By: Cliff Neve, COO, MAD Security
As a consultant I have had the opportunity to evaluate hundreds of organizations’ cybersecurity programs, which span the gamut from nearly non-existent to robust. The successful programs generally have very similar characteristics, which are addressed in an actionable step-by-step manner below.
Step 1: Gain Executive Buy-In and Assign Responsibility
Winning organizations have top-level support from senior leaders who understand the importance of cybersecurity, integrate cybersecurity risks with other business risks, and empower an individual in writing – and in reality – with the authority, responsibility, and resources to manage the cybersecurity program. Every successful cybersecurity program I have seen has a strong champion clearly designated and empowered to lead the program. Unsuccessful programs, on the other hand, typically have fragmented or unclear lines of authority, represented by fiefdoms, resulting in destructive power struggles and ad hoc, chaotic behavior.
Step 2: Conduct a Business Impact Analysis and Establish a Data Classification Guide
The reason for investing in cybersecurity is to enable the organizational mission and protect organizational assets, so it is imperative to begin by documenting business functions and their requirements for system availability and data protection. For instance, an organization may have high-availability requirements for medical systems, 911 call centers, or bridge controllers, where availability trumps confidentiality and integrity. In an HR system, on the other hand, confidentiality might overshadow the need for availability, and thus if there were a potential compromise, it would likely be a better decision to disconnect the system from the network rather than risk data exfiltration. By assessing all requirements for information and information systems in a business context, the appropriate IT architectures can be built with the proper controls, redundancies, and remediations for the environment.
Fewer than half of the organizations I have audited have a good understanding of their data types and data access. Data classification, meaning an understanding of what types of data reside on your systems, where the data resides, and who has access to it, is also critical to understanding security requirements. Some types of data, such as Payment Card Industry (PCI) information, may trigger legal or regulatory requirements that must be fulfilled.
Step 3: Determine Threats
The next step is understanding the adversaries that would be motivated to disrupt your operations, exfiltrate data, or alter your data to give a false representation of facts, as well as understanding your organization’s susceptibility to natural disasters. Threats can include:
- Nation States
- Black Hat Hackers
- Natural Disasters
- Third Party Vendors with Access
These threats inform the “likelihood” portion of the risk equation, wherein Risk equals Likelihood times Impact.
See the author’s article from the July/August 2018 issue of Western Banker for more information on Vendor Management.
Step 4: Develop a Risk Management Plan and Choose a Risk Management Framework
Now that you understand your mission requirements, data sensitivity, and threats, the next step is to formulate a risk management plan that details how to identify, characterize, and handle risks. At this point you should also select a cybersecurity framework that best represents your organizational needs. You may be required to conform to the controls of a specific framework based on legal and regulatory considerations. If none is specifically required, then you should evaluate frameworks and select one based on best fit. For financial entities, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool would be an excellent choice (a link to the tool is provided at the end of this article). Other frameworks include the NIST Cybersecurity Framework, International Organization for Standardization (ISO) 27000, NIST 800-171, and CIS-20.
Step 5: Ensure Plans and Policies Align with Enterprise Risk and Compliance Framework
Draft a System Security Plan (SSP) that addresses the requirements for IT systems in your environment and incorporates the elements of the compliance framework. The SSP should be reviewed at least annually and approved by senior management. Additionally, policies must be monitored and enforced.
Step 6: Conduct a Gap Assessment and Document Plans of Action and Milestones (POA&M)
A gap assessment should be conducted using the chosen framework, including technical testing (vulnerability scans and penetration testing) to validate that the policies are actually being implemented. Technological, personnel, and procedural gaps should be handled as risks, which should then be appropriately characterized and documented in a risk register. The organization should then develop a POA&M to manage those risks in alignment with the risk management plan. Progress against POA&Ms should be tracked and briefed at regular risk management meetings.
Step 7: Maintain Continuous Monitoring
New threats and vulnerabilities appear every day, so it is necessary to continually monitor your environment for out-of-date software, poor configuration settings, and rogue devices. There are two ways to accomplish this: build out your own security operations center, or contract with a managed security service provider (MSSP) that can provide constant monitoring for vulnerabilities and intrusions. If you do contract the services out, make sure that the MSSP meets the controls of your compliance framework of choice.
Following these steps will put you well on your way to a winning cybersecurity program.
For more information, please see the following links:
- Business Impact Analysis (BIA) Template: https://csrc.nist.gov/CSRC/media/Publications/sp/800-34/rev-1/final/documents/sp800-34-rev1_bia_template.docx
- FFIEC Cybersecurity Assessment Tool: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework