped with the necessary technical, operational, legal and managerial skillsets. Note that it is not only about technical skills; they are necessary but not sufficient for sound cybersecurity management. Know the laws of your country. Train the staff and apply sound profiling techniques to prospective employees, and periodically to current ones.
Promote Inter-Organizational Cooperation
For some this is seen as a dream. However organizations can share ideas and strategies to help combat threats. Information sharing between organizations, and governments is essential in the fight against cybercrime. We have to move away from the fear factor if we are serious about moving beyond the blissfully ignorant stage of security management.
The ability to respond to the dynamism of the cybersecurity landscape and being agile in improving security standards, techniques and cybercrime strategies sends a strong signal to the level of commitment, readiness or preparedness of the organization. It also suggests the presence of sound security practices.
Support Law Enforcement
Report cyber incidents to law enforcement. It is that simple. Knowledge is one important element in fighting cybercrime, and unfortunately cybercriminals keep getting the upper hand due to the lack of reporting. As a result, an alleged criminal employee may move from one organization to the next, or criminals may target a series of organizations, because of the lack of information sharing.
Promote Corporate and Individual Responsibilities
Understanding that each member of the organization is responsible for their own as well as the organization’s safety is paramount. Additionally promoting corporate responsibility through safe practices, continuous awareness campaigns and support of the law and law enforcement can have a positive impact on the overall organizational security philosophy.
According to the Estonian Permanent Undersecretary of the Ministry of Defence, one reason why other countries are now listening to Estonia is that it has been open and public about security matters. Estonia is now a key thought leader in cybersecurity as a result of the 2007 attack. Organizations can take similar lessons and be open about breaches while remaining committed to learning and preventing future attacks. This means putting the necessary measures in place to manage cybercrime and improve cybersecurity, including adopting sound governance practices. Cybersecurity is centred on formulating tangible measures to counter threats and vulnerabilities. Developing a comprehensive, usable strategy document is one of the first steps to showing commitment to effectively managing and protecting the organization against cyber threats and vulnerabilities. The cybersecurity strategy is an important document: it establishes the roadmap on security for the organization and informs the policies and actions within the business. In other words, it articulates the measures, methods and mechanisms that help counter cyber threats and vulnerabilities. A guide is introduced: identify, assess, develop, train, monitor, respond and evolve, supported by important facilitating conditions such as support for law enforcement, sound governance structure and practices, and inter-organizational cooperation.
The 10 tips for Creating a Cybersecurity Program
These 10 tips can help healthcare organizations establish such a program:
1. Create a strong, cross-sectional cybersecurity team that includes personnel from legal, information technology, human resources, and public relations departments. The team should also include at least one member of senior management.
2. Conduct a “privacy survey,” which is the process of identifying the legal, regulatory, and contractual obligations to protect data. Healthcare companies and their business associates must be particularly aware of their obligations to safeguard protected health information under both HIPAA and HITECH. Companies should also consider state laws to protect “personally identifiable information” (“PII”), and should understand contractual obligations, which likely include obligations to protect payment card information (“PCI”) under the rules established by card brands like Visa and MasterCard.
3. Perform risk analysis required under HIPAA’s Security Rule. As part of the risk analysis process, companies need to identify the PHI they maintain and develop a detailed understanding of their technical systems and the potential threats they may face.
4. Segregate sensitive data from regular data and protect it with additional physical, technical, or procedural safeguards (including firewalls, password protection and encryption).
5. Implement “privacy by design” when developing cybersecurity solutions. The company should create policies and procedures that account for patient privacy, legal compliance, and data protection throughout the data lifecycle (i.e., collection, processing, storage, and destruction). As part of this effort, the company should develop comprehensive policies to address privacy and data security, including a BYOD policy, a password policy requiring use of strong, complex, unique passwords; personnel policies (including onboarding and off-boarding policies) that enhance security; and a network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.
6. Manage vendors and scrutinize the adequacy of their cybersecurity policies and procedures before entering into relationships with them. Enact contractual safeguards to minimize risk, including by requiring protection of sensitive data, providing rights to audit vendors’ security practices, and requiring vendors to notify the company if a breach occurs. The contract should allocate risk in the event that a breach at the vendor harms the company, and companies should consider requiring vendors to carry cyber insurance. Companies must enter business associate agreements with vendors that will have access to PHI. But before entering a business associate agreement, healthcare organizations should assess whether a vendor’s access to PHI is necessary. If not, the vendor should not have access to the PHI, and the company may avoid the compliance costs associated with business associates.
7. Engage in cybersecurity information sharing through, for example, the National Health ISAC. The NH-ISAC allows industry players to keep abreast of evolving cyber-attack tactics and industry security standards.
8. Consider cybersecurity insurance, which, depending on the policy, may cover forensic investigation and system restoration costs; defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data; regulatory investigation defense costs and penalties; notification costs and credit monitoring for affected customers and employees; losses attributable to the theft of the policyholder-company’s own data (including transfer of funds); business interruption costs; costs required to investigate threats of cyber-extortion and payments to extortionists; and crisis management costs, such as the hiring of public relations firms. Cyber liability policies differ significantly from many traditional policies because they are not (yet) based on a standard form. It is therefore critical to carefully review the exclusions of cyber policies with a broker and coverage counsel.
9. Develop an incident response plan, which is a detailed plan that outlines how a company will respond to suspected cyber-events. These plans help companies quickly and effectively investigate and remediate attacks. An incident response plan should identify the leaders of the response team and present easy-to-follow, scenario-based responses to different types of cyber incidents. The plan should clearly delineate first steps and include a timeline of major investigative events. The plan should also provide for involvement of experienced legal counsel in all aspects of the investigation of a suspected cyber-event (including communications about the potential event, remediation efforts, and disclosure and reporting) to ensure that the investigation is protected under the attorney-client and work product privileges. Privilege is critical because the company may soon find itself the defendant in a variety of lawsuits, including lawsuits by regulators, customers, issuing banks, or investors.
10. Develop a business continuity plan to facilitate efficient data recovery and resumption of operations in compliance with HIPAA requirements. Cyber-attacks may result in victim-companies losing access to their data and systems. For example, many companies have been affected by the Cryptolocker malware, which encrypts (and renders useless) the company’s data until a ransom is paid. If companies are not prepared for these types of attacks, they may face enforcement actions, private litigation, and a substantial interruption of services, which can each be extremely costly. The first step in creating an effective business continuity plan is identifying critical systems. Systems should be prioritized based on the maximum time that each can be down without causing substantial harm to the business. The company must then select a back-up system, and should consider the following factors in choosing a back-up system: how quickly the data needs to be restored, how much data must be stored, and how long data must be maintained. It is critical that the company’s back-up system be sufficiently segregated from the company’s day-to-day systems so that a cyber-attacker cannot access the back-up system during an attack.
So, let us build the strategy and team now…
Common Security Program Definitions
As mentioned in the introduction, there is a long history for how the concept of Cyber Security Program Development has been used within the security community.
While it is clear that organizations were not ready for Cyber Security Programs five and even two years ago, the security community, in our quest to be accepted, did develop a myriad of approaches, frameworks and documentation to implement and/or define a Security Program.
What has changed is that organizations were not ready to spend money and build a real program a few years ago. Now they are, which for the first time gives the security community a compelling business purpose to implement these programs.
Let’s explore some of these approaches to add some clarity to the subject. When it comes to Security Program Development, there are three primary frameworks of information that can be utilized. We will attempt to summarize them here, as well as provide some pros and cons for you to consider specific to using one of these frameworks for your organization.
- The NIST Approach
The National Institute of Standards and Technology (NIST) has been documenting approaches for developing Security Programs since the early 2000s. In the government world, developing a Security Program is generally called a “Security Plan.” Yes, this is a nebulous term for a nebulous term, which is why so many organizations and people get confused with all this stuff. Below are the documents within the NIST catalog that address building a security plan or program. There is no doubt that we may have missed some, by the way, but here are the main ones that most of us know about.
- 2003: NIST 800-35: Guide to Information Technology Security Services
- 2006: NIST 800-100: Information Security Handbook: A Guide for Managers
- 2007: NIST 800-18: Guide for Developing Security Plans for Federal Information Systems
- 2013: NIST 800-53 v4: Security and Privacy Controls for Federal Information Systems and Organizations
In general, for an organization, understanding the recommendations and guidelines of NIST is critical for one reason. Though not mandatory, most of the HIPAA Security Rule points to documents and standards created by NIST. As a result, many lawyers, particularly in breach situations, are recommending using NIST for building a Security Program. Over the next couple of years, this is going to lead to chaos.
Cyber Security Program Development
Here are some considerations that may help in using the books available on the subject.
They often break down into three types of book: war story books, certification books and process-driven approaches. The war story versions are a collection of stories about how to build a Security Program. These are often a waste of time, because your situation will be different from each story in these books, which often leaves you with fear and anxiety rather than an approach.
The certification books will tell you exactly what a Security Program should be, but will give you no clue how to build one. In that instance, I would go with NIST and save $70 on a book. Finally, there are process driven books.
“The key to a process driven Cyber Security Program Development approach is that it allows you to customize specifically to your environment”
Considerations for Today
Lately, the appetite of organizations to build a Security Program has been truly remarkable. Until recently, organizations were simply not ready for many of the concepts involved in building a custom-fit Security Program. Whereas I begged for meetings with management to discuss building a Security Program even as recently as two years ago, now they can’t schedule meetings quickly enough, or make the necessary investments quickly enough, to get the program started.
That is great if that program is being developed by someone who knows what they are doing. However, I often tell management that a large investment in security, without a sound approach for using it, is going to lead to a false sense of security, and actually a less secure environment than spending no money at all. So what to do?
Steps for Getting a Security Program going today
If you are charged with getting a formal Security Program going today for your organization, here is what I recommend to get you started.
Step 1: Understand your options: There are a myriad of approaches in the industry, you just have to understand them and then use this understanding to shape your program.
Step 2: Define your functional requirements: What does your program need to do for your organization? A healthy Security Program must have processes to do the following four functional things:
- Establishing a benchmark
- Ability to measure against that benchmark
- Report findings to management
- Implement decisions made by management
- Define a standard benchmark: For your organization, a Security Program has to define what the appropriate level of security is that the business must align to. This might be as defined in NIST, ISO, or a custom flavor of standards. None of these are wrong; your Security Program simply must have a way of defining them and then letting your organization know what they are.
What does this look like when done right? When you have established an effective benchmark, your Security Program will have:
- Defined Program Charter: This ratified charter will illustrate the strategy, mission and mandate, as well as the associated roles and responsibilities for your program.
- Security Policies, Standards, & Guidelines: You will have a retrofitted suite of policies, standards, and associated guidelines that align to your defined program charter. Integrated guidance from NIST or ISO, or anything else, should be done here and should be done across all of your documentation.
- Defined Security Processes: Any security process or service that your Security Program performs should be defined and documented as a repeatable process.
- An ability to measure your environment against your defined benchmark: Once you define your benchmark, you have to institute the mechanism to measure your organization against it.
A takeaway as you finish this Cyber Security Program white paper
A 5-Step Process for a Proactive Security Program
Based on experience from hundreds of customer engagements, some experts can design a continuous assessment and monitoring program aligned with your strategy and industry best practices. A five step process should include these key actions:
- Collaborate with your organization to understand your security strategy
- Establish overarching security goals
- Review, refine and close gaps in existing security plans and policies
- Design a continuous assessment and monitoring program aligned with your strategy
- Help integrate these plans, policies and processes into your day-to-day operations
The end result is a robust, manageable and ongoing cybersecurity program tailored to your organization’s needs to improve your security posture.
Your valuable feedback and comments are welcome.